Overview
PE Files
PE stands for Portable Executable, it's a file format for executables used in Windows operating systems, it's based on COFF (Common Object File Format).
Not only .exe files are PE files, dynamic link libraries (.dll), kernel modules (.srv), Control Panel applications (.cpl) and many others are also PE files.
A PE file is a data structure that holds information necessary for the OS loader to be able to load that executable into memory and execute it.
Structure Overview
A typical PE file follows the structure outlined in the following figure:
In PEBear:
DOS header
Every PE file starts with a 64-bytes-long structure called the DOS header, it's what makes the PE file an MS-DOS executable.
DOS stub
After the DOS header comes the DOS stub which is a small MS-DOS 2.0 compatible executable that just prints an error message saying "This program cannot be run in DOS mode" when the program is run in DOS mode.
NT headers
The NT Headers part contains three main parts:
Signature
A 4-byte signature that identifies the file as a PE file.
File Header
A standard COFF File Header. It holds some information about the PE file.
Optional Header
The most important header of the NT Headers, its name is the Optional Header because some files like object files don't have it, however it's required for image files (files like
.exefiles). This header provides important information to the OS loader.
Section table
The section table follows the Optional Header immediately, it is an array of Image Section Headers, there's a section header for every section in the PE file.
Each header contains information about the section it refers to.
Sections
Sections are where the actual contents of the file are stored, these include things like data (
.data) and resources (.rsrc) that the program uses, and also the actual code of the program (.text), there are several sections each one with its own purpose.
Reference
Last updated
