The Forgotten Stub: Exploring Malicious Use of the PE DOS Header

Authors

  • Sayonnha Mandal, University of Nebraska at Omaha
  • Kshitiz Aryal
  • William Mahoney

DOI:

https://doi.org/10.34190/eccws.25.1.4769

Keywords:

Reverse engineering, Malware, Windows, Software exploits

Abstract

Malicious actors increasingly employ sophisticated concealment techniques within Windows Portable Executable (PE) files to evade static and dynamic detection, complicating incident response and digital forensics. Detecting malware in PE files has become a central challenge in modern security research, leading to a mix of complementary analysis methods. Current approaches range from traditional signature-based scanning, which identifies known byte patterns, to heuristic systems that flag unusual structural traits such as abnormal section sizes, entropy spikes, and inconsistent header values. Machine learning models now play a role, using features such as opcode sequences, imported API functions, and metadata patterns to classify files at scale. Deep learning models, including convolutional and recurrent networks, learn higher-level representations directly from raw binaries or from extracted features. However, many, if not most, systems designed to detect malicious software in PE files examine only the Windows-specific portion of the file structure. The leading section of the file, the DOS header together with its MS-DOS stub program, which the Windows loader reads only to locate the PE signature, is generally ignored by malware analysis. This paper describes a method whereby hand-crafted malware can be hidden in the DOS header of the PE file, thus evading detection by many analysis methods.
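The abstract's point is that the bytes before the PE signature are never interpreted by the Windows loader (it reads only e_magic and e_lfanew), so tooling that starts its analysis at the NT headers never sees what is there. The following is an added example, not code from the paper and not a reproduction of the authors' hiding method: a small triage check that parses IMAGE_DOS_HEADER, carves out the DOS stub, and applies the kinds of structural heuristics the abstract lists (non-standard stub bytes, entropy, non-zero reserved fields, oversized pre-PE region) to that ignored region. The 6.0-bit entropy threshold, the 0x400 e_lfanew limit, the finding names and the two sample images are assumptions constructed for the example; the samples are MZ/PE skeletons, not loadable executables.

```python
"""Heuristic inspection of the PE DOS header and DOS stub for hidden content.

On Windows only two IMAGE_DOS_HEADER fields matter: e_magic ("MZ") and
e_lfanew (file offset of "PE\0\0"). Everything else before e_lfanew,
including the 16-bit stub program, is dead space as far as the loader is
concerned, which is exactly why it is worth inspecting.
"""
import math
import struct

DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C        # offset of e_lfanew inside IMAGE_DOS_HEADER
ENTROPY_THRESHOLD = 6.0       # assumed tunable: bits/byte above which a stub looks packed or encrypted
MAX_PLAUSIBLE_LFANEW = 0x400  # assumed tunable: standard stub plus Rich header rarely reach this

# Stub emitted by Microsoft linkers: 14 bytes of real-mode code that prints the
# message through INT 21h and exits, followed by the message. Linkers pad it to 64 bytes.
STANDARD_STUB = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"This program cannot be run in DOS mode.\r\r\n$"
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_dos_region(image: bytes) -> dict:
    """Record the DOS-region facts and return heuristic findings for the bytes before "PE\\0\\0".

    Raises ValueError when the image is not even MZ/PE shaped; everything else is a finding,
    because hand-crafted files that still load are precisely the interesting case.
    """
    if len(image) < DOS_HEADER_SIZE or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature inside the file")

    findings = []
    if e_lfanew < DOS_HEADER_SIZE:
        findings.append("dos_header_overlaps_nt_headers")   # tiny/overlapping header tricks
    stub = image[DOS_HEADER_SIZE:e_lfanew]                  # empty slice if headers overlap

    # e_res (8 bytes at 0x1C) and e_res2 (20 bytes at 0x28) are reserved; linkers zero them
    # and nothing on Windows reads them, so any content here was put there deliberately.
    reserved = image[0x1C:0x24] + image[0x28:0x3C]

    if stub[:len(STANDARD_STUB)] != STANDARD_STUB:
        findings.append("stub_not_standard")
    entropy = shannon_entropy(stub)
    if entropy > ENTROPY_THRESHOLD:
        findings.append("stub_high_entropy")
    if any(reserved):
        findings.append("reserved_fields_nonzero")
    if e_lfanew > MAX_PLAUSIBLE_LFANEW:
        findings.append("oversized_dos_region")

    return {
        "e_lfanew": e_lfanew,
        "stub_len": len(stub),
        "stub_entropy": round(entropy, 2),
        "findings": findings,
    }


def build_image(stub: bytes, reserved: bytes = b"\0" * 28) -> bytes:
    """Constructed MZ/PE skeleton for testing: a real DOS header layout, the given stub,
    then a bare PE signature. Not a loadable executable (no NT headers follow)."""
    assert len(reserved) == 28, "8 bytes of e_res followed by 20 bytes of e_res2"
    header = bytearray(DOS_HEADER_SIZE)
    header[0:2] = b"MZ"
    header[0x1C:0x24] = reserved[:8]
    header[0x28:0x3C] = reserved[8:]
    struct.pack_into("<I", header, E_LFANEW_OFFSET, DOS_HEADER_SIZE + len(stub))
    return bytes(header) + stub + b"PE\0\0"


# Constructed samples, not real malware: a linker-style image, and one whose stub is
# replaced by 256 bytes of filler standing in for an encoded payload, with a marker
# tucked into the reserved words. The filler visits every byte value once, so its
# entropy is the 8.0-bit maximum.
BENIGN_IMAGE = build_image(STANDARD_STUB.ljust(64, b"\0"))
FILLER = bytes((i * 73 + 41) % 256 for i in range(256))
HIDDEN_IMAGE = build_image(FILLER, reserved=b"\0" * 20 + b"PAYLOAD!")

if __name__ == "__main__":
    for name, img in (("linker-style", BENIGN_IMAGE), ("stub-payload", HIDDEN_IMAGE)):
        print(name, inspect_dos_region(img))
```

Two caveats for anyone turning this into a detection rule: a legitimate image may carry a real MS-DOS program in the stub (old dual-mode binaries) or a Rich header between the stub and e_lfanew, so "stub_not_standard" on its own is a lead, not a verdict; and the entropy check only catches payloads that look random, so an attacker who stores low-entropy or text-like data there will pass it, which is why the reserved-field and layout checks are applied as well.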

Published

2026-06-15