This document provides an overview of the Portable Executable (PE) file format by exploring examples of simple, compiled, DLL, driver, and .NET binaries. It discusses the key components of a PE including the DOS header, PE header, optional header, data directories, sections, imports, and resources. It also briefly explains how the format is similar on 64-bit and ARM architectures with only minor changes needed.

1. Exploring
the Portable Executable
format
London, England
Ange Albertini 2013/09/13

2. Workshop package
(PoCs+docs)
http://www.xchg.info/corkami/workshop.zip
Recommended PE viewer:
http://icerbero.com/peinsider

16. a handmade PE
simple.exe
a first real example
working minimal

20. detailed
walkthrough

22. DOS header
unused in PE mode

24. PE header
PE signature

26. Optional Header
NOT optional in executables

28. DataDirectories
end of OptionalHeader
16 (max) * [RVA, Size]
each entry interpreted differently

30. Sections
memory mapping

33. Imports
standard loader mechanism
NOT required
load DLL, locate APIs

35. compiled PE
compiled.exe
closer to reality
extra non-critical structure

39. DLL
exports
relocations

42. driver
subsystem, checksum
low alignments mapping
different imports

44. resources
structure
version, manifest/icon, APIs

47. Thread Local Storage
callback list
before EntryPoint & after ExitProcess

49. .Net
different and integrated binary
2nd loader

51. what about 64b?
very few changes
● 2 magic constants
● a few elements become QWord
○ ImageBase, Imports thunks, callbacks
● Exceptions have their own DataDirectory
○ no need for LoadConfig (SafeSEH)

52. and ARM
● a different magic constant
● still 16b DOS Stub !
● nothing special, PE wise
○ the beauty of ‘Portability’

53. trivial