Undocumented PECOFF 1.1

The Portable Executable (PE) format is a file format for executables, object code and DLLs. It is used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to format's versatility within numerous environments of operating system software architecture. The PE format is a data structure that encapsulates necessary information so that Windows OS loader can manage wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. The Extensible Firmware Interface (EFI) specification states that PE is the standard executable format in EFI environments.

PE is a modified version of the Unix COFF file format. PE/COFF is an alternative term in Windows development.

On Windows NT operating systems, PE currently supports the IA-32, IA-64, and x86-64 (AMD64/Intel64) instruction set architectures (ISAs). Prior to Windows 2000, Windows NT (and thus PE) supported the MIPS, Alpha, and PowerPC ISAs. Because PE is used on Windows CE, it continues to support several variants of the MIPS, ARM (including Thumb), and SuperH ISAs.

One constant challenge of modern security will always be the difference between published and implemented specifications. Evolving projects, by their very nature, open up a host of exploit areas and implementation ambiguities that cannot be fixed. As such, complex documentation such as that for PECOFF opens up a window of opportunity for misinterpretation and mistakes in parsing implementation.

This document will focus on all aspects of PE file format parsing that leads to undesired behaviour or prevents security and reverse engineering tools from inspecting malformed files due to incorrect parsing. Special attention will be given to differences between PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences it will describe the existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems.

Due to the nature of this document it is recommended that it's read in parallel with the official Microsoft PECOFF documentation.