Portable Executable
From Just Solve the File Format Problem
(Difference between revisions)
(→Other links: Updating Forensics Wiki links) |
|||
(18 intermediate revisions by 5 users not shown) | |||
Line 2: | Line 2: | ||
|formattype=electronic | |formattype=electronic | ||
|subcat=Executables | |subcat=Executables | ||
− | |extensions={{ext|exe}}, others | + | |extensions={{ext|exe}}, {{ext|dll}}, {{ext|cpl}}, {{ext|efi}}, {{ext|ocx}}, {{ext|scr}}, {{ext|sys}}, {{ext|lib}}, others |
+ | |pronom={{PRONOM|x-fmt/411}}, {{PRONOM|fmt/899}}, {{PRONOM|fmt/900}} | ||
+ | |kaitai struct=microsoft_pe | ||
}} | }} | ||
− | ''' | + | '''Portable Executable''' ('''PE''', '''PE/COFF''', '''PE32''', '''PE32+''') is a member of the [[EXE]] family of executable file formats. It is used by the Microsoft Windows family of operating systems (starting with Windows 95 and [[wikipedia:Win32s|Win32s]]), EFI and sometimes in other environments. It is an extension/hybrid of [[MS-DOS EXE]], and a successor to [[NE]]. Parts of it are derived from [[COFF]]. |
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc. | Despite the name, not all PE files are executable. Some contain only icons, fonts, etc. | ||
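Review bot: The new lead sentence dates PE use from "Windows 95 and Win32s", but the specifications list on this same page links an article on the PE format as used by Windows NT 3, so the two statements do not line up. Suggest naming Windows NT in the lead as well, or rewording so the sentence does not read as the format's starting point.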
Line 15: | Line 17: | ||
A PE file begins with the ASCII signature "<code>MZ</code>". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with <code>'P' 'E' 0x00 0x00</code>. For more information, see [[MS-DOS EXE]]. | A PE file begins with the ASCII signature "<code>MZ</code>". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with <code>'P' 'E' 0x00 0x00</code>. For more information, see [[MS-DOS EXE]]. | ||
− | == | + | == See also == |
− | * [[ | + | * [[Dynamic-link library (Windows)]] |
− | + | ||
+ | == Specifications and technical information == | ||
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification] | * [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification] | ||
+ | * [http://wiki.osdev.org/PE PE], from the OSDev Wiki | ||
* [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy | * [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy | ||
− | * [http://www. | + | * [http://pe.corkami.com/ PE] (corkami.com) |
+ | ** [http://pe102.corkami.com/ PE102 - a Windows executable format overview] | ||
+ | ** [https://github.com/corkami/pics/blob/master/PE101.png PE101 - a Windows executable walkthrough] | ||
+ | * [http://bytepointer.com/articles/the_microsoft_rich_header.htm The Undocumented Microsoft "Rich" Header] | ||
+ | |||
+ | == Software and tools == | ||
+ | * [http://www.mitec.cz/exe.html EXE Explorer utility] | ||
+ | * [https://github.com/katjahahn/PortEx/tree/master/progs PortEx Analyzer] | ||
+ | * [http://bytepointer.com/tools/index.htm#pelook pelook] | ||
+ | * [https://implib.sourceforge.io/ ImpLib SDK] | ||
+ | |||
+ | == Other links == | ||
+ | * [[Wikipedia:Portable Executable|Wikipedia article]] | ||
+ | * [{{ForensicsWikiURL|portable_executable_format}} Forensics Wiki: Portable Executable Format] | ||
+ | * [http://blog.didierstevens.com/2015/01/22/converting-peid-signatures-to-yara-rules/ Converting PEiD Signatures To YARA Rules] | ||
[[Category:Microsoft]] | [[Category:Microsoft]] | ||
+ | [[Category:Windows]] |
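Review bot: The added external links mix URL schemes: the GitHub and ImpLib entries use https, while the OSDev, corkami, bytepointer, mitec and didierstevens entries are plain http. Suggest switching each to https where the host serves it. In the nested corkami items, PE102 is also listed ahead of PE101; swapping them would keep the pair in order.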
Latest revision as of 14:54, 3 September 2023
Portable Executable (PE, PE/COFF, PE32, PE32+) is a member of the EXE family of executable file formats. It is used by the Microsoft Windows family of operating systems (starting with Windows 95 and Win32s), EFI and sometimes in other environments. It is an extension/hybrid of MS-DOS EXE, and a successor to NE. Parts of it are derived from COFF.
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
Formats
- PE32 format is used by 32-bit Windows.
- PE32+ format is used by 64-bit Windows.
Identification
A PE file begins with the ASCII signature "MZ". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00. For more information, see MS-DOS EXE.
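The identification steps above, written out as an added example (not code from this wiki or from any tool it links). It goes one step beyond the page by also reading the 2-byte optional-header magic that follows the 20-byte COFF header (0x10B for PE32, 0x20B for PE32+), and it assumes the 4-byte integer at offset 60 is little-endian; the function names and sample bytes are constructed for illustration.

```python
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 60       # the 4-byte pointer at offset 60 named on this page
COFF_HEADER_SIZE = 20      # fixed-size COFF file header after the signature
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def identify_pe(data: bytes) -> str:
    """Classify raw bytes; every offset is bounds-checked before use."""
    if data[:2] != MZ_MAGIC:
        return "not MZ"
    if len(data) < E_LFANEW_OFFSET + 4:
        return "MZ without PE header"
    # Assumption: the pointer is an unsigned little-endian 32-bit integer.
    (pe_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # The pointer comes from the file itself, so it may point past the end.
    if pe_offset + len(PE_SIGNATURE) > len(data):
        return "MZ without PE header"
    if data[pe_offset:pe_offset + 4] != PE_SIGNATURE:
        return "MZ without PE header"
    magic_offset = pe_offset + len(PE_SIGNATURE) + COFF_HEADER_SIZE
    if magic_offset + 2 > len(data):
        return "PE (no optional header)"
    (magic,) = struct.unpack_from("<H", data, magic_offset)
    return OPTIONAL_MAGIC.get(magic, "PE (unknown optional header)")


def build_sample(pe_offset: int, magic: int) -> bytes:
    """Constructed header-only sample (not a loadable image) for the demo."""
    buf = bytearray(pe_offset + len(PE_SIGNATURE) + COFF_HEADER_SIZE + 2)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_offset)
    buf[pe_offset:pe_offset + 4] = PE_SIGNATURE
    struct.pack_into("<H", buf, pe_offset + 4 + COFF_HEADER_SIZE, magic)
    return bytes(buf)


if __name__ == "__main__":
    bad_pointer = bytearray(64)
    bad_pointer[0:2] = MZ_MAGIC
    struct.pack_into("<I", bad_pointer, E_LFANEW_OFFSET, 0xFFFFFFF0)
    samples = {
        "32-bit image": build_sample(0x80, 0x10B),
        "64-bit image": build_sample(0x80, 0x20B),
        "pointer past end of file": bytes(bad_pointer),
        "truncated after signature": build_sample(0x80, 0x10B)[:0x84],
    }
    for label, blob in samples.items():
        print(f"{label}: {identify_pe(blob)}")
```

A file that passes only the "MZ" check may be a plain MS-DOS EXE, which is why the function reports that case separately instead of treating it as PE.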
See also
- Dynamic-link library (Windows)
Specifications and technical information
- Microsoft PE and COFF Specification
- PE, from the OSDev Wiki
- Article on the PE format as used by Windows NT 3, by Johannes Plachy
- PE (corkami.com)
  - PE102 - a Windows executable format overview
  - PE101 - a Windows executable walkthrough
- The Undocumented Microsoft "Rich" Header
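Software and tools
- EXE Explorer utility
- PortEx Analyzer
- pelook
- ImpLib SDK
Other links
- Wikipedia article
- Forensics Wiki: Portable Executable Format
- Converting PEiD Signatures To YARA Rules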