SYS File Format

Hello All,

Where I can find information about the format of SYS file?
What is the different from DLL PE file format?

Thanks,
Ronen

Don
Wed Apr 18 09:33:18 CDT 2007

SYS file are PE DLL's, the format is the same.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Ronenoc" <Ronenoc@discussions.microsoft.com> wrote in message
news:B1EA55B2-06A7-4CAF-B593-1FF8ECFF72A6@microsoft.com...
> Hello All,
>
> Where I can find information about the format of SYS file?
> What is the different from DLL PE file format?
>
> Thanks,
> Ronen

Calvin
Wed Apr 18 12:10:02 CDT 2007

I think all windows executables (exe,dll,sys) are PE. Some have export
sections some don't.

--
Calvin Guan
Broadcom Corporation
Connecting Everything(r)

"Don Burn" <burn@stopspam.windrvr.com> wrote in message
news:urgNNbcgHHA.1244@TK2MSFTNGP04.phx.gbl...
> SYS file are PE DLL's, the format is the same.
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> "Ronenoc" <Ronenoc@discussions.microsoft.com> wrote in message
> news:B1EA55B2-06A7-4CAF-B593-1FF8ECFF72A6@microsoft.com...
>> Hello All,
>>
>> Where I can find information about the format of SYS file?
>> What is the different from DLL PE file format?
>>
>> Thanks,
>> Ronen
>
>

AntonBassov
Wed Apr 18 16:04:02 CDT 2007


> SYS file are PE DLL's, the format is the same.

Actually, there is a difference - unlike user-mode exe's and DLL's, drivers
normally have INIT section with the data that is needed only upon driver's
initialization (DriverEntry(), data that is needed to fill IAT, etc). When
driver is loaded, this section gets discarded from RAM. This is done in order
to optimize memory usage - after all, driver code and data sections have to
be loaded in RAM all the time, so that the system saves quite a few pages by
discarding data that is not needed after driver initialization (normally you
have around 100 drivers in RAM, so that the total
effect may be quite significant if the target machine does not have that
much RAM).


Anton Bassov

"Don Burn" wrote:

> SYS file are PE DLL's, the format is the same.
>
>
> --
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
> Remove StopSpam to reply
>
> "Ronenoc" <Ronenoc@discussions.microsoft.com> wrote in message
> news:B1EA55B2-06A7-4CAF-B593-1FF8ECFF72A6@microsoft.com...
> > Hello All,
> >
> > Where I can find information about the format of SYS file?
> > What is the different from DLL PE file format?
> >
> > Thanks,
> > Ronen
>
>
>

Alexander
Thu Apr 19 15:44:15 CDT 2007

It's just a section, named INIT, which is treated in special way by a kernel
PE loader. There is no special provision in the format itself for that
section. PE format is still PE format. Now, considering that a DriverEntry
function of a PNP driver is _very_ rudimentary, there is no much gain of
placing it into INIT.

"Anton Bassov" <AntonBassov@discussions.microsoft.com> wrote in message
news:2BD60926-8033-4D7B-8ED6-0FE0B562A069@microsoft.com...
>
>> SYS file are PE DLL's, the format is the same.
>
> Actually, there is a difference - unlike user-mode exe's and DLL's,
> drivers
> normally have INIT section with the data that is needed only upon driver's
> initialization (DriverEntry(), data that is needed to fill IAT, etc). When
> driver is loaded, this section gets discarded from RAM. This is done in
> order
> to optimize memory usage - after all, driver code and data sections have
> to
> be loaded in RAM all the time, so that the system saves quite a few pages
> by
> discarding data that is not needed after driver initialization (normally
> you
> have around 100 drivers in RAM, so that the total
> effect may be quite significant if the target machine does not have that
> much RAM).
>
>