From: Basic Static Techniques - Practical Malware Analysis
The PE file format contains a header followed by a series of sections. The header contains metadata about the file itself. Following the header are the actual sections of the file, each of which contains useful information.
- Reference: http://en.wikipedia.org/wiki/Portable_Executable
- Reference: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format.
- Reference: An In-Depth Look into the Win32 Portable Executable File Format, Part 1
- Reference: An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- Reference: The .NET File Format
- The following are the most common and interesting sections in a PE file:
- Sections of a PE file for a Windows Executable
| Section | Description |
|---|---|
| .text | Contains the executable code |
| .rdata | Holds read-only data that is globally accessible within the program |
| .data | Stores global data accessed throughout the program |
| .idata | Sometimes present and stores the import function information; if this section is not present, the import function information is stored in the .rdata section |
| .edata | Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section |
| .pdata | Present only in 64-bit executables and stores exception-handling information |
| .rsrc | Stores resources needed by the executable |
| .reloc | Contains information for relocation of library files |
.text: The .text section contains the instructions that the CPU executes. All other sections store data and supporting information. Generally, this is the only section that can execute, and it should be the only section that includes code.
.rdata: The .rdata section typically contains the import and export information, which is the same information available from both Dependency Walker and PEview. This section can also store other read-only data used by the program. Sometimes a file will contain .idata and .edata sections, which store the import and export information.
.data: The .data section contains the program's global data, which is accessible from anywhere in the program. Local data is not stored in this section, or anywhere else in the PE file.
.rsrc: The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. Strings can be stored either in the .rsrc section or in the main program, but they are often stored in the .rsrc section for multilanguage support.
PE Header Summary:
- The PE header contains useful information for the malware analyst. Below is the key information that can be obtained from a PE header.
| Field | Information revealed |
|---|---|
| Imports | Functions from other libraries that are used by the malware |
| Exports | Functions in the malware that are meant to be called by other programs or libraries |
| Time Date Stamp | Time when the program was compiled |
| Sections | Names of sections in the file and their sizes on disk and in memory |
| Subsystem | Indicates whether the program is a command-line or GUI application |
| Resources | Strings, icons, menus, and other information included in the file |
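
As an added example (not code from the book), the sketch below reads the Time Date Stamp, Subsystem and Sections fields straight from the header bytes and lists any executable section other than .text. The function names, the sample bytes built by `build_sample()` and the `.extra` section name are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000           # section characteristics flag
SUBSYSTEMS = {2: "GUI", 3: "command-line"}   # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI

def parse_pe_header(data: bytes) -> dict:
    """Return compile time, subsystem and section table from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (subsys,) = struct.unpack_from("<H", data, opt_off + 68)  # same offset in PE32/PE32+
    sections = []
    for i in range(nsec):                                # 40-byte section headers
        name, vsize, _, rsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    return {"compiled": datetime.fromtimestamp(stamp, timezone.utc),
            "subsystem": SUBSYSTEMS.get(subsys, f"other ({subsys})"),
            "sections": sections}

def unexpected_executable(info: dict) -> list:
    """Names of executable sections other than .text."""
    return [s["name"] for s in info["sections"]
            if s["executable"] and s["name"] != ".text"]

def build_sample() -> bytes:
    """Constructed header-only PE32 image (no real code) used as demo input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1293840000, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 68, 3)                   # console subsystem
    def sec(name, vsize, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0, rsize, 0, 0, 0, 0, 0, flags)
    table = sec(b".text", 0x1000, 0x200, 0x60000020) + sec(b".extra", 0x8000, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    info = parse_pe_header(build_sample())
    print(info["compiled"].isoformat(), info["subsystem"])
    for s in info["sections"]:
        print(s)
    print("executable outside .text:", unexpected_executable(info))
```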