# Portable Executable

* [Windows PE doc](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
* The executable binary format of the Windows world (`.exe`, `.dll`, `.sys`, ...)

The file format consists of

* PE headers
* Data sections

## Headers

1. IMAGE_DOS_HEADER, offset 0x00 to 0x3F (64 bytes) of the binary
   * `e_magic` at 0x00 holds the magic bytes 'MZ' -> 0x4D 0x5A on disk, which reads as the little-endian WORD 0x5A4D
   * `e_lfanew` at 0x3C contains the file offset of `IMAGE_NT_HEADERS`
2. DOS_STUB
   * Contains `!This program cannot be run in DOS mode`
   * Variable length, so the NT headers are found through `e_lfanew`, never at a fixed offset
3. IMAGE_NT_HEADERS, at the offset given by `e_lfanew`
   * Signature, the 4 bytes `PE\0\0` (little-endian DWORD 0x00004550)
   * FILE_HEADER (`IMAGE_FILE_HEADER`): machine type, number of sections, timestamp, size of the optional header, characteristics
   * OPTIONAL_HEADER (`IMAGE_OPTIONAL_HEADER`): `Magic` 0x10B for PE32 or 0x20B for PE32+ (the layout differs after `BaseOfCode`), `AddressOfEntryPoint`, `ImageBase`, section and file alignment, data directories (export, import, base relocation, resource, TLS, ...)
4. IMAGE_SECTION_HEADER array, directly after the optional header
   * One 40-byte entry per section: name, virtual size and virtual address (an RVA), raw size and raw file offset, characteristics (code/data, read/write/execute)

## Data Sections

Typical sections are

* __.text__, program code
* __.data__, initialized variables
* __.bss__, uninitialized variables; takes no space in the file (`SizeOfRawData` 0) but is mapped as zero-filled memory
* __.edata__, exported objects and the related export table
* __.idata__, imported objects and the related import table (import address table)
* __.reloc__, image base relocation info, applied when the image cannot be loaded at its preferred `ImageBase`
* __.rsrc__, resources embedded in the image, e.g. icons, images, manifests

Section names are only a convention: the loader locates these tables through the data directories in the optional header, not by name, so a packed or malicious binary can rename or merge sections freely.

## Starting a PE

When a process starts, the PE is read in the following order

1. Headers are validated
   * File signature __MZ__ and the NT signature `PE\0\0` are checked
   * Architecture of the platform (`Machine`), characteristics and timestamp are read
2. Section table is parsed
3. Content is mapped into memory based on
   * `ImageBase`, the preferred load address, and each section's virtual address
   * Relative Virtual Addresses (RVAs), addresses relative to `ImageBase`; if the image lands elsewhere (ASLR, conflict), the `.reloc` fixups are applied
4. Imported libraries are loaded and the import address table is filled in
5. Execution starts at `ImageBase + AddressOfEntryPoint`; this is normally the C runtime startup code, which later calls `main`/`WinMain`, not `main` itself (TLS callbacks, if present, run before the entry point)

## Tools

[pe-tree](https://github.com/blackberry/pe_tree)
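A header walker for the layout described under Headers and the load order under Starting a PE, added here as an illustration (it is not code from the page, from the Microsoft docs or from pe-tree). It is written with `struct` rather than a PE library so every offset is visible; `build_sample_pe` assembles a constructed, minimal image in memory (not a compiled binary) so the example runs offline, and `parse_pe`, `rva_to_file_offset` and `entry_point_bytes` are names chosen for this example. It handles both PE32 and PE32+, which goes beyond the page's text, and bounds-checks every file-supplied offset, the check a practitioner needs before feeding untrusted samples to a parser.

```python
"""PE header walker: DOS header -> e_lfanew -> NT headers -> section table -> entry point."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_DOS_SIGNATURE = 0x5A4D      # b"MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # b"PE\0\0" read as a little-endian DWORD
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int   # RVA, relative to ImageBase once mapped
    raw_size: int
    raw_ptr: int           # PointerToRawData, file offset of the section body
    characteristics: int


@dataclass
class PEInfo:
    machine: int
    timestamp: int
    is_pe32plus: bool
    image_base: int
    entry_point_rva: int   # AddressOfEntryPoint
    sections: List[Section]


def parse_pe(data: bytes) -> PEInfo:
    """Walk the headers in loader order; every offset taken from the file is bounds-checked
    so a crafted e_lfanew, SizeOfOptionalHeader or NumberOfSections cannot crash the parser."""
    if len(data) < 0x40:
        raise ValueError("file shorter than IMAGE_DOS_HEADER (64 bytes)")
    (e_magic,) = struct.unpack_from("<H", data, 0x00)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("e_magic is not MZ")
    (nt,) = struct.unpack_from("<I", data, 0x3C)                    # e_lfanew
    if nt + 24 > len(data):                                         # Signature + IMAGE_FILE_HEADER
        raise ValueError("e_lfanew points outside the file")
    (signature,) = struct.unpack_from("<I", data, nt)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("NT signature is not PE\\0\\0")
    machine, nsect, timestamp, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, nt + 4)
    opt = nt + 24
    if opt + 32 > len(data) or opt + size_opt > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)         # same offset in PE32 and PE32+
    if magic == PE32_MAGIC:
        (image_base,), plus = struct.unpack_from("<I", data, opt + 28), False   # after BaseOfData
    elif magic == PE32PLUS_MAGIC:
        (image_base,), plus = struct.unpack_from("<Q", data, opt + 24), True    # no BaseOfData
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, table = [], opt + size_opt                            # section table follows the optional header
    for i in range(nsect):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr, chars))
    return PEInfo(machine, timestamp, plus, image_base, entry_rva, sections)


def rva_to_file_offset(pe: PEInfo, rva: int) -> Optional[int]:
    """Map an RVA to the file offset backing it, or None if nothing on disk backs it."""
    for s in pe.sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            return s.raw_ptr + delta if delta < s.raw_size else None   # zero-filled tail, e.g. .bss
    return None


def entry_point_bytes(data: bytes, n: int = 16) -> bytes:
    """First n bytes that execute at ImageBase + AddressOfEntryPoint."""
    pe = parse_pe(data)
    off = rva_to_file_offset(pe, pe.entry_point_rva)
    if off is None:
        raise ValueError("entry point is not backed by file data")
    return data[off:off + n]


def build_sample_pe(pe32plus: bool = True) -> bytes:
    """Constructed minimal image with one .text section (hand-assembled here, not compiler output)."""
    e_lfanew, text_rva, text_raw = 0x80, 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)                       # e_lfanew sits at 0x3C
    stub = b"!This program cannot be run in DOS mode.\r\n$".ljust(e_lfanew - 0x40, b"\0")
    if pe32plus:
        machine, image_base, code = 0x8664, 0x140000000, b"\x48\x31\xC0\xC3"    # xor rax,rax; ret
        std = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0, text_rva, text_rva, image_base)
        win = struct.pack("<IIHHHHHHIIIIHHQQQQII", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000,
                          0x200, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    else:
        machine, image_base, code = 0x14C, 0x400000, b"\x31\xC0\xC3"             # xor eax,eax; ret
        std = struct.pack("<HBBIIIIIII", PE32_MAGIC, 14, 0, 0x200, 0, 0, text_rva, text_rva, 0x2000, image_base)
        win = struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000,
                          0x200, 0, 3, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    optional = std + win + b"\0" * (16 * 8)                                       # 16 empty data directories
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0x5F3A0000, 0, 0, len(optional), 0x22 if pe32plus else 0x102)
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + stub + b"PE\0\0" + file_hdr + optional + sect_hdr).ljust(text_raw, b"\0")
    return headers + code.ljust(0x200, b"\xCC")


if __name__ == "__main__":
    img = build_sample_pe()
    info = parse_pe(img)
    print(f"machine={info.machine:#x} pe32+={info.is_pe32plus} ImageBase={info.image_base:#x}")
    print(f"entry RVA={info.entry_point_rva:#x} -> VA={info.image_base + info.entry_point_rva:#x}")
    for s in info.sections:
        print(f"{s.name:8} RVA={s.virtual_address:#x} raw@{s.raw_ptr:#x} size={s.raw_size:#x}")
    print("entry bytes:", entry_point_bytes(img, 4).hex())
```

Run it as a script on the built-in sample, or call `parse_pe(open(path, "rb").read())` on a real file. The data directories (imports, exports, relocations, TLS) are deliberately left unparsed here; for those, use a full tool such as the pe-tree linked under Tools.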