PE File Structure

Introduction

PE (Portable Executable) is a file format used in the Windows Operating system. It's is based of the file format (Common Object File Format).

Executables .exe, Dynamic Link Libraries .dll, kernel modules .srv, Control Panel Applications .cpl and many others are all PE files.

PE Structure

A typical PE structure is as follows:

• Text Section (.text): The hub where the executable code of the program resides.

• Data Section (.data): A storage for initialized global and static data variables.

• Read-only initialized data (.rdata): Houses read-only data such as constant values, string literals, and initialized global and static variables.

• Exception information (.pdata): A collection of function table entries utilized for exception handling.

• BSS Section (.bss): Holds uninitialized global and static data variables.

• Resource Section (.rsrc): Safeguards resources such as images, icons, strings, and version information.

• Import Section (.idata): Details about functions imported from other DLLs.

• Export Section (.edata): Information about functions exported by the executable.

• Relocation Section (.reloc): Details for relocating the executable's code and data when loaded at a different memory address.

DOS Header

DOS Stub

The DOS stub comes after the DOS header, it is a small MS-DOS 2.0 compatible executable that prints “This program cannot be run in DOS mode” when the program is run in DOS mode.

NT Headers

The NT Headers contains three main parts:

• PE Signature - 4 Byte signature that identifies the file as a PE

• File Header - A standard COFF file header. (Hold some info on PE)

• Optional Header - The MOST important header of NT headers.

-> It's required for image files (like .exe). It provides important information on the OS loader.

Section Table

Sections

Sections are where the actual contents of the files are stored. These include the actual code the program uses, dependencies, and data.