Executable Formats and How To Exploit Them
Want to learn more about COM executable formats? Check out this tutorial where we take a look at the executable formats and how to exploit them!
COM executable formats were very simple and very elegant. They were just bags of instructions the computer would execute, placed after the program segment prefix in DOS. There was no relocation, no code analysis, or reordering tricks — none of the kinds of things we've come to expect from today's convoluted and confusing formats. That made them very susceptible to malware, of course, but it also allowed programs to be smaller and easier to understand. I'll show you what I mean.
So, I've written two programs that do the exact same thing. One is compiled into a COM file, the other into a DOS EXE. The assembly code looks like this:
When compiled, the COM file is a whopping 20 BYTES (!), while the EXE is 536 bytes. The binary code generated, just to compare:
The COM file, to the left, just contains instructions. The EXE file, to the right, contains instructions (at the end of the file), relocation, and program information in the first 28 bytes of the file. And there's a whole lot of empty space that doesn't get used. Note: if you look at offsets 0x08 and 0x09, you'll see that these bytes store the value 0x0020 (remember: PCs were little endian then, too). This is the number of 16-byte paragraphs reserved for the header, which brings you to the beginning of the executable code, at address 0x0000200. If you're writing a virus, this information gives you all you need to know to have some idea of where you can stuff code for later execution. COM files are easy to infect, and DOS EXE files (or MZ EXE files, named after the magic number in the first two bytes of the file) are just slightly more difficult.
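To make the header walk above concrete from the analyst's side, here is an added example (my own code, not from the article) that parses the 28-byte MZ header, reads the paragraph count at offset 0x08, computes where the code starts, and runs the consistency checks a loader or file scanner would want: does the header's claimed size match the file, does the code start lie inside the file, and how much unused header space sits between the header data and the code. The 536-byte EXE and 5-byte COM images are constructed stand-ins with the same layout the text describes (0x20 header paragraphs, code at 0x200), not the author's binaries.

```python
"""Parse the DOS MZ header and sanity-check it the way a loader or scanner would."""
import struct
from dataclasses import dataclass
from typing import List

MZ_MAGIC = b"MZ"      # magic number in the first two bytes of a DOS EXE
MZ_HEADER_LEN = 28    # fixed header, 0x1C bytes
PARAGRAPH = 16        # DOS counts header size in 16-byte paragraphs
PAGE = 512            # DOS counts file size in 512-byte pages

# All header fields after the magic are little-endian 16-bit words.
_MZ_STRUCT = struct.Struct("<2s13H")
_FIELDS = ("e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
           "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


@dataclass(frozen=True)
class MzHeader:
    e_cblp: int       # bytes used on the last 512-byte page (0 = page is full)
    e_cp: int         # number of 512-byte pages in the file
    e_crlc: int       # number of relocation entries (4 bytes each)
    e_cparhdr: int    # header size in paragraphs: the word at offset 0x08
    e_minalloc: int
    e_maxalloc: int
    e_ss: int
    e_sp: int
    e_csum: int
    e_ip: int         # initial CS:IP, relative to the start of the load module
    e_cs: int
    e_lfarlc: int     # file offset of the relocation table
    e_ovno: int

    @property
    def code_offset(self) -> int:
        """File offset where the load module (the code) begins."""
        return self.e_cparhdr * PARAGRAPH

    @property
    def image_size(self) -> int:
        """File size implied by e_cp and e_cblp."""
        size = self.e_cp * PAGE
        if self.e_cblp:
            size -= PAGE - self.e_cblp
        return size

    @property
    def reloc_table_end(self) -> int:
        return self.e_lfarlc + 4 * self.e_crlc

    @property
    def header_slack(self) -> int:
        """Unused bytes between the end of header data and the start of code."""
        return max(0, self.code_offset - max(MZ_HEADER_LEN, self.reloc_table_end))


def classify(data: bytes) -> str:
    """A COM image has no header at all; the MZ magic is what sets an EXE apart."""
    return "MZ" if data[:2] == MZ_MAGIC else "COM"


def parse_mz(data: bytes) -> MzHeader:
    if len(data) < MZ_HEADER_LEN:
        raise ValueError("file shorter than the 28-byte MZ header")
    magic, *words = _MZ_STRUCT.unpack_from(data, 0)
    if magic != MZ_MAGIC:
        raise ValueError("missing MZ magic number")
    return MzHeader(**dict(zip(_FIELDS, words)))


def check_mz(data: bytes) -> List[str]:
    """Checks a loader or scanner should make before trusting the header."""
    h = parse_mz(data)
    findings = []
    if h.code_offset > len(data):
        findings.append(f"code start 0x{h.code_offset:x} lies beyond end of file ({len(data)} bytes)")
    if h.image_size != len(data):
        findings.append(f"header claims {h.image_size} bytes, file has {len(data)}")
    if h.e_crlc and h.reloc_table_end > h.code_offset:
        findings.append("relocation table overlaps the code")
    return findings


def entry_point(data: bytes) -> int:
    """File offset of the first instruction DOS executes, for either format."""
    if classify(data) == "COM":
        return 0  # the whole file is code, loaded at CS:0100h right after the PSP
    h = parse_mz(data)
    return h.code_offset + h.e_cs * PARAGRAPH + h.e_ip


def build_sample_exe() -> bytes:
    """Constructed 536-byte DOS EXE: 0x20 header paragraphs, 24 bytes of code at 0x200."""
    code = b"\xb8\x00\x4c\xcd\x21".ljust(24, b"\x90")  # mov ax,4C00h / int 21h, NOP-padded
    total = 0x200 + len(code)
    header = _MZ_STRUCT.pack(
        MZ_MAGIC,
        total % PAGE,                # e_cblp = 24
        (total + PAGE - 1) // PAGE,  # e_cp = 2
        0,                           # e_crlc: no relocations
        0x20,                        # e_cparhdr: 0x20 paragraphs = 0x200 bytes
        0, 0xFFFF,                   # e_minalloc, e_maxalloc
        0, 0x100,                    # e_ss, e_sp
        0,                           # e_csum
        0, 0,                        # e_ip, e_cs
        MZ_HEADER_LEN,               # e_lfarlc: empty table right after the header
        0,                           # e_ovno
    )
    return header.ljust(0x200, b"\x00") + code


SAMPLE_COM = b"\xb8\x00\x4c\xcd\x21"  # constructed: the same DOS exit as a bare COM image
SAMPLE_EXE = build_sample_exe()

if __name__ == "__main__":
    print(classify(SAMPLE_EXE), parse_mz(SAMPLE_EXE))
    print("code starts at", hex(entry_point(SAMPLE_EXE)), "slack", parse_mz(SAMPLE_EXE).header_slack)
    print("truncated file findings:", check_mz(SAMPLE_EXE[:300]))
```

On the constructed EXE the parser reports 0x20 at offset 0x08 and a code start of 0x200, with 484 bytes of slack between the end of the header data and the code; a file truncated to 300 bytes fails both the size and code-start checks, which is exactly the kind of header-versus-content mismatch a scanner should flag before anything is loaded.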