The PE file header consists of an MS-DOS stub, the PE signature, the COFF File Header, and an Optional header. A COFF object file header consists of a COFF File Header and an Optional Header. In both cases, the file headers are followed immediately by section headers.

3.1 MS-DOS Stub (Image Only)

The MS-DOS Stub is a valid application that runs under MS-DOS and is placed at the front of the .EXE image. The linker places a default stub here, which prints out the message "This program cannot be run in DOS mode" when the image is run in MS-DOS. The user can specify another stub by using the /STUB linker option.

At location 0x3c, the stub has the file offset to the Portable Executable (PE) signature. This information enables Windows to properly execute the image file, even though it has a DOS Stub. This file offset is placed at location 0x3c during linking.

3.2 Signature (Image Only)

After the MS-DOS stub, at the file offset specified at offset 0x3c, there is a 4-byte signature identifying the file as a PE format image file. Currently, this signature is "PE\0\0" (the letters "P" and "E" followed by two null bytes).

3.3 COFF File Header (Object & Image)

At the beginning of an object file, or immediately after the signature of an image file, there is a standard COFF header of the following format. Note that the Windows loader limits the Number of Sections to 96.

| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | 2 | Machine | Number identifying type of target machine. See Section 3.3.1, "Machine Types," for more information. |
| 2 | 2 | NumberOfSections | Number of sections; indicates size of the Section Table, which immediately follows the headers. |
| 4 | 4 | TimeDateStamp | The low 32 bits of the number of seconds since 00:00 January 1, 1970 (a C Runtime time_t value) when the file was created. |
| 8 | 4 | PointerToSymbolTable | File offset of the COFF symbol table or 0 if none is present. Should be zero for an image as COFF debugging information is deprecated. |
| 12 | 4 | NumberOfSymbols | Number of entries in the symbol table. This data can be used in locating the string table, which immediately follows the symbol table. Should be zero for an image as COFF debugging information is deprecated. |
| 16 | 2 | SizeOfOptionalHeader | Size of the optional header, which is required for executable files but not for object files. An object file should have a value of 0 here. The format is described in the section "Optional Header." |
| 18 | 2 | Characteristics | Flags indicating attributes of the file. See Section 3.3.2, "Characteristics," for specific flag values. |

3.3.1 Machine Types

The Machine field has one of the following values, defined below, which specify its machine (CPU) type. An image file can be run only on the specified machine, or a system emulating it.

| Constant | Value | Description |
|---|---|---|
| IMAGE_FILE_MACHINE_UNKNOWN | 0x0 | Contents assumed to be applicable to any machine type. |
| IMAGE_FILE_MACHINE_AM33 | 0x1d3 | Matsushita AM33 |
| IMAGE_FILE_MACHINE_AMD64 | 0x8664 | AMD AMD64 |
| IMAGE_FILE_MACHINE_ARM | 0x1c0 | ARM little endian |
| IMAGE_FILE_MACHINE_CEE | 0xc0ee | CLR pure MSIL (object only) |
| IMAGE_FILE_MACHINE_EBC | 0xebc | EFI Byte Code |
| IMAGE_FILE_MACHINE_I386 | 0x14c | Intel 386 or later, and compatible processors |
| IMAGE_FILE_MACHINE_IA64 | 0x200 | Intel IA64 |
| IMAGE_FILE_MACHINE_M32R | 0x9041 | Mitsubishi M32R little endian |
| IMAGE_FILE_MACHINE_MIPS16 | 0x266 | |
| IMAGE_FILE_MACHINE_MIPSFPU | 0x366 | MIPS with FPU |
| IMAGE_FILE_MACHINE_MIPSFPU16 | 0x466 | MIPS16 with FPU |
| IMAGE_FILE_MACHINE_POWERPC | 0x1f0 | Power PC, little endian |
| IMAGE_FILE_MACHINE_POWERPCFP | 0x1f1 | Power PC with floating point support |
| IMAGE_FILE_MACHINE_R4000 | 0x166 | MIPS little endian |
| IMAGE_FILE_MACHINE_SH3 | 0x1a2 | Hitachi SH3 |
| IMAGE_FILE_MACHINE_SH3DSP | 0x1a3 | Hitachi SH3 DSP |
| IMAGE_FILE_MACHINE_SH4 | 0x1a6 | Hitachi SH4 |
| IMAGE_FILE_MACHINE_SH5 | 0x1a8 | Hitachi SH5 |
| IMAGE_FILE_MACHINE_THUMB | 0x1c2 | Thumb |
| IMAGE_FILE_MACHINE_WCEMIPSV2 | 0x169 | MIPS little endian WCE v2 |

3.3.2 Characteristics

The Characteristics field contains flags that indicate attributes of the object or image file. The following flags are currently defined:

| Flag | Value | Description |
|---|---|---|
| IMAGE_FILE_RELOCS_STRIPPED | 0x0001 | Image only, Windows CE, Windows NT and above. Indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from EXEs. |
| IMAGE_FILE_EXECUTABLE_IMAGE | 0x0002 | Image only. Indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error. |
| IMAGE_FILE_LINE_NUMS_STRIPPED | 0x0004 | COFF line numbers have been removed. Deprecated and should be zero. |
| IMAGE_FILE_LOCAL_SYMS_STRIPPED | 0x0008 | COFF symbol table entries for local symbols have been removed. Deprecated and should be zero. |
| IMAGE_FILE_AGGRESSIVE_WS_TRIM | 0x0010 | Obsolete. Aggressively trim working set. Deprecated in Windows 2000 and later. Must be zero. |
| IMAGE_FILE_LARGE_ADDRESS_AWARE | 0x0020 | App can handle > 2 GB addresses. |
| | 0x0040 | Use of this flag is reserved for future use. |
| IMAGE_FILE_BYTES_REVERSED_LO | 0x0080 | Little endian: LSB precedes MSB in memory. Deprecated and should be zero. |
| IMAGE_FILE_32BIT_MACHINE | 0x0100 | Machine based on 32-bit-word architecture. |
| IMAGE_FILE_DEBUG_STRIPPED | 0x0200 | Debugging information removed from image file. |
| IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP | 0x0400 | If image is on removable media, fully load it and copy it to the swap file. |
| IMAGE_FILE_NET_RUN_FROM_SWAP | 0x0800 | If image is on network media, fully load it and copy it to the swap file. |
| IMAGE_FILE_SYSTEM | 0x1000 | The image file is a system file, not a user program. |
| IMAGE_FILE_DLL | 0x2000 | The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run. |
| IMAGE_FILE_UP_SYSTEM_ONLY | 0x4000 | File should be run only on a UP machine. |
| IMAGE_FILE_BYTES_REVERSED_HI | 0x8000 | Big endian: MSB precedes LSB in memory. Deprecated and should be zero. |

3.4 Optional Header (Image Only)

Every image file has an Optional Header that provides information to the loader. This header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. An object file may have an optional header, but generally this header has no function in an object file except to increase size.

Note that the size of the optional header is not fixed. The SizeOfOptionalHeader field in the COFF Header (see Section 3.3, "COFF File Header (Object & Image)") must be used to validate that a probe into the file for a particular Data Directory does not go beyond the SizeOfOptionalHeader. The NumberOfRvaAndSizes field of the Optional Header should also be used to ensure that no probe for a particular Data Directory entry goes beyond the Optional Header. In addition, it is important to validate the Optional Header's Magic number for format compatibility.

The Optional Header's Magic number determines whether an image is a PE32 or PE32+ executable:

| Magic Number | PE Format |
|---|---|
| 0x10b | PE32 |
| 0x20b | PE32+ |

PE32+ images allow for a 64-bit address space while limiting the image size to 2 Gigabytes. Other PE32+ modifications are addressed in their respective sections.

The Optional Header itself has three major parts:

| Offset (PE32/PE32+) | Size (PE32/PE32+) | Header Part | Description |
|---|---|---|---|
| 0 | 28/24 | Standard fields | These are defined for all implementations of COFF, including UNIX. |
| 28/24 | 68/88 | Windows specific fields | These include additional fields to support specific features of Windows (for example, subsystem). |
| 96/112 | Variable | Data directories | These fields are address/size pairs for special tables, found in the image file and used by the operating system (for example, Import Table and Export Table). |

3.4.1 Optional Header Standard Fields (Image Only)

The first eight fields of the Optional Header are standard fields, defined for every implementation of COFF. These fields contain general information useful for loading and running an executable file, and are unchanged for the PE32+ format.

| Offset | Size | Field | Description |
|---|---|---|---|
| 0 | 2 | Magic | Unsigned integer identifying the state of the image file. The most common number is 0x10B, identifying it as a normal executable file; 0x107 identifies a ROM image, and 0x20B identifies it as a PE32+ executable. |
| 2 | 1 | MajorLinkerVersion | Linker major version number. |
| 3 | 1 | MinorLinkerVersion | Linker minor version number. |
| 4 | 4 | SizeOfCode | Size of the code (text) section, or the sum of all code sections if there are multiple sections. |
| 8 | 4 | SizeOfInitializedData | Size of the initialized data section, or the sum of all such sections if there are multiple data sections. |
| 12 | 4 | SizeOfUninitializedData | Size of the uninitialized data section (BSS), or the sum of all such sections if there are multiple BSS sections. |
| 16 | 4 | AddressOfEntryPoint | Address of entry point, relative to image base, when executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function. An entry point is optional for DLLs. When none is present this field must be 0. |
| 20 | 4 | BaseOfCode | Address, relative to image base, of beginning of code section, when loaded into memory. |

PE32 contains this additional field, absent in PE32+, following BaseOfCode:

| Offset | Size | Field | Description |
|---|---|---|---|
| 24 | 4 | BaseOfData | Address, relative to image base, of beginning of data section, when loaded into memory. |

3.4.2 Optional Header Windows-Specific Fields (Image Only)

The next twenty-one fields are an extension to the COFF Optional Header format and contain additional information needed by the linker and loader in Windows.

| Offset (PE32/PE32+) | Size (PE32/PE32+) | Field | Description |
|---|---|---|---|
| 28 / 24 | 4 / 8 | ImageBase | Preferred address of first byte of image when loaded into memory; must be a multiple of 64K. The default for DLLs is 0x10000000. The default for Windows CE EXEs is 0x00010000. The default for Windows NT, Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is 0x00400000. |
| 32 / 32 | 4 | SectionAlignment | Alignment (in bytes) of sections when loaded into memory. Must be greater than or equal to File Alignment. Default is the page size for the architecture. |
| 36 / 36 | 4 | FileAlignment | Alignment factor (in bytes) used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K inclusive. The default is 512. If the SectionAlignment is less than the architecture's page size, then this must match the SectionAlignment. |
| 40 / 40 | 2 | MajorOperatingSystemVersion | Major version number of required OS. |
| 42 / 42 | 2 | MinorOperatingSystemVersion | Minor version number of required OS. |
| 44 / 44 | 2 | MajorImageVersion | Major version number of image. |
| 46 / 46 | 2 | MinorImageVersion | Minor version number of image. |
| 48 / 48 | 2 | MajorSubsystemVersion | Major version number of subsystem. |
| 50 / 50 | 2 | MinorSubsystemVersion | Minor version number of subsystem. |
| 52 / 52 | 4 | Win32VersionValue | Reserved, must be zero. |
| 56 / 56 | 4 | SizeOfImage | Size, in bytes, of the image, including all headers as it is loaded in memory; must be a multiple of Section Alignment. |
| 60 / 60 | 4 | SizeOfHeaders | Combined size of MS-DOS stub, PE Header, and section headers rounded up to a multiple of FileAlignment. |
| 64 / 64 | 4 | CheckSum | Image file checksum. The algorithm for computing is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that ends up in the server. |
| 68 / 68 | 2 | Subsystem | Subsystem required to run this image. See "Windows Subsystem" below for more information. |
| 70 / 70 | 2 | DllCharacteristics | See "DLL Characteristics" below for more information. |
| 72 / 72 | 4 / 8 | SizeOfStackReserve | Size of stack to reserve. Only the Stack Commit Size is committed; the rest is made available one page at a time, until reserve size is reached. |
| 76 / 80 | 4 / 8 | SizeOfStackCommit | Size of stack to commit. |
| 80 / 88 | 4 / 8 | SizeOfHeapReserve | Size of local heap space to reserve. Only the Heap Commit Size is committed; the rest is made available one page at a time, until reserve size is reached. |
| 84 / 96 | 4 / 8 | SizeOfHeapCommit | Size of local heap space to commit. |
| 88 / 104 | 4 | LoaderFlags | Reserved, must be zero. |
| 92 / 108 | 4 | NumberOfRvaAndSizes | Number of data-directory entries in the remainder of the Optional Header. Each describes a location and size. |

Windows Subsystem

The following values, defined for the Subsystem field of the Optional Header, determine what, if any, Windows subsystem is required to run the image.

| Constant | Value | Description |
|---|---|---|
| IMAGE_SUBSYSTEM_UNKNOWN | 0 | Unknown subsystem. |
| IMAGE_SUBSYSTEM_NATIVE | 1 | Used for device drivers and native Windows processes. |
| IMAGE_SUBSYSTEM_WINDOWS_GUI | 2 | Image runs in the Windows graphical user interface (GUI) subsystem. |
| IMAGE_SUBSYSTEM_WINDOWS_CUI | 3 | Image runs in the Windows character subsystem. |
| IMAGE_SUBSYSTEM_POSIX_CUI | 7 | Image runs in the Posix character subsystem. |
| IMAGE_SUBSYSTEM_WINDOWS_CE_GUI | 9 | Image runs in Windows CE. |
| IMAGE_SUBSYSTEM_EFI_APPLICATION | 10 | Image is an EFI (Extensible Firmware Interface) application. |
| IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER | 11 | Image is an EFI driver with boot services. |
| IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER | 12 | Image is an EFI driver with runtime services. |
| IMAGE_SUBSYSTEM_EFI_ROM | 13 | Image is an EFI ROM image. |
| IMAGE_SUBSYSTEM_XBOX | 14 | Image runs in XBOX. |
| IMAGE_SUBSYSTEM_NEXUS_AGENT | 15 | |

DLL Characteristics

The following values are defined for the DllCharacteristics field of the Optional Header.

| Constant | Value | Description |
|---|---|---|
| | 0x0001 | Reserved. |
| | 0x0002 | Reserved. |
| | 0x0004 | Reserved. |
| | 0x0008 | Reserved. |
| IMAGE_DLLCHARACTERISTICS_NO_ISOLATION | 0x0200 | Image understands isolation and doesn't want it. |
| IMAGE_DLLCHARACTERISTICS_NO_SEH | 0x0400 | Image does not use SEH. No SE handler may be called in this image. |
| IMAGE_DLLCHARACTERISTICS_NO_BIND | 0x0800 | Do not bind image. |
| | 0x1000 | Reserved, must be zero. |
| IMAGE_DLLCHARACTERISTICS_WDM_DRIVER | 0x2000 | Driver is a WDM Driver. |
| IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE | 0x8000 | Image is Terminal Server aware. |

3.4.3 Optional Header Data Directories (Image Only)

Each data directory gives the address and size of a table or string used by Windows. These data directory entries are all loaded into memory so that they can be used by the system at run time. A data directory is an eight-byte field that has the following declaration:

```c
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
```

The first field, VirtualAddress, is actually the relative virtual address of the table. The RVA is the address of the table, when loaded, relative to the base address of the image. The second field gives the size in bytes. The data directories, which form the last part of the Optional Header, are listed below.

Note that the number of directories is not fixed. The NumberOfRvaAndSizes field in the optional header should be checked before looking for a specific directory.

Do not assume that the RVAs given in this table point to the beginning of a section or that the sections containing specific tables have specific names.

| Offset (PE/PE32+) | Size | Field | Description |
|---|---|---|---|
| 96/112 | 8 | Export Table | Export Table address and size. |
| 104/120 | 8 | Import Table | Import Table address and size. |
| 112/128 | 8 | Resource Table | Resource Table address and size. |
| 120/136 | 8 | Exception Table | Exception Table address and size. |
| 128/144 | 8 | Certificate Table | Attribute Certificate Table address and size. |
| 136/152 | 8 | Base Relocation Table | Base Relocation Table address and size. |
| 144/160 | 8 | Debug | Debug data starting address and size. |
| 152/168 | 8 | Architecture | Architecture-specific data address and size. |
| 160/176 | 8 | Global Ptr | Relative virtual address of the value to be stored in the global pointer register. Size member of this structure must be set to 0. |
| 168/184 | 8 | TLS Table | Thread Local Storage (TLS) Table address and size. |
| 176/192 | 8 | Load Config Table | Load Configuration Table address and size. |
| 184/200 | 8 | Bound Import | Bound Import Table address and size. |
| 192/208 | 8 | IAT | Import Address Table address and size. |
| 200/216 | 8 | Delay Import Descriptor | Address and size of the Delay Import Descriptor. |
| 208/224 | 8 | CLR Runtime Header | CLR Runtime Header address and size. |
| 216/232 | 8 | Reserved | |

The Certificate Table entry points to a table of attribute certificates. These certificates are not loaded into memory as part of the image. As such, the first field of this entry, which is normally an RVA, is a File Pointer instead.
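
The validation that Sections 3.4 and 3.4.3 call for, as an added example that is not part of the specification: a bounds-checked lookup that returns a Data Directory entry only if it lies inside both NumberOfRvaAndSizes and SizeOfOptionalHeader. The names `pe_get_data_dir`, `make_sample` and `data_dir`, the negative error codes, and the constructed header-only sample are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t rva, size; } data_dir;   /* same layout as IMAGE_DATA_DIRECTORY */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Fetch data directory `index` from an untrusted image. 0 on success, <0 on a failed check. */
int pe_get_data_dir(const uint8_t *buf, size_t len, unsigned index, data_dir *out)
{
    if (len < 0x40) return -1;                      /* file must contain the 0x3c field */
    uint32_t pe = rd32(buf + 0x3c);
    if (pe > len || len - pe < 24) return -2;       /* signature (4) + COFF header (20) */
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -3;
    const uint8_t *coff = buf + pe + 4;
    if (rd16(coff + 2) > 96) return -4;             /* NumberOfSections loader limit */
    size_t opt_size = rd16(coff + 16);              /* SizeOfOptionalHeader */
    size_t opt_off = (size_t)pe + 24;
    if (opt_size > len - opt_off) return -5;        /* header runs past end of file */
    if (opt_size < 2) return -6;                    /* no room for Magic */
    const uint8_t *opt = buf + opt_off;
    size_t dirs;                                    /* offset of the first directory */
    switch (rd16(opt)) {
    case 0x10b: dirs = 96;  break;                  /* PE32  */
    case 0x20b: dirs = 112; break;                  /* PE32+ */
    default:    return -7;
    }
    if (opt_size < dirs) return -8;                 /* NumberOfRvaAndSizes not inside header */
    if (index >= rd32(opt + dirs - 4)) return -9;   /* beyond NumberOfRvaAndSizes */
    if (index >= (opt_size - dirs) / 8) return -10; /* beyond SizeOfOptionalHeader */
    out->rva  = rd32(opt + dirs + (size_t)index * 8);
    out->size = rd32(opt + dirs + (size_t)index * 8 + 4);
    return 0;
}

/* Constructed sample: header-only PE32 (not loadable) with an Import Table entry. */
const uint8_t *make_sample(uint16_t opt_size, uint32_t n_dirs)
{
    static uint8_t b[512];
    memset(b, 0, sizeof b);
    b[0x3c] = 0x40;                                 /* file offset of the PE signature */
    memcpy(b + 0x40, "PE\0\0", 4);
    b[0x44] = 0x4c; b[0x45] = 0x01;                 /* Machine = 0x14c */
    b[0x54] = (uint8_t)(opt_size & 0xff); b[0x55] = (uint8_t)(opt_size >> 8);
    b[0x58] = 0x0b; b[0x59] = 0x01;                 /* Magic = 0x10b */
    b[0xb4] = (uint8_t)(n_dirs & 0xff);             /* NumberOfRvaAndSizes (low byte) */
    b[0xc1] = 0x20; b[0xc4] = 0x28;                 /* Import Table: RVA 0x2000, size 0x28 */
    return b;
}
```

The two final checks are deliberately separate: a header that claims 16 directories in NumberOfRvaAndSizes while SizeOfOptionalHeader leaves room for only one is rejected by the second check even though it passes the first.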