RIXED_LABS
Published in

RIXED_LABS

A brief introduction to PE format

Introduction

As a nerd being enthusiastic about Reverse Engineering & malware stuffs understanding various file formats is quite a important info because it will clear up some concepts about different sections of the file/executable , which can be helpful during reverse engineering or debugging the executable or further analysis of the binary. In this blog the context will mostly befocused on Portable Executable(PE) file format which are commonly used & discussing them might be useful.

Glimpse of PE File & it’s format

As per the MSDN documentation, This specification describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) or in layman terms PE file is a type of format that is used in Windows (both x86 and x64) architecture based on COFF (Common Object File Format) specification.

We loaded a simple file.exe onto a hex editor(010) . The PE Data Structure contains various parts like the DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Dictionaries and Sections.

We will brief about each one of them .

DOS Header :

The first 64 bytes of the PE File is occupied by the DOS header one can see the starting of the file with MZ which occupies the first two bytes 4D 5A which are initials of Mark Zbikowski , This field can also be called e_magic or the magic number which is one such important field to identify an MS-DOS- compatible file type.

DOS Stub :

During the execution of the application, if your program cannot be run on windows, this section involves the string which warns you that your program cannot be run on windows. When a Windows loader maps a PE file into the memory, the first byte of the file that gets mapped corresponds to the first byte of the MS-Dos stub.

PE File Header :

PE File header is a structure type named IMAGE_NT_HEADER which consists of three parts :

  1. Signature
  2. IMAGE_FILE_HEADER
  3. IMAGE _OPTIONAL_HEADER

Signature : According to MSDN, DWORD signature is a 4-byte signature that identifies the file as a PE format image file. This signature is “PE\0\0” (the letters “P” and “E” followed by two null bytes, where P and E are 50 & 45 in hex followed by two null bytes 0x00, 0x00.

IMAGE_FILE_HEADER : The file header consists of 20 bytes and contains basic info about the PE file like number of sections, architecture type, time stamp and a lot of info, you can check that out the members of this structure from the official docs .

IMAGE_OPTIONAL_HEADER : The image optional header contains a lot of important information beyond basic and brief information about some of its members can be quite helpful.

Magic : This field tells about the value of the image whether it is an 32-bit or 64-bit or an ROM image, for a 32-bit executable it will be represented as 0x10b, for 64-bit executable it will be represented as 0x20b and for an ROM image it will be represented as 0x107b.

Major Linker version & Minor Linker version tells about the version of the linker.

Address of EntryPoint : According to MSDN, it is a pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero.

BaseOfCode : This is the pointer to the beginning of the code section.

SizeOfImage : This tells about the size occupied by the executable during runtime.

Size of Header : According to MSDN, the combined size of the following items, rounded to a multiple of the value specified in the FileAlignment member.

  • e_lfanew member of IMAGE_DOS_HEADER
  • 4 byte signature
  • size of IMAGE_FILE_HEADER
  • size of optional header
  • size of all section headers

Image_Subsystem : According to MSDN , it can be defined as the subsystem required to run this image, here the value is (3) which means windows character mode user interface(CUI) subsystem is needed to run this image. The table can be accessed here.

DLL_Character : This field defines the DLL characteristics of the image, the table with the values and their meaning can be accessed from here.

Image_Data_Directory : This field indicates important components of executable information in the file. The current executable has 16 data structures.

Image_Section-Header: This field represents the image section header format,the info about it’s members can be found out from here.

SECTIONS

.text : This section of an executable contains the executable code and has more than one section.

.rdata : This table lists the Windows API used by the executable, along DLLs

.data : Contains initialized data.

.bss : This section contains uninitialized data

.pdata : Contains info on exception handling functions sections.

.reloc : Contains info on relocation.

.rsrc : Contains info like images and other necessary for application’s UI.

References :

Thanks to Cobra Baghdad for helping me out a minor issue 😄!

That was a small brief info on the Portable Executable file format, the next blog I will be writing a small info on ELF format. Till then happy learning.

Blog by Nerd of AX1AL. Join our Discord.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store