meta: id: microsoft_pe title: Microsoft PE (Portable Executable) file format application: Microsoft Windows file-extension: - exe - dll - sys xref: justsolve: Portable_Executable pronom: x-fmt/411 wikidata: Q1076355 tags: - executable - windows license: CC0-1.0 ks-version: 0.7 endian: le doc-ref: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format seq: - id: mz type: mz_placeholder instances: pe: pos: mz.ofs_pe type: pe_header enums: pe_format: 0x107: rom_image 0x10b: pe32 0x20b: pe32_plus types: mz_placeholder: seq: - id: magic contents: "MZ" - id: data1 size: 0x3a - id: ofs_pe type: u4 doc: In PE file, an offset to PE header pe_header: seq: - id: pe_signature contents: ["PE", 0, 0] - id: coff_hdr type: coff_header - id: optional_hdr type: optional_header size: coff_hdr.size_of_optional_header - id: sections repeat: expr repeat-expr: coff_hdr.number_of_sections type: section instances: certificate_table: pos: optional_hdr.data_dirs.certificate_table.virtual_address size: optional_hdr.data_dirs.certificate_table.size type: certificate_table if: optional_hdr.data_dirs.certificate_table.virtual_address != 0 coff_header: doc-ref: 3.3. COFF File Header (Object and Image) seq: - id: machine type: u2 enum: machine_type - id: number_of_sections type: u2 - id: time_date_stamp type: u4 - id: pointer_to_symbol_table type: u4 - id: number_of_symbols type: u4 - id: size_of_optional_header type: u2 - id: characteristics type: u2 instances: symbol_table_size: value: number_of_symbols * 18 symbol_name_table_offset: value: pointer_to_symbol_table + symbol_table_size symbol_name_table_size: pos: symbol_name_table_offset type: u4 symbol_table: pos: pointer_to_symbol_table type: coff_symbol repeat: expr repeat-expr: number_of_symbols enums: # Don't forget to update the `machine_type` enum in `executable/uefi_te.ksy` when # you modify this one. # # https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types machine_type: 0x0: id: unknown doc: The content of this field is assumed to be applicable to any machine type 0x184: id: alpha doc: Alpha AXP, 32-bit address space 0x284: id: alpha64_or_axp64 -orig-id: - IMAGE_FILE_MACHINE_ALPHA64 - IMAGE_FILE_MACHINE_AXP64 doc: | > Alpha 64, 64-bit address space or > AXP 64 (Same as Alpha 64) 0x1d3: id: am33 doc: Matsushita AM33 0x8664: id: amd64 doc: x64 0x1c0: id: arm doc: ARM little endian 0xaa64: id: arm64 doc: ARM64 little endian 0x1c4: id: arm_nt -orig-id: IMAGE_FILE_MACHINE_ARMNT doc: ARM Thumb-2 little endian 0xebc: id: ebc doc: EFI byte code 0x14c: id: i386 doc: Intel 386 or later processors and compatible processors 0x200: id: ia64 doc: Intel Itanium processor family 0x6232: id: loongarch32 doc: LoongArch 32-bit processor family 0x6264: id: loongarch64 doc: LoongArch 64-bit processor family 0x9041: id: m32r doc: Mitsubishi M32R little endian 0x266: id: mips16 doc: MIPS16 0x366: id: mips_fpu -orig-id: IMAGE_FILE_MACHINE_MIPSFPU doc: MIPS with FPU 0x466: id: mips16_fpu -orig-id: IMAGE_FILE_MACHINE_MIPSFPU16 doc: MIPS16 with FPU 0x1f0: id: powerpc doc: Power PC little endian 0x1f1: id: powerpc_fp -orig-id: IMAGE_FILE_MACHINE_POWERPCFP doc: Power PC with floating point support 0x166: id: r4000 doc: MIPS little endian 0x5032: id: riscv32 doc: RISC-V 32-bit address space 0x5064: id: riscv64 doc: RISC-V 64-bit address space 0x5128: id: riscv128 doc: RISC-V 128-bit address space 0x1a2: id: sh3 doc: Hitachi SH3 0x1a3: id: sh3_dsp -orig-id: IMAGE_FILE_MACHINE_SH3DSP doc: Hitachi SH3 DSP 0x1a6: id: sh4 doc: Hitachi SH4 0x1a8: id: sh5 doc: Hitachi SH5 0x1c2: id: thumb doc: Thumb 0x169: id: wce_mips_v2 -orig-id: IMAGE_FILE_MACHINE_WCEMIPSV2 doc: MIPS little-endian WCE v2 coff_symbol: seq: - id: name_annoying type: annoyingstring size: 8 #- id: name_zeroes # type: u4 #- id: name_offset # type: u4 - id: value type: u4 - id: section_number type: u2 - id: type type: u2 - id: storage_class type: u1 - id: number_of_aux_symbols type: u1 instances: #effective_name: # value: name_zeroes == 0 ? name_from_offset : '"fixme"' #name_from_offset: # io: _root._io # pos: name_zeroes == 0 ? _parent.symbol_name_table_offset + name_offset : 0 # type: str # terminator: 0 # encoding: ascii section: value: _root.pe.sections[section_number - 1] data: pos: section.pointer_to_raw_data + value size: 1 annoyingstring: -webide-representation: '{name}' instances: name_zeroes: pos: 0 type: u4 name_offset: pos: 4 type: u4 name_from_offset: io: _root._io pos: 'name_zeroes == 0 ? _parent._parent.symbol_name_table_offset + name_offset : 0' type: str terminator: 0 eos-error: false encoding: ascii if: name_zeroes == 0 name_from_short: pos: 0 type: str terminator: 0 eos-error: false encoding: ascii if: name_zeroes != 0 name: value: 'name_zeroes == 0 ? name_from_offset : name_from_short' optional_header: seq: - id: std type: optional_header_std - id: windows type: optional_header_windows - id: data_dirs type: optional_header_data_dirs optional_header_std: seq: - id: format type: u2 enum: pe_format - id: major_linker_version type: u1 - id: minor_linker_version type: u1 - id: size_of_code type: u4 - id: size_of_initialized_data type: u4 - id: size_of_uninitialized_data type: u4 - id: address_of_entry_point type: u4 - id: base_of_code type: u4 - id: base_of_data type: u4 if: format == pe_format::pe32 optional_header_windows: seq: - id: image_base_32 type: u4 if: _parent.std.format == pe_format::pe32 - id: image_base_64 type: u8 if: _parent.std.format == pe_format::pe32_plus - id: section_alignment type: u4 - id: file_alignment type: u4 - id: major_operating_system_version type: u2 - id: minor_operating_system_version type: u2 - id: major_image_version type: u2 - id: minor_image_version type: u2 - id: major_subsystem_version type: u2 - id: minor_subsystem_version type: u2 - id: win32_version_value type: u4 - id: size_of_image type: u4 - id: size_of_headers type: u4 - id: check_sum type: u4 - id: subsystem type: u2 enum: subsystem_enum - id: dll_characteristics type: u2 - id: size_of_stack_reserve_32 type: u4 if: _parent.std.format == pe_format::pe32 - id: size_of_stack_reserve_64 type: u8 if: _parent.std.format == pe_format::pe32_plus - id: size_of_stack_commit_32 type: u4 if: _parent.std.format == pe_format::pe32 - id: size_of_stack_commit_64 type: u8 if: _parent.std.format == pe_format::pe32_plus - id: size_of_heap_reserve_32 type: u4 if: _parent.std.format == pe_format::pe32 - id: size_of_heap_reserve_64 type: u8 if: _parent.std.format == pe_format::pe32_plus - id: size_of_heap_commit_32 type: u4 if: _parent.std.format == pe_format::pe32 - id: size_of_heap_commit_64 type: u8 if: _parent.std.format == pe_format::pe32_plus - id: loader_flags type: u4 - id: number_of_rva_and_sizes type: u4 enums: subsystem_enum: 0: unknown 1: native 2: windows_gui 3: windows_cui 7: posix_cui 9: windows_ce_gui 10: efi_application 11: efi_boot_service_driver 12: efi_runtime_driver 13: efi_rom 14: xbox 16: windows_boot_application optional_header_data_dirs: seq: - id: export_table type: data_dir - id: import_table type: data_dir - id: resource_table type: data_dir - id: exception_table type: data_dir - id: certificate_table type: data_dir - id: base_relocation_table type: data_dir - id: debug type: data_dir - id: architecture type: data_dir - id: global_ptr type: data_dir - id: tls_table type: data_dir - id: load_config_table type: data_dir - id: bound_import type: data_dir - id: iat type: data_dir - id: delay_import_descriptor type: data_dir - id: clr_runtime_header type: data_dir data_dir: seq: - id: virtual_address type: u4 - id: size type: u4 section: -webide-representation: "{name}" seq: - id: name type: str encoding: UTF-8 size: 8 pad-right: 0 - id: virtual_size type: u4 - id: virtual_address type: u4 - id: size_of_raw_data type: u4 - id: pointer_to_raw_data type: u4 - id: pointer_to_relocations type: u4 - id: pointer_to_linenumbers type: u4 - id: number_of_relocations type: u2 - id: number_of_linenumbers type: u2 - id: characteristics type: u4 instances: body: pos: pointer_to_raw_data size: size_of_raw_data certificate_table: seq: - id: items type: certificate_entry repeat: eos certificate_entry: doc-ref: 'https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only' enums: certificate_revision: 0x0100: id: revision_1_0 doc: | Version 1, legacy version of the Win_Certificate structure. It is supported only for purposes of verifying legacy Authenticode signatures 0x0200: id: revision_2_0 doc: Version 2 is the current version of the Win_Certificate structure. certificate_type_enum: 0x0001: id: x509 doc: | bCertificate contains an X.509 Certificate Not Supported 0x0002: id: pkcs_signed_data doc: 'bCertificate contains a PKCS#7 SignedData structure' 0x0003: id: reserved_1 doc: 'Reserved' 0x0004: id: ts_stack_signed doc: | Terminal Server Protocol Stack Certificate signing Not Supported seq: - id: length -orig-id: dwLength type: u4 doc: Specifies the length of the attribute certificate entry. - id: revision -orig-id: wRevision type: u2 enum: certificate_revision doc: Contains the certificate version number. - id: certificate_type -orig-id: wCertificateType type: u2 enum: certificate_type_enum doc: Specifies the type of content in bCertificate - id: certificate_bytes -orig-id: bCertificate size: length - 8 doc: Contains a certificate, such as an Authenticode signature.