Article by Ayman Alheraki on January 11 2026 10:38 AM

Executable Headers Across Operating Systems Full Technical Specifications for Windows, Linux, macOS, Android, and iOS

Executable Headers Across Operating Systems: Full Technical Specifications for Windows, Linux, macOS, Android, and iOS

Executable headers are crucial structures in program files that instruct an operating system how to load, link, and execute a program. Each OS uses its own format, and understanding these headers is essential for developers building cross-platform tools, compilers, loaders, or reverse engineering utilities.

This article provides full header specifications, practical C/C++ struct examples, and explains the purpose and fields of each header type.

1. Windows: PE (Portable Executable)

Extension: .exe
Structure: MS-DOS Header → PE Signature → COFF File Header → Optional Header → Section Headers → Code/Data Sections

Full Header Specifications

1.1 DOS Header (`IMAGE_DOS_HEADER`)

Purpose: Allows old DOS programs to display a message and identifies the file as PE.
Key Field: e_lfanew → offset to PE header.


typedef struct {
    unsigned short e_magic;    // "MZ" = 0x5A4D
    unsigned short e_cblp;
    unsigned short e_cp;
    unsigned short e_crlc;
    unsigned short e_cparhdr;
    unsigned short e_minalloc;
    unsigned short e_maxalloc;
    unsigned short e_ss;
    unsigned short e_sp;
    unsigned short e_csum;
    unsigned short e_ip;
    unsigned short e_cs;
    unsigned short e_lfarlc;
    unsigned short e_ovno;
    unsigned short e_res[4];
    unsigned short e_oemid;
    unsigned short e_oeminfo;
    unsigned short e_res2[10];
    int           e_lfanew;     // Offset to PE Header
} IMAGE_DOS_HEADER;

1.2 PE Header (`IMAGE_NT_HEADERS64`)

Signature: "PE\0\0"
Includes: COFF File Header + Optional Header


typedef struct {
    unsigned int Signature;              // "PE\0\0"
    IMAGE_FILE_HEADER FileHeader;        // COFF header
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64;

1.3 COFF File Header (`IMAGE_FILE_HEADER`)

Fields:
- Machine → target CPU (e.g., x86/x64)
- NumberOfSections
- TimeDateStamp
- PointerToSymbolTable
- NumberOfSymbols
- SizeOfOptionalHeader
- Characteristics

1.4 Optional Header (`IMAGE_OPTIONAL_HEADER64`)

Fields:
- Magic → PE32+ (0x20b)
- AddressOfEntryPoint
- ImageBase
- SectionAlignment
- FileAlignment
- SizeOfImage
- DataDirectories → export/import/debug/relocations

1.5 Section Headers (`IMAGE_SECTION_HEADER`)

Fields:
- Name → e.g., .text, .data
- VirtualAddress
- SizeOfRawData
- PointerToRawData
- Characteristics → read/write/execute

2. Linux: ELF (Executable and Linkable Format)

Extension: None
Structure: ELF Header → Program Header Table → Section Header Table → Sections

Full Header Specifications

2.1 ELF Header (`Elf64_Ehdr`)

Purpose: Identifies ELF file and provides offsets.
Fields:
- e_ident[16] → magic number and class
- e_type → executable, shared object, relocatable
- e_machine → CPU type
- e_entry → entry point virtual address
- e_phoff → program header table offset
- e_shoff → section header table offset


#define EI_NIDENT 16
typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t      e_type;
    uint16_t      e_machine;
    uint32_t      e_version;
    uint64_t      e_entry;
    uint64_t      e_phoff;
    uint64_t      e_shoff;
    uint32_t      e_flags;
    uint16_t      e_ehsize;
    uint16_t      e_phentsize;
    uint16_t      e_phnum;
    uint16_t      e_shentsize;
    uint16_t      e_shnum;
    uint16_t      e_shstrndx;
} Elf64_Ehdr;

2.2 Program Header (`Elf64_Phdr`)

Purpose: Defines segments for execution
Fields:
- p_type → load, dynamic, interpreter
- p_offset → file offset
- p_vaddr → virtual address
- p_memsz → memory size


typedef struct {
    uint32_t p_type;
    uint32_t p_flags;
    uint64_t p_offset;
    uint64_t p_vaddr;
    uint64_t p_paddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
    uint64_t p_align;
} Elf64_Phdr;

2.3 Section Header (`Elf64_Shdr`)

Purpose: Defines sections used in linking/relocation.
Fields:
- sh_name
- sh_type
- sh_flags
- sh_addr
- sh_offset
- sh_size

3. macOS / iOS: Mach-O

Extension: None
Structure: Mach-O Header → Load Commands → Segments → Sections

Full Header Specifications

3.1 Mach-O Header (`mach_header_64`)

Fields:
- magic → 0xfeedfacf for 64-bit
- cputype, cpusubtype
- filetype
- ncmds, sizeofcmds
- flags, reserved


struct mach_header_64 {
    uint32_t magic;
    int32_t cputype;
    int32_t cpusubtype;
    uint32_t filetype;
    uint32_t ncmds;
    uint32_t sizeofcmds;
    uint32_t flags;
    uint32_t reserved;
};

3.2 Load Command (`load_command`)

Fields:
- cmd → type of command
- cmdsize → total size including data


struct load_command {
    uint32_t cmd;
    uint32_t cmdsize;
};

3.3 Segment Command 64 (`segment_command_64`)

Fields:
- segname[16]
- vmaddr, vmsize
- fileoff, filesize
- maxprot, initprot
- nsects, flags


struct segment_command_64 {
    uint32_t cmd;
    uint32_t cmdsize;
    char segname[16];
    uint64_t vmaddr;
    uint64_t vmsize;
    uint64_t fileoff;
    uint64_t filesize;
    int32_t maxprot;
    int32_t initprot;
    uint32_t nsects;
    uint32_t flags;
};

4. Android: APK (ZIP Archive)

Extension: .apk
Structure: ZIP Archive → AndroidManifest.xml, classes.dex, resources.arsc, assets

Full Header Specifications

4.1 ZIP Local File Header

Fields:
- signature → 0x04034b50
- version_needed
- general_purpose
- compression_method
- crc32, compressed_size, uncompressed_size
- filename_length, extra_field_length


struct zip_local_file_header {
    uint32_t signature;       
    uint16_t version_needed;
    uint16_t general_purpose;
    uint16_t compression_method;
    uint16_t last_mod_time;
    uint16_t last_mod_date;
    uint32_t crc32;
    uint32_t compressed_size;
    uint32_t uncompressed_size;
    uint16_t filename_length;
    uint16_t extra_field_length;
};

APK Contents:
- AndroidManifest.xml → app components & permissions
- classes.dex → compiled bytecode
- resources.arsc → binary resources
- META-INF/ → signatures

Comparison Table

OS	Header Format	Extension	32-bit	64-bit	Digital Signature	Cross-platform
Windows	PE	.exe	Yes	Yes	Yes	Limited
Linux	ELF	None	Yes	Yes	Yes	Wide
macOS/iOS	Mach-O	None	Yes	Yes	Yes	Limited
Android	APK	.apk	Yes	Yes	Yes	Limited

Conclusion

Executable headers vary widely across operating systems. Understanding their full technical structure enables:

Writing cross-platform loaders
Developing debuggers and reverse engineering tools
Creating compiler backends and binary utilities
Windows PE: optimized for Windows and DLLs.
Linux ELF: flexible and widely supported.
macOS/iOS Mach-O: supports multi-architecture binaries.
Android APK: ZIP-based, optimized for Java/Dalvik execution.

Executable Headers Across Operating Systems: Full Technical Specifications for Windows, Linux, macOS, Android, and iOS

1. Windows: PE (Portable Executable)

Full Header Specifications

1.1 DOS Header (IMAGE_DOS_HEADER)

1.2 PE Header (IMAGE_NT_HEADERS64)

1.3 COFF File Header (IMAGE_FILE_HEADER)

1.4 Optional Header (IMAGE_OPTIONAL_HEADER64)

1.5 Section Headers (IMAGE_SECTION_HEADER)

2. Linux: ELF (Executable and Linkable Format)

Full Header Specifications

2.1 ELF Header (Elf64_Ehdr)

2.2 Program Header (Elf64_Phdr)

2.3 Section Header (Elf64_Shdr)

3. macOS / iOS: Mach-O

Full Header Specifications

3.1 Mach-O Header (mach_header_64)

3.2 Load Command (load_command)

3.3 Segment Command 64 (segment_command_64)

4. Android: APK (ZIP Archive)

Full Header Specifications

4.1 ZIP Local File Header

Comparison Table

Conclusion

Advertisements

1.1 DOS Header (`IMAGE_DOS_HEADER`)

1.2 PE Header (`IMAGE_NT_HEADERS64`)

1.3 COFF File Header (`IMAGE_FILE_HEADER`)

1.4 Optional Header (`IMAGE_OPTIONAL_HEADER64`)

1.5 Section Headers (`IMAGE_SECTION_HEADER`)

2.1 ELF Header (`Elf64_Ehdr`)

2.2 Program Header (`Elf64_Phdr`)

2.3 Section Header (`Elf64_Shdr`)

3.1 Mach-O Header (`mach_header_64`)

3.2 Load Command (`load_command`)

3.3 Segment Command 64 (`segment_command_64`)