PE File Format


The following image illustrates DOS HEADER.
(2) DOS Stub
This part is no longer using after 32 bit mode. The following image shows an example of DOS Stub.


(3) IMAGE_NT_HEADERS (Size:0xF8)

An example of NT Headers is as following. Note that the starting address matches the value “0x000000E0” with the one from e_lfanew field in DOS Header. NT Header contains both Image File Header and Image Optional Header.
  • Machine field specifies the architecture; 0x14c means x86 and 0x8664 means x86-64.
  • TimeDateStamp field has Unix timestamp whose epoc is 00:00:00 UTC on Jan. 1st, 1970 at link time.
  • SizeOfOptionalHeader field indicates the number of section headers.
  • Characteristics field shows the property of an executable file. See the below.

Note that Optional header is not all optional!!
  • AddressOfEntryPoint specifies the RVA which the loader starts code execution
  • SizeOfImage tells the amount of contiguous memory reserved to load the binary into memory.
  • SectionAlignment specifies that sections should be aligned on boundaries of multiples of this value.
  • FileAlignment field tells that data has to be written to a file in chucks no smaller than this value.
    i.e 0x200 or 512 in HDD sector size
  • ImageBase field specifies the preferred virtual memory address for the beginning of the binary.
  • DLLCharateristics field provides the loader with security options like ASLR and DEP NX memory regions.
    -> Not limited to DLLs, IDE compiler with the /DYNAMICBASE option
  • DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES] has two fields: VirtualAddress and Size

Each directory has similar structure as following:

(6) IMAGE_SECTION_HEADER (.text, .data, .rsrc, .reloc, …)
  • VirtualAddress specifies the RVA (Relative Virtual Address) of the section relative to ImageBase.
  • PointerToRawData specifies a relative offset to store the actual section data from the file .
  • SizeOfRawData indicates the size of memory allocation for the section. The value is Mics.VirtualSize which is rounded up to the multiple of alignment.
  • PointerToRawData field indicates the actual file offset from the section.
  • See the below for a characteristics field.


