1.5 KiB
1.5 KiB
Portable Executable
- Windows PE doc
- An executable binary in the windows world
The file format consists of
- PE Header
- Data Sections
Headers
- IMAGE_DOS_HEADER, 0x00 to 0x63 of the binary
e_magicas the Magic Bytes: 'MZ' -> 0x4D5A (0x5A4D in little endian)e_lfanewcontains the starting offset ofIMAGE_NT_HEADERS
- DOS_STUB
- Contains
!This program cannot be run in DOS mode
- Contains
- .ntdata
- FILE_HEADER
- OPTIONAL_HEADER
- IMAGE_SECTION_HEADER
- IMAGE_NT_HEADERS
- NT_HEADERS
- Signature
- FILE_HEADER
- OPTIONAL_HEADER
- NT_HEADERS
Data Section
The data section consists of
- .text, program code
- .data, initialized variables
- .bss, unanitialized variables
- .edata, exportable objects and related table info
- .idata, imported objects and related table info
- .reloc, image relocation info
- .rsrc, links external resources, e.g. icons, images, manifests
Starting a PE
If a process starts, the PE is read in the following order
- Header sections
- File signatue is MZ, and magic number are read
- Architecture of the platform
- timestamp
- Section table details is parsed
- Content is mapped into memory based on
- Entry point address and offset of ImageBase
- Relative Virtual Address (RVA), addresses related to Imagebase
- Libraries and imports are loaded
- Entrypoint address of the main function is run