PE File Structure

Introduction

PE (Portable Executable) is a file format used in the Windows operating system. It is based on the COFF file format (Common Object File Format).

Executables (.exe), Dynamic Link Libraries (.dll), kernel modules (.srv), Control Panel Applications (.cpl) and many others are all PE files.

PE Structure

A typical PE structure is as follows:

From 0xRick's blog post
  • Text Section (.text): The hub where the executable code of the program resides.

  • Data Section (.data): A storage for initialized global and static data variables.

  • Read-only initialized data (.rdata): Houses read-only data such as constant values, string literals, and initialized global and static variables.

  • Exception information (.pdata): A collection of function table entries utilized for exception handling.

  • BSS Section (.bss): Holds uninitialized global and static data variables.

  • Resource Section (.rsrc): Safeguards resources such as images, icons, strings, and version information.

  • Import Section (.idata): Details about functions imported from other DLLs.

  • Export Section (.edata): Information about functions exported by the executable.

  • Relocation Section (.reloc): Details for relocating the executable's code and data when loaded at a different memory address.

We can see the same thing in hasherezade's PE-bear:

DOS Header

Every PE file starts with a DOS Header, a 64-byte structure that makes the PE file an MS-DOS executable. It contains the magic bytes 4D 5A ("MZ" in ASCII), which signify that the file is in the DOS family. The magic is named after Mark Zbikowski.

DOS Stub

The DOS stub comes after the DOS header. It is a small MS-DOS 2.0 compatible executable that prints “This program cannot be run in DOS mode” when the program is run in DOS mode.

NT Headers

The NT Headers contain three main parts:

  • PE Signature - 4 Byte signature that identifies the file as a PE

  • File Header - A standard COFF file header. (Holds some information about the PE file.)

  • Optional Header - The MOST important header of the NT headers.

-> It's required for image files (like .exe). It provides important information to the OS loader.

Section Table

The section table immediately follows the Optional Header. It is an array of Image Section Headers (IMAGE_SECTION_HEADER). Each header contains information about the section it refers to.

Sections

Sections are where the actual contents of the files are stored. These include the actual code the program uses, dependencies, and data.
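
The layout described above (DOS header, NT headers, section table) can be walked with a handful of fixed offsets. The following is an added example, not code from the original page: the names `parse_pe` and `build_sample` are hypothetical, and the input is a constructed header-only buffer rather than a real binary.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table, bounds-checking each step."""
    if len(data) < 64 or data[:2] != b"MZ":  # 64-byte DOS header, magic 4D 5A
        raise ValueError("missing DOS header / MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # file offset of the NT headers
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF File Header follows the 4-byte PE signature.
    machine, nsects, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise ValueError("truncated Optional Header")
    magic = struct.unpack_from("<H", data, opt_off)[0]  # 0x10B = PE32, 0x20B = PE32+
    # The section table immediately follows the Optional Header.
    sections, off = [], opt_off + opt_size
    for _ in range(nsects):
        if off + 40 > len(data):  # each IMAGE_SECTION_HEADER is 40 bytes
            raise ValueError("truncated section table")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_offset": rptr, "raw_size": rsize})
        off += 40
    return {"e_lfanew": e_lfanew, "machine": machine, "optional_magic": magic,
            "characteristics": chars, "sections": sections}

def build_sample() -> bytes:
    """Constructed PE-shaped buffer for the demo: headers only, not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)  # e_lfanew at 0x3C points to 0x80
    stub = b"\0" * (0x80 - len(dos))  # space a real DOS stub would occupy
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 238  # PE32+ magic, rest zeroed
    def sect(name, vaddr, vsize, rptr, rsize):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)
    table = sect(b".text", 0x1000, 0x200, 0x400, 0x200) + \
            sect(b".rdata", 0x2000, 0x100, 0x600, 0x200)
    return dos + stub + b"PE\0\0" + file_hdr + opt + table

if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(hex(pe["e_lfanew"]), hex(pe["machine"]), hex(pe["optional_magic"]))
    for s in pe["sections"]:
        print(s)
```

The offset of the NT headers, the size of the Optional Header and the number of sections are all read from the file itself, so each one is checked against the buffer length before it is used.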
