A brief introduction to PE format

As someone enthusiastic about reverse engineering and malware analysis, I find that understanding file formats is important: it clears up what the different parts of a file or executable are for, which helps when reverse engineering or debugging a binary, or when analysing it further. This post focuses on the Portable Executable (PE) file format, which is what Windows executables, DLLs and drivers use, so it is worth discussing.

As the MSDN documentation puts it, the PE/COFF specification "describes the structure of executable (image) files and object files under the Windows family of operating systems." These files are referred to as Portable Executable (PE) files. In layman's terms, PE is the file format Windows uses for executables on both x86 and x64, and it is based on the COFF (Common Object File Format) specification.

We loaded a simple file.exe into a hex editor (010 Editor). The PE data structure consists of several parts: the DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories and Sections.

We will briefly describe each of them.

DOS Header :

The first 64 bytes of the file (IMAGE_DOS_HEADER). It starts with the magic value e_magic = "MZ" (bytes 0x4D 0x5A), and its last field, e_lfanew at offset 0x3C, holds the file offset of the PE signature. Everything between the end of the DOS header and that offset is the DOS stub.

DOS Stub :

The DOS stub is a tiny real-mode DOS program that runs if the executable is started under MS-DOS instead of Windows; all it does is print the familiar string "This program cannot be run in DOS mode." and exit. When the Windows loader maps a PE file into memory, the first byte of the file that gets mapped is the first byte of the MS-DOS header/stub, i.e. the "M" of "MZ".

Signature : According to MSDN, the signature is a 4-byte DWORD that identifies the file as a PE format image file. Its value is "PE\0\0" (the letters "P" and "E", 0x50 and 0x45 in hex, followed by two null bytes 0x00 0x00). It sits at the file offset stored in e_lfanew and is immediately followed by the COFF file header.

Magic : The first field of the optional header tells whether the image is 32-bit, 64-bit or a ROM image: 0x10b for a 32-bit executable (PE32), 0x20b for a 64-bit executable (PE32+) and 0x107 for a ROM image. The layout of the rest of the optional header depends on this value (for example ImageBase is 4 bytes in PE32 and 8 bytes in PE32+, and PE32+ has no BaseOfData field), so a parser must read Magic before interpreting anything after it.

Major Linker Version & Minor Linker Version : the version of the linker that produced the image.

Address of EntryPoint : According to MSDN, this is a pointer to the entry point function, relative to the image base address (i.e. an RVA). For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs; when no entry point is present, this member is zero.

BaseOfCode : The RVA of the beginning of the code section (usually .text).

SizeOfImage : The size, in bytes, of the image as it is laid out in memory at runtime, including all headers; it must be a multiple of SectionAlignment, and the loader uses it to reserve the address range for the image.

Size of Headers : According to MSDN, the combined size of the MS-DOS stub, the PE header and the section headers, rounded up to a multiple of the value specified in the FileAlignment member. The raw data of the first section starts after this many bytes in the file.

SECTIONS

.text : Contains the executable code. An image can have more than one code section, but .text is the one compilers normally emit, and AddressOfEntryPoint usually points into it.

.rdata : Read-only initialized data. In practice this is where the import and export directories usually live, so it is where you find the list of DLLs and Windows APIs the executable uses, along with string constants.

.data : Contains initialized, writable global data.

.bss : Contains uninitialized data; it occupies space in memory but normally none in the file, so its VirtualSize is larger than its SizeOfRawData.

.pdata : Contains the exception handling information (function table entries) used for stack unwinding on x64 and other non-x86 architectures.

.reloc : Contains the base relocation table, which the loader uses to patch absolute addresses when the image cannot be loaded at its preferred ImageBase (for example under ASLR).

.rsrc : Contains resources such as icons, images, dialogs, menus, version info and strings needed for the application's UI; it can also hold arbitrary embedded binary data, so it is worth inspecting during analysis.
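To make the header walk above concrete, here is a small parser, written for this post and not part of any existing tool, that follows the chain DOS header -> e_lfanew -> PE signature -> COFF header -> optional header (reading Magic before anything whose layout depends on it) -> section table, and then uses the section table to turn the AddressOfEntryPoint RVA into a file offset. The input is a constructed minimal PE32+ image built in memory by build_sample_pe(), not the file.exe from the hex editor; all field offsets and sizes are those of the PE/COFF specification.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian DWORD
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM"}
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed sample: a minimal, well-formed PE32+ image built in memory. It is not a real
    program (the only code is 'xor rax, rax; ret'); it exists so the parser has input to work on."""
    dos_header = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\x00" * 58 + struct.pack("<I", 0x80)
    dos_stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)  # x64, 2 sections, opt hdr 240 bytes
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000)  # Magic .. BaseOfCode
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x140000000, 0x1000, 0x200,   # ImageBase, SectionAlignment, FileAlignment
                       6, 0, 0, 0, 6, 0, 0,          # OS/image/subsystem versions, Win32VersionValue
                       0x3000, 0x200, 0,             # SizeOfImage, SizeOfHeaders, CheckSum
                       3, 0x8160,                    # Subsystem (console), DllCharacteristics
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\x00" * (16 * 8)                        # 16 empty data directories
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata_hdr = struct.pack(SECTION_HEADER_FMT, b".rdata", 0x10, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos_header + dos_stub + b"PE\x00\x00" + coff + opt + text_hdr + rdata_hdr).ljust(0x200, b"\x00")
    text = b"\x48\x31\xc0\xc3".ljust(0x200, b"\x00")   # xor rax, rax ; ret
    rdata = b"hello\x00".ljust(0x200, b"\x00")
    return headers + text + rdata


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)          # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE\\0\\0 signature")

    # IMAGE_FILE_HEADER (COFF header): 20 bytes right after the signature
    coff_off = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff_off)

    # IMAGE_OPTIONAL_HEADER: Magic decides the layout of everything that follows it
    opt_off = coff_off + 20
    magic, = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    is64 = magic == 0x20B
    (major_linker, minor_linker, _size_of_code, _, _,
     entry_point, base_of_code) = struct.unpack_from("<BBIIIII", data, opt_off + 2)
    # PE32 has a 4-byte BaseOfData after BaseOfCode; PE32+ drops it and widens ImageBase to 8 bytes
    win_off = opt_off + 24 + (0 if is64 else 4)
    image_base, = struct.unpack_from("<Q" if is64 else "<I", data, win_off)
    win_off += 8 if is64 else 4
    section_align, file_align = struct.unpack_from("<II", data, win_off)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, win_off + 24)

    # Section table follows the optional header; use SizeOfOptionalHeader, never a hard-coded 224/240
    sect_off = opt_off + opt_size
    if sect_off + nsect * 40 > size_of_headers or sect_off + nsect * 40 > len(data):
        raise ValueError("section table runs past SizeOfHeaders / end of file")
    sections = []
    for i in range(nsect):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from(SECTION_HEADER_FMT, data, sect_off + i * 40)
        if raw_ptr + raw_size > len(data):       # truncated or malformed sample
            raise ValueError("section %r raw data runs past end of file" % name)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})

    return {"format": OPTIONAL_MAGIC[magic], "magic": magic, "machine": machine,
            "characteristics": characteristics, "linker": (major_linker, minor_linker),
            "entry_point": entry_point, "base_of_code": base_of_code, "image_base": image_base,
            "section_alignment": section_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "dos_stub": data[0x40:e_lfanew], "sections": sections}


def rva_to_offset(sections, rva):
    """Translate an RVA (e.g. AddressOfEntryPoint) into a file offset using the section table.
    Returns None if no section maps the RVA (it could also be header space or .bss zero-fill)."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_ptr"]
    return None


def entry_bytes(data, n=4):
    """First n bytes of code at AddressOfEntryPoint, read from the file (not from memory)."""
    pe = parse_pe(data)
    off = rva_to_offset(pe["sections"], pe["entry_point"])
    return None if off is None else data[off:off + n]


if __name__ == "__main__":
    sample = build_sample_pe()
    info = parse_pe(sample)
    for key, value in info.items():
        print("%-18s %s" % (key, hex(value) if isinstance(value, int) else value))
    print("entry bytes:", entry_bytes(sample).hex())
```

Run it as a script to print the parsed fields for the sample, or call parse_pe(open(path, "rb").read()) on a real binary. The sanity checks (signature present, section table inside SizeOfHeaders, section raw data inside the file) are exactly the things that trip on truncated or deliberately malformed samples; a loader-grade parser would add alignment and section-overlap checks on top.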

That was a brief overview of the Portable Executable file format; in the next post I will write a similar overview of the ELF format. Till then, happy learning.
