Int 21 Fn 4B  - DOS 2+ - "exec" - Load And/or Execute Program              [D]

   AH = 4Bh
   AL = type of load
       00h load and execute
       01h load but do not execute
       03h load overlay
       04h load and execute in background (European MS-DOS 4.0 only)
       "Exec & Go" (see also AH=80h)
   DS:DX -> ASCIZ program name (must include extension)
   ES:BX -> parameter block (see below)
   CX = mode (subfunction 04h only)
       0000h child placed in zombie mode after termination
       0001h child's return code discarded on termination

Return: CF clear if successful
       BX,DX destroyed
       if subfunction 01h, process ID set to new program's PSP; get with
       INT 21/AH=62h
   CF set on error
       AX = error code (01h,02h,05h,08h,0Ah,0Bh) (see AH=59h)

Notes: DOS 2.x destroys all registers, including SS:SP
   under ROM-based DOS, if no disk path characters (colons or slashes)
     are included in the program name, the name is searched for in the
     ROM module headers (see below) before searching on disk
   for functions 00h and 01h, the calling process must ensure that there
     is enough unallocated memory available; if necessary, by releasing
     memory with AH=49h or AH=4Ah
   for function 01h, the AX value to be passed to the child program is put
     on top of the child's stack
   for function 03h, DOS assumes that the overlay is being loaded into
     memory allocated by the caller
   function 01h was undocumented prior to the release of DOS 5.0
   some versions (such as DR-DOS 6.0) check the parameters and parameter
     block and return an error if an invalid value (such as an offset of
     FFFFh) is found
   background programs under European MS-DOS 4.0 must use the new
     executable format
   new executables begin running with the following register values
       AX = environment segment
       BX = offset of command tail in environment segment
       CX = size of automatic data segment (0000h = 64K)
       ES,BP = 0000h
       DS = automatic data segment
       SS:SP = initial stack
     the command tail corresponds to an old executable's PSP:0081h and
     following, except that the 0Dh is turned into a NUL (00h); new
     format executables have no PSP
   under the FlashTek X-32 DOS extender, only function 00h is supported
     and the pointers are passed in DS:EDX and ES:EBX
   DR-DOS 6 always loads .EXE-format programs with no fixups above the
     64K mark to avoid the EXEPACK bug
   names for the various executable types understood by various
     environments:
       MZ  old-style DOS executable
       NE  Windows or OS/2 1.x segmented ("new") executable
       LE  Windows virtual device driver (VxD) linear executable
       LX  variant of LE used in OS/2 2.x
       W3  Windows WIN386.EXE file; a collection of LE files
       PE  Win32 (Windows NT and Win32s) portable executable based on
           Unix COFF
BUGS:  DOS 2.00 assumes that DS points at the current program's PSP
   Load Overlay (subfunction 03h) loads up to 512 bytes too many if the
     file contains additional data after the actual overlay

See Also: AX=4B05h,AH=4Ch,AH=4Dh,AH=64h"OS/2",AH=8Ah,INT 2E

Format of EXEC parameter block for AL=00h,01h,04h:
Offset Size    Description
 00h   WORD    segment of environment to copy for child process (copy caller's
       environment if 0000h)
 02h   DWORD   pointer to command tail to be copied into child's PSP
 06h   DWORD   pointer to first FCB to be copied into child's PSP
 0Ah   DWORD   pointer to second FCB to be copied into child's PSP
 0Eh   DWORD   (AL=01h) will hold subprogram's initial SS:SP on return
 12h   DWORD   (AL=01h) will hold entry point (CS:IP) on return

Format of EXEC parameter block for AL=03h:
Offset Size    Description
 00h   WORD    segment at which to load overlay
 02h   WORD    relocation factor to apply to overlay if in .EXE format

Format of EXEC parameter block for FlashTek X-32:
Offset Size    Description
 00h   PWORD   48-bit far pointer to environment string
 06h   PWORD   48-bit far pointer to command tail string

Format of .EXE file header:
Offset Size    Description
 00h  2 BYTEs  .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
 02h   WORD    number of bytes in last 512-byte page of executable
 04h   WORD    total number of 512-byte pages in executable (includes any
       partial last page)
 06h   WORD    number of relocation entries
 08h   WORD    header size in paragraphs
 0Ah   WORD    minimum paragraphs of memory to allocate in addition to
       executable's size
 0Ch   WORD    maximum paragraphs to allocate in addition to executable's size
 0Eh   WORD    initial SS relative to start of executable
 10h   WORD    initial SP
 12h   WORD    checksum (one's complement of sum of all words in executable)
 14h   DWORD   initial CS:IP relative to start of executable
 18h   WORD    offset within header of relocation table
       40h or greater for new-format (NE,LE,LX,W3,PE,etc.) executable
 1Ah   WORD    overlay number (normally 0000h = main program)
---new executable---
 1Ch  4 BYTEs  ???
 20h   WORD    behavior bits
 22h 26 BYTEs  reserved for additional behavior info
 3Ch   DWORD   offset of new executable (NE,LE,etc) header within disk file,
       or 00000000h if plain MZ executable
---Borland TLINK---
 1Ch  2 BYTEs  ??? (apparently always 01h 00h)
 1Eh   BYTE    signature FBh
 1Fh   BYTE    TLINK version (major in high nybble, minor in low nybble)
 20h  2 BYTEs  ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h)
---ARJ self-extracting archive---
 1Ch  4 BYTEs  signature "RJSX" (older versions, new signature is "aRJsfX" in
       the first 1000 bytes of the file)
---LZEXE 0.90 compressed executable---
 1Ch  4 BYTEs  signature "LZ09"
---LZEXE 0.91 compressed executable---
 1Ch  4 BYTEs  signature "LZ91"
---PKLITE compressed executable---
 1Ch   BYTE    minor version number
 1Dh   BYTE    bits 0-3: major version
       bit 4: extra compression
       bit 5: huge (multi-segment) file
 1Eh  6 BYTEs  signature "PKLITE" (followed by copyright message)
---LHarc 1.x self-extracting archive---
 1Ch  4 BYTEs  unused???
 20h  3 BYTEs  jump to start of extraction code
 23h  2 BYTEs  ???
 25h 12 BYTEs  signature "LHarc's SFX "
---LHA 2.x self-extracting archive---
 1Ch  8 BYTEs  ???
 24h 10 BYTEs  signature "LHa's SFX " (v2.10) or "LHA's SFX " (v2.13)
---TopSpeed C 3.0 CRUNCH compressed file---
 1Ch   DWORD   018A0001h
 20h   WORD    1565h
---PKARCK 3.5 self-extracting archive---
 1Ch   DWORD   00020001h
 20h   WORD    0700h
---BSA (Soviet archiver) self-extracting archive---
 1Ch   WORD    000Fh
 1Eh   BYTE    A7h
---LARC self-extracting archive---
 1Ch  4 BYTEs  ???
 20h 11 BYTEs  "SFX by LARC "
---LH self-extracting archive---
 1Ch  8 BYTEs  ???
 24h  8 BYTEs  "LH's SFX "
---other linkers---
 1Ch   var optional information
---
  N   N DWORDs relocation items

Notes: if word at offset 02h is 4, it should be treated as 00h, since pre-1.10
     versions of the MS linker set it that way
   if both minimum and maximum allocation (offset 0Ah/0Ch) are zero, the
     program is loaded as high in memory as possible
   the maximum allocation is set to FFFFh by default
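The MZ header table and the notes above, worked as an added Python parser (not code from the interrupt list): it decodes the fixed 1Ch-byte header, derives the image and load-module sizes (honouring the "last page = 4 means 0" quirk), checks that the page count, header size and relocation table stay inside the file, recognises the LZEXE, ARJ and PKLITE stamps at 1Ch/1Eh, and follows the 3Ch offset when the relocation table offset is 40h or greater. The sample buffers are constructed here for the demonstration.

```python
import struct

# Fixed part of the MZ header, offsets 00h-1Bh, little-endian (see table above).
MZ_FIXED = struct.Struct("<2sHHHHHHHHHHHHH")
# Stamps the table lists at offset 1Ch; PKLITE's "PKLITE" string sits at 1Eh.
STAMPS_1C = {b"LZ09": "LZEXE 0.90", b"LZ91": "LZEXE 0.91", b"RJSX": "ARJ SFX"}

def parse_mz(data: bytes) -> dict:
    """Decode an MZ header, derive sizes, and record bounds problems."""
    if len(data) < MZ_FIXED.size:
        raise ValueError("shorter than the 1Ch-byte fixed header")
    (sig, cblp, cp, crlc, cparhdr, minalloc, maxalloc,
     _ss, _sp, _csum, ip, cs, lfarlc, ovno) = MZ_FIXED.unpack_from(data)
    if sig not in (b"MZ", b"ZM"):
        raise ValueError("missing MZ/ZM signature")
    if cblp == 4:                      # pre-1.10 MS linker quirk: treat as 0
        cblp = 0
    image = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    header = cparhdr * 16
    info = {"image_size": image, "header_size": header,
            "load_module_size": image - header, "entry": (cs, ip),
            "load_high": minalloc == 0 and maxalloc == 0, "overlay": ovno,
            "packer": None, "new_exe_offset": None, "findings": []}
    if image > len(data):
        info["findings"].append("page count claims more bytes than the file holds")
    if header > image:
        info["findings"].append("header size exceeds image size")
    if lfarlc + crlc * 4 > header:
        info["findings"].append("relocation table runs past the header")
    if data[0x1C:0x20] in STAMPS_1C:
        info["packer"] = STAMPS_1C[data[0x1C:0x20]]
    elif data[0x1E:0x24] == b"PKLITE":
        info["packer"] = f"PKLITE {data[0x1D] & 0x0F}.{data[0x1C]}"
    if lfarlc >= 0x40:                 # new-format file: e_lfanew lives at 3Ch
        if len(data) < 0x40:
            info["findings"].append("lfarlc >= 40h but no room for the 3Ch field")
        else:
            off = struct.unpack_from("<I", data, 0x3C)[0]
            info["new_exe_offset"] = off
            if off >= len(data):
                info["findings"].append("new-executable header offset is outside the file")
    return info

# Constructed sample: 2 pages, 80h bytes in the last, 2-paragraph header, 1 reloc.
SAMPLE_PLAIN = MZ_FIXED.pack(b"MZ", 0x80, 2, 1, 2, 0x10, 0xFFFF, 0, 0x100,
                             0, 0, 0, 0x1C, 0) + b"\0\0\0\0" + b"\x90" * 608
# Constructed new-format stub: lfarlc=40h, 3Ch field points at 40h, one full page.
SAMPLE_NEWSTUB = (MZ_FIXED.pack(b"MZ", 0, 1, 0, 4, 0, 0xFFFF, 0, 0, 0, 0, 0, 0x40, 0)
                  + b"\0" * 0x20 + struct.pack("<I", 0x40) + b"\0" * (512 - 0x40))
```

Feeding a truncated copy of SAMPLE_PLAIN produces a finding, which is the check a loader or triage tool needs before trusting the page count.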

Format of ROM Module Header:
Offset Size    Description
 00h  2 BYTEs  ROM signature 55h, AAh
 02h   BYTE    size of ROM in 512-byte blocks
 03h  3 BYTEs  POST initialization entry point (near JMP instruction)
 06h   ROM Program Name List [array]
   Offset  Size    Description
    00h    BYTE    length of ROM program's name (00h if end of name list)
    01h  N BYTEs   program name
    N+1  3 BYTEs   program entry point (near JMP instruction)

Format of new executable header:
Offset Size    Description
 00h  2 BYTEs  "NE" (4Eh 45h) signature
 02h  2 BYTEs  linker version (major, then minor)
 04h   WORD    offset from start of this header to entry table (see below)
 06h   WORD    length of entry table in bytes
 08h   DWORD   file load CRC (0 in Borland's TPW)
 0Ch   BYTE    program flags
       bits 0-1 DGROUP type
         0 = none
         1 = single shared
         2 = multiple (unshared)
         3 = (null)
       bit 2:  global initialization
       bit 3:  protected mode only
       bit 4:  8086 instructions
       bit 5:  80286 instructions
       bit 6:  80386 instructions
       bit 7:  80x87 instructions
 0Dh   BYTE    application flags
       bits 0-2: application type
           001 full screen (not aware of Windows/P.M. API)
           010 compatible with Windows/P.M. API
           011 uses Windows/P.M. API
       bit 3: is a Family Application (OS/2)
       bit 5: 0=executable, 1=errors in image
       bit 6: non-conforming program (valid stack is not maintained)
       bit 7: DLL or driver rather than application
           (SS:SP info invalid, CS:IP points at FAR init routine
            called with AX=module handle which returns AX=0000h
            on failure, AX nonzero on successful initialization)
 0Eh   WORD    auto data segment index
 10h   WORD    initial local heap size
 12h   WORD    initial stack size (added to data seg, 0000h if SS <> DS)
 14h   DWORD   program entry point (CS:IP), "CS" is index into segment table
 18h   DWORD   initial stack pointer (SS:SP), "SS" is segment index
       if SS=automatic data segment and SP=0000h, the stack pointer is
         set to the top of the automatic data segment, just below the
         local heap
 1Ch   WORD    segment count
 1Eh   WORD    module reference count
 20h   WORD    length of nonresident names table in bytes
 22h   WORD    offset from start of this header to segment table (see below)
 24h   WORD    offset from start of this header to resource table
 26h   WORD    offset from start of this header to resident names table
 28h   WORD    offset from start of this header to module reference table
 2Ah   WORD    offset from start of this header to imported names table
       (array of counted strings, terminated with a string of length
        00h)
 2Ch   DWORD   offset from start of file to nonresident names table
 30h   WORD    count of moveable entry points listed in entry table
 32h   WORD    file alignment size shift count
       0 is equivalent to 9 (default 512-byte pages)
 34h   WORD    number of resource table entries
 36h   BYTE    target operating system
       00h unknown
       01h OS/2
       02h Windows
       03h European MS-DOS 4.x
       04h Windows 386
       05h BOSS (Borland Operating System Services)
 37h   BYTE    other EXE flags
       bit 0: supports long filenames
       bit 1: 2.X protected mode
       bit 2: 2.X proportional font
       bit 3: gangload area
 38h   WORD    offset to return thunks or start of gangload area
 3Ah   WORD    offset to segment reference thunks or length of gangload area
 3Ch   WORD    minimum code swap area size
 3Eh  2 BYTEs  expected Windows version (minor version first)

Note:  this header is documented in detail in the Windows 3.1 SDK Programmer's
     Reference, Vol 4.

Format of Codeview trailer (at end of executable):
Offset Size    Description
 00h   WORD    signature 4E42h ('NB')
 02h   WORD    Microsoft debug info version number
 04h   DWORD   Codeview header offset

Format of new executable segment table record:
 00h   WORD    offset in file (shift left by alignment shift to get byte offs)
 02h   WORD    length of image in file (0000h = 64K)
 04h   WORD    segment attributes (see below)
 06h   WORD    number of bytes to allocate for segment (0000h = 64K)

Note:  the first segment table entry is entry number 1

Bitfields for segment attributes:
 bit 0 data segment rather than code segment
 bit 1 unused???
 bit 2 real mode
 bit 3 iterated
 bit 4 movable
 bit 5 sharable
 bit 6 preloaded rather than demand-loaded
 bit 7 execute-only (code) or read-only (data)
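The new executable header and segment table record formats above, worked as an added Python decoder (not code from the interrupt list): it reads the program flags, application flags, target OS and alignment shift (0 meaning 9), then walks the segment table from entry number 1, applying the shift to each file offset and flagging segments that run past the end of the file. It assumes the caller already located the NE header via the MZ header's 3Ch field, and it treats a segment file offset of 0 as "no file data", a convention of the NE format not stated in the table. The sample buffer is constructed here.

```python
import struct

DGROUP = {0: "none", 1: "single shared", 2: "multiple (unshared)", 3: "(null)"}
TARGET_OS = {0: "unknown", 1: "OS/2", 2: "Windows", 3: "European MS-DOS 4.x",
             4: "Windows 386", 5: "BOSS"}
APP_TYPE = {1: "full screen", 2: "compatible with Windows/P.M. API",
            3: "uses Windows/P.M. API"}
SEG_BITS = {1: "data", 4: "real mode", 8: "iterated", 0x10: "movable",
            0x20: "sharable", 0x40: "preload", 0x80: "execute-only/read-only"}

def parse_ne(data: bytes, base: int) -> dict:
    """Decode the NE header found at `base` and walk its segment table."""
    if data[base:base + 2] != b"NE":
        raise ValueError("no NE signature at the given offset")
    pflags, aflags, target = data[base + 0x0C], data[base + 0x0D], data[base + 0x36]
    segcount, = struct.unpack_from("<H", data, base + 0x1C)
    segtab, = struct.unpack_from("<H", data, base + 0x22)
    shift, = struct.unpack_from("<H", data, base + 0x32)
    shift = shift or 9                        # 0 means the default 512-byte units
    info = {"dgroup": DGROUP[pflags & 3],
            "protected_mode_only": bool(pflags & 0x08),
            "app_type": APP_TYPE.get(aflags & 7, "reserved"),
            "is_dll": bool(aflags & 0x80),
            "target_os": TARGET_OS.get(target, f"unknown ({target:02X}h)"),
            "segments": [], "findings": []}
    for n in range(1, segcount + 1):          # segment table entries start at 1
        rec = base + segtab + (n - 1) * 8
        if rec + 8 > len(data):
            raise ValueError(f"segment table entry {n} lies outside the file")
        sector, length, attrs, alloc = struct.unpack_from("<HHHH", data, rec)
        seg = {"index": n, "file_offset": sector << shift,
               "file_length": length or 0x10000, "alloc": alloc or 0x10000,
               "attrs": [name for bit, name in SEG_BITS.items() if attrs & bit]}
        # Offset 0 means the segment carries no file data (NE convention, assumed).
        if sector and seg["file_offset"] + seg["file_length"] > len(data):
            info["findings"].append(f"segment {n} extends past the end of the file")
        info["segments"].append(seg)
    return info

# Constructed sample: NE header at offset 0 (a real file reaches it via the MZ 3Ch
# field), two segments, 16-byte alignment units (shift 4).
_hdr = bytearray(b"NE" + bytes(0x3E))
_hdr[0x0C], _hdr[0x0D], _hdr[0x36] = 0x0A, 0x03, 0x02  # multiple DGROUP+protmode; uses API; Windows
struct.pack_into("<H", _hdr, 0x1C, 2)                   # segment count
struct.pack_into("<H", _hdr, 0x22, 0x40)                # segment table right after header
struct.pack_into("<H", _hdr, 0x32, 4)                   # alignment shift
_segs = struct.pack("<HHHH", 0x06, 0x20, 0x00, 0x20) + struct.pack("<HHHH", 0x08, 0x10, 0x51, 0)
SAMPLE_NE = bytes(_hdr) + _segs + bytes(0x10) + b"\x90" * 0x30
```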
