Portable Executable
From Just Solve the File Format Problem
(Difference between revisions)
Dan Tobias (Talk | contribs) (→Links) |
Line 30: | Line 30: | ||
* [http://www.mitec.cz/exe.html EXE Explorer utility] | * [http://www.mitec.cz/exe.html EXE Explorer utility] | ||
* [https://github.com/katjahahn/PortEx/tree/master/progs PortEx Analyzer] | * [https://github.com/katjahahn/PortEx/tree/master/progs PortEx Analyzer] | ||
+ | * [http://blog.didierstevens.com/2015/01/22/converting-peid-signatures-to-yara-rules/ Converting PEiD Signatures To YARA Rules] | ||
[[Category:Microsoft]] | [[Category:Microsoft]] |
Revision as of 04:38, 4 March 2015
PE (Portable Executable, also called PE/COFF) is a member of the EXE family of executable file formats. It is mainly used by 32- and 64-bit Microsoft Windows operating systems. It is an extension/hybrid of MS-DOS EXE, and a successor to NE. Parts of it are derived from COFF.
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
Formats
- PE32 format is used by 32-bit Windows.
- PE32+ format is used by 64-bit Windows.
Identification
A PE file begins with the ASCII signature "MZ". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00. For more information, see MS-DOS EXE.
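The identification steps above, written as an added Python example (not part of the wiki page). It also tells PE32 from PE32+ using the optional-header magic values 0x10B and 0x20B, which come from the Microsoft PE/COFF specification rather than from this page; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Optional-header magic values (Microsoft PE/COFF specification, not this page).
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def identify_pe(data: bytes) -> str:
    """Classify a buffer as 'PE32', 'PE32+', 'PE (unknown optional header)',
    'MZ only' (MZ signature without a valid PE header) or 'not MZ'."""
    if len(data) < 2 or data[:2] != b"MZ":
        return "not MZ"
    # The 4-byte little-endian pointer at offset 60 needs at least 64 bytes.
    if len(data) < 64:
        return "MZ only"
    (pe_offset,) = struct.unpack_from("<I", data, 60)
    # The offset comes from an untrusted file: bounds-check before using it.
    if pe_offset > len(data) - 4 or data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        return "MZ only"
    # A 20-byte COFF file header follows the signature, then the optional header.
    magic_at = pe_offset + 4 + 20
    if magic_at + 2 > len(data):
        return "PE (unknown optional header)"
    (magic,) = struct.unpack_from("<H", data, magic_at)
    return OPTIONAL_MAGIC.get(magic, "PE (unknown optional header)")


def build_sample(magic: int, pe_offset: int = 0x80) -> bytes:
    """Constructed minimal header bytes for the demo; not a loadable program."""
    buf = bytearray(pe_offset + 4 + 20 + 2)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 60, pe_offset)
    buf[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    struct.pack_into("<H", buf, pe_offset + 24, magic)
    return bytes(buf)


if __name__ == "__main__":
    print(identify_pe(build_sample(0x10B)))        # 32-bit layout
    print(identify_pe(build_sample(0x20B)))        # 64-bit layout
    print(identify_pe(b"MZ" + b"\x00" * 62))       # DOS-style stub, no PE header
    print(identify_pe(b"\x7fELF" + b"\x00" * 60))  # different format entirely
```

A file that returns "MZ only" may still be a valid MS-DOS EXE or NE file; the check only says that no PE header was found where offset 60 points.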
See also
Links
- Wikipedia article
- PE, from the OSDev Wiki
- Microsoft PE and COFF Specification
- Article on the PE format as used by Windows NT 3, by Johannes Plachy
- Forensics Wiki: Portable Executable Format
- PE (corkami.com)
- EXE Explorer utility
- PortEx Analyzer
- Converting PEiD Signatures To YARA Rules