Posts

Showing posts from March, 2023

A journey into PE executables - Part 1 - Introduction to PE

PE Executables

PE stands for Portable Executable. PE is a modified version of the Common Object File Format (COFF) introduced in the previous post, which is why it is also known as PE/COFF. It is used for Windows executables, drivers, dynamic libraries, and so on. Like other executable formats, a PE file has a structure that stores the information the operating system needs to load and run it. Let's dive into it.

Structure

The above picture shows a schematic of the PE executable structure as defined in WinNT.h.

DOS Header and DOS Stub

The first part of the PE structure is called the DOS (MS-DOS) header. It starts with a magic value (4D 5A), which consists of the ASCII characters 'M' and 'Z'. "MZ" stands for Mark Zbikowski, one of the original DOS developers, which is why this header is also known as the MZ header. The header is followed by a stub area; the code in this stub area is executed, for example, when a user attempts to run the file under DOS. The followin