32 bits Windows PE Image structure

Note : the PE structure is also used for object files (ie .obj ones) and can also be used for non Windows images files. This page describes only 32 bits Windows PE Image (ie linked executable files) structure.

Summary of Image file structure

Name	C Structure
DOS header	IMAGE_DOS_HEADER
NT Headers	IMAGE_NT_HEADERS32	DWORD Signature;
		IMAGE_FILE_HEADER FileHeader;
		IMAGE_OPTIONAL_HEADER32 OptionalHeader;
Sections Table	IMAGE_SECTION_HEADER[FileHeader.NumberOfSections];
Sections Data	Content depends on section type. Known sections names.

Detailed Image file structure

Note : Fields often used by malwares are in bold and blue.

Offset from DOS Header	Offset from NT Headers	Offset from current header	C Declaration	Comments
DOS Header
0x0000			char signature[2]="MZ";	`"MZ"` or `4D 5A` or `0x5A4D` Mark Zbikowsi's initials
0x0002			short lastsize;	Only used by MS-DOS executables.
0x0004			short nblocks;
0x0006			short nreloc;
0x0008			short hdrsize;
0x000A			short minalloc;
0x000C			short maxalloc;
0x000E			void *ss;
0x0010			void *sp;
0x0012			short checksum;
0x0014			void *ip;
0x0016			void *cs;
0x0018			short relocops;
0x001A			short noverlay;
0x001C			short reserved[4];
0x0024			short oem_id;
0x0026			short oem_info;
0x0028			short reserved[10];
0x003C			long e_lfanew = ;	NT headers offset from the beginning of the file
0x0040			; Stub DOS : 16 bits code printing "This program cannot be run in DOS mode" ; ------------------------------------------------------------------------- 0x00 0E push cs 0x01 1F pop ds 0x02 BA 0E 00 mov dx, 0Eh ; ds:dx -> string address 0x05 B4 09 mov ah, 9 ; print string 0x07 CD 21 int 21h ; call MS-DOS 0x09 B8 01 4C mox ax, 4C01h ; ah=4Ch -> quit and al=1 -> exit code 0x0C CD 21 int 21h ; call MS-DOS 0x0E 'This program cannot be run in DOS mode.\r\r\n$' 0x39 align 10h ; There are usually more bytes there
NT Headers (PE header)
0x78	0x0000		PE signature	`"PE\0\0"` or `50 45 00 00` or `0x00004550`
File Header
0x7c	0x0	0x0	short Machine;
0x7e	0x2	0x2	short NumberOfSections;
0x80	0x4	0x4	long TimeDateStamp;
0x84	0x8	0x8	long PointerToSymbolTable;
0x88	0xc	0xc	long NumberOfSymbols;
0x8c	0x10	0x10	short SizeOfOptionalHeader;
0x8e	0x12	0x12	short Characteristics;
Optional Header
0x90	0x14	0x0	short signature;	`267` for 32 bit and `253` for 64 bit
0x92	0x16	0x2	char MajorLinkerVersion;
0x93	0x17	0x3	char MinorLinkerVersion;
0x94	0x18	0x4	long SizeOfCode;
0x98	0x1c	0x8	long SizeOfInitializedData;
0x9c	0x20	0xc	long SizeOfUninitializedData;
0xa0	0x24	0x10	long AddressOfEntryPoint;
0xa4	0x28	0x14	long BaseOfCode;
0xa8	0x2c	0x18	long BaseOfData;
0xac	0x30	0x1c	long ImageBase;
0xb0	0x34	0x20	long SectionAlignment;
0xb4	0x38	0x24	long FileAlignment;
0xb8	0x3c	0x28	short MajorOSVersion;
0xba	0x3e	0x2a	short MinorOSVersion;
0xbc	0x40	0x2c	short MajorImageVersion;
0xbe	0x42	0x2e	short MinorImageVersion;
0xc0	0x44	0x30	short MajorSubsystemVersion;
0xc2	0x46	0x32	short MinorSubsystemVersion;
0xc4	0x48	0x34	long Reserved;
0xc8	0x4c	0x38	long SizeOfImage;
0xcc	0x50	0x3c	long SizeOfHeaders;
0xd0	0x54	0x40	long Checksum;
0xd4	0x58	0x44	short DLLCharacteristics;
0xd6	0x5a	0x46	long SizeOfStackReserve;
0xda	0x64		long SizeOfStackCommit;
0xde	0x68		long SizeOfHeapReserve;
0xe2	0x6c		long SizeOfHeapCommit;
0xe6	0x70		long LoaderFlags;
0xea	0x74		long NumberOfRvaAndSizes;	Number of image directories (usually 16).
0xee	0x78		data_directory DataDirectory[16];	The number of directories can be different than 16
0xee	0x0078		IMAGE_DIRECTORY_ENTRY_EXPORT
0xf6	0x80		IMAGE_DIRECTORY_ENTRY_IMPORT
0xfe	0x88		IMAGE_DIRECTORY_ENTRY_RESOURCE
0x106	0x90		IMAGE_DIRECTORY_ENTRY_EXCEPTION
0x10e	0x98		IMAGE_DIRECTORY_ENTRY_SECURITY	Certificates table
0x116	0x00A0		IMAGE_DIRECTORY_ENTRY_BASERELOC	Used by droppers, loaders or packers. When they load a PE by themselves, they have to do relocations.
0x11e	0xa8		IMAGE_DIRECTORY_ENTRY_DEBUG
0x124	0xb0		IMAGE_DIRECTORY_ENTRY_COPYRIGHT
0x12c	0xb8		IMAGE_DIRECTORY_ENTRY_GLOBALPTR
0x134	0xc0		IMAGE_DIRECTORY_ENTRY_TLS
0x13c	0xc8		IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
0x144	0xd0		IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
0x14c	0xd8		IMAGE_DIRECTORY_ENTRY_IAT
0x154	0xe0		IMAGE_DIRECTORY_DELAY_IMPORT
0x15c	0xe8		IMAGE_DIRECTORY_COM_DESCRIPTOR
Sections Table (IMAGE_SECTION_HEADER ish[FileHeader.NumberOfSections];)
First IMAGE_SECTION_HEADER
0x0	0x00	0x00	BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
0x0	0x0	0x08	union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc;
0x0	0x0	0x0c	DWORD VirtualAddress;
0x0	0x0	0x10	DWORD SizeOfRawData;
0x0	0x0	0x14	DWORD PointerToRawData;
0x0	0x0	0x18	DWORD PointerToRelocations;
0x0	0x0	0x1c	DWORD PointerToLineNumbers;
0x0	0x0	0x20	WORD NumberOfRelocations;
0x0	0x0	0x22	WORD NumberOfLineNumbers;
0x0	0x0	0x24	DWORD Characteristics;	0x20 = IMAGE_SCN_CNT_CODE : la section contient du code 0x40 = IMAGE_SCN_CNT_INITIALIZED_DATA : la section contient des données initialisées 0x80 = IMAGE_SCN_CNT_UNINITIALIZED_ DATA : la section contient des données non initialisées
others IMAGE_SECTION_HEADER
...
Sections Data
Section 0 data
Content depends on section type. Aligned on `OptionalHeader.FileAlignment` for a disk image, and `OptionalHeader.SectionAlignment` in memory (mapped image).
Section 1 data
Content depends on section type. Aligned on `OptionalHeader.FileAlignment` for a disk image, and `OptionalHeader.SectionAlignment` in memory (mapped image).
Section n data
Content depends on section type. Aligned on `OptionalHeader.FileAlignment` for a disk image, and `OptionalHeader.SectionAlignment` in memory (mapped image).

Liens https://msdn.microsoft.com/en-us/library/windows/desktop/aa813708%28v=vs.85%29.aspx

Known Sections Names