PE Format Reference
Free reference guide: PE Format Reference
About PE Format Reference
The PE File Format Reference provides a structured, searchable guide to the Portable Executable format used by Windows executables (.exe), dynamic-link libraries (.dll), and drivers (.sys). It covers MZ/DOS headers, COFF file headers, Optional Headers with ImageBase and EntryPoint, Data Directories, and all major section types.
This reference details the Import Directory Table, Import Address Table (IAT), Import Name Table (INT), Export Directory with name/ordinal exports, export forwarding, and resource directory tree structures including RT_VERSION and RT_MANIFEST entries.
Built for reverse engineers, malware analysts, and security researchers, each entry includes C struct definitions, offset values, and practical pefile Python code examples for programmatic PE analysis. Topics also cover Rich Headers, PDB debug paths, and bound imports.
Key Features
- Complete PE header hierarchy from DOS MZ stub through Optional Header and Data Directories
- Section reference covering .text, .data, .bss, .rdata, and .rsrc with characteristics flags
- Import table details including IAT, INT, bound imports, and pefile Python enumeration
- Export table reference with name exports, ordinal exports, and DLL forwarding mechanisms
- Resource directory 3-level tree structure with RT_VERSION and RT_MANIFEST examples
- Debug directory entries including PDB path extraction and Rich Header decoding
- Searchable by keyword with category filtering across Headers, Sections, Imports, Exports, Resources, and Debug
- Practical C struct definitions and Python pefile code snippets for every entry
Frequently Asked Questions
What is the PE file format?
The Portable Executable (PE) format is the standard format for executable images on Windows: .exe programs, .dll libraries, and .sys drivers. The same Microsoft specification also defines the COFF object files that the linker consumes. An image begins with a DOS MZ header at offset 0x00, followed (at the offset given by the DOS header's e_lfanew field, not at a fixed position) by the PE signature, the COFF file header, the Optional Header, the section table, and the section data. This reference covers every major component with struct definitions and field-level details.
How do I find the PE header offset in a binary?
The DOS header field e_lfanew at file offset 0x3C holds a 4-byte file offset to the PE signature: the bytes 50 45 00 00 ("PE\0\0"), which read as a little-endian DWORD are 0x00004550 (IMAGE_NT_SIGNATURE). The 20-byte COFF File Header immediately follows the signature, and the Optional Header (with ImageBase, AddressOfEntryPoint, and the Data Directory array) follows that; the section table begins SizeOfOptionalHeader bytes after the start of the Optional Header, so read that field rather than assuming a fixed header size. Because e_lfanew is attacker-controlled in a hostile sample, bounds-check it against the file size before dereferencing it.
What is the Import Address Table (IAT) and how does it work?
The IAT is an array of pointer-sized slots, one per imported function, that the Windows loader overwrites at load time with the resolved addresses; the program's code calls through these slots. On disk, in an unbound image, the FirstThunk (IAT) array holds the same entries as the OriginalFirstThunk array, the Import Name Table (INT): each entry is either an RVA to an IMAGE_IMPORT_BY_NAME structure (a 16-bit hint followed by the function name) or, when its high bit (IMAGE_ORDINAL_FLAG) is set, an import by ordinal. The Import Directory Table is an array of IMAGE_IMPORT_DESCRIPTOR entries, one per DLL and terminated by an all-zero entry, each linking the DLL name to its OriginalFirstThunk (INT) and FirstThunk (IAT) arrays. A bound import (non-zero TimeDateStamp) ships with addresses pre-filled in the IAT, which the loader keeps only if the target DLL has not changed; the INT is never patched, so it is the reliable place to read names. With Python pefile, enumerate imports via pe.DIRECTORY_ENTRY_IMPORT; the attribute exists only when the image has an import directory, so test for it with hasattr first.
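To make the INT/IAT relationship concrete, here is an added example (written for this page, not code from the reference or from pefile) that walks an Import Directory Table with nothing but the struct module. It assumes, as a simplification, that all import data lives in one section blob passed in with its RVA, so RVA-to-offset is a subtraction; the blob itself is constructed inline, and its hint values and bound addresses are made up. It shows both thunk encodings (by name and by ordinal), both PE32 and PE32+ thunk widths, and the one case where the on-disk IAT does not mirror the INT: a bound image.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 1 << 63


def parse_import_directory(section: bytes, section_rva: int, import_dir_rva: int, pe32plus: bool) -> list:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and, per DLL, the INT/IAT thunk arrays.

    Simplification for the example: all import data is assumed to live in the single
    section blob passed in, so RVA -> offset is just a subtraction of section_rva."""
    def off(rva: int) -> int:
        if not section_rva <= rva < section_rva + len(section):
            raise ValueError(f"RVA 0x{rva:X} outside the section")
        return rva - section_rva

    def cstr(rva: int) -> str:
        start = off(rva)
        return section[start:section.index(b"\0", start)].decode("ascii")

    if pe32plus:
        thunk_fmt, thunk_size, ordinal_flag = "<Q", 8, IMAGE_ORDINAL_FLAG64
    else:
        thunk_fmt, thunk_size, ordinal_flag = "<I", 4, IMAGE_ORDINAL_FLAG32
    dlls = []
    pos = off(import_dir_rva)
    while True:
        oft, stamp, _fwd_chain, name_rva, ft = struct.unpack_from("<IIIII", section, pos)
        if oft == 0 and name_rva == 0 and ft == 0:   # all-zero descriptor terminates the table
            break
        # OriginalFirstThunk -> INT (never patched), FirstThunk -> IAT (patched by the loader).
        # Some old linkers leave OriginalFirstThunk zero; then the IAT is the only copy of the names.
        int_pos, iat_pos, funcs = off(oft or ft), off(ft), []
        while True:
            int_val = struct.unpack_from(thunk_fmt, section, int_pos)[0]
            iat_val = struct.unpack_from(thunk_fmt, section, iat_pos)[0]
            if int_val == 0:
                break
            if int_val & ordinal_flag:      # import by ordinal: no name, low 16 bits are the ordinal
                entry = {"name": None, "hint": None, "ordinal": int_val & 0xFFFF}
            else:                           # import by name: RVA of IMAGE_IMPORT_BY_NAME {Hint; Name[]}
                entry = {"name": cstr(int_val + 2),
                         "hint": struct.unpack_from("<H", section, off(int_val))[0], "ordinal": None}
            entry["iat_rva"] = ft + len(funcs) * thunk_size  # the slot the loader overwrites with a VA
            entry["iat_matches_int"] = iat_val == int_val   # True on disk unless the image was bound
            funcs.append(entry)
            int_pos += thunk_size
            iat_pos += thunk_size
        dlls.append({"dll": cstr(name_rva), "bound": stamp != 0, "functions": funcs})
        pos += 20
    return dlls


def build_import_section(bound: bool = False) -> tuple:
    """Constructed .idata-style blob for this example (PE32 layout): one descriptor for KERNEL32.dll,
    two imports by name and one by ordinal. Hint values and bound addresses are made up."""
    base = 0x2000                                   # pretend the section is mapped at RVA 0x2000
    blob = bytearray(0x90)
    stamp = 0xFFFFFFFF if bound else 0             # -1 = bound via the bound-import directory
    struct.pack_into("<IIIII", blob, 0x00, base + 0x30, stamp, 0, base + 0x50, base + 0x40)
    thunks = [base + 0x60, base + 0x70, IMAGE_ORDINAL_FLAG32 | 0x10, 0]
    struct.pack_into("<4I", blob, 0x30, *thunks)   # INT at RVA 0x2030
    iat = [0x7C801234, 0x7C80AE40, 0x7C80BEEF, 0] if bound else thunks
    struct.pack_into("<4I", blob, 0x40, *iat)      # IAT at RVA 0x2040: mirrors the INT unless bound
    blob[0x50:0x5D] = b"KERNEL32.dll\0"
    blob[0x60:0x6C] = struct.pack("<H", 0x0123) + b"HeapAlloc\0"
    blob[0x70:0x81] = struct.pack("<H", 0x0045) + b"GetProcAddress\0"
    return bytes(blob), base, base


if __name__ == "__main__":
    for bound in (False, True):
        blob, sec_rva, dir_rva = build_import_section(bound)
        for d in parse_import_directory(blob, sec_rva, dir_rva, pe32plus=False):
            print(d["dll"], "bound" if d["bound"] else "unbound")
            for f in d["functions"]:
                label = f["name"] or f"#{f['ordinal']}"
                print(f"  IAT[0x{f['iat_rva']:X}] -> {label} (slot matches INT: {f['iat_matches_int']})")
```

The iat_rva values are what a memory-dump comparison needs: after loading, every one of those slots should hold an address inside the named DLL, and a slot pointing elsewhere is the classic signature of IAT hooking. With pefile, the same walk is pe.DIRECTORY_ENTRY_IMPORT, where each entry's imports carry name, ordinal, hint and address.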
How do I distinguish PE32 from PE32+ (64-bit) files?
The Optional Header Magic field determines the format: 0x10B indicates PE32 (32-bit) and 0x20B indicates PE32+ (64-bit). Read Magic before any other Optional Header field, because the two layouts differ: PE32 has a 32-bit ImageBase (preceded by a BaseOfData field), while PE32+ has a 64-bit ImageBase and no BaseOfData, and its stack and heap size fields widen to 64 bits, which shifts NumberOfRvaAndSizes and the Data Directory array. The COFF File Header Machine field specifies the target architecture: 0x14C for x86, 0x8664 for x64, and 0xAA64 for ARM64. Machine and Magic should agree (0x14C with 0x10B, 0x8664 with 0x20B); a mismatch means either a corrupt file or a sample that deserves a closer look. This reference documents both variants.
What are the common PE section names and their purposes?
The .text section holds executable code and is normally flagged IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ. The .data section stores initialized global/static variables, .bss holds uninitialized data (modern MSVC usually merges it into .data), .rdata holds read-only data and commonly hosts the import directory and IAT (older toolchains use .idata) and the export directory (or .edata), and .rsrc stores resources such as icons, version info, and manifests. Section names are a linker convention that the loader does not enforce: only the Characteristics flags matter at load time, so packers and malware freely rename sections (UPX0/UPX1, random names) or mark a section both writable and executable. Trust the flags, not the names.
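The three answers above (locating the headers through e_lfanew, telling PE32 from PE32+ by Magic before reading ImageBase, and reading section flags rather than names) are all steps of one header walk. The following is an added example for this page, not code from the reference or from pefile: a dependency-free parser that performs that walk with the struct module, plus a builder that emits a minimal constructed PE (headers and two section headers only, no section data) in both layouts so the parser can be exercised offline. The bounds checks are there because every offset comes from the file.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # b"MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # b"PE\0\0" read as a little-endian DWORD
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
SECTION_FLAGS = {  # subset of the IMAGE_SCN_* Characteristics bits
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> Optional Header -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew comes from the file, so a hostile sample can point it anywhere: bounds-check first.
    if e_lfanew + 4 + 20 + 2 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    sect_off = opt + opt_size   # section table starts SizeOfOptionalHeader bytes in, not at a fixed size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:        # PE32: BaseOfData at +24, 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:  # PE32+: no BaseOfData, 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown Optional Header Magic 0x{magic:X}")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint is at +16 in both layouts
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": rawptr, "raw_size": rawsize,
            "flags": sorted(v for k, v in SECTION_FLAGS.items() if chars & k),
        })
    return {"e_lfanew": e_lfanew, "machine": MACHINES.get(machine, hex(machine)),
            "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
            "image_base": image_base, "entry_point": entry, "sections": sections}


def rva_to_offset(sections: list, rva: int) -> int:
    """Map an RVA to a file offset through the section table (RVAs inside the headers are not handled)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA 0x{rva:X} is not backed by any section")


def build_minimal_pe(pe32plus: bool) -> bytes:
    """Constructed sample for this example (headers only, no section data): not a real binary."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 2, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1230)                                # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, 0x140000000)                       # default x64 ImageBase
        struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    else:
        struct.pack_into("<I", opt, 28, 0x400000)                          # default x86 ImageBase
        struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + text + data


if __name__ == "__main__":
    for plus in (False, True):
        hdr = parse_pe(build_minimal_pe(plus))
        print(hdr["format"], hdr["machine"], hex(hdr["image_base"]), hex(hdr["entry_point"]))
        for s in hdr["sections"]:
            print(f"  {s['name']:<8} va=0x{s['va']:X} raw=0x{s['raw_ptr']:X} {' | '.join(s['flags'])}")
```

rva_to_offset is the piece most people get wrong when they move from pefile to raw bytes: data directories are given as RVAs, and converting them to file offsets means finding the section that contains them, not subtracting ImageBase. pefile does the same work behind pe.get_offset_from_rva().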
How do I extract version information from a PE file?
Version information lives in the .rsrc section under the RT_VERSION resource type as a VS_VERSIONINFO block. It contains a VS_FIXEDFILEINFO structure with the numeric FileVersion and ProductVersion, plus a StringFileInfo block of UTF-16LE strings (CompanyName, FileDescription, OriginalFilename, and other metadata) and a VarFileInfo block listing language/code-page pairs. Tools like pefile parse this automatically (pe.VS_FIXEDFILEINFO and pe.FileInfo). None of it is authenticated: malware routinely copies a legitimate vendor's version block, so treat it as an analyst hint rather than evidence of origin.
What is export forwarding in PE files?
Export forwarding lets a DLL redirect an exported function to another DLL without implementing it. For example, kernel32.dll forwards HeapAlloc to NTDLL.RtlAllocateHeap. For a forwarded export, the AddressOfFunctions entry contains an RVA that points to an ASCII string of the form "DLL.FunctionName" (or "DLL.#Ordinal" for a forward by ordinal; the DLL name carries no extension) instead of to code. Nothing else marks a forwarder: a parser recognises one because that RVA falls inside the export data directory's own range (DataDirectory[0].VirtualAddress up to VirtualAddress + Size), which is how the loader, GetProcAddress, and pefile (which sets the forwarder attribute on each export symbol) tell them apart. Forwarders can chain through several DLLs, so resolve them iteratively when mapping an API name to the code that actually runs.
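An added example for this page (not code from the reference, and not taken from a real kernel32.dll) that parses an IMAGE_EXPORT_DIRECTORY and applies exactly that range test to separate forwarders from code exports. It assumes the export data lives in a single section blob passed in with its RVA, and the blob is constructed inline: three exports, one of them HeapAlloc forwarded to NTDLL.RtlAllocateHeap as in the answer above, and one exported by ordinal only. It also shows the detail that trips up hand-written export parsers: AddressOfNameOrdinals holds unbiased indexes, so the ordinal is index plus Base.

```python
import struct


def split_forwarder(fwd: str) -> tuple:
    """'DLL.Func' -> ('DLL', 'Func', None); 'DLL.#123' -> ('DLL', None, 123).
    The DLL part is written without its .dll extension."""
    dll, _, target = fwd.rpartition(".")
    if target.startswith("#"):
        return dll, None, int(target[1:])
    return dll, target, None


def parse_export_directory(section: bytes, section_rva: int, export_rva: int, export_size: int) -> dict:
    """Parse IMAGE_EXPORT_DIRECTORY from a single section blob (RVA -> offset is a subtraction here)."""
    def off(rva: int) -> int:
        if not section_rva <= rva < section_rva + len(section):
            raise ValueError(f"RVA 0x{rva:X} outside the section")
        return rva - section_rva

    def cstr(rva: int) -> str:
        start = off(rva)
        return section[start:section.index(b"\0", start)].decode("ascii")

    (_chars, _stamp, _maj, _min, name_rva, base, nfuncs, nnames,
     aof, aon, aono) = struct.unpack_from("<IIHHIIIIIII", section, off(export_rva))
    # AddressOfNameOrdinals holds unbiased indexes into AddressOfFunctions; add Base to get the ordinal.
    names = {}
    for i in range(nnames):
        idx = struct.unpack_from("<H", section, off(aono) + 2 * i)[0]
        names[idx] = cstr(struct.unpack_from("<I", section, off(aon) + 4 * i)[0])
    exports = []
    for idx in range(nfuncs):
        rva = struct.unpack_from("<I", section, off(aof) + 4 * idx)[0]
        if rva == 0:
            continue                                   # unused slot in the ordinal range
        # A forwarder is recognised purely by where its RVA points: inside the export directory's
        # own data-directory range it is a "DLL.Name" string, anywhere else it is the function's code.
        is_fwd = export_rva <= rva < export_rva + export_size
        exports.append({"ordinal": base + idx, "name": names.get(idx),
                        "rva": None if is_fwd else rva,
                        "forwarder": cstr(rva) if is_fwd else None})
    return {"dll": cstr(name_rva), "exports": exports}


def build_export_section() -> tuple:
    """Constructed blob for this example, not taken from a real kernel32.dll: three exports, one of which
    (HeapAlloc) is forwarded to NTDLL.RtlAllocateHeap and one of which is exported by ordinal only."""
    base, size = 0x3000, 0x90                          # export data directory: RVA 0x3000, Size 0x90
    blob = bytearray(size)
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0,
                     base + 0x40, 1, 3, 2, base + 0x28, base + 0x34, base + 0x3C)
    struct.pack_into("<3I", blob, 0x28, 0x1010, base + 0x70, 0x1020)   # AddressOfFunctions (Base = 1)
    struct.pack_into("<2I", blob, 0x34, base + 0x50, base + 0x58)      # AddressOfNames (sorted)
    struct.pack_into("<2H", blob, 0x3C, 0, 1)                          # AddressOfNameOrdinals
    blob[0x40:0x4D] = b"KERNEL32.dll\0"
    blob[0x50:0x55] = b"Beep\0"
    blob[0x58:0x62] = b"HeapAlloc\0"
    blob[0x70:0x86] = b"NTDLL.RtlAllocateHeap\0"     # lands inside [0x3000, 0x3090): a forwarder string
    return bytes(blob), base, base, size


if __name__ == "__main__":
    blob, sec_rva, exp_rva, exp_size = build_export_section()
    info = parse_export_directory(blob, sec_rva, exp_rva, exp_size)
    for e in info["exports"]:
        if e["forwarder"]:
            print(f"{info['dll']} ord {e['ordinal']} {e['name']}: forwarded to {split_forwarder(e['forwarder'])}")
        else:
            print(f"{info['dll']} ord {e['ordinal']} {e['name'] or '<no name>'}: code at RVA 0x{e['rva']:X}")
```

The same range test is what you need when checking a DLL for export tampering: an AddressOfFunctions entry that points neither into a code section nor into the export directory is not a valid export, and a forwarder string naming a DLL that is not on the system is a loader failure (or a DLL-hijacking foothold) waiting to happen.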
How can I analyze PE files programmatically with Python?
The pefile library is the standard Python tool for PE analysis. Use pe = pefile.PE("sample.exe") to load a file (or pefile.PE(data=buf) for a buffer already in memory), then access pe.OPTIONAL_HEADER.ImageBase, pe.OPTIONAL_HEADER.AddressOfEntryPoint, pe.sections for section enumeration, and pe.DIRECTORY_ENTRY_IMPORT for import listing. Directory attributes such as DIRECTORY_ENTRY_IMPORT and DIRECTORY_ENTRY_EXPORT are created only when the corresponding data directory is present, so guard them with hasattr. For large or hostile samples, pefile.PE(path, fast_load=True) skips the data directories until you call pe.parse_data_directories(), and pe.get_warnings() lists the structural anomalies pefile hit while parsing, which are often the first hint that a file has been tampered with. This reference includes pefile examples throughout.