PE Signature

The PE signature identifies the file as a PE image. It’s the first member of an NT Headers struct in a PE file and is a DWORD (4 bytes) with a fixed value of 0x50450000, or ASCII ‘PE\0\0’.

The following image shows the PE signature in PE-Bear:

Here’s the full NT Header struct for 64-bit architecture:

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

Note that the Signature is the first member of the _IMAGE_NT_HEADER64 struct. The PE Signature is identical for 32-bit architecture.

Scroll to Top