Portable Executable Format (PE)
33 files
-
PECOFF Revision 11.0
By Teddy Rogers
This specification describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) and Common Object File Format (COFF) files, respectively.
-
PE102 - A Windows Executable Format Overview
By Teddy Rogers
This graphic is a Windows executable format overview that shows its dissected structure.
-
PE101 - A Windows Executable Walkthrough
By Teddy Rogers
This graphic is a walkthrough of a simple Windows executable that shows its dissected structure and explains how it's loaded by the operating system.
-
PE File Structure
By Teddy Rogers
Detailed information on the makeup of the PE file structure.
-
PE Brief Notes
By Teddy Rogers
Brief notes and details on the layout and structure of the PE format.
-
PE File Formats Offsets
By Teddy Rogers
There are many tuts about the PE file format with detailed explanations of the structure and of the meaning of each value in the PE. But sometimes you just want to know the offset of a special value in the file so I created this simple listing of the offsets of the data.
-
PE File Format Top To Bottom
By Teddy Rogers
This document was edited and released by Microsoft Developer Support. It describes the binary portable executable format for NT. The information is provided at this point because we feel it will make the work of application development easier. Unfortunately, the information in this document may change before the final release of Windows NT. Microsoft is NOT committing to stay with these formats by releasing this document. Questions or follow-ups for any of the information presented here should be posted to CompuServe MSWIN32 forum, section 6.
-
PE File Format Compendium v11
By Teddy Rogers
PE is the native Win32 file format. Every Win32 executable (except VxDs and 16-bit DLLs) uses PE file format. 32-bit DLLs, COM files, OCX controls, Control Panel Applets (.CPL files) and .NET executables are all PE format. Even NT's kernel mode drivers use PE file format.
Why do we need to know about it? 2 main reasons. Adding code to executables (e.g. keygen injection or adding functionality) and manually unpacking executables. With respect to the latter, most shareware nowadays comes "packed" in order to reduce size and to provide an added layer of protection.
In a packed executable, the import tables are usually destroyed and data is often encrypted. The packer inserts code to unpack the file in memory upon execution, and then jumps to the original entry point of the file (where the original program actually starts executing). If we manage to dump this memory region after the packer finished unpacking the executable, we still need to fix the sections and import tables before our app will run. How will we do that if we don't even know what the PE format is?
The example executable I have used throughout this text is BASECALC.exe, a very useful app from fravia's site for calculating and converting decimal, hex, binary and octal. It is coded in Borland Delphi 2.0 which makes it ideal as an example to illustrate how Borland compilers leave the OriginalFirstThunks null (more of this later).