PE102 - a Windows executable format overview v1.01
2009-2013
Ange Albertini
http://corkami.com
Creative Commons Attribution
IMAGE_DELAY_IMPORT_DESCRIPTOR
  00 +4  grAttrs
  04 +4  szName
  08 +4  phmod
  0c +4  pIAT
  10 +4  pINT
  14 +4  pBoundIAT
  18 +4  pUnloadIAT
  1c +4  dwTimeStamp
IMAGE_DEBUG_DIRECTORY
  00 +4  Characteristics
  04 +4  TimeDateStamp
  08 +2  MajorVersion
  0a +2  MinorVersion
  0c +4  Type              1: Coff, 2: CV-PDB, 9: Borland
  10 +4  SizeOfData
  14 +4  AddressOfRawData
  18 +4  PointerToRawData
D Delay imports
6 Debug symbols
Legend (link types used in the diagram): Relative Virtual Address; offset; relative offset; Virtual Address (requires relocation)
3 Signature
7 Copyright
B Bound imports
0 Exports
IMAGE_EXPORT_DIRECTORY ("Export Table")
  00 +4  Characteristics
  04 +4  TimeDateStamp
  08 +2  MajorVersion
  0a +2  MinorVersion
  0c +4  Name                   -> "<dll>"
  10 +4  Base
  14 +4  NumberOfFunctions
  18 +4  NumberOfNames
  1c +4  AddressOfFunctions     -> array of: 00 +4 Function
  20 +4  AddressOfNames         -> array of: 00 +4 Name
  24 +4  AddressOfNameOrdinals  -> array of: 00 +4 NameOrdinal
  Resolved export: <address>: <api> <ordinal> (or "<dll>.<name>" for import forwarding)
<copyright string> (content of the Copyright directory)
IMAGE_BOUND_IMPORT_DESCRIPTOR
  00 +4  TimeDateStamp
  04 +2  OffsetModuleName
  06 +2  NumberOfModuleForwarderRefs
WIN_CERTIFICATE
  00 +4  dwLength
  04 +2  wRevision
  06 +2  wCertificateType
  08 +?  bCertificate[]
IMAGE_COR20_HEADER
  00 +4  cb
  04 +2  MajorRuntimeVersion
  06 +2  MinorRuntimeVersion
  08 +8  MetaData
  10 +4  Flags
  14 +4  EntryPointToken/RVA
  18 +8  Resources
  20 +8  StrongNameSignature
  28 +8  CodeManagerTable
  30 +8  VTableFixups
  38 +8  ExportAddressTableJumps
  40 +8  ManagedNativeHeader
METADATAHDR
  00 +4  Signature       BSJB
  04 +2  MajorVersion
  06 +2  MinorVersion
  08 +4  Reserved
  0C +4  VersionLength
  10 +?  Version
     +2  Flags           =0
     +2  Streams
METADATATABLESHDR
  00 +4  Reserved1
  04 +1  MajorVersion
  05 +1  MinorVersion
  06 +1  HeapOffsetSizes
  07 +1  Reserved2
  08 +8  MaskValid        which tables are present
  10 +8  MaskSorted       which tables are sorted
     +4  NumRows[≤64]     how many rows in each table
METADATASTREAMHDR
  00 +4  offset
  04 +4  size
  08 +?  string           Stream name
     +?  padding
TYPEREFTABLE
  00 +2  ResolutionScope
  02 +2  Name
  04 +2  Namespace
TYPEDEFTABLE
  00 +4  Flags
  04 +2  Name
  06 +2  Namespace
  08 +2  Extends
  0A +2  FieldList
  0C +2  MethodList
METHODDEFTABLE
  00 +4  RVA
  04 +2  ImplFlags
  06 +2  Flags
  08 +2  Name
  0A +2  Signature
  0C +2  ParamList
MEMBERREFTABLE
  00 +2  Class
  02 +2  Name
  04 +2  Signature
ASSEMBLYTABLE
  00 +4  HashAlgId
  04 +2  MajorVersion
  06 +2  MinorVersion
  08 +2  BuildNumber
  0A +2  RevisionNumber
  0C +4  Flags
  10 +2  PublicKey
  12 +2  Name
  14 +2  Culture
MODULETABLE
  00 +2  Generation
  02 +2  Name
  04 +2  Mvid
  06 +2  EncId
  08 +2  EncBaseId
ASSEMBLYREFTABLE
  00 +2  MajorVersion
  02 +2  MinorVersion
  04 +2  BuildNumber
  06 +2  RevisionNumber
  08 +4  Flags
  0c +2  PublicKeyOrToken
  0e +2  Name
  10 +2  Culture
  12 +2  HashValue
CUSTOMATTRIBUTETABLE
  00 +2  Parent
  02 +2  Type
  04 +2  Value
E .NET
Metadata tables (in the #~ stream): mdtModule, mdtTypeRef, mdtTypeDef, ..., mdtMethodDef, ..., mdtMemberRef, mdtCustomAttribute, ..., mdtAssembly, mdtAssemblyRef, ...
Streams:
  MetaStream (#~)     always 1st; holds the metadata tables
  String (#Strings)   "mscorlib\0" "System\0" "Object\0" ...
  User String (#US)   "Hello World!\0" ...
  Blob (#Blob)        public key token, signature, ...
  Stream              <Stream content>
Disclaimer: this is only a subset of the .Net structures, the ones required to make a working executable.
Resources (data itself)
  <Resource data>
  Icons     RT_ICON 3       <header-less .ICO data>
  Manifest  RT_MANIFEST 24  <XML file>, example: <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0' />
Version information  RT_VERSION 16
  VS_VERSION_INFO
    VS_FIXEDFILEINFO
    StringFileInfo
      StringTable
        String
    VarFileInfo
      Var
VS_VERSION_INFO
  00 +2     wLength
  02 +2     wValueLength
  04 +2     wType          0: bin / 1: text
  06 +2*?   szKey[]        "VS_VERSION_INFO"
     +0-3   Padding1
  ?? +34    Value          VS_FIXEDFILEINFO
  ?? +0-3   Padding2
  ?? +?     Children
VS_FIXEDFILEINFO
  00 +4  dwSignature         0xFEEF04BD
  04 +4  dwStrucVersion
  08 +4  dwFileVersionMS
  0c +4  dwFileVersionLS
  10 +4  dwProductVersionMS
  14 +4  dwProductVersionLS
  18 +4  dwFileFlagsMask
  1c +4  dwFileFlags
  20 +4  dwFileOS
  24 +4  dwFileType
  28 +4  dwFileSubtype
  2c +4  dwFileDateMS
  30 +4  dwFileDateLS
StringFileInfo
  00 +2 wLength; 02 +2 wValueLength (0: no value); 04 +2 wType (0: children are binary); 06 +2*? szKey "StringFileInfo"; +0-3 Padding; ?? +? Children
StringTable
  00 +2 wLength; 02 +2 wValueLength (0 = no value); 04 +2 wType (1); 06 +2*? szKey "<language ID>"; +0-3 Padding; ?? +? Children
String
  00 +2 wLength; 02 +2 wValueLength; 04 +2 wType (1: text); 06 +2*? szKey ex: "ProductName"; +0-3 Padding; +2*? Value[] ex: "Notepad"
VarFileInfo
  00 +2 wLength; 02 +2 wValueLength (0 = no value); 04 +2 wType; 06 +2*? szKey "VarFileInfo"; +0-3 Padding; ?? +? Children
Var
  00 +2 wLength; 02 +2 wValueLength; 04 +2 wType; 06 +2*? szKey "Translation"; +0-3 Padding; +4*? Value[] (04b00h << 16 + 409h)
Strings  RT_STRING 6
  16 strings per block (always), each:
  00 +2  length   null = no string
  02 +?  string
Group Icons  RT_GROUP_ICON 14
GRPICONDIR
  00 +2  idReserved   always 0 (enforced)
  02 +2  idType       always 1 for icons
  04 +2  idCount
GRPICONDIRENTRY
  00 +1  bWidth
  01 +1  bHeight
  02 +1  bColorCount
  03 +1  bReserved
  04 +2  wPlanes
  06 +2  wBitCount
  08 +4  dwBytesInRes
  0C +2  nId          Icon Id
A LoadConfig
IMAGE_LOAD_CONFIG_DIRECTORY(32/64)
  32b  64b  size
  00   00   +4     Size
  04   04   +4     TimeDateStamp
  08   08   +2     MajorVersion
  0A   0A   +2     MinorVersion
  0C   0C   +4     GlobalFlagsClear
  10   10   +4     GlobalFlagsSet
  14   14   +4     CriticalSectionDefaultTimeout
  18   18   +4/+8  DeCommitFreeBlockThreshold
  1C   20   +4/+8  DeCommitTotalFreeThreshold
  20   28   +4/+8  LockPrefixTable
  24   30   +4/+8  MaximumAllocationSize
  28   38   +4/+8  VirtualMemoryThreshold
  2C   48   +4     ProcessHeapFlags             (64b: stored after ProcessAffinityMask)
  30   40   +4/+8  ProcessAffinityMask
  34   4C   +2     CSDVersion
  36   4E   +2     Reserved1
  38   50   +4/+8  EditList
  3C   58   +4/+8  SecurityCookie
  40   60   +4/+8  SEHandlerTable               SafeSEH, -> HandlerTable
  44   68   +4/+8  SEHandlerCount
  48   70   +4/+8  GuardCFCheckFunctionPointer
  4C   78   +4/+8  Reserved2
  50   80   +4/+8  GuardCFFunctionTable
  54   88   +4/+8  GuardCFFunctionCount
  58   90   +4     GuardFlags
HandlerTable (SafeSEH; SEHandlerCount entries)
  00 +4  Handler   -> <exception handler code>
9 Thread Local Storage
IMAGE_TLS_DIRECTORY(32/64)
  32b    64b
  00 +4  00 +8  StartAddressOfRawData
  04 +4  08 +8  EndAddressOfRawData
  08 +4  10 +8  AddressOfIndex       -> pointer to TLS index
  0c +4  18 +8  AddressOfCallBacks   -> IMAGE_TLS_CALLBACK(32/64) array
  10 +4  20 +4  SizeOfZeroFill
  14 +4  24 +4  Characteristics
IMAGE_TLS_CALLBACK(32/64) array
  +4 / +8  Callback   -> <callback code>
  00000000           terminator
IMAGE_DOS_HEADER (OFFSET 0)
  00 +2  e_magic      MZ
  02 +2  e_cblp
  04 +2  e_cp         exe size
  06 +2  e_crlc
  08 +2  e_cparhdr    exe start
  0a +2  e_minalloc
  0c +2  e_maxalloc
  0e +2  e_ss         initial ss
  10 +2  e_sp         initial sp
  12 +2  e_csum
  14 +2  e_ip
  16 +2  e_cs
  18 +2  e_lfarlc
  1a +2  e_ovno
  1c +2  e_res[4]
  24 +2  e_oemid
  26 +2  e_oeminfo
  28 +2  e_res2[10]
  3c +4  e_lfanew     -> PE Header
Section Table: NumberOfSections entries of IMAGE_SECTION_HEADER
IMAGE_SECTION_HEADER
  00 +1  Name[8]
  08 +4  VirtualSize
  0c +4  VirtualAddress
  10 +4  SizeOfRawData
  14 +4  PointerToRawData
  18 +4  PointerToRelocations
  1c +4  PointerToLinenumbers
  20 +2  NumberOfRelocations
  22 +2  NumberOfLinenumbers
  24 +4  Characteristics   RWX
IMAGE_NT_HEADERS(32/64)
  00 +04      Signature       PE\0\0
  04 +14      FileHeader      IMAGE_FILE_HEADER
  18 +60/+70  OptionalHeader  IMAGE_OPTIONAL_HEADER(32/64), SizeOfOptionalHeader bytes
IMAGE_FILE_HEADER
  00 +2  Machine                CPU architecture
  02 +2  NumberOfSections
  04 +4  TimeDateStamp
  08 +4  PointerToSymbolTable
  0c +4  NumberOfSymbols
  10 +2  SizeOfOptionalHeader
  12 +2  Characteristics        exe/dll, relocs
IMAGE_OPTIONAL_HEADER(32/64)
  32b    64b
  00 +2  00 +2  Magic                        32b or 64b
  02 +1  02 +1  MajorLinkerVersion           required with signatures
  03 +1  03 +1  MinorLinkerVersion
  04 +4  04 +4  SizeOfCode
  08 +4  08 +4  SizeOfInitializedData
  0c +4  0c +4  SizeOfUninitializedData
  10 +4  10 +4  AddressOfEntryPoint
  14 +4  14 +4  BaseOfCode
  18 +4  ----   BaseOfData                   32b only
  1c +4  18 +8  ImageBase                    suggested address to load the file
  20 +4  20 +4  SectionAlignment             =2^y, with y≥x
  24 +4  24 +4  FileAlignment                =2^x
  28 +2  28 +2  MajorOperatingSystemVersion
  2a +2  2a +2  MinorOperatingSystemVersion
  2c +2  2c +2  MajorImageVersion
  2e +2  2e +2  MinorImageVersion
  30 +2  30 +2  MajorSubsystemVersion        4: ≥W95, 5: ≥W2000, 6: ≥Vista
  32 +2  32 +2  MinorSubsystemVersion
  34 +4  34 +4  Win32VersionValue            overrides OS values in Thread Environment Block
  38 +4  38 +4  SizeOfImage
  3c +4  3c +4  SizeOfHeaders                not always sizeof(Headers)
  40 +4  40 +4  CheckSum                     only used for drivers
  44 +2  44 +2  Subsystem                    executable/driver...
  46 +2  46 +2  DllCharacteristics           NX, AppContainer, integrity, GuardCF...
  48 +4  48 +8  SizeOfStackReserve
  4c +4  50 +8  SizeOfStackCommit
  50 +4  58 +8  SizeOfHeapReserve
  54 +4  60 +8  SizeOfHeapCommit
  58 +4  68 +4  LoaderFlags
  5c +4  6c +4  NumberOfRvaAndSizes          ≤16
  60 +8  70 +8  DataDirectory[]              VirtualAddress, Size (IMAGE_DATA_DIRECTORY entries)
Data Directories: NumberOfRvaAndSizes entries of IMAGE_DATA_DIRECTORY[] (VirtualAddress, Size)
  0 EXPORT
  1 IMPORT
  2 RESOURCE                icons, manifest, version...
  3 EXCEPTION               64bits exceptions
  4 SECURITY                Authenticode signature
  5 BASERELOC               relocations
  6 DEBUG                   symbols
  7 COPYRIGHT/Architecture  useless
  8 GLOBALPTR               only on Itanium systems
  9 TLS                     Thread Local Storage
  A LOAD_CONFIG             SafeSEH, GlobalFlags...
  B BOUND_IMPORT            speeds up imports loading
  C IAT                     Import Address table
  D DELAY_IMPORT
  E COM_DESCRIPTOR          .NET header
  F reserved                unused
  <ignored>...
Diagram labels: DOS Header; PE Header; section start in memory; section start in file; where execution starts
4 Exceptions
RUNTIME_FUNCTION
  00 +4  FunctionStart
  04 +4  FunctionEnd
  08 +4  UnwindInfo       -> UNWIND_INFO
UNWIND_INFO
  00 +1  Version:3 / Flags:5
  01 +1  SizeOfProlog
  02 +1  CountOfCodes                 number of UNWIND_CODE entries that follow
  03 +1  FrameRegister:4 / Offset:4
  ?? +4  ExceptionHandler / FunctionEntry
     +4  ExceptionData[]
UNWIND_CODE
  00 +1  CodeOffset
  01 +1  UnwindOp:4 / OpInfo:4
  02 +2  FrameOffset
File vs. memory layout (the poster's map; NumberOfSections = 3 in the drawing)
  In the file (Offset):
    0x0               headers, SizeOfHeaders bytes; sections start at multiples of FileAlignment
    PointerToRawData  Section 1 (ex: code),  SizeOfRawData bytes
    PointerToRawData  Section 2 (ex: data),  SizeOfRawData bytes
    Section 3 (ex: uninit. data) has no raw data in the file
  In memory (Relative Virtual Address from ImageBase, ex: 0x400000):
    0x400000                     headers, SizeOfHeaders bytes
    VirtualAddress (BaseOfCode)  Section 1, VirtualSize (SizeOfCode)
    VirtualAddress (BaseOfData)  Section 2, VirtualSize (SizeOfInitializedData)
    VirtualAddress               Section 3, VirtualSize (SizeOfUninitializedData)
    sections start at multiples of SectionAlignment; the whole image spans SizeOfImage
  DIRECTORY.SIZE (required)
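As an added example (written for this page, not part of the poster), the Python below walks the headers described above, IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table, and converts an RVA to a file offset the way the file/memory map shows, returning None for an RVA that nothing in the file backs (the "uninit. data" case). It runs on a constructed 32-bit header set built inside the block; the flag names come from the Constants panel.

```python
import struct

# DllCharacteristics bits, as listed in the poster's Constants panel
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}

def parse_headers(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table and return the fields the memory map needs."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3c)                      # e_lfanew points at "PE\0\0"
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing MZ or PE\\0\\0 signature")
    fh = e_lfanew + 4                                                      # IMAGE_FILE_HEADER (0x14 bytes)
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 0x14                                                        # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x020b                # Magic 020b = 64-bit, 010b = 32-bit
    entry, = struct.unpack_from("<I", data, opt + 0x10)
    image_base, = struct.unpack_from("<Q" if is64 else "<I", data, opt + (0x18 if is64 else 0x1c))  # 64b: +8 @18, 32b: +4 @1c
    sect_align, file_align = struct.unpack_from("<II", data, opt + 0x20)
    size_of_headers, _, _, dllchars = struct.unpack_from("<IIHH", data, opt + 0x3c)
    sections = []
    for i in range(nsect):                                                 # IMAGE_SECTION_HEADER is 0x28 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 0x28 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode(), VirtualSize=vsize, VirtualAddress=va,
                             SizeOfRawData=rawsize, PointerToRawData=rawptr))
    return dict(machine=machine, is64=is64, ImageBase=image_base, AddressOfEntryPoint=entry,
                SectionAlignment=sect_align, FileAlignment=file_align, SizeOfHeaders=size_of_headers,
                DllCharacteristics=[n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit], sections=sections)

def rva_to_offset(pe, rva):
    """Map an RVA to a file offset; None when nothing in the file backs it (e.g. uninitialised data)."""
    if rva < pe["SizeOfHeaders"]:
        return rva                                                         # headers are mapped 1:1 at ImageBase
    for s in pe["sections"]:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + s["VirtualSize"]:
            delta = rva - s["VirtualAddress"]
            return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None
    return None

def build_sample_pe():
    """Constructed 32-bit header set (not a loadable program): .text backed by file data, .bss without."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3c, 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014c, 2, 0, 0, 0, 0xe0, 0x0102)   # I386, 2 sections, EXECUTABLE|32BIT
    opt = bytearray(0xe0)
    struct.pack_into("<H", opt, 0x00, 0x010b)                              # Magic: 32-bit
    struct.pack_into("<I", opt, 0x10, 0x1000)                              # AddressOfEntryPoint
    struct.pack_into("<III", opt, 0x1c, 0x400000, 0x1000, 0x200)           # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIHH", opt, 0x3c, 0x400, 0, 0, 0x0140)              # SizeOfHeaders, CheckSum, Subsystem, DYNAMIC_BASE|NX_COMPAT
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    bss = b".bss\0\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x2000, 0, 0, 0, 0, 0, 0, 0xc0000080)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + bss
```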
5 Relocations
IMAGE_BASE_RELOCATION (one per relocation block)
  00 +4  VirtualAddress
  04 +4  SizeOfBlock
  followed by entries:  +2  TypeOffset   Type:4 (ex: IMAGE_REL_BASED_HIGHLOW = 3), Offset:12
  Example target: PUSH EBP / PUSH offset szMyString (the absolute address of szMyString is what gets relocated)
2 Resources (Data Directory)
Tree: ROOT -> type -> name/IDs -> language -> data; each level is an IMAGE_RESOURCE_DIRECTORY followed by its entries
IMAGE_RESOURCE_DIRECTORY
  00 +4  Characteristics
  04 +4  TimeDateStamp
  08 +2  MajorVersion
  0a +2  MinorVersion
  0c +2  NumberOfNamedEntries
  0e +2  NumberOfIdEntries
IMAGE_RESOURCE_DIRECTORY_ENTRY (Named entries first, then Id entries)
  00 +4  Name/ID        1st level: type (RT_*); 2nd level: Name/ID; 3rd level: language
  04 +4  OffsetToData   -> next-level directory, or IMAGE_RESOURCE_DATA_ENTRY at the last level
IMAGE_RESOURCE_DATA_ENTRY
  00 +4  OffsetToData   -> <Resource data>
  04 +4  Size
  08 +4  CodePage
  0c +4  Reserved
1 Imports
IMAGE_IMPORT_DESCRIPTOR (one per library, ex: Kernel32.dll)
  00 +4  OriginalFirstThunk/Characteristics   -> IMAGE_THUNK_DATA array (import names)
  04 +4  TimeDateStamp
  08 +4  ForwarderChain
  0c +4  Name                                  -> "Kernel32.dll"
  10 +4  FirstThunk                            -> IMAGE_THUNK_DATA array (IAT, data directory C)
IMAGE_THUNK_DATA(32/64), one per imported function in each array
  +4 / +8  AddressOfData / Ordinal / ForwarderString / Function
IMAGE_IMPORT_BY_NAME (pointed to by AddressOfData)
  00 +2  Hint
  02 +1  Name[*]
Resolved import: <address> <library> <api> <hint>
C IAT
Constants
File header
  IMAGE_FILE_MACHINE_*  Machine:  I386 014c, ARMV7 01c4, AMD64 8664
  IMAGE_FILE_*  Characteristics:  RELOCS_STRIPPED 0001, EXECUTABLE_IMAGE 0002, LINE_NUMS_STRIPPED 0004, LOCAL_SYMS_STRIPPED 0008, LARGE_ADDRESS_AWARE 0020, 32BIT_MACHINE 0100, DEBUG_STRIPPED 0200, DLL 2000
Optional Header
  IMAGE_NT_OPTIONAL_HDR*_MAGIC  Magic:  32 010b, 64 020b
  IMAGE_SUBSYSTEM_*  Subsystem:  NATIVE (driver) 0001, WINDOWS_GUI 0002, WINDOWS_CUI (console) 0003
  IMAGE_DLLCHARACTERISTICS_*  DllCharacteristics:  DYNAMIC_BASE (aslr) 0040, NX_COMPAT (dep) 0100, NO_SEH 0400, TERMINAL_SERVER_AWARE 8000
Section
  IMAGE_SCN_*  Characteristics:  CNT_CODE 00000020, CNT_INITIALIZED_DATA 00000040, CNT_UNINITIALIZED_DATA 00000080, MEM_DISCARDABLE 02000000, MEM_SHARED (risky!) 10000000, MEM_EXECUTE 20000000, MEM_READ 40000000, MEM_WRITE 80000000
Relocations
  IMAGE_REL_BASED_*  TypeOffset type:  ABSOLUTE 0, HIGHLOW 3
Resources
  RT_*  Name/ID:  BITMAP 02, ICON 03, MENU 04, DIALOG 05, STRING 06, GROUP_ICON 0d, VERSION 10, MANIFEST 18