Overview

PE Files

PE stands for Portable Executable, it's a file format for executables used in Windows operating systems, it's based on COFF (Common Object File Format).

Not only .exe files are PE files, dynamic link libraries (.dll), kernel modules (.srv), Control Panel applications (.cpl) and many others are also PE files.

A PE file is a data structure that holds information necessary for the OS loader to be able to load that executable into memory and execute it.

Structure Overview

A typical PE file follows the structure outlined in the following figure:

In PEBear:

DOS header
- Every PE file starts with a 64-bytes-long structure called the DOS header, it's what makes the PE file an MS-DOS executable.
DOS stub
- After the DOS header comes the DOS stub which is a small MS-DOS 2.0 compatible executable that just prints an error message saying "This program cannot be run in DOS mode" when the program is run in DOS mode.
NT headers
- The NT Headers part contains three main parts:
- Signature
  - A 4-byte signature that identifies the file as a PE file.
- File Header
  - A standard COFF File Header. It holds some information about the PE file.
- Optional Header
  - The most important header of the NT Headers, its name is the Optional Header because some files like object files don't have it, however it's required for image files (files like .exe files). This header provides important information to the OS loader.
Section table
- The section table follows the Optional Header immediately, it is an array of Image Section Headers, there's a section header for every section in the PE file.
- Each header contains information about the section it refers to.
Sections
- Sections are where the actual contents of the file are stored, these include things like data (.data) and resources (.rsrc) that the program uses, and also the actual code of the program (.text), there are several sections each one with its own purpose.

Reference

PreviousPE Format NextProcess Injection

Last updated 2 years ago

PE Files

PE stands for Portable Executable, it's a file format for executables used in Windows operating systems, it's based on COFF (Common Object File Format).

Not only .exe files are PE files, dynamic link libraries (.dll), kernel modules (.srv), Control Panel applications (.cpl) and many others are also PE files.

A PE file is a data structure that holds information necessary for the OS loader to be able to load that executable into memory and execute it.

Structure Overview

A typical PE file follows the structure outlined in the following figure:

In PEBear:

DOS header

Every PE file starts with a 64-bytes-long structure called the DOS header, it's what makes the PE file an MS-DOS executable.

DOS stub

After the DOS header comes the DOS stub which is a small MS-DOS 2.0 compatible executable that just prints an error message saying "This program cannot be run in DOS mode" when the program is run in DOS mode.

NT headers

The NT Headers part contains three main parts:
Signature
- A 4-byte signature that identifies the file as a PE file.
File Header
- A standard COFF File Header. It holds some information about the PE file.
Optional Header
- The most important header of the NT Headers, its name is the Optional Header because some files like object files don't have it, however it's required for image files (files like .exe files). This header provides important information to the OS loader.

Section table

The section table follows the Optional Header immediately, it is an array of Image Section Headers, there's a section header for every section in the PE file.
Each header contains information about the section it refers to.

Sections

Sections are where the actual contents of the file are stored, these include things like data (.data) and resources (.rsrc) that the program uses, and also the actual code of the program (.text), there are several sections each one with its own purpose.