New Executable file format
New Executable (NE) file format used by set of operating system including OS/2, Windows, Multitasking MS-DOS 4 and set of DOS Extenders. It is designed to be store on disk and in-memory usage. In-disk format is same for all OSes, but In-memory usage is mostly specific for Windows systems.
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | ne_magic | Signature word NEMAGIC |
On-disk | |||
02h | BYTE | ne_ver | Version number of the linker |
03h | BYTE | ne_rev | Revision number of the linker |
In-memory | |||
02h | WORD | count | Usage count (ne_ver/ne_rev on disk) |
04h | WORD | ne_enttab | Entry Table file offset, relative to the beginning of the segmented EXE header |
On-disk | |||
06h | WORD | ne_cbenttab | Number of bytes in the entry table |
In-memory | |||
06h | WORD | next | Selector to next module |
On-disk | |||
08h | DWORD | ne_crc | 32-bit CRC of entire contents of file. These words are taken as 00 during the calculation |
In-memory | |||
08h | WORD | dgroup_entry | Near ptr to segment entry for DGROUP |
0Ah | WORD | fileinfo | Near ptr to file info (OFSTRUCT) |
0Ch | WORD | ne_flags | Flag word |
0Eh | WORD | ne_autodata | Segment number of automatic data segment. This value is set to zero if SINGLEDATA and MULTIPLEDATA flag bits are clear, NOAUTODATA is indicated in the flags word. A Segment number is an index into the module's segment table. The first entry in the segment table is segment number 1 |
10h | WORD | ne_heap | Initial size, in bytes, of dynamic heap added to the data segment. This value is zero if no initial local heap is allocated |
12h | WORD | ne_stack | Initial size, in bytes, of stack added to the data segment. This value is zero to indicate no initial stack allocation, or when SS is not equal to DS |
14h | DWORD | ne_csip | Segment number:offset of CS:IP |
18h | DWORD | ne_sssp | Segment number:offset of SS:SP If SS equals the automatic data segment and SP equals zero, the stack pointer is set to the top of the automatic data segment just below the additional heap area. +————————–+ ! additional dynamic heap ! +————————–+ ← SP ! additional stack ! +————————–+ ! loaded auto data segment !% +————————–+ ← DS, SS |
1Ch | WORD | ne_cseg | Number of entries in the Segment Table |
1Eh | WORD | ne_cmod | Number of entries in the Module Reference Table |
20h | WORD | ne_cbnrestab | Number of bytes in the Non-Resident Name Table |
22h | WORD | ne_segtab | Segment Table file offset, relative to the beginning of the segmented EXE header |
24h | WORD | ne_rsrctab | Resource Table file offset, relative to the beginning of the segmented EXE header |
26h | WORD | ne_restab | Resident Name Table file offset, relative to the beginning of the segmented EXE header |
28h | WORD | ne_modtab | Module Reference Table file offset, relative to the beginning of the segmented EXE header |
2Ah | WORD | ne_imptab | Imported Names Table file offset, relative to the beginning of the segmented EXE header |
2Ch | DWORD | ne_nrestab | Non-Resident Name Table offset, relative to the beginning of the file |
30h | WORD | ne_cmovent | Number of movable entries in the Entry Table |
32h | WORD | ne_align | Logical sector alignment shift count, log(base 2) of the segment sector size (default 9) |
34h | WORD | ne_cres | Number of resource entries |
36h | BYTE | ne_exetyp | Executable type, used by loader. 02h = WINDOWS |
37h | BYTE | ne_flagsothers | Operating system flags |
38h | WORD | ??? | offset to return thunks or start of gangload area |
3Ah | WORD | ??? | offset to segment reference thunks or length of gangload area |
3Ch | WORD | ??? | minimum code swap area size |
3Eh | 2 BYTEs | ??? | expected Windows version (minor version first) |
On-disk segment entry
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | ns_sector | Logical-sector offset (n byte) to the contents of the segment data, relative to the beginning of the file. Zero means no file data |
02h | WORD | ns_cbseg | Length of the segment in the file, in bytes. Zero means 64K |
04h | WORD | ns_flags | Flag word |
06h | WORD | ns_minalloc | Minimum allocation size of the segment, in bytes. Total size of the segment. Zero means 64K |
In-memory segment entry
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | ns1_sector | Logical-sector offset (n byte) to the contents of the segment data, relative to the beginning of the file. Zero means no file data |
02h | WORD | ns1_cbseg | Length of the segment in the file, in bytes. Zero means 64K |
04h | WORD | ns1_flags | Flag word |
06h | WORD | ns1_minalloc | Minimum allocation size of the segment, in bytes. Total size of the segment. Zero means 64K |
08h | WORD | ns1_handle | Selector or handle (selector - 1) of segment in memory |
struct new_segdata {
union { struct { WORD ns_niter; WORD ns_nbytes; char ns_iterdata; } ns_iter; struct { char ns_data; } ns_noniter; } ns_union;
};
Relocation table header
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | nr_nreloc | Number of relocation table entries |
Relocation table entry
Offset | Size | Name | Description |
---|---|---|---|
00h | char | nr_stype | Source type (0Fh = NRSTYP - source mask): 00h = LOBYTE, 02h = SEGMENT, 03h = FAR_ADDR (32-bit pointer), 05h = OFFSET (16-bit offset) |
01h | char | nr_flags | Flags byte (03h = TARGET_MASK): 00h = INTERNALREF, 01h = IMPORTORDINAL, 02h = IMPORTNAME, 03h = OSFIXUP, 04h = ADDITIVE |
02h | WORD | nr_soff | Offset within this segment of the source chain. If the ADDITIVE flag is set, then target value is added to the source contents, instead of replacing the source and following the chain. The source chain is an 0FFFFh terminated linked list within this segment of all references to the target |
Internal fixup | |||
04h | char | nr_segno | Segment number (for fixed segment) or 0FFh (for movable segment) |
05h | char | nr_res | Reserved (usually zero) |
06h | WORD | nr_entry | Entry table number (for movable segment) offset segment |
Import | |||
04h | WORD | nr_mod | ??? |
06h | WORD | nr_proc | ??? |
OS Fixup | |||
04h | WORD | nr_ostype | ??? |
06h | WORD | nr_osres | ??? |
Offset | Size | Name | Description |
---|---|---|---|
00h | char | rs_len | ??? |
01h | char | rs_string[1] | ??? |
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | rt_id | ??? |
02h | WORD | rt_nres | ??? |
04h | DWORD | rt_proc | ??? |
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | rn_offset | ??? |
02h | WORD | rn_length | ??? |
04h | WORD | rn_flags | ??? |
06h | WORD | rn_id | ??? |
08h | WORD | rn_handle | ??? |
0Ah | WORD | rn_usage | ??? |
Offset | Size | Name | Description |
---|---|---|---|
00h | WORD | rs_align | ??? |
02h | struct rsrc_typeinfo | rs_typeinfo | ??? |