Search code examples
windowsportable-executable

Why does editbin /swaprun:CD /swaprun:NET change two bytes?

Calling editbin for a dll with the options /swaprun:CD and /swaprun:NET changes the PE header word of the dll, setting bits $0400 and $0800 (so actually it only changes the high byte).

That's what it is supposed to do.

But it also changes another byte (see hex comparison).

Can anybody explain to me what this byte means and why it is being changed?

edit: To clarify: editbin with these options is supposed to set the IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP and IMAGE_FILE_NET_RUN_FROM_SWAP bits in the PE header's Characteristics field (which is a 16 bit word). This is the first byte I am talking about. None of these flags is stored in the second byte, so why does the tool change more than necessary and what does it mean?

enter image description here

Solution

  • IMAGE_FILE_HEADER.Characteristics |= IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP|IMAGE_FILE_NET_RUN_FROM_SWAP;

    So 0x2122 -> 0x2d22 (=2122|0x0c00)

    And IMAGE_OPTIONAL_HEADER.CheckSum is changed from 0x000a3c31 to 0x000a4831