Portable Executable File Structure (.exe)
In this article, I’ll explain what I have learned about the Portable Executable (PE) file format.
PE file structure:
The Portable Executable (PE) file format is the file format for executables (.exe) and dynamic-link libraries (.dll) used by the 32-bit and 64-bit versions of Windows. It packages the information the Windows loader needs in order to map and run the wrapped executable code: the dynamic-library references needed for linking, the import table, the API export table, TLS data and resource management data.
Structure of the Portable Executable (PE) file format:
The image below shows the full structure of a PE file.
DOS Header:
It occupies the first 64 bytes of the PE file (IMAGE_DOS_HEADER). In this article we will not examine every field; we focus only on e_magic and e_lfanew.
In the ASCII column you can see “MZ”, the magic number. Every PE file starts with the two bytes 4D 5A, which read as the little-endian WORD 0x5A4D (IMAGE_DOS_SIGNATURE).
The other field of interest is e_lfanew, a 4-byte value at offset 0x3C. It holds the file offset of the PE header (the “PE\0\0” signature). This pointer is needed because the DOS stub that sits between the two headers has no fixed length.
In the image below, the DOS header of mspaint.exe is shown in the PE-bear tool.
DOS stub:
If a PE file is run under MS-DOS, the 16-bit stub program executes and prints “This program cannot be run in DOS mode”. The stub exists only to tell the user that the program requires Windows; the Windows loader itself skips it entirely.
You can see this in the given below image.
PE Header:
The e_lfanew field gives the offset of the PE header (IMAGE_NT_HEADERS). It consists of the Signature, the IMAGE_FILE_HEADER and the IMAGE_OPTIONAL_HEADER.
Signature - the first four bytes are the PE signature. In our sample mspaint.exe the bytes are 50 45 00 00, i.e. “PE” followed by two NUL bytes, which read as the little-endian DWORD 0x00004550 (IMAGE_NT_SIGNATURE). The ASCII column shows the string PE, so we have confirmed that this is a Portable Executable.
IMAGE_FILE_HEADER - a 20-byte structure (the COFF header) containing basic information about the file layout: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader and Characteristics. NumberOfSections and SizeOfOptionalHeader are the two values a parser needs in order to locate the section table.
IMAGE_OPTIONAL_HEADER - optional in name only. It is optional for COFF object files, but every executable image must have it, because it holds the information the loader needs to map and start the file. Its size is given by SizeOfOptionalHeader (224 bytes for PE32, 240 bytes for PE32+).
Some of the important fields are listed below:
(i) Magic - defines whether the image is 32-bit or 64-bit. The value 0x10b means PE32 (32-bit) and 0x20b means PE32+ (64-bit). The value also decides the layout of the rest of the optional header: for example, ImageBase is 4 bytes in PE32 but 8 bytes in PE32+.
(ii) AddressOfEntryPoint - the Relative Virtual Address (RVA) of the first instruction the loader transfers control to after the image has been mapped.
(iii) BaseOfCode and BaseOfData - the RVAs of the beginning of the code section and the data section, respectively. BaseOfData exists only in PE32; in PE32+ its four bytes are absorbed into the 8-byte ImageBase.
(iv) ImageBase - the preferred load address of the image. The traditional linker defaults are 0x400000 for 32-bit applications and 0x10000000 for 32-bit DLLs (0x140000000 and 0x180000000 for their 64-bit counterparts). When DllCharacteristics has DYNAMIC_BASE set, ASLR may load the image at a different address and the loader applies relocations, so never hard-code this value when analysing a running process.
(v) SizeOfImage - the size in bytes of the image in memory, including all headers, rounded up to a multiple of SectionAlignment.
(vi) SectionAlignment - the alignment of sections in memory (normally the page size, 0x1000).
(vii) FileAlignment - the alignment of section raw data in the file (commonly 0x200). Because the two alignments differ, a section’s VirtualAddress and PointerToRawData are usually not equal, which is why RVAs must be translated before reading a structure from disk.
(viii) Subsystem - identifies the target subsystem of the executable, for example 2 for a Windows GUI program and 3 for a Windows console (CUI) program.
Data Directory:
The data directory is an array at the end of the optional header that tells the loader where to find the other important components of the image. Each entry is an IMAGE_DATA_DIRECTORY holding an RVA and a size; NumberOfRvaAndSizes gives the number of entries, which is normally 16. You can see the data directory in the image below.
Some of the important data directories:
(i) Export Directory - contains the table of exported functions.
(ii) Import Directory - contains the table of imported DLLs and the functions imported from each.
(iii) Resource Directory - contains the table of resources such as icons and images embedded in the PE.
(iv) Import Address Table (IAT) - the table the loader fills at run time with the addresses of the imported functions; the code calls imports indirectly through it.
IMAGE_SECTION_HEADER:
The section table follows the optional header immediately (at the offset of the optional header plus SizeOfOptionalHeader) and holds one 40-byte IMAGE_SECTION_HEADER per section, NumberOfSections in total. Each entry describes one section of the executable. You can see this in the image below.
Some of the important fields are given below:
(i) VirtualSize - the size of the section in memory.
(ii) VirtualAddress - the RVA of the section, i.e. its offset from ImageBase once loaded. For example, if ImageBase is 0x400000 and VirtualAddress is 0x1000, the section starts at 0x401000 in memory.
(iii) SizeOfRawData - the size of the section’s data in the PE file, rounded up to FileAlignment. If it is smaller than VirtualSize, the remainder is zero-filled in memory.
(iv) PointerToRawData - the file offset where the section’s data starts. Together with VirtualAddress it lets you convert an RVA to a file offset: file offset = RVA - VirtualAddress + PointerToRawData.
(v) Characteristics - flags describing the section’s content and its memory access rights, e.g. IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE (shown as R, RW or RWX). A section that is both writable and executable is unusual in a compiler-built binary and worth a second look.
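As an added example (my own code, not part of the original article and not the PE-bear tool), the Python script below does by hand what the PE-bear screenshots show: it reads e_magic and e_lfanew, checks the PE signature, parses IMAGE_FILE_HEADER, the PE32/PE32+ optional header and the data directories, walks the section table, renders the Characteristics flags as R/W/X, and converts RVAs to file offsets with VirtualAddress and PointerToRawData. The input is a small PE32 image constructed inside the script; its field values, section names and directory RVAs are made up for the example and are not taken from mspaint.exe, so it runs offline. To use it on a real binary, pass `open("file.exe", "rb").read()` to `parse_pe`.

```python
"""Added example (not from the original article): walk a PE file from the DOS header
to the section table and convert RVAs to file offsets. The sample image below is
constructed by hand; its values are made up and it is not mspaint.exe."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # bytes "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # bytes "PE\0\0" read as a little-endian DWORD
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32: .text at RVA 0x1000 / file 0x200, .rdata at RVA 0x2000 / file 0x400."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew: PE header lives at file offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, 224-byte opt hdr
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6
    opt = struct.pack(opt_fmt, PE32_MAGIC, 14, 0, 0x200, 0x200, 0,       # Magic, linker ver, code/data sizes
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,   # Entry, BaseOfCode/Data, ImageBase, aligns
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8140,  # versions, SizeOfImage/Headers, CUI subsystem
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)         # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12] = (0x2000, 0x28), (0x2010, 0x8)        # IMPORT directory and IAT, both placed in .rdata
    data_dirs = b"".join(struct.pack("<II", *d) for d in dirs)
    sec = lambda n, vs, va, rs, rp, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    secs = sec(b".text", 0x10, 0x1000, 0x200, 0x200, 0x60000020)       # CODE | EXECUTE | READ
    secs += sec(b".rdata", 0x28, 0x2000, 0x200, 0x400, 0x40000040)     # INITIALIZED_DATA | READ
    headers = (bytes(dos) + stub + b"PE\0\0" + file_hdr + opt + data_dirs + secs).ljust(0x200, b"\0")
    return headers + b"\x31\xc0\xc3".ljust(0x200, b"\0") + b"hello".ljust(0x200, b"\0")   # xor eax,eax ; ret


def parse_pe(data: bytes) -> dict:
    """Parse the headers; raises ValueError for anything that is not a well-formed PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at PE\\0\\0")
    fh = e_lfanew + 4                                         # IMAGE_FILE_HEADER follows the 4-byte signature
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                             # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if opt + opt_size + 40 * nsec > len(data):
        raise ValueError("optional header or section table runs past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    plus = magic == PE32PLUS_MAGIC
    # Offsets below are identical in PE32 and PE32+, except ImageBase: DWORD at +28 (PE32) or QWORD at +24 (PE32+)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0] if plus else struct.unpack_from("<I", data, opt + 28)[0]
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs_off = opt + (108 if plus else 92)                  # NumberOfRvaAndSizes, then the directory array
    n_dirs = min(struct.unpack_from("<I", data, n_dirs_off)[0], 16)   # cap it: malformed files claim more
    dirs = [struct.unpack_from("<II", data, n_dirs_off + 4 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsec):                                     # 40-byte IMAGE_SECTION_HEADERs right after the optional header
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "size_of_raw_data": rawsize,
                         "pointer_to_raw_data": rawptr, "characteristics": chars})
    return {"machine": machine, "pe32plus": plus, "entry_point": entry, "image_base": image_base,
            "section_alignment": sec_align, "file_alignment": file_align, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "subsystem": subsystem,
            "data_directories": dirs, "sections": sections}


def perms(chars: int) -> str:
    """Render a section's memory rights as R/W/X, e.g. 'R-X' for a normal .text section."""
    return "".join(c if chars & bit else "-" for c, bit in
                   (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE)))


def section_for_rva(pe: dict, rva: int):
    """Section whose in-memory range covers the RVA (the larger of VirtualSize and SizeOfRawData), or None."""
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["size_of_raw_data"]):
            return s
    return None


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to its file offset; None if unmapped or if it only exists as zero-fill in memory."""
    if rva < pe["size_of_headers"]:
        return rva                                            # headers are mapped at ImageBase unchanged
    s = section_for_rva(pe, rva)
    if s is None or rva - s["virtual_address"] >= s["size_of_raw_data"]:
        return None
    return rva - s["virtual_address"] + s["pointer_to_raw_data"]


if __name__ == "__main__":
    image = build_sample_pe32()
    pe = parse_pe(image)
    print(f"{'PE32+' if pe['pe32plus'] else 'PE32'} ImageBase={pe['image_base']:#x} "
          f"EntryPoint RVA={pe['entry_point']:#x} Subsystem={pe['subsystem']}")
    for s in pe["sections"]:
        print(f"  {s['name']:<8} VA={s['virtual_address']:#07x} VSize={s['virtual_size']:#06x} "
              f"Raw@{s['pointer_to_raw_data']:#06x} {perms(s['characteristics'])}")
    ep = section_for_rva(pe, pe["entry_point"])
    off = rva_to_offset(pe, pe["entry_point"])
    print(f"entry point in {ep['name'] if ep else 'no section'}, file offset {off:#x}, first bytes {image[off:off + 3].hex()}")
    if ep is None or not ep["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        print("WARNING: entry point is not inside an executable section")
```

Two design points worth noting. `section_for_rva` uses the larger of VirtualSize and SizeOfRawData, because either may be the smaller one in a valid file, and `rva_to_offset` returns None for an RVA that lands in the zero-filled tail of a section, since there is nothing on disk to read there. The final check (entry point not inside a section with IMAGE_SCN_MEM_EXECUTE) is a cheap first-pass triage test for packed or tampered binaries; combined with `perms` it also surfaces RWX sections at a glance.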
Sections:
You can see the sections of the PE file in the image below.
(i) .text section - contains the program’s instructions (code).
(ii) .data section - writable data with initialized, non-zero content.
(iii) .rdata section - read-only data such as string literals and constants.
(iv) .edata section - the export directory and its tables (the names, ordinals and addresses of the exported functions).
(v) .rsrc section - resources for the executable such as icons, images, etc.
(vi) .debug section - debug information.
6/10. Didn't go in depth about the PE32 structure; this is just a vague outline of it.
Forgot about .bss? Uninitialized data within the structure?
Senior Security Analyst at Ramboll
2y
Well said