Notes for the PE File Headers and Sections

From: Basic Static Techniques - Practical Malware Analysis

The PE file format contains a header followed by a series of sections. The header contains metadata about the file itself. Following the header are the actual sections of the file, each of which contains useful information.


Article:

• Reference: http://en.wikipedia.org/wiki/Portable_Executable
• Reference: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format.
• Reference: An In-Depth Look into the Win32 Portable Executable File Format, Part 1
• Reference: An In-Depth Look into the Win32 Portable Executable File Format, Part 2
• Reference: The .NET File Format

Image:

• Reference: Portable Executable 101 - a windows executable walkthrough

Description:

• The following are the most common and interesting sections in a PE file:

.text    The  .text section contains the instructions that the CPU executes. All other sections store data and supporting information. Generally, this is the only section that can execute, and it should be the only section that includes code.

 .rdata    The .rdata section typically contains the import and export information, which is the same information available  from both Dependency Walker and PEview. This section can also store other read-only data used by the program. Sometime a file will contain an .idata and .edata section, which store the import and export information.

.data    The .data section contains the program's global data, which is accessible from anywhere in the program. Local data is not stored in this section, or anywhere else in the PE file. 

 .rsrc    The .rsrc section includes the resources used by the executable that are not considered part of the executable, such as icons, images, menus, and strings. Strings can be  stored either in the .rsrc section or in the main program, but they are often stored in the .rsrc section for multilanguage support.

• Sections of a PE file for a Windows Executable

  Executable	Description
  .text	Contains the executable code
  .rdata	Holds read-only data that is globally accessible within the program
  .data	Stores global data accessed throughout the program
  .idata	Sometimes present and stores the import function information; if this section is not present, the import function information is stored in the .rdata section
  .edata	Sometimes present and stores the export function information; if this section is not present, the export function information is stored in the .rdata section
  .pdata	Present only in 64-bit executables and store exception-handling information
  .rsrc	Stores resources needed by the executable
  .reloc	Contains information for relocation of library files

PE Header Summary:

• The PE header contains useful information for the malware analyst. Below is the key information that can be obtained from a PE header.

  Field	Information revealed
  Imports	Functions from other libraries that are used by the malware
  Exports	Functions in the malware that are meant to be called by other programs of libraries
  Time Date Stamp	Time when the program was compiled
  Sections	Names of sections in the field and their sizes on disk and in memory
  Subsystem	Indicates whether the program is a command-line or GUI application
  Resources	Strings, icons, menus, and other information included in the file