Hidden 16-bit DOS app inside your Windows apps - Use Ghidra and 16-bit debug.exe to analyze/run it!

Hi everyone! This video covers...

• Windows EXE files have a hidden 16-bit DOS app.
• The MZ header and 16-bit DOS stub.
• Use Ghidra "PE" and "MZ" modes to analyze from two different perspectives.
• Tell Ghidra to reinterpret disassembled instructions as data when its first guess is incorrect.
• Use DOSBox to run the hidden 16-bit DOS app, the DOS stub.
• Quick example of 16-bit DOS int 21h API calls.
• Quick example of 16-bit debug.exe, its resemblance to today's Windows debuggers... the beauty of back-compat respect.

Clickable Table of Contents

00:00 Start
00:15 Overview
01:21 Visual Studio 2022 setup
02:03 VS Code setup
02:19 Hex viewer setup
02:37 Start of tutorial (after setup)
02:50 Recap, IMAGE_DOS_HEADER
03:36 Build Debug x64 console app
03:50 Open exe in hex viewer
04:11 Recap of raw MZ header
04:41 Create Ghidra project
04:57 Add .exe as PE to Ghidra project
05:30 Analyze header via Ghidra/PE
06:01 View hidden DOS program as bytes
06:18 Add .exe as DOS exe (MZ)
06:41 Analyze header via Ghidra/MZ
06:53 Sanity check program bytes
07:11 DOS program "$" terminated string
07:29 Examine 16-bit DOS program
08:55 DOS int 21h API calls
09:08 API AH=9 print "$" terminated string
09:26 Segment/offset example
09:55 DOS API call high level overview
11:55 Ghidra, please interpret as string, not code
12:33 Making use of existing zeros
13:16 Prep to run 1980s DOS program
13:27 DOSBox
13:38 Mount Windows dir as DOS drive
14:04 Copy x64 Windows .exe to DOS drive
14:40 Long File Names vs Short File Names
15:43 Run the 1980s DOS program!?!?
16:22 Dual-personality .exe files
16:57 Debug Windows .exe using 1980s debugger
17:06 'r' for registers
17:16 'u' unassemble
17:53 push CS, pop DS to assign DS=CS
18:12 'r' for next instruction
18:23 't' to trace one instruction
18:42 honoring back compat
19:29 DOS int 21h, stepping over with 'g [addr]'
21:45 DOS int 21h AH=4C terminate program
22:33 end of program
23:10 outro, wrap up

Tutorial source code: git clone https://github.com/AshleyT3/tutorial-sample-code.git

(For simplicity/consistency, this video uses SimpleMessageBox.exe from the prior video.)

Prior videos which you might find helpful:

• dumpbin.exe, link /dump, and the Portable Executable Format (PE Format) https://www.youtube.com/watch?v=ZF9QTM87H4Q
• Create/Assemble/Link x64 Windows asm exe, Debugging Tools for Windows (WinDbg), stack shadow store. https://www.youtube.com/watch?v=I8TL2BbKnbQ

Buy Me a Coffee https://www.buymeacoffee.com/ricochettech

Subscribe to the RicochetTech email list: https://ricochettech.net/subscribe
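An added Python example (not from the video or its tutorial-sample-code repository) that does by hand what the Ghidra "MZ" view and the int 21h walkthrough above show: it unpacks IMAGE_DOS_HEADER, slices out the DOS stub that sits between the header paragraphs (e_cparhdr*16) and e_lfanew, recovers the DX offset the stub passes to int 21h AH=09h and reads the "$"-terminated message, and pulls the exit code from the AH=4Ch call. The sample image bytes, the stub layout and the helper names are constructed for this example; pass a real .exe path as argv[1] to run it against an actual file.

```python
import struct
import sys

# IMAGE_DOS_HEADER: e_magic, 13 WORDs, e_res[4], e_oemid, e_oeminfo, e_res2[10], e_lfanew
DOS_HEADER_FMT = "<2s13H8s2H20sI"
DOS_HEADER_SIZE = struct.calcsize(DOS_HEADER_FMT)  # 64 bytes
DOS_HEADER_NAMES = [
    "e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
    "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno",
    "e_res", "e_oemid", "e_oeminfo", "e_res2", "e_lfanew",
]

# Constructed sample image (not taken from the video): a DOS header, the classic
# 16-bit stub, and just enough of a PE signature at e_lfanew to be recognised.
# With e_cs = e_ip = 0 the stub runs at CS:0000, and push cs / pop ds makes DS = CS,
# so the DX operand below is an offset relative to the start of the stub.
STUB_CODE = bytes([
    0x0E,               # push cs
    0x1F,               # pop ds          ; DS = CS
    0xBA, 0x0E, 0x00,   # mov dx, 000Eh   ; offset of the message within the stub
    0xB4, 0x09,         # mov ah, 09h     ; DOS: print "$"-terminated string at DS:DX
    0xCD, 0x21,         # int 21h
    0xB8, 0x01, 0x4C,   # mov ax, 4C01h   ; DOS: terminate with exit code 1
    0xCD, 0x21,         # int 21h
])
STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"
E_LFANEW = 0x80
SAMPLE_EXE = (
    struct.pack(DOS_HEADER_FMT, b"MZ",
                0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0,
                b"\0" * 8, 0, 0, b"\0" * 20, E_LFANEW)
    + (STUB_CODE + STUB_MSG).ljust(E_LFANEW - DOS_HEADER_SIZE, b"\0")
    + b"PE\0\0" + b"\0" * 20
)


def parse_dos_header(data):
    """Unpack IMAGE_DOS_HEADER into a dict; raise if the 'MZ' magic is missing."""
    if len(data) < DOS_HEADER_SIZE:
        raise ValueError("too small for an MZ header")
    hdr = dict(zip(DOS_HEADER_NAMES, struct.unpack(DOS_HEADER_FMT, data[:DOS_HEADER_SIZE])))
    if hdr["e_magic"] != b"MZ":
        raise ValueError("missing MZ magic")
    return hdr


def has_pe_signature(data, hdr):
    """True when e_lfanew points at 'PE\\0\\0' inside the file (the Windows personality)."""
    off = hdr["e_lfanew"]
    return 0 < off <= len(data) - 4 and data[off:off + 4] == b"PE\0\0"


def extract_dos_stub(data):
    """Bytes DOS loads: from the end of the header paragraphs (e_cparhdr*16) up to the PE header."""
    hdr = parse_dos_header(data)
    start = hdr["e_cparhdr"] * 16
    end = hdr["e_lfanew"] if has_pe_signature(data, hdr) else len(data)
    return data[start:end]


def ah09_message_offset(stub):
    """Recover DX from a 'mov dx, imm16' (BA xx xx) shortly before 'mov ah, 09h / int 21h'.

    This is a byte-pattern heuristic for the stub idiom shown in the video, not a disassembler.
    """
    call = stub.find(b"\xB4\x09\xCD\x21")
    if call < 0:
        return None
    mov_dx = stub.rfind(b"\xBA", max(0, call - 8), call)
    if mov_dx < 0:
        return None
    return struct.unpack_from("<H", stub, mov_dx + 1)[0]


def dollar_string(stub, offset):
    """Read a DOS '$'-terminated string, the convention int 21h AH=09h expects."""
    end = stub.find(b"$", offset)
    if end < 0:
        raise ValueError("no '$' terminator")
    return stub[offset:end].decode("ascii", errors="replace")


def ah4c_exit_code(stub):
    """Exit code AL from 'mov ax, 4Cxxh / int 21h'; None if the stub does not end that way."""
    i = stub.find(b"\xB8")
    while i >= 0:
        if stub[i + 2:i + 5] == b"\x4C\xCD\x21":
            return stub[i + 1]
        i = stub.find(b"\xB8", i + 1)
    return None


def describe(data):
    """Summarise the dual-personality image: PE check, stub size, DOS message and exit code."""
    hdr = parse_dos_header(data)
    stub = extract_dos_stub(data)
    off = ah09_message_offset(stub)
    return {
        "e_lfanew": hdr["e_lfanew"],
        "is_pe": has_pe_signature(data, hdr),
        "stub_len": len(stub),
        "message": dollar_string(stub, off) if off is not None else None,
        "exit_code": ah4c_exit_code(stub),
    }


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXE
    for key, value in describe(blob).items():
        print(f"{key}: {value!r}")
```

On a real Windows executable the stub region is whatever the linker put there; a non-standard or enlarged stub is a quick thing to check when triaging a file, since it is code DOS (or DOSBox) will happily run while Windows ignores it.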