Monday, September 3, 2007

The Man In Our Machines

And his name is Mark Zbikowski.

And to be honest, not all machines, but only Windows based.
(Sorry for the eye catch!)

In every application you start, in every dll file that is loaded on your RAM (whether on your desktop, laptop or PDA device), as long as it is Windows based, there are two magic bytes in head of all the others that have a very specific meaning. These are the initials of one of the first Microsoft employees that was involved on all crucial Windows development phases. As said his name is Mark Zbikowski.

Take any windows executable file, dll file, either for PC or Windows CE and you will notice that the first two bytes are 0x4D 0x5A or in ASCII code MZ. Every file conforming to the Windows PE(Portable Executable) format (exe, dll, ocx etc) has an introducing DOS Header.

DOS was Microsoft's first Operating System delivered with all IBM PCs and was entirely command line based. Executable files (technically files that the system loader could map into memory and hand over the CPU control) were also identified by the .exe .com or .bat extension. With the domination of the Win32 and GUI environments, every new program that required Win32 functionality (e.g. drawing) was not able to be hosted under "pure" DOS. The least they should do was to print an error message like "This program cannot be run in DOS mode". This is a commonly found string also in every PE file (although it can be altered on compilation time)

So every windows application or library has a DOS part (basically a DOS dump program that prints out your desired message). In the beginning of this part that is actually the beginning of the file, the two bytes of the key DOS developer, Mark Zbikowski, are found much like a legacy for us to keep in mind that computers have been much less capable.

In the beginning of the PC era, there were not many things that you could do with a computer. Just programs for simple mathematical operations and one-color command line text editors seemed more like a programmer's joke or an attempt to prove that nothing special could be done with these machines. The process address space was limited just to 64K. Programs used to be the same both in the disk and on memory. With a 16-bit memory pointer you could only reach out for 65536 bytes.

Things changed when Mark decided to put a header before the executable file (much following the Unix style) that would describe the entire file and basically its sections so that it would be possible to create a process image much richer than its disk one. This led to a better memory management and of course good news for developers. So, this header replacing machine specific assembly code, should simply mean...nothing. Zbikowski decided to place his initials and since then every windows 'component' carries this legacy.

Further Reading:
Mark Zbikowski Wikipedia Entry
Mark Zbikowski interview

In next posts I will try to give a brief overview of the PE format used in current Windows systems and the exciting amount of information you could retrieve by processing its raw bytes. (Did you know for example that Skype application was technically built in 1992 ? -to help you I was not there! )

No comments: