Browsing: PE File

The MZ Header

The MZ, at times, noted as ZM is a magic number for the file extension .exe supporting the binary and executable formats and can be extended to new, linear as well as the portable executable formats. The initials ZM or MZ refer to the name of Mark Zbikowski who put them into the original MS-DOS exec format. In as such, having the signature was necessary to create a distinguishing difference with other .EXE files from others that were considered much simpler like the .COM and the DOS formats.

The file can be easily identified by using the ASCII string MZ found at the beginning of the file. Compared to the COM format which is executable, the MZ Header is newer and different in that it contains information on relocation which allows users to access multiple segments that can be loaded on memory addresses as well as can support executable files slightly larger than the 64Kib. The only disadvantage of the MZ Header is that it requires little memory limits which apparently can be bypassed by the use of DOS extenders.

The executable found on the MZ Header can also run efficiently from DOS as well as 9x operating systems. Other 32 bit Windows can as well execute the MZ Header by using inbuilt virtual DOS machines. However, some of the graphical modes may not be supported by the MZ Header. On the other hand, 64-bit versions of Windows cannot execute the MZ Header. However, the DOSBox, Wine, and the DOSEMU are perfect alternative ways of running the MZ executable.

Moreover, it is considered that each and every PE file has a 16-bit DOS program. Due to that, when the file starts, it opens with the .EXE header. In the past, while people used the Microsoft Windows, The Windows 1.x, 2.x as well as 3.xx operating systems, they did not only exist in similar volumes as Microsoft DOS but equally ran with an MS-DOS operating system as well. As a matter of fact, it was highly likely that users found themselves attempting to run some of the programs in windows under the DOS.

Microsoft programmers, therefore, had to ensure that all windows programs had a 16-bit DOS program found at the front of each executable windows with the ability to alert users anytime they attempted to run any program under the Windows program operating under DOS. However, it cannot be considered to be more useful these days as it was back then when users and the world as a whole were transforming from the DOS to other systems and files that came after that. Notably, back then, it was not easy to find a program that could actually bind together a DOS version with a Win32 operating under the same single binary.

Additionally, users should know that the MZ Header is commonly used for backward compatibility. Moreover, it is considered the best to run on a program that has Win32 system as compared to others as well. Moreover, users should know that the MZ signature is commonly used by the MS-DOS relocatable 16-bit under the EXE format.

{ Add a Comment }

What is file entropy?

In general words, entropy is referred as the measurement of particular data in digital values. Similar to this, the term File Entropy is the representation of data sets in specific file. That is, the phrase File Entropy is used to measure the amount of data which is present in a selected file. For example, if you have some files and desire to calculate the entropy value for that, then it will be very simple by accessing the methods of File Entropy and its calculation process. If you are unfamiliar about what exactly means the entropy exactly and how to calculate an entropy value for particular files, just refer the details that are present below. The following details will provide the complete info about what is the entropy and how it is helpful to calculate the exact value of given data.

How it is work

In simple and exact term, entropy is defined as the measurement of unpredictable value or informative content. This definition may include different changes according to the sector or platform that uses the feature of entropy value. But, all types of measurement that is related with entropy calculation include only digital format information. Usually, the File Entropy is denoted by using different formulas depending on the form of selected data. The equation which is used by Shannon is the simple format to calculate the entropy value of data sets in particular file. This equation includes the measurement of random value, which will be calculated as a result by using the number of given data sets.

The result value of Shannon equation is generally represented between the values of zero and eight. So, entropy value of particular file is represented by using the digital values of 0 to 8. The result is either near to 0 or 8 as well as in-between these two numeric values. The final result will be concluded on the basis of value which is derived from the given data sets. For example, if the measured value is closer to zero, then it represents that the value of given data set is non-random or orderly format. Otherwise, if the value is closer to eight, then the given set is random or un-orderly format. This is the basic concept of File Entropy calculation, which is related to Shannon equation.

Uses of entropy measurement

The feature of entropy calculation is applicable for different purposes. But, it is mainly applicable for finding the values of encrypted data and compressed files. Generally, the random data is not similar to the normal kind of user data. For this purpose, the users apply the feature of File Entropy to calculate the value of given data that is represented by the format of non-uniform. Due to the inconvenient format of random data when compared to typical user data, the executable files are generally encrypted with the feature of synchronized decryption algorithm. So, the users can access the data volumes in an easy way and can find the entropy values for those files efficiently.

File Entropy is also use in the field of malware protection, in the process of malware analysis as there are all kind of security related tools that you check on the file to extract all kind of information from the file, to determine if the file is a malware or legit file, and if it is a malware this can be useful on the malware file entropy can be a useful method to quickly check if the malware file had been packed with one of the packed software it is also a good method to check if the file encrypted by one of the encryption algorithm.

{ 7 Comments }