How to find out whether a file is executable or not (i.e. .dll or .exe or .sys)

Hi,

Is there any way that we can find out whether a file is an executable or not
at kernel level? Executables means files like .dll or .sys or .exe.

Thanks,
Kedar.

I’m currently doing this by looking at known fields in the PE header
(they all contain the MZ signature at the start of the MS-DOS header for
example) - this approach isn’t foolproof because it can lead to false
positives. However, for my application, the identification of
executables is primarily an optimization so false positives are OK
whereas false negatives are not.

The PE header format is described in detail on MSDN.

Regards

Mark

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of kedar
Sent: 31 May 2005 17:08
To: Windows File Systems Devs Interest List
Subject: [ntfsd] How to find out whether a file is executable or not(i.e
.dll or .exe or .sys)

Hi,

Is there any way that we can find out whether a file is an executable or
not
at kernel level? Executables means files like .dll or .sys or .exe.

Thanks,
Kedar.


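The header check described in the reply above, carried past the MZ signature to the PE signature, optional-header magic, Characteristics and Subsystem fields so that fewer non-PE files pass (an added example, not code from this thread). The names `pe_kind`, `pe_classify` and `pe_sample` are made up here; the field offsets and constants follow the published PE format, and the function assumes the caller has already read the start of the file into a buffer.

```c
#include <stdint.h>
#include <string.h>

/* Result names are this example's own. PE_NATIVE means the native subsystem
   (drivers and other native images); it does not prove kernel mode. */
enum pe_kind { PE_NONE = 0, PE_EXE, PE_DLL, PE_NATIVE };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Classify the first `len` bytes of a file. Every offset is bounds-checked
   before it is read, because the buffer is untrusted file content. */
enum pe_kind pe_classify(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return PE_NONE;                           /* no MS-DOS header */
    uint32_t nt = rd32(buf + 0x3C);               /* e_lfanew */
    /* signature (4) + file header (20) + optional header through Subsystem (70) */
    if (nt > len || len - nt < 4 + 20 + 70)
        return PE_NONE;
    if (memcmp(buf + nt, "PE\0\0", 4) != 0)
        return PE_NONE;                           /* MZ alone: DOS program or other data */
    uint16_t opt_size = rd16(buf + nt + 4 + 16);  /* SizeOfOptionalHeader */
    uint16_t chars    = rd16(buf + nt + 4 + 18);  /* Characteristics */
    uint16_t magic    = rd16(buf + nt + 24);      /* 0x10B = PE32, 0x20B = PE32+ */
    if (opt_size < 70 || (magic != 0x10B && magic != 0x20B))
        return PE_NONE;
    if (!(chars & 0x0002))                        /* IMAGE_FILE_EXECUTABLE_IMAGE */
        return PE_NONE;
    if (rd16(buf + nt + 24 + 68) == 1)            /* Subsystem == IMAGE_SUBSYSTEM_NATIVE */
        return PE_NATIVE;
    return (chars & 0x2000) ? PE_DLL : PE_EXE;    /* IMAGE_FILE_DLL */
}

/* Constructed sample input: minimal headers only, not a loadable image. */
size_t pe_sample(uint8_t *out, size_t cap, uint16_t chars, uint16_t subsystem)
{
    const uint32_t nt = 0x80;
    size_t need = nt + 4 + 20 + 70;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = (uint8_t)nt;
    memcpy(out + nt, "PE\0\0", 4);
    out[nt + 4 + 16] = 70;                        /* SizeOfOptionalHeader */
    out[nt + 4 + 18] = (uint8_t)chars; out[nt + 4 + 19] = (uint8_t)(chars >> 8);
    out[nt + 24] = 0x0B; out[nt + 25] = 0x01;     /* PE32 magic */
    out[nt + 24 + 68] = (uint8_t)subsystem;
    return need;
}
```

Because each failed check returns `PE_NONE`, a file that is an executable but is truncated in the buffer is reported as not executable; read at least `e_lfanew` + 94 bytes before calling if false negatives matter.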

Maybe the best is to check the import table. If the executable
imports something from ntoskrnl.exe or hal.dll, it will surely
be a kernel mode DLL or SYS (EXE cannot be kernel mode
only, can it?)

L.