PE Signature
The PE signature identifies the file as a PE image. It’s the first member of an NT Headers struct in a PE file and is a DWORD (4 bytes) with a fixed value of 0x50450000, or ASCII ‘PE\0\0’.
The following image shows the PE signature in PE-Bear:
Here’s the full NT Header struct for 64-bit architecture:
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
Note that the Signature is the first member of the _IMAGE_NT_HEADER64 struct. The PE Signature is identical for 32-bit architecture.