PE File Format [1]

Source: Internet
Author: User

Preface
-------

The PE ("portable executable") file format is the format of executable
binaries (DLLs and programs) for MS Windows NT, Windows 95 and
Win32s; in Windows NT, the drivers are in this format, too.
It can also be used for object files and libraries.

The format is designed by Microsoft and standardized by the TIS (Tool
Interface Standard) Committee (Microsoft, Intel, Borland, Watcom, IBM
and others) in 1993, apparently based on a good knowledge of COFF, the
"Common Object File Format" used for object files and executables on
several Unixes and on VMS.

The Win32 SDK includes a header file <winnt.h> containing #defines and
typedefs for the PE format. I will mention the struct member names and
#defines as we go.

You may also find the DLL "imagehlp.dll" to be helpful. It is part of
Windows NT, but documentation is scarce. Some of its functions are
described in the "Developer Network".

General Layout
--------------

At the start of a PE file we find an MS-DOS executable ("stub"); this
makes any PE file a valid MS-DOS executable.

After the DOS stub there is a 32-bit signature with the magic number
0x00004550 (IMAGE_NT_SIGNATURE).

Then there is a file header (in the COFF format) that tells on which
machine the binary is supposed to run, how many sections are in it, the
time it was linked, whether it is an executable or a DLL and so on. (The
difference between executable and DLL in this context is: a DLL cannot
be started but only be used by another binary, and a binary cannot link
to an executable.)

After that, we have an optional header (it is always there but still
called "optional"; COFF uses an "optional header" for libraries but not
for objects, that's why it is called "optional"). This tells us more
about how the binary should be loaded: the starting address, the amount
of stack to reserve, the size of the data segment etc.

An interesting part of the optional header is the trailing array of
"data directories"; these directories contain pointers to data in the
sections. If, for example, the binary has an export directory, you
will find a pointer to that directory in the array member
IMAGE_DIRECTORY_ENTRY_EXPORT, and it will point into one of the
sections.

Following the headers we find the sections, introduced by the "section
headers". Essentially, the sections' contents is what you really need
to execute a program, and all the header and directory stuff is just
there to help you find it.
Each section has some flags about alignment, what kind of data it
contains ("initialized data" and so on), whether it can be shared etc.,
and the data itself. Most, but not all, sections contain one or more
directories referenced through the entries of the optional header's
"data directory" array, like the directory of exported functions or the
directory of base relocations. Directoryless types of contents are, for
example, "executable code" or "initialized data".

The overall structure looks like this:

+-------------------+
| DOS-stub          |
+-------------------+
| File-header       |
+-------------------+
| Optional Header   |
|- - - - - - - - - -|
|                   |
| Data Directories  |
|                   |
+-------------------+
|                   |
| Section headers   |
|                   |
+-------------------+
|                   |
| Section 1         |
|                   |
+-------------------+
|                   |
| Section 2         |
|                   |
+-------------------+
|                   |
| ...               |
|                   |
+-------------------+
|                   |
| Section N         |
|                   |
+-------------------+
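As an added example (not part of the original text), the Python below walks the layout just described over a constructed minimal PE32 image: it follows e_lfanew from the DOS header to the NT signature, reads the COFF file header and the optional header, takes the export entry out of the data directory array and resolves that RVA into a section through the section headers. The constants mirror the <winnt.h> names; the PE32+ (0x20B) offset branch and the sample bytes are my assumptions beyond the page.

```python
import struct

IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian 32-bit value
IMAGE_FILE_DLL = 0x2000           # file-header Characteristics flag: image is a DLL
IMAGE_DIRECTORY_ENTRY_EXPORT = 0  # index of the export directory in the data directory array

def parse_pe_layout(data: bytes) -> dict:
    """Walk DOS stub -> NT signature -> COFF file header -> optional header -> section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # DOS header field pointing at "PE\0\0"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad NT signature")
    fh = e_lfanew + 4                                           # 20-byte COFF file header
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                               # optional header follows directly
    magic = struct.unpack_from("<H", data, opt)[0]
    ndirs_off = opt + (92 if magic == 0x10B else 108)          # NumberOfRvaAndSizes: PE32 at +92, PE32+ (assumed) at +108
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sect_tbl = opt + opt_size                                   # section headers start after the optional header
    raw = [struct.unpack_from("<8sIIII", data, sect_tbl + 40 * i) for i in range(nsect)]
    return {
        "machine": machine, "timestamp": stamp, "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],    # AddressOfEntryPoint (an RVA)
        "stack_reserve": struct.unpack_from("<I", data, opt + 72)[0],  # SizeOfStackReserve (PE32 width)
        "export_dir": dirs[IMAGE_DIRECTORY_ENTRY_EXPORT] if dirs else (0, 0),   # (RVA, size)
        "sections": [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in raw],
    }

def rva_to_file_offset(layout: dict, rva: int):
    """Resolve an RVA (what the data directories hold) to (file offset, section name)."""
    for name, va, vsize, rawptr, rawsize in layout["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va), name
    return None, None                                           # not backed by any section

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 DLL image with two sections; sample bytes, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # 64-byte DOS header, e_lfanew = 0x40, no stub code
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 72, 0x100000)                # SizeOfStackReserve
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, 0x2000, 0x40)           # export directory: RVA 0x2000 inside .edata, 0x40 bytes
    sects = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sects += struct.pack("<8sIIIIIIHHI", b".edata", 0x40, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sects
```

Running `rva_to_file_offset(parse_pe_layout(build_sample_pe()), 0x2000)` shows the export directory pointer landing in .edata at file offset 0x400, which is the "points into one of the sections" step from the text.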
