DOS Header
| Fields | Values | Explanation |
| e_magic | ‘MZ’ | constant signature |
| e_lfanew | 0x40 | offset of the PE Header |
PE Header
| Fields | Values | Explanation |
| Signature | ‘PE’, 0, 0 | constant signature |
| Machine | 0x14c [intel 386] | processor: ARM/MIPS/Intel/… |
| NumberOfSections | 3 | number of sections |
| SizeOfOptionalHeader | 0xe0 | relative offset of the section table |
| Characteristics | 0x102 [32b EXE] | EXE/DLL/… |
Optional Header
| Fields | Values | Explanation |
| Magic | 0x10b [32b] | 32 bits/64 bits |
| AddressOfEntryPoint | 0x1000 | where execution starts |
| ImageBase | 0x400000 | address where the file should be mapped in memory |
| SectionAlignment | 0x1000 | where sections should start in memory |
| FileAlignment | 0x200 | where sections should start on file |
| MajorSubsystemVersion | 4 [NT 4 or later] | required version of Windows |
| SizeOfImage | 0x4000 | total memory space required |
| SizeOfHeaders | 0x200 | total size of the headers |
| Subsystem | 2 [GUI] | driver/graphical/command line/… |
| NumberOfRvaAndSizes | 16 | number of data directories |
Data directory
| Field | Description |
| ImportsVA | RVA of the imports |
| Address | Points to the beginning of the header in memory (relative to the start of the file). |
| Size | Size of the header. |
| Name | Name of the section |
| VirtualAddress | Pointer to the beginning of the section in memory (RVA addresses) |
| VirtualSize | Size of a section (in memory) |
| SizeOfRawData | Size of a section (on the hard disk) |
| PointerToRawData | Pointer to the beginning of the section in the file on the hard disk |
| Characteristics | Memory protection flags (EXECUTE, READ, and WRITE) |
Section table
| Field | Description |
| Name | Name of the section |
| VirtualAddress | Pointer to the beginning of the section in memory (RVA addresses) |
| VirtualSize | Size of a section (in memory) |
| SizeOfRawData | Size of a section (on the hard disk) |
| PointerToRawData | Pointer to the beginning of the section in the file on the hard disk |
| Characteristics | Memory protection flags (EXECUTE, READ, and WRITE) |
PE+ (x64 PE)
| Field | Description |
| ImageBase | 4 bytes → 8 bytes |
| BaseOfData | Removed from the optional header |
| Others | Sizeofheapcommit, sizeofheapreserve, sizeofstackreserve, and sizeofstackcommit are 4 bytes → 8 bytes |
| Magic | Value changed from 0x10b (representing x86) to 0x20b (representing x64). |
PE File & Memory
