PE File NT-Headers

The NT-Headers are an important part of portable executables. They contain a great deal of information about the PE.

There are two versions of the NT-Headers struct depending on the machine architecture (32 bit or 64 bit). In either case the struct has three elements: a Signature, FileHeader, and OptionalHeader.

The only difference between them is that the 64-bit version is named _IMAGE_NT_HEADERS64 and uses IMAGE_OPTIONAL_HEADER64 for its OptionalHeader, while the 32-bit version is named _IMAGE_NT_HEADERS and uses IMAGE_OPTIONAL_HEADER32 for its OptionalHeader.

Architecture   Name                   OptionalHeader
32-bit         _IMAGE_NT_HEADERS      IMAGE_OPTIONAL_HEADER32
64-bit         _IMAGE_NT_HEADERS64    IMAGE_OPTIONAL_HEADER64

The following sections go over each one.

64-bit NT-Header

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

32-bit NT-Header

typedef struct _IMAGE_NT_HEADERS {
  DWORD                   Signature;
  IMAGE_FILE_HEADER       FileHeader;
  IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
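
The two layouts above can be told apart when parsing an untrusted file, shown here as an added example that is not code from the original page. It goes slightly beyond the text by relying on PE format details the page does not cover: the e_lfanew field at offset 0x3C of the DOS header, the "PE\0\0" signature value, and the OptionalHeader Magic values 0x10B (PE32) and 0x20B (PE32+). The names nt_headers_bits and build_sample are hypothetical, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIGNATURE     0x00004550u /* "PE\0\0" */
#define FILE_HEADER_SIZE 20u         /* sizeof(IMAGE_FILE_HEADER) */
#define MAGIC_PE32       0x010Bu     /* OptionalHeader is IMAGE_OPTIONAL_HEADER32 */
#define MAGIC_PE32PLUS   0x020Bu     /* OptionalHeader is IMAGE_OPTIONAL_HEADER64 */

/* Little-endian accessors, so parsing does not depend on host struct layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 32 or 64 for the NT-Headers variant in buf, or -1 if malformed. */
int nt_headers_bits(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1; /* DOS header starts with "MZ" */
    uint32_t nt = rd32(buf + 0x3C);             /* e_lfanew: file offset of NT-Headers */
    /* e_lfanew is untrusted: Signature + FileHeader + Magic must lie inside buf. */
    if (nt > len || len - nt < 4 + FILE_HEADER_SIZE + 2) return -1;
    if (rd32(buf + nt) != PE_SIGNATURE) return -1;
    switch (rd16(buf + nt + 4 + FILE_HEADER_SIZE)) { /* OptionalHeader.Magic */
    case MAGIC_PE32:     return 32;
    case MAGIC_PE32PLUS: return 64;
    default:             return -1;
    }
}

/* Constructed sample: a minimal 256-byte image with NT-Headers at e_lfanew. */
void build_sample(uint8_t buf[256], uint32_t e_lfanew, uint16_t magic)
{
    memset(buf, 0, 256);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    if (e_lfanew <= 256 - 26) {                 /* only write headers that fit */
        wr32(buf + e_lfanew, PE_SIGNATURE);
        buf[e_lfanew + 24] = (uint8_t)magic; buf[e_lfanew + 25] = (uint8_t)(magic >> 8);
    }
}

int main(void)
{
    uint8_t img[256];
    build_sample(img, 0x80, MAGIC_PE32PLUS);
    printf("NT-Headers variant: %d-bit\n", nt_headers_bits(img, sizeof img));
    return 0;
}
```

Only after this check is it safe to interpret the bytes at e_lfanew as IMAGE_NT_HEADERS32 or IMAGE_NT_HEADERS64; casting first and reading OptionalHeader fields afterwards reads past the buffer on a truncated or hostile file.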