PE Header Walkthrough

[Figure: hex dump of the sample executable's headers, offsets 0x0000 to 0x0260, repeated once per panel with the following fields highlighted.
DOS header: e_magic, e_lfanew.
NT headers: Signature, Machine, SizeOfOptionalHeader, NumberOfSections.
Optional header: Magic, AddressOfEntryPoint, ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders, NumberOfRvaAndSizes.
Data directories (VirtualAddress, Size): Export, Import, Resource, Exception, Security, Basereloc, Debug, Copyright, GlobalPtr, TLS, LoadConfig, BoundImport, IAT, Delayimport, COM Descriptor.]

The DOS Header

The DOS header can be found starting at offset zero in all Portable Executable
files. Nowadays its main objective is to indicate the offset of the main headers
containing the actual information about the PE file, the NT headers. The offset
at which those headers are found is stored in the e_lfanew member.

NT Headers

The NT headers contain three members: a signature and two other structures
defining the File header and the Optional header. The signature is the
standard doubleword 0x50450000 with ASCII representation "PE". Some of the
important members of the File header are Machine, specifying the target
architecture for which this PE file is compiled, and the self-describing
SizeOfOptionalHeader and NumberOfSections.

Optional Header

The Optional header member describes elements of the file such as the import
and export directories that make it possible to locate and link DLL libraries
(which are PE files as well). Other entries provide structural information about
the layout of the file, such as the alignment of its sections.

The slight irony behind the name Optional (it contains a wealth of critical
information about an EXE or DLL file) comes from the fact that the PE format
can also describe object files that are not meant to be run or otherwise need
any of the information contributed by this header.

The Data Directories

These entries, contained within the Optional header, point to a wide selection
of miscellaneous information about the file: imported and exported symbols,
debug information, resource information (icon data, version information) and
others.
All of these are optional, but few PE files go without having a symbol import or
export table that would allow them to link to (or have their symbols used by)
other PE files.

[Figure: the same hex dump with the section headers highlighted: SizeOfOptionalHeader and the beginning of the section headers, then the section header fields Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.]

A Walk Through the PE32 Format


Display of the main headers describing the basic information contained in a
Portable Executable file and how it maps to the data in a simple executable.
More details about the Portable Executable format can be found at:
http://en.wikipedia.org/wiki/Portable_Executable

[Figure labels, remaining section header fields: PointerToRelocations, PointerToLineNumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.]

Locating the Section Headers

The Section headers follow immediately after the Optional header. The
procedure to find their starting offset is to add the value from the File header
member SizeOfOptionalHeader to the starting offset of the Optional header.
The resulting value will point to the first section header. The number of sections
is specified by the field NumberOfSections in the File header.

The Section Headers

The Section headers describe each of the sections making up the file. Sections
can contain code (often referred to as text, hence the common section name
'.text'), initialized and uninitialized data, more information describing the PE file
itself such as resources or any other data the developer wishes to add.
There can be an arbitrary number of sections in a PE file.

Each Section header structure contains the details needed to find it within the
file (PointerToRawData), its size on disk (SizeOfRawData) and once loaded
(VirtualSize) and where to load it in memory (VirtualAddress) relative to the
Optional header field ImageBase. Whether the section contains executable
code, can be read from, written to or has other properties is specified by the
Characteristics field.
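
The section-header lookup described above, as an added Python example (not code from the original poster): it follows e_lfanew to the NT headers, adds SizeOfOptionalHeader to the Optional header offset to reach the section table, and decodes each header with a bounds check at every hop. The sample bytes are constructed for the illustration; the names parse_sections and build_sample and the two anomaly flags are assumptions of this example.

```python
import struct

FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
MEM_READ, MEM_WRITE, MEM_EXECUTE = 0x40000000, 0x80000000, 0x20000000
PERM_BITS = (("r", MEM_READ), ("w", MEM_WRITE), ("x", MEM_EXECUTE))


def parse_sections(data):
    """Walk DOS header -> NT headers -> section table, bounds-checking each hop."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header (e_magic)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    file_hdr_off = e_lfanew + 4                  # skip the "PE\0\0" signature
    opt_off = file_hdr_off + struct.calcsize(FILE_HEADER_FMT)
    if opt_off > len(data) or data[e_lfanew:file_hdr_off] != b"PE\0\0":
        raise ValueError("e_lfanew does not lead to a PE signature")
    (machine, nsections, _, _, _, size_of_optional, _) = struct.unpack_from(
        FILE_HEADER_FMT, data, file_hdr_off)
    # First section header = start of Optional header + SizeOfOptionalHeader.
    table_off = opt_off + size_of_optional
    if table_off + nsections * SECTION_SIZE > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars) = \
            struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_SIZE)
        flags = []                               # anomaly checks added by this example
        if raw_size and raw_ptr + raw_size > len(data):
            flags.append("raw data past EOF")
        if chars & MEM_WRITE and chars & MEM_EXECUTE:
            flags.append("writable and executable")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "VirtualAddress": vaddr, "VirtualSize": vsize,
            "PointerToRawData": raw_ptr, "SizeOfRawData": raw_size,
            "perms": "".join(c if chars & bit else "-" for c, bit in PERM_BITS),
            "flags": flags,
        })
    return {"machine": machine, "section_table_offset": table_off,
            "sections": sections}


def build_sample(e_lfanew=0xE8, size_of_optional=0xE0):
    """Constructed sample: valid headers, zeroed Optional header and section data."""
    secs = [(b".text", 0x6D72, 0x1000, 0x6E00, 0x0400, 0x60000020),
            (b".data", 0x1BA8, 0x8000, 0x0600, 0x7200, 0xC0000040),
            (b".rsrc", 0x8948, 0xA000, 0x8A00, 0x7800, 0x40000040)]
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack(FILE_HEADER_FMT, 0x014C, len(secs),
                                   0, 0, 0, size_of_optional, 0x010F)
    hdr += bytes(size_of_optional)               # Optional header body not needed here
    for name, vsize, vaddr, rsize, rptr, chars in secs:
        hdr += struct.pack(SECTION_FMT, name, vsize, vaddr, rsize, rptr,
                           0, 0, 0, 0, chars)
    return bytes(hdr) + bytes(0x7800 + 0x8A00 - len(hdr))


if __name__ == "__main__":
    pe = parse_sections(build_sample())
    print("section table at 0x%04x" % pe["section_table_offset"])
    for s in pe["sections"]:
        print("%-8s %s raw=0x%x+0x%x rva=0x%x %s" % (
            s["name"], s["perms"], s["PointerToRawData"], s["SizeOfRawData"],
            s["VirtualAddress"], s["flags"] or ""))
```

Truncating the sample before the end of the last section's raw data makes that section report "raw data past EOF", which is the check a parser needs before it reads or maps section contents from an untrusted file.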

2007 Ero Carrera


http://dkbza.org
http://blog.dkbza.org
