Reversing Portable Executable
The main aim of this blog post is to understand the PE file structure and how Windows loads it. I will show the basic things that happen when a portable executable is started.
You can use any executable to dive into OS internals. Here I have used Microsoft's notepad.exe, and to debug it I have used Microsoft's debugger, WinDbg, which can be downloaded from here.
Portable Executable
The Portable Executable (PE) file format is organized as a linear stream of data. It begins with an MS-DOS header, a real-mode program stub and the PE file signature ("PE\0\0"); the stub is variable in length, so the DOS header's e_lfanew field holds the file offset of the signature. Immediately after the signature come the PE file header and the optional header. Beyond these come all the section headers, followed by the section bodies. At the end, a few other regions of miscellaneous information, including relocation information and symbol table information, may be present.
PE is the file format for executables, DLLs and other binaries used by the Windows operating system. It is a data structure that encapsulates the information the Windows loader needs to manage the wrapped executable code: dynamic library references for linking, API export and import tables, relocation data, etc. Here we are going to understand the PE structure, the concepts behind it and the various data directories inside it. Let’s get started.
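As an added example (this is not code from the original post), here is a small Python parser that walks the layout described above in file order: DOS header, e_lfanew, PE signature, file header, optional header (PE32 and PE32+ differ), data directories and section table. It also maps an RVA back to a file offset, which is the step you need to read any data directory from disk. So that it runs offline, it builds a constructed, minimal PE32+ image in memory; that image, its section names and all its field values are assumptions made for the example, not values from notepad.exe. Every offset taken from the file is bounds-checked before it is dereferenced, because a hand-crafted PE can point e_lfanew, SizeOfOptionalHeader or the section table anywhere.

```python
import struct

# Signatures and magic values from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+


def parse_pe(data: bytes) -> dict:
    """Walk the layout in file order: DOS header -> PE signature -> file header ->
    optional header -> section table, bounds-checking every offset before following it."""
    if len(data) < 64:
        raise ValueError("too short for IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # e_lfanew (DOS header offset 0x3C) is the file offset of the PE signature;
    # the real-mode stub, if any, sits between the DOS header and that offset.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) immediately follows the 4-byte signature
    fh = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, fh)
    # IMAGE_OPTIONAL_HEADER: PE32 (0x10B) and PE32+ (0x20B) lay fields out differently
    opt = fh + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("optional header runs past end of file")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        is_pe64, base_fmt, base_off, ndirs_off = False, "<I", 28, 92
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        is_pe64, base_fmt, base_off, ndirs_off = True, "<Q", 24, 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < ndirs_off + 4:
        raise ValueError("optional header too small for its magic")
    (image_base,) = struct.unpack_from(base_fmt, data, opt + base_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    # Data directories, (RVA, Size) pairs: 0 export, 1 import, 5 base reloc, 12 IAT, ...
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    directories = [struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * i)
                   for i in range(min(ndirs, 16)) if ndirs_off + 12 + 8 * i <= opt_size]
    # Section table: NumberOfSections x IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"is_pe64": is_pe64, "machine": machine, "characteristics": characteristics,
            "image_base": image_base, "entry_point_rva": entry_rva,
            "entry_point_va": image_base + entry_rva, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "data_directories": directories,
            "sections": sections}


def rva_to_offset(info: dict, rva: int):
    """Map an RVA (offset from ImageBase once loaded) to a file offset; None if memory-only."""
    if rva < info["size_of_headers"]:
        return rva                      # headers are mapped 1:1 at the image start
    for s in info["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32+ image for this example (assumed values, not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40, no stub
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x0022)  # AMD64, 2 sections
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint (RVA)
    struct.pack_into("<Q", opt, 24, 0x140000000)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, 0x2000, 0x28)  # DataDirectory[1] = import table
    def sec(name, va, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, va, 0x200, raw_ptr, 0, 0, 0, 0, flags)
    secs = sec(b".text", 0x1000, 0x200, 0x60000020) + sec(b".rdata", 0x2000, 0x400, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + secs
    headers += b"\0" * (0x200 - len(headers))              # pad to SizeOfHeaders
    return headers + b"\0" * 0x400                         # two 0x200-byte section bodies


SAMPLE_PE = build_sample_pe()
```

On a real file, `parse_pe(open("notepad.exe", "rb").read())` gives the same fields that WinDbg's `!dh` command prints for a loaded module; comparing the two is a quick way to see which header values the loader honours and which (SizeOfImage, SectionAlignment, the data directory RVAs) only make sense once the image is mapped. The unchecked versions of e_lfanew and SizeOfOptionalHeader are exactly the fields fuzzed PE files use to crash naive parsers, so the bounds checks are not optional.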