Results 1 to 2 of 2

Thread: PE question - Subsystem Environments

  1. #1
    Registered User
    Join Date
    Mar 2004
    Location
    maze of twisty little passages, all alike
    Posts
    133

    PE question - Subsystem Environments

    On another (non-reversing) forum, someone was asking about the difference between a DOS application and a Win32 console application. I answered his question, but also kind of sidetracked into the history of Windows environment subsystems and the support (or lack thereof) that Windows has/had for POSIX and OS/2. This lead me to take a deeper look at the Subsystem field in the PE optional header. I consulted the PECOFF Specification v8.0 (dated May 16, 2006), which as far as I know is the latest version. It gives the following decimal values for this field:

    Code:
    IMAGE_SUBSYSTEM_UNKNOWN                    0  An unknown subsystem
    IMAGE_SUBSYSTEM_NATIVE                     1  Device drivers and native Windows processes
    IMAGE_SUBSYSTEM_WINDOWS_GUI                2  The Windows graphical user interface (GUI) subsystem
    IMAGE_SUBSYSTEM_WINDOWS_CUI                3  The Windows character subsystem
    IMAGE_SUBSYSTEM_POSIX_CUI                  7  The Posix character subsystem
    IMAGE_SUBSYSTEM_WINDOWS_CE_GUI             9  Windows CE
    IMAGE_SUBSYSTEM_EFI_APPLICATION           10  An Extensible Firmware Interface (EFI) application
    IMAGE_SUBSYSTEM_EFI_BOOT_ SERVICE_DRIVER  11  An EFI driver with boot services
    IMAGE_SUBSYSTEM_EFI_RUNTIME_ DRIVER       12  An EFI driver with run-time services
    IMAGE_SUBSYSTEM_EFI_ROM                   13  An EFI ROM image
    IMAGE_SUBSYSTEM_XBOX                      14  XBOX
    An old copy of the Win32 SDK that I have also lists:

    Code:
    IMAGE_SUBSYSTEM_OS2_CUI                    5  OS/2 CUI subsystem
    MSDN confirms that and also adds:

    Code:
    IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION  16  Boot application
    Apparently that's a Vista thing.

    Several web pages also listed:

    Code:
    IMAGE_SUBSYSTEM_NATIVE_WINDOWS             8  Native Windows 9x Driver
    I can't find any information to support that assertion, though. As far as I know, VXD files are always in LE format, not PE. And real-mode drivers for Win 9x are DOS MZ format.

    My question -- purely for historical curiosity -- is what the values 4, 6, and 8 were used for, if anything. And for that matter, 15. It looks like they skipped it recently, but I'm not sure why. If 2 is Windows GUI and 3 is Windows CUI, I would speculate that 4 might have been reserved for OS/2 GUI and 6 might be POSIX GUI. I can't find any document that claims to know what these values would indicate.

    Using them causes Windows to display "The <binary> application cannot be run in Win32 mode", which is what it does for pretty much anything other than 2 or 3. Amusingly, if you set the value to 7 (POSIX CUI), Windows will tell you that the executable file doesn't exist!
    The debugging of a thousand lines of code begins with a single-step.

    "It has always therefore been one of my main endeavors as a teacher to persuade the young that first-hand knowledge is not only more worth acquiring than second-hand knowledge, but is usually much easier and more delightful to acquire." -- C.S. Lewis

    I think I can, I think I can, I think I can...

  2. #2
    I don't know much about historical Windows architecture, but I've seen enough of the Win32 API to believe that such codes bear little or no significance. Very often, individual bits carry certain implications but deducing importance from missing values in a sequence is generally misguided. The details of these enumerations are presumably relics of the instantaneous frame-of-mind of whichever developer was responsible for creating them at the time, so unless somebody here has good evidence to the contrary, I'd suggest you forget about this altogether .
    www.ring3circus.com
    Diary of a programmer, journal of a hacker.

Similar Threads

  1. Ideas and concepts: behind the Sin32 Subsystem
    By BanMe in forum Blogs Forum
    Replies: 0
    Last Post: June 27th, 2009, 19:31
  2. Implementing Custom Subsystem == ?
    By shakuni in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: May 10th, 2008, 13:59
  3. Malware and Virtual Environments
    By Kayaker in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: March 25th, 2007, 19:18
  4. N00b question about test al,al (and a conditional breakpoint question)
    By zambuka42 in forum OllyDbg Support Forums
    Replies: 10
    Last Post: July 25th, 2006, 15:55

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •