Advanced Analysis of the Windows Executable File Header (PE Header) – Binary-Level Dissection with Detailed Explanation

Intended Audience:

• Professional developers

• Security researchers

• Low-level engineers

• OS developers

• Reverse engineers

1. Overview of the PE File Format

The EXE file format on Windows uses the Portable Executable (PE) format, which is based on the COFF structure. The file consists of the following sections:

+--------------------------+
| MS-DOS Header           | ← 64 bytes starting with "MZ"
+--------------------------+
| DOS Stub                | ← Displays a message in DOS mode
+--------------------------+
| PE Signature ("PE\0\0") | ← Always starts at e_lfanew offset
+--------------------------+
| COFF File Header        |
+--------------------------+
| Optional Header         | ← Contains the entry point address
+--------------------------+
| Section Headers         | ← For sections like .text, .data, etc.
+--------------------------+
| Section Data            |
+--------------------------+

2. Real Hex + Binary Example

Let's analyze the first 1024 bytes of a sample executable using a Hex editor:

4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
...
50 45 00 00 4C 01 03 00 00 00 00 00 00 00 00 00
E0 00 02 01 0B 01 06 00 00 10 00 00 00 20 00 00
...

3. Section One: DOS Header (IMAGE_DOS_HEADER)

Structure:

typedef struct _IMAGE_DOS_HEADER {
  WORD e_magic;      // 0x00: "MZ" = 0x5A4D
  WORD e_cblp;       // 0x02: Bytes on last page of file
  WORD e_cp;         // 0x04: Pages in file
  WORD e_crlc;       // 0x06: Relocations
  ...
  LONG e_lfanew;     // 0x3C: Offset to PE Header (critical)
};

Binary Breakdown:

4D 5A           = e_magic      = 0x5A4D ("MZ")
90 00           = e_cblp       = 0x0090
03 00           = e_cp         = 0x0003
00 00           = e_crlc       = 0x0000
...
80 00 00 00     = e_lfanew     = 0x00000080 → PE Header starts here

Explanation:

• e_lfanew is the offset in the file where the PE header starts, typically at offset 0x80 or 0xF8 depending on the linker.

4. Section Two: PE Header (IMAGE_NT_HEADERS)

1. Signature

50 45 00 00 = "PE\0\0" = 0x00004550

2. COFF File Header (IMAGE_FILE_HEADER)

typedef struct _IMAGE_FILE_HEADER {
  WORD  Machine;
  WORD  NumberOfSections;
  DWORD TimeDateStamp;
  DWORD PointerToSymbolTable;
  DWORD NumberOfSymbols;
  WORD  SizeOfOptionalHeader;
  WORD  Characteristics;
};

Hex Representation:

4C 01           = Machine             = 0x014C (Intel 386)
03 00           = NumberOfSections    = 3
78 56 34 12     = TimeDateStamp       = Build timestamp
00 00 00 00     = PointerToSymbols    = Usually 0
00 00 00 00     = NumberOfSymbols     = Usually 0
E0 00           = SizeOfOptionalHeader= 0x00E0
02 01           = Characteristics     = 0x0102 → Executable | 32-bit

5. Section Three: Optional Header (IMAGE_OPTIONAL_HEADER)

Despite its name, this section is mandatory and contains essential runtime information:

typedef struct _IMAGE_OPTIONAL_HEADER {
  WORD  Magic;                    // PE32 (0x10B) or PE32+ (0x20B)
  BYTE  MajorLinkerVersion;
  BYTE  MinorLinkerVersion;
  DWORD SizeOfCode;
  DWORD SizeOfInitializedData;
  DWORD SizeOfUninitializedData;
  DWORD AddressOfEntryPoint;
  DWORD BaseOfCode;
  ...
};

Hex Example:

0B 01           = Magic               = 0x010B → PE32
06              = MajorLinkerVersion = v6
00              = MinorLinkerVersion = v0
00 10 00 00     = SizeOfCode         = 0x00001000
00 20 00 00     = SizeOfInitializedData = 0x2000
...
10 00 00 00     = AddressOfEntryPoint = 0x00001000

Entry Point Execution:

When executed, the Windows loader begins execution at:

xxxxxxxxxx
ImageBase + AddressOfEntryPoint

If ImageBase = 0x400000 (default), the entry point is 0x401000.

6. Section Four: Section Table (IMAGE_SECTION_HEADER)

Each section like .text or .data is defined by:

typedef struct _IMAGE_SECTION_HEADER {
  BYTE  Name[8];            // Example: ".text"
  DWORD VirtualSize;
  DWORD VirtualAddress;
  DWORD SizeOfRawData;
  DWORD PointerToRawData;
  ...
};

Example:

2E 74 65 78 74 00 00 00     = ".text"
00 10 00 00                 = VirtualSize       = 0x1000
00 10 00 00                 = VirtualAddress    = 0x1000
00 10 00 00                 = SizeOfRawData     = 0x1000
00 04 00 00                 = PointerToRawData  = 0x400

7. How Linking Works

Running a command like:

cl main.cpp /link /ENTRY:main /SUBSYSTEM:CONSOLE

The linker performs:

1. Creates section headers

2. Inserts compiled code into .text section

3. Sets the entry point address

4. Builds the PE header and updates e_lfanew

5. Calculates padding and alignment

6. Merges objects and resolves symbols

8. Tools to Inspect PE Files

• dumpbin /headers your.exe

• sigcheck (from Sysinternals)

• PEview, CFF Explorer

• IDA Pro, Ghidra (for reverse engineering)

9. Advanced Project: Reading the PE Header in C++

#include <windows.h>
#include <iostream>

int main() {
    HANDLE hFile = CreateFile("yourfile.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    HANDLE hMapping = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    BYTE* base = (BYTE*)MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);

    IMAGE_DOS_HEADER* dos = (IMAGE_DOS_HEADER*)base;
    IMAGE_NT_HEADERS* pe = (IMAGE_NT_HEADERS*)(base + dos->e_lfanew);

    std::cout << "PE Signature: " << std::hex << pe->Signature << "\n";
    std::cout << "Entry Point: " << std::hex << pe->OptionalHeader.AddressOfEntryPoint << "\n";
    std::cout << "Image Base : " << std::hex << pe->OptionalHeader.ImageBase << "\n";

    UnmapViewOfFile(base);
    CloseHandle(hMapping);
    CloseHandle(hFile);
}

10. Conclusion

• The PE header is the core structure that enables Windows to load and execute an executable file.

• It contains crucial information such as the entry point, section layout, memory configuration, and dependencies.

• Mastery of this format is critical for:

  • Building custom linkers or loaders

  • Designing reverse engineering tools

  • Implementing security or anti-tampering techniques

  • Developing embedded or custom operating systems