Portable Executable (PE) Files for Malware Development
On Windows systems, the Portable Executable (PE) format is used for executables, including both .exe and .dll files, as well as other file types such as .sys.
Understanding the format of PE files is important when it comes to malware development, although we don’t need to become experts as a prerequisite.
This page will cover some of the more important details regarding PE files, but there are lots of other excellent online resources that I wholeheartedly recommend. You can find links to some of my favorite additional resources at the bottom of this page.
What is a PE File?
The Portable Executable (PE) file format is the file format used by the Microsoft Windows operating system for executables.
It’s a highly structured format that defines the layout and organization of executable files, making it possible for Windows to load and execute programs. PE files are a fundamental component of the Windows ecosystem and are used to store both 32-bit and 64-bit code.
General Structure of a PE File
At the highest level, a PE file can be divided into headers and sections:
PE File Headers
The headers of a PE file include:
- MS-DOS header: The DOS header is a 64-byte structure that allows the PE file to be MS-DOS compatible. Its last field, e_lfanew, holds the file offset of the NT Headers.
- MS-DOS stub: Although PE files are backward compatible for historical reasons, modern Windows PE files aren’t intended to run in DOS. The DOS stub is a small DOS program that prints an error message when a user attempts to run a modern PE file in DOS. The default message is “This program cannot be run in DOS mode.”
- Rich Header: Present in executables built with Microsoft toolchains, the Rich Header records build information (compiler and linker versions). It is used by both malware developers and analysts in a variety of interesting ways.
- NT Headers
  - PE Signature: A DWORD (4 bytes) that identifies the file as a PE image. It always has the value 0x50450000, or ASCII ‘PE\0\0’.
  - File Header: A struct with 7 elements that contains important information about the PE file, including the number of entries in the section table, the size of the optional header, the machine architecture, the time-date stamp, and the characteristics of the PE file.
  - Optional Header: The most important part of the NT Headers. It contains a lot of information critical to the execution of the PE file, including the entry point and the data directories.
  - Data Directories: An array of 16 directories (each an RVA and a size) with important information used by the PE loader.
- Section Table / Section Headers: The Section Table contains one Section Header per row, one for each section. Each Section Header contains important information about its section: its name, virtual address and size, file offset and raw size, and characteristics (readable, writable, executable).
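To make the header walk above concrete, here is an added Python example (not code from the original page) that builds a constructed minimal PE32+ image in memory and parses it from the DOS header through e_lfanew to the PE signature, File Header, Optional Header and Section Table, rejecting truncated or malformed headers along the way. The image bytes, section layout and the entry-point-in-executable-section triage check are all constructed for this example.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real program): DOS header, stub, NT headers, 2 sections."""
    e_lfanew = 0x80
    dos = b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)            # 64-byte DOS header, e_lfanew at 0x3C
    stub = b"This program cannot be run in DOS mode.$".ljust(e_lfanew - 64, b"\0")
    # IMAGE_FILE_HEADER (7 fields): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0x65000000, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                              # PE32+ optional header
    struct.pack_into("<HBBIIIII", opt, 0, PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes = 16
    secs = b""
    for name, rva, flags in ((b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040)):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 4 unused, Characteristics
        secs += struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, rva // 4, 0, 0, 0, 0, flags)
    return dos + stub + b"PE\0\0" + file_hdr + bytes(opt) + secs

def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> file header -> optional header -> section table."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":  # sig + file hdr + Magic must fit
        raise ValueError("e_lfanew does not point at a PE signature inside the file")
    fh = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs_off = 108 if magic == PE32PLUS_MAGIC else 92                # NumberOfRvaAndSizes offset
    if opt_size < ndirs_off + 4 or opt + opt_size + nsect * 40 > len(data):
        raise ValueError("optional header or section table runs past end of file")
    entry = struct.unpack_from("<I", data, opt + 16)[0]               # AddressOfEntryPoint (RVA)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsz, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsz, "exec": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    # Triage hint: the entry point normally lands inside an executable section.
    entry_sec = next((s["name"] for s in sections if s["rva"] <= entry < s["rva"] + max(s["vsize"], s["raw_size"])), None)
    return {"machine": machine, "magic": magic, "characteristics": chars, "num_dirs": ndirs,
            "entry_point": entry, "entry_section": entry_sec, "sections": sections}
```

Running parse_pe_headers over a real file read in binary mode works the same way; an entry point that resolves to no section, or to a non-executable one, is worth a closer look during triage.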
PE File Sections
The sections of a PE file include:
- .text
- .rdata
- .data
- .pdata
- .idata
- .bss
- .reloc
- .rsrc
Additional Resources for Learning About Portable Executable (PE) Files
- Microsoft’s official documentation on the PE format
- OST2 Life of Binaries – A great course that covers PE and ELF file formats.
- 0xRick’s Blog Series on PE files is awesome!