Feb 15, 2025
5 min read

PE Overview Part 1

What is a PE?

PE stands for Portable Executable. It represents a file structure for executables used in Windows OS, based on the Common Object File Format (COFF).

  • The Common Object File Format (COFF) is a file format used to store object code, typically as the output of a compiler before linking into an executable. It was originally developed for Unix-like systems but has been used in various environments, including Windows.

PE Files:

  • .exe – Executable files
  • .dll – Dynamic Link Libraries
  • .srv – System Services
  • .cpl – Control Panel Extensions
  • etc.

DOS HEADER

Each PE starts with a DOS header, which holds at offset 0x0 the bytes 4D 5A, i.e. the ASCII string "MZ", known as the "MZ signature" and inherited from the MS-DOS relocatable 16-bit EXE format.

Let's take a deeper look inside the DOS header. It is described by the IMAGE_DOS_HEADER structure, which is made up of the following fields:

     typedef struct _IMAGE_DOS_HEADER {
         WORD e_magic;      // "MZ" signature (0x5A4D)
         WORD e_cblp;       // bytes on the last page of the file
         WORD e_cp;         // pages in the file
         WORD e_crlc;       // number of relocations
         WORD e_cparhdr;    // size of the header in paragraphs
         WORD e_minalloc;   // minimum extra paragraphs needed
         WORD e_maxalloc;   // maximum extra paragraphs needed
         WORD e_ss;         // initial (relative) SS value
         WORD e_sp;         // initial SP value
         WORD e_csum;       // checksum
         WORD e_ip;         // initial IP value
         WORD e_cs;         // initial (relative) CS value
         WORD e_lfarlc;     // file offset of the relocation table
         WORD e_ovno;       // overlay number
         WORD e_res[4];     // reserved
         WORD e_oemid;      // OEM identifier
         WORD e_oeminfo;    // OEM information
         WORD e_res2[10];   // reserved
         LONG e_lfanew;     // file offset of the NT headers (the PE signature)
     } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

There are a few important things to observe at the beginning. The e_magic field is the first member of the struct and has the fixed value 0x5A4D (the bytes "MZ"), which is the signature; the last member, e_lfanew, gives the file offset of the NT headers.

// Checks whether our file carries a valid DOS header
...
PIMAGE_DOS_HEADER pdh = GetDosHeader();
...
return pdh->e_magic == IMAGE_DOS_SIGNATURE;   // IMAGE_DOS_SIGNATURE == 0x5A4D ("MZ")
...

DOS Stub

The DOS stub is a small MS-DOS program (it runs under MS-DOS). By default it sits at the beginning of the executable, right after the DOS header. Its primary role is to serve as a placeholder for any processing that should happen before the program starts.


NT_HEADERS:

It’s made out of 3 main parts:

PE Signature:

After the MS-DOS stub, a 4-byte signature identifies the file as a PE executable; its file offset is stored in the DOS header's e_lfanew field, which sits at offset 0x3C. This signature, PE\0\0, is the key marker the Windows loader looks for to recognize and process the file.

File Header:

Known as the COFF File Header, it contains essential metadata about the PE file, including details such as the Machine Type (which specifies the target architecture), TimeDateStamp (indicating when the file was created or last modified), Number of Symbols (used for debugging), Characteristics (defining file attributes like whether it is executable or supports large addresses), and several other crucial fields that help the operating system and linker interpret the file correctly.

Optional Header:

The last main part of the NT headers is the Optional Header, which provides the information the loader needs to map the image. Despite its name it is optional only in the sense that not every file has it, and its size is not fixed.

The SizeOfOptionalHeader field in the COFF header helps ensure that any access to a specific data directory does not exceed its size.

Another key component is the NumberOfRvaAndSizes field, which ensures that no data directory entry extends beyond the optional header. Additionally, validating the optional header magic number is important for format compatibility.

The optional header's Magic field also determines whether the image is a PE32 (0x10b) or a PE32+ (0x20b) executable.

Sections:

This part follows the Optional Header, as the file header doesn’t contain any data related to the section table. The location of the section table is determined by calculating the first byte after the headers, considering the size of the Optional Header, which is specified in the file header.

The number of entries in the section table is defined by the NumberOfSections field found in the File Header, starting from 1. The entries for code and data sections are ordered based on the linker’s choices.

The section’s Virtual Addresses (VAs) are assigned by the linker in ascending and adjacent order. These VAs must be aligned to the SectionAlignment value from the Optional Header, ensuring they are a multiple of that alignment.


In a dump of the section table you can see that each VA is a multiple of the SectionAlignment.
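The whole walk described above (MZ signature, e_lfanew, PE\0\0, SizeOfOptionalHeader, NumberOfRvaAndSizes, Magic, and section VA alignment) as an added Python example that is not part of the original post; the sample image is constructed inline, and the field offsets are assumed from the PE32/PE32+ optional header layouts:

```python
import struct

MZ_SIGNATURE = 0x5A4D           # "MZ" read little-endian at offset 0
PE_SIGNATURE = b"PE\0\0"
PE32, PE32_PLUS = 0x10B, 0x20B

def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> NT headers -> section table, bounds-checking every step."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != MZ_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of the NT headers
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE\\0\\0 signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise ValueError("optional header extends past end of file")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_align = struct.unpack_from("<I", data, opt_off + 32)[0]    # SectionAlignment: same offset in PE32 and PE32+
    nrva_off = opt_off + (92 if magic == PE32 else 108)            # NumberOfRvaAndSizes
    if nrva_off + 4 > opt_off + opt_size:
        raise ValueError("optional header too small for NumberOfRvaAndSizes")
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    if nrva_off + 4 + nrva * 8 > opt_off + opt_size:               # each data directory entry is 8 bytes
        raise ValueError("data directories extend past the optional header")
    sections, prev_va = [], -1
    for i in range(nsections):                                      # table starts on the first byte after the headers
        off = opt_off + opt_size + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        if sec_align == 0 or va % sec_align or va <= prev_va:
            raise ValueError(f"section {i} VA {va:#x} not aligned/ascending")
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
        prev_va = va
    return {"machine": machine, "magic": magic, "section_alignment": sec_align, "characteristics": chars, "sections": sections}

def build_sample() -> bytes:
    """Constructed minimal PE32 image (not a real binary) with two 0x1000-aligned sections."""
    dos = struct.pack("<H", MZ_SIGNATURE) + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<H", PE32) + b"\0" * 30 + struct.pack("<II", 0x1000, 0x200)  # SectionAlignment, FileAlignment
    opt += b"\0" * (92 - len(opt)) + struct.pack("<I", 16) + b"\0" * 16 * 8         # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)               # i386, 2 sections, EXE | 32-bit
    def sec(name, va):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, 0, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIGNATURE + coff + opt + sec(b".text", 0x1000) + sec(b".data", 0x2000)
```

Running `parse_pe_headers(build_sample())` returns the parsed fields; feeding it a file whose e_lfanew or Magic has been corrupted raises ValueError instead of reading out of bounds.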

In the next post I will talk more about the DOS header, the NT headers and the sections, and I will try to explain each of them in as much detail as I can.
