1 Check if the value of the E_MAGIC member of the image_dos_header structure is equal to "MZ", that is, check if the value of the first word of the file header is equal to Image_DOS_SIGNATURE. Why is this? Conversion with MC_ASCII conversion tools, M-> 77 (D) -> 4D (h), z-> 90 (d) -> 5a (h), together is zm-> 5a4d (h), and view Windows The equivalence definition of .inc is image_dos_signature EQU 5A4DH, you can know the same.
2 and then use E_LFANew to locate Pe Header
3 Judging whether the signature member value of the image_nt_headers structure is equal to "PE / 0/0", that is, check if the value of the first word of Pe Header is equal to Image_NT_SIGNATURE. Cause, such as 1, the equivalence definition of Windows.inc. If both match matches, this file is considered a valid PE file.
