Understanding The PE Header

The PE header contains the information the OS requires to run the executable.

This information is very useful, as it can give us more information about the functionality of the malware and how the malware interacts with the OS.

Why is the PE header important ?

  1. It contains all of the important and necessary information required by the OS to execute the executable.

  2. It contains information that specifies where the executable needs to be loaded into memory.

  3. It contains the libraries that the executable requires to be loaded (dll).

  4. It contains information that specifies where the execution begins.

Structure

Names
Function

MZ Header / DOS Header

Defines the file as an executable binary

DOS Stub (Program cannot be run in DOS mode)

Prints a message when run in DOS (Exists for compatibility)

PE File Header (Signature)

Defines the executable as a PE

Image Optional Header

Stores important informtion about the executable: Like the subsystem and the entry point.

Sections Table

Instructions on how to load the executable into memory

Sections

Executable sections of code and data used by the executable

Sections

Section Name
Function

.code / .text

Executable code

.data

Stores Data (R/W)

.rdata

Stores Data (Read Only)

.idata

Stores The Import Table

.edata

Stores Export Data

.rsrc

Stores Resources (Strings, icons)

PreviousPackers & UnpackingNextAnalyzing

Last updated