Portable Executable
From Just Solve the File Format Problem
(Difference between revisions)
(→Links) |
|||
| Line 21: | Line 21: | ||
* [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy | * [http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html Article on the PE format as used by Windows NT 3], by Johannes Plachy | ||
* [http://www.forensicswiki.org/wiki/Portable_Executable_Format Forensics Wiki: Portable Executable Format] | * [http://www.forensicswiki.org/wiki/Portable_Executable_Format Forensics Wiki: Portable Executable Format] | ||
| + | * [http://pe.corkami.com/ PE] (corkami.com) | ||
| + | ** [http://pe102.corkami.com/ PE102 - a Windows executable format overview] | ||
| + | ** [https://code.google.com/p/corkami/wiki/PE101 PE101 - a Windows executable walkthrough] | ||
[[Category:Microsoft]] | [[Category:Microsoft]] | ||
Revision as of 02:28, 14 May 2014
PE (Portable Executable, also called PE/COFF) is a member of the EXE family of executable file formats. It is used mainly used by 32- and 64-bit Microsoft Windows operating systems. It is an extension/hybrid of MS-DOS EXE, and a successor to NE. Parts of it are derived from COFF.
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
Formats
- PE32 format is used by 32-bit Windows.
- PE32+ format is used by 64-bit Windows.
Identification
A PE file begins with the ASCII signature "MZ". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00. For more information, see MS-DOS EXE.
Links
- Wikipedia article
- PE, from the OSDev Wiki
- Microsoft PE and COFF Specification
- Article on the PE format as used by Windows NT 3, by Johannes Plachy
- Forensics Wiki: Portable Executable Format
- PE (corkami.com)
