Have you ever wondered why every DOS executable (and since PE headers are derived from DOS headers every Windows executable such as a DLL or an EXE) has MZ at the beginning of the file ? You will find DOS header defined in winnt.h starting off like
e_magic which is a 2 byte magic number is MZ because those are the initials of Mark Zbikowski who designed the DOS executable file format and was an early Microsoft Architect.
The magic numbers for subsequent executable formats in Windows such as NE (New Executable) for 16-bit Windows, LE (Linear Executable) for VxDs, PE (Portable Executable), unfortunately do not have a story like that. [Now I wish I knew the Executables but I don’t.]
PE format has actually got 2 versions – PE32 for 32-bit Windows and PE32+ for 64-bit Windows. Matt Pietrek has written an excellent article on PE format here.
Now going back to DOS header, Wikipedia asserts that one could put ZM instead of MZ in the IMAGE_DOS_HEADER e_magic and Windows will not have a problem loading it. Really ? I believeth not and I think you should not.
Check it out and let me know what you find.
Update: Since none of you chose to communicate, here is what I found. The assertion is correct but with a caveat. PE files will not run with ZM in DOS header. NT loader seems to downgrade them to DOS executables so a modified win32 PE file with ZM will end up executing the DOS stub that shows “This program cannot be run in DOS mode“
