PE File Format


PE File Format by Saurabh & Chinmaya @ null Bangalore Meet, October 2010


By Saurabh & Chinmaya

Definition

The Portable Executable (PE) format is the file format for executables, object code and DLLs on 32-bit and 64-bit Windows (PE32 and PE32+ respectively).

The term "portable" refers to the format being the same on every Windows platform and processor architecture; the Machine field in the file header identifies the CPU the image was built for.

Basic Structure

• Executable code section, named .text (Microsoft) or CODE (Borland)
• Data sections, named .data, .rdata or .bss (Microsoft) or DATA (Borland)
• Resources section, named .rsrc
• Export data section, named .edata
• Import data section, named .idata
• Debug information section, named .debug

The names are linker conventions only. The loader decides how to map a section from the Characteristics flags in its section header, not from its name, so a packed or hand-built file can put code in a section called .data or use any name at all.

Mapping Into Memory

The loader reserves SizeOfImage bytes at ImageBase (or elsewhere, applying the .reloc fixups, if that address is already in use) and copies each section from its PointerToRawData in the file to ImageBase + VirtualAddress in memory. On disk section data starts at multiples of FileAlignment; in memory sections start at multiples of SectionAlignment, and any part of a section whose VirtualSize exceeds its SizeOfRawData is zero-filled.

Tools Of The Trade

LordPE

PEiD

PEview

OllyDbg

DOS 'MZ' Header

64-byte header (IMAGE_DOS_HEADER).

The first two bytes of the DOS header contain the values 4Dh, 5Ah (the letters "MZ", for Mark Zbikowski, one of the original architects of MS-DOS), which signify a valid DOS header.

The last 4 bytes of the header (the e_lfanew field at offset 3Ch) hold the file offset of the PE header. Since this offset comes straight from the file, a parser has to bounds-check it before following it.

DOS Stub

If the program is run from DOS, DOS recognises it as a valid executable and runs the DOS stub, which is stored immediately after the 64-byte header (between the header and the offset named by e_lfanew).

The DOS stub usually just prints a string such as "This program must be run under Microsoft Windows" or "This program cannot be run in DOS mode", but it can be a full-blown DOS program.

When building an application for Windows, the linker links a default stub program called WINSTUB.EXE into the executable. We can override the default linker behaviour by substituting our own valid MS-DOS-based program in place of WINSTUB and using the /STUB: linker option (LINK also accepts the -STUB: spelling) when linking the executable file.
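As an added worked example (written for this page, not code from the presentation): a small Python parser for the MZ header that checks the signature, reads e_lfanew, bounds-checks it before following it, and slices out the DOS stub. The sample bytes are constructed inline with a placeholder stub string; the only layout facts it relies on are the 64-byte size of IMAGE_DOS_HEADER and e_lfanew sitting at offset 3Ch.

```python
import struct

DOS_HEADER_SIZE = 0x40        # IMAGE_DOS_HEADER is 64 bytes
E_LFANEW_OFFSET = 0x3C        # last DWORD of the header: file offset of "PE\0\0"

# Constructed sample, not a real binary: a 64-byte MZ header, a placeholder
# DOS stub, padding, then the PE signature at the offset e_lfanew names.
STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"


def build_sample():
    hdr = bytearray(DOS_HEADER_SIZE)
    hdr[0:2] = b"MZ"                                        # e_magic = 5A4Dh
    e_lfanew = (DOS_HEADER_SIZE + len(STUB_TEXT) + 7) & ~7  # keep the PE header 8-byte aligned
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, e_lfanew)
    body = bytes(hdr) + STUB_TEXT
    body += b"\0" * (e_lfanew - len(body))                  # pad up to the PE header
    return body + b"PE\0\0"


SAMPLE = build_sample()


def parse_dos_header(data):
    """Return (e_lfanew, stub_bytes); raise ValueError on a missing signature
    or an e_lfanew that would take us outside the buffer."""
    if len(data) < DOS_HEADER_SIZE:
        raise ValueError("shorter than IMAGE_DOS_HEADER")
    if data[0:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # e_lfanew is untrusted input: bounds-check it before dereferencing.
    # Hand-crafted "tiny PE" files overlap the NT headers with the DOS header
    # (e_lfanew below 0x40); this parser deliberately rejects those.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 > len(data):
        raise ValueError(f"e_lfanew {e_lfanew:#x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    stub = bytes(data[DOS_HEADER_SIZE:e_lfanew])   # everything between the header and the PE header
    return e_lfanew, stub


def is_valid_dos_header(data):
    try:
        parse_dos_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    off, stub = parse_dos_header(SAMPLE)
    text = stub.rstrip(b"\0")
    print(f"e_lfanew = {off:#x}, stub = {text!r}")
```

On a real file read it with open(path, "rb").read() and pass the bytes to parse_dos_header; the stub of a Visual C++ build is a few dozen bytes of real-mode code followed by the message string.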

PE File Header

Also called IMAGE_NT_HEADERS. It starts at the file offset given by e_lfanew and consists of:

Signature

IMAGE_FILE_HEADER

IMAGE_OPTIONAL_HEADER

Signature

4 bytes (a DWORD). Stored in the file as the bytes 50h 45h 00h 00h, i.e. the characters "PE" followed by two NUL bytes; read as a little-endian DWORD this is 00004550h.

Image File Header

20-byte header (IMAGE_FILE_HEADER). Offsets are zero-based from the start of the structure:

Offset  Type   Field
0       WORD   Machine (target CPU, e.g. 014Ch = x86, 8664h = x64)
2       WORD   Number of sections
4       DWORD  Time/date stamp
8       DWORD  Pointer to symbol table (COFF debug symbols, normally 0 for images)
12      DWORD  Number of symbols
16      WORD   Size of optional header
18      WORD   Characteristics (e.g. 0002h = executable image, 2000h = DLL)

Optional Header

IMAGE_OPTIONAL_HEADER. Despite the name it is mandatory for executable images; its size is given by the Size of optional header field above. It contains the following important fields:

Magic (10Bh for PE32, 20Bh for PE32+; decides whether ImageBase and the stack and heap sizes are 32-bit or 64-bit, and therefore where the later fields sit)

Address Of Entry Point (RVA of the first instruction the loader transfers control to)

Image Base (preferred load address)

Section Alignment (alignment of sections in memory)

File Alignment (alignment of section data in the file)

Subsystem (e.g. 2 = Windows GUI, 3 = Windows console)

Data directory

○ An array of up to 16 IMAGE_DATA_DIRECTORY structures, each an RVA and a size, one per important data structure in the PE file such as the export table, import table, resources, base relocations and the import address table. NumberOfRvaAndSizes, the DWORD immediately before the array, gives how many entries are actually present; it is normally 16 but may be smaller.

IMAGE_SECTION_HEADER

One 40-byte entry per section, starting immediately after the optional header; the count is the Number of sections field of the file header. Each entry contains the following important fields:

Name of section (8 bytes, not necessarily NUL-terminated)

Relative Virtual Address (RVA) at which the section is mapped (VirtualAddress)

Virtual Size (size of the section in memory; may exceed the size on disk, the remainder being zero-filled)

Size Of Raw Data and Pointer To Raw Data (size and file offset of the section's bytes on disk)

Characteristics of section (code / initialised data / uninitialised data, plus the read, write and execute flags)
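Pulling the PE file header, signature, file header, optional header and section header material above together in one added example (written for this page, not code from the presentation): a Python parser that reads the fields those sections list, handles both the PE32 and PE32+ optional header layouts via Magic, and then uses the section table to map an RVA back to a file offset, which is the "Mapping Into Memory" step run in reverse. The PE32 image it parses is constructed inline (two sections; the import directory entry is a placeholder pointing into .data, with no real import descriptor behind it); field offsets follow the winnt.h definitions of IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and IMAGE_SECTION_HEADER.

```python
import struct

FILE_HEADER_FMT = "<HHIIIHH"     # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR_FMT = "<8s6I2HI"     # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_sample_pe():
    """Constructed minimal PE32 (not real compiler output): DOS header, NT headers,
    .text and .data. FileAlignment 0x200, SectionAlignment 0x1000."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 2 sections, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 14, 0,                        # Magic=PE32, linker version
                      0x200, 0x200, 0,                     # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1010, 0x1000, 0x2000,              # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,             # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,                    # OS / image / subsystem versions
                      0, 0x3000, 0x200, 0,                 # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8140,                           # Subsystem=console, DllCharacteristics (NX, ASLR, TS aware)
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
                      0, 16)                               # LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)                               # 16 x IMAGE_DATA_DIRECTORY {RVA, Size}
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_IMPORT * 8, 0x2000, 0x28)  # placeholder entry
    sect = struct.pack(SECTION_HDR_FMT, b".text", 0x20, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack(SECTION_HDR_FMT, b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + opt + bytes(dirs) + sect).ljust(0x200, b"\0")
    text = (b"\xCC" * 0x10 + b"\x31\xC0\xC3").ljust(0x200, b"\0")  # int3 padding, then xor eax,eax; ret at RVA 0x1010
    data = b"hello\0".ljust(0x200, b"\0")
    return headers + text + data


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28, directories at +96
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
        dd = opt + 96
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24, directories at +112
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
        dd = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    (n_dirs,) = struct.unpack_from("<I", data, dd - 4)
    # NumberOfRvaAndSizes is usually 16 but may be smaller; the loader ignores anything past 16
    dirs = [struct.unpack_from("<II", data, dd + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    first = opt + opt_size                               # section table follows the optional header
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(SECTION_HDR_FMT, data, first + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": sc})
    return {"machine": machine, "characteristics": chars, "magic": magic, "entry_point": entry,
            "image_base": image_base, "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers, "subsystem": subsystem,
            "data_directories": dirs, "sections": sections}


def section_of(pe, rva):
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s["name"]
    return None


def rva_to_offset(pe, rva):
    """File offset of the bytes the loader maps at ImageBase + rva, or None when
    that RVA is backed by nothing on disk (the loader zero-fills it)."""
    if rva < pe["size_of_headers"]:
        return rva                                       # headers are mapped 1:1 at ImageBase
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            delta = rva - s["virtual_address"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


SAMPLE = build_sample_pe()
PE = parse_pe(SAMPLE)

if __name__ == "__main__":
    ep = PE["entry_point"]
    off = rva_to_offset(PE, ep)
    print(f"entry RVA {ep:#x} -> VA {PE['image_base'] + ep:#x}, section {section_of(PE, ep)}, file offset {off:#x}")
    print("bytes at entry:", SAMPLE[off:off + 3].hex())
```

Two checks worth running on any real sample before trusting it: that the entry point lands in a section whose Characteristics include IMAGE_SCN_MEM_EXECUTE (packers and some droppers put it elsewhere), and that rva_to_offset does not return None for each data directory RVA, since a directory that only exists in memory has to be populated by something other than the loader.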

Sections

.text
• Contains the executable code
• Also named CODE by Borland linkers

.data
• Contains initialised data

.reloc
• Contains base relocation information, applied by the loader when the image cannot be placed at its ImageBase

.rsrc
• Contains the resources of a module (icons, dialogs, version information, strings)

.debug
• Contains debug information

.edata, .idata
• Contain the export and import data respectively

Thank You
