PE-Structure

The Anatomy of a PE

The PE layout shown in the diagram can be described as follows:

_IMAGE_DOS_HEADER:

The first header, called IMAGE_DOS_HEADER, marks the file as a PE by carrying the 0x5A4D ("MZ") magic value.

_DOS_Stub:

The second header, called DOS_Stub, tells older systems such as MS-DOS that the program is not compatible with them.

_IMAGE_NT_HEADER:

The third header, called IMAGE_NT_HEADER, is composed of the IMAGE_FILE_HEADER, the IMAGE_OPTIONAL_HEADER and the IMAGE_DIRECTORY_ENTRY array.

The NT_HEADER starts with the signature "PE" (0x4550).

The FILE_HEADER contains the primary information about the PE, such as which CPU architecture it has been built for, when it was compiled and how many sections it has.

The OPTIONAL_HEADER holds the OEP (AddressOfEntryPoint) and the address at which the image prefers to be loaded in memory (ImageBase).

The DIRECTORY_ENTRY tells the loader where to find the import table, the export table, the resources, and so on.

_IMAGE_SECTION_HEADER:

The IMAGE_SECTION_HEADER[] array describes each section shown on the right-hand side of the diagram:

  • .text (Code): This is where the machine code (the instructions the CPU executes) resides.

  • .data, .rdata, .bss (Data):

    • .data: Mutable data, such as global variables. (Read-Write)

    • .rdata: Immutable data, such as constant strings. (Read-Only)

    • .bss: Uninitialized variables.

  • .idata (Import API): This section contains the Import Address Table (IAT). It is the list of all the functions that the program borrows from other DLLs or libraries, e.g. CreateFile from kernel32.dll.

  • .edata (Export API): If the file is a DLL, this is the list of the functions it provides to other programs.

  • .rsrc (Resource): Here the non-executable content is stored: icons, images, menus, audio, and so on.

  • .reloc (Relocation Info): Contains the information needed to "repair" the code in memory if the file cannot be loaded at its preferred address (ImageBase).
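As an added example (not part of the original page), the header walk described above in code: it checks the "MZ" magic, follows e_lfanew to the "PE" signature, reads the FILE_HEADER and OPTIONAL_HEADER fields named in the text, then iterates the IMAGE_SECTION_HEADER[] array. The input image is constructed inline with only enough headers to parse; it is not a real binary, and the bounds checks show where a truncated or malformed file is rejected.

```python
import struct

# Constants from the PE format (winnt.h names kept in comments for reference)
DOS_MAGIC = 0x5A4D            # e_magic "MZ"
NT_SIGNATURE = 0x00004550     # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

def parse_pe(data):
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[] and return the key fields."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of IMAGE_NT_HEADERS
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != NT_SIGNATURE:
        raise ValueError("missing PE signature (e_lfanew out of range or wrong)")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                      # IMAGE_OPTIONAL_HEADER starts after the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 64-bit ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # PE32 has BaseOfData before ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (an RVA, not a file offset)
    sections, sec_table = [], opt + opt_size                 # section headers follow the optional header
    for i in range(nsec):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, _, va, _, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "raw_ptr": raw_ptr, "characteristics": chars})
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": timestamp,
            "pe32plus": magic == PE32PLUS_MAGIC, "image_base": image_base, "entry_point": entry, "sections": sections}

def build_sample_pe():
    """Constructed minimal PE32+ image for the demo: valid headers, no real code or data."""
    dos = struct.pack("<H", DOS_MAGIC) + b"\0" * 58 + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos += b"\0" * 0x40                                                           # stand-in DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 240, 0x22)   # x64, 2 sections, opt size 240
    # Magic, linker ver, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase
    opt = struct.pack("<HBBIIIIIQ", PE32PLUS_MAGIC, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x140000000)
    opt += b"\0" * (240 - len(opt))                                               # rest of optional header zeroed
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", 0x80, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    return dos + struct.pack("<I", NT_SIGNATURE) + file_hdr + opt + secs
```

Running `parse_pe(open(path, "rb").read())` on a real executable prints the same fields; files whose e_lfanew points past the end of the data are rejected instead of read out of bounds.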
