2

If you remove "data directory" from a "PE file" what will happen ? I think loader will give an error, but I'm not sure. Please try to correct me.

Improve this question
2
  • you mean .data and not directory you mean Section or Segment right? deleting it is pretty simple just get a PEditor by yoda and delete it, you won't be able to run the program it will just say is not a valid Win32 application Commented Apr 30, 2014 at 5:16
  • Thanks for the reply. But I'm talking about 16 data directories(128 bytes) in Optional header of a PE file. All other things like data section, section table and other section will be intact, but i'm just deleting the Data directories from PE optional header. So what will happen will loading this PE file ? Any help will be appreciated .. Commented Apr 30, 2014 at 5:54

2 Answers 2

Reset to default
3

You can't exactly "delete" this directory, however you can set the NumberOfRvaAndSizes field to 0 and then the system loader won't use the entries from it. From the TinyPE page:

The PE specification says that the number of data directories is specified in the NumberOfRvaAndSizes header field and the size of the PE optional header is variable. If we set NumberOfRvaAndSizes to 0 and decrease SizeOfOptionalHeader, we can remove the data directories from the file.

However, the resulting file won't work in Windows 2000 "because the loader tries to call a function from KERNEL32, but KERNEL32.DLL is not loaded". So normally you should add at least an Import Table directory, which needs NumberOfRvaAndSizes to be at least 2. (You also need an import directory if you want your file to do anything useful, like call functions from other DLLs :)

Improve this answer
3
  • Why is "at least 2" for only an Import Table directory? Commented Feb 11, 2015 at 12:53
  • 2
    @SerG: because import directory is index #1 Commented Feb 11, 2015 at 16:09
  • I'm sure you CAN delete this directory, after setting the NumberOfRvaAndSizes to 0, you cut the next 128 bytes and move every following byte to the left 128. Oh, and is Windows2000 still a thing? Commented Jan 4, 2020 at 6:10
0

I haven't done this since the early days of MSDOS filenames in 8.3 form. If you edit the dard disc directory area with a hex editor and change the flag byte(s) which signify that a file is an extended directory then you can open that file as if it was a file. I don't know what happens with later Ms DOSs, though. Easy enough to test with WinHex, if you want.

Improve this answer
1
  • 1
    This is completely irrelevant to PE file format. Commented Apr 30, 2014 at 9:42

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.