Portable Executable

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
(Other links: Updating Forensics Wiki links)
 
(18 intermediate revisions by 5 users not shown)
Line 2: Line 2:
 
|formattype=electronic
 
|formattype=electronic
 
|subcat=Executables
 
|subcat=Executables
|extensions={{ext|exe}}, others
+
|extensions={{ext|exe}}, {{ext|dll}}, {{ext|cpl}}, {{ext|efi}}, {{ext|ocx}}, {{ext|scr}}, {{ext|sys}}, {{ext|lib}}, others
 +
|pronom={{PRONOM|x-fmt/411}}, {{PRONOM|fmt/899}}, {{PRONOM|fmt/900}}
 +
|kaitai struct=microsoft_pe
 
}}
 
}}
'''PE''' ('''Portable Executable''', also called '''PE/COFF''') is a member of the [[EXE]] family of executable file formats. It is used mainly used by 32- and 64-bit Microsoft Windows operating systems. It is an extension/hybrid of [[MS-DOS EXE]], and a successor to [[NE]]. Parts of it are derived from [[COFF]].  
+
'''Portable Executable''' ('''PE''', '''PE/COFF''', '''PE32''', '''PE32+''') is a member of the [[EXE]] family of executable file formats. It is used by the Microsoft Windows family of operating systems (starting with Windows 95 and [[wikipedia:Win32s|Win32s]]), EFI and sometimes in other environments. It is an extension/hybrid of [[MS-DOS EXE]], and a successor to [[NE]]. Parts of it are derived from [[COFF]].  
  
 
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
 
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
Line 15: Line 17:
 
A PE file begins with the ASCII signature "<code>MZ</code>". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with <code>'P' 'E' 0x00 0x00</code>. For more information, see [[MS-DOS EXE]].
 
A PE file begins with the ASCII signature "<code>MZ</code>". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with <code>'P' 'E' 0x00 0x00</code>. For more information, see [[MS-DOS EXE]].
  
== Links ==
+
== See also ==
* [[Wikipedia:Portable Executable|Wikipedia article]]
+
* [[Dynamic-link library (Windows)]]
* [http://wiki.osdev.org/PE PE], from the OSDev Wiki
+
 
 +
== Specifications and technical information ==
 
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
 +
* [http://wiki.osdev.org/PE PE], from the OSDev Wiki
 
* [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy
 
* [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy
* [http://www.forensicswiki.org/wiki/Portable_Executable_Format Forensics Wiki: Portable Executable Format]
+
* [http://pe.corkami.com/ PE] (corkami.com)
 +
** [http://pe102.corkami.com/ PE102 - a Windows executable format overview]
 +
** [https://github.com/corkami/pics/blob/master/PE101.png PE101 - a Windows executable walkthrough]
 +
* [http://bytepointer.com/articles/the_microsoft_rich_header.htm The Undocumented Microsoft "Rich" Header]
 +
 
 +
== Software and tools ==
 +
* [http://www.mitec.cz/exe.html EXE Explorer utility]
 +
* [https://github.com/katjahahn/PortEx/tree/master/progs PortEx Analyzer]
 +
* [http://bytepointer.com/tools/index.htm#pelook pelook]
 +
* [https://implib.sourceforge.io/ ImpLib SDK]
 +
 
 +
== Other links ==
 +
* [[Wikipedia:Portable Executable|Wikipedia article]]
 +
* [{{ForensicsWikiURL|portable_executable_format}} Forensics Wiki: Portable Executable Format]
 +
* [http://blog.didierstevens.com/2015/01/22/converting-peid-signatures-to-yara-rules/ Converting PEiD Signatures To YARA Rules]
  
 
[[Category:Microsoft]]
 
[[Category:Microsoft]]
 +
[[Category:Windows]]

Latest revision as of 14:54, 3 September 2023

File Format
Name Portable Executable
Ontology
Extension(s) .exe, .dll, .cpl, .efi, .ocx, .scr, .sys, .lib, others
PRONOM x-fmt/411, fmt/899, fmt/900
Kaitai Struct Spec microsoft_pe.ksy

Portable Executable (PE, PE/COFF, PE32, PE32+) is a member of the EXE family of executable file formats. It is used by the Microsoft Windows family of operating systems (starting with Windows 95 and Win32s), EFI and sometimes in other environments. It is an extension/hybrid of MS-DOS EXE, and a successor to NE. Parts of it are derived from COFF.

Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.

Contents

[edit] Formats

  • PE32 format is used by 32-bit Windows.
  • PE32+ format is used by 64-bit Windows.

[edit] Identification

A PE file begins with the ASCII signature "MZ". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00. For more information, see MS-DOS EXE.

[edit] See also

[edit] Specifications and technical information

[edit] Software and tools

[edit] Other links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox