EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationpe-formatportable-executableiat

The Portable Executable (PE) File Format

The internal structure of Windows executables — DOS header, PE signature, File Header, Optional Header, Data Directories, section table, and the anomalies that signal malware.

Ashish Revar12 May 202618 min read4 views
Quick Bite

⚡ Quick Bite · 60s

PE File Format: Master the Malware Blueprint

The PE format blueprint for every Windows binary — DOS Header to Sections, on-disk vs in-memory layout, critical headers (EntryPoint, ImageBase, RVAs), and anomaly detection for packed binaries.

Watch this 60-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

What Uses the PE Format?

The Portable Executable format is used by multiple Windows file types — not just .exe files:

ExtensionTypeMacro Support
.exeExecutableNo (runs directly)
.dllDynamic LibraryNo (hosted by executable)
.sysKernel DriverNo
.scrScreensaverNo
.cplControl PanelNo
.ocxActiveX ControlNo
.drvDevice DriverNo
.efiUEFI ApplicationNo

Files that are not PE format: .bat, .ps1, .jar, .py, .msi.

The Book Analogy

Think of a PE file as a well-organised book:

  • DOS Header → Cover page indicating "this is an executable"
  • PE Header → Table of contents detailing what is inside and where
  • Section Table → Chapter index with page numbers
  • Sections → The actual chapters containing code, data, and resources

The PE format is a data structure roadmap — a series of headers and tables that tell the Windows loader exactly how to map the file from disk into a process's virtual address space.

Critical Distinction: Disk vs Memory Layout

On-disk file layout  ≠  In-memory layout

Sections are aligned differently on disk (typically 512-byte boundaries) versus in memory (typically 4096-byte page boundaries). The PE header contains both sets of values, and the Windows loader performs the translation during execution.

PE Structure

Refer to REMA eBook 2026, Figure 2.7 for the full PE structure diagram.

┌─────────────────────────┐
│  DOS MZ Header          │  Magic bytes: 4D 5A ("MZ")
│  DOS Stub               │  "This program cannot be run in DOS mode"
├─────────────────────────┤
│  PE Signature           │  50 45 00 00 ("PE\0\0")
│  File Header            │  Machine type, section count, timestamp
│  Optional Header        │  Entry point, image base, section alignment
│  Data Directories (16)  │  Pointers to IAT, exports, resources, TLS...
├─────────────────────────┤
│  Section Table          │  Array of section headers
├─────────────────────────┤
│  .text                  │  Executable code (R-X)
│  .rdata                 │  Read-only data, IAT, export tables (R--)
│  .data                  │  Initialised global variables (RW-)
│  .rsrc                  │  Resources: icons, dialogs, embedded files (R--)
│  .reloc                 │  Relocation data for ASLR (R--)
└─────────────────────────┘

Key Header Fields for Analysts

DOS Header

  • First two bytes are always 4D 5A (ASCII "MZ") — the magic bytes confirming a PE file
  • e_lfanew at offset 0x3C — pointer to the PE signature. Malware sometimes manipulates this to confuse parsers.

File Header (IMAGE_FILE_HEADER)

  • Machine: 0x014C = x86, 0x8664 = x64
  • TimeDateStamp: compilation time in Unix epoch. Often spoofed by malware. Genuine timestamps can reveal attribution.
  • NumberOfSections: count of sections

Optional Header (IMAGE_OPTIONAL_HEADER)

Despite the name, mandatory for executables.

  • AddressOfEntryPoint: RVA where execution begins. Packed malware points this to the unpacking stub.
  • ImageBase: preferred load address. Typically 0x00400000 for 32-bit EXEs. ASLR may relocate this.
  • Subsystem: 2 = GUI (Windows app), 3 = Console (command-line tool)

Data Directories

IndexDirectoryMalware Relevance
0Export TableMalicious DLLs export hooks
1Import TableReveals capabilities via imported functions
2Resource TablePayloads hidden in resources
9TLS TableCallbacks execute before entry point — anti-debug
5Base RelocationAbsence indicates position-dependent code

Section Characteristics

Each section has a characteristics bitmask encoding permissions:

SectionPermissionsRationale
.textR-XCode: readable and executable
.dataRW-Variables: readable and writable
.rdataR--Constants: read-only

Red flag: a section marked both Writable and Executable (RWX). Legitimate compilers rarely produce RWX sections. Malware uses VirtualProtect to change section permissions at runtime, converting a data region into executable memory for injected shellcode.

Relative Virtual Addresses (RVAs)

PE headers store addresses as Relative Virtual Addresses — offsets from the image base, not absolute addresses.

Virtual Address (VA)  =  ImageBase  +  RVA

When ASLR is active, the ImageBase changes on every load, but all RVAs remain correct relative to wherever the image is loaded.

PE Anomalies That Indicate Malware

AnomalyInterpretation
Entry point outside .text sectionPacked or injected code
RWX section permissionsSelf-modifying code, runtime unpacking
Section entropy > 7.0Encrypted or compressed content
Non-standard section names (.UPX0, .aspack)Known packer signatures
Minimal IAT (only LoadLibraryA + GetProcAddress)Dynamic import resolution hiding real imports
TLS callbacks presentPre-entry-point code execution (anti-debug)
VirtualSize >> SizeOfRawDataData populated at runtime (unpacking target)
Future or ancient timestampSpoofed compilation time

The Corkami PE101 poster by Ange Albertini provides an exhaustive visual reference mapping every PE field to its hex offset. Search "corkami PE101" — available free under Creative Commons.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

PE-Bear — Visual PE Structure Explorer

Free PE editor and viewer with graphical display of all header fields, sections, and data directories. Install in your analysis VM.

tool
Corkami PE101 — Visual PE Reference

Visual reference mapping every PE field to its hex offset. Print and keep beside your disassembler.

reference
Microsoft PE Format Specification

Official Microsoft documentation for the PE/COFF file format. Authoritative reference for all header structure definitions.

reference
More articlesTest your knowledge