Portable Executable
From Just Solve the File Format Problem
(Difference between revisions)
(PRONOM update) |
|||
| Line 2: | Line 2: | ||
|formattype=electronic | |formattype=electronic | ||
|subcat=Executables | |subcat=Executables | ||
| − | |extensions={{ext| | + | |extensions={{ext|exe}}, {{ext|dll}}, {{ext|cpl}}, {{ext|efi}}, {{ext|ocx}}, {{ext|scr}}, {{ext|sys}}, others |
|pronom={{PRONOM|x-fmt/411}}, {{PRONOM|fmt/899}}, {{PRONOM|fmt/900}} | |pronom={{PRONOM|x-fmt/411}}, {{PRONOM|fmt/899}}, {{PRONOM|fmt/900}} | ||
}} | }} | ||
Revision as of 21:36, 29 October 2016
Portable Executable (PE, PE/COFF, PE32, PE32+) is a member of the EXE family of executable file formats. It is used by the Microsoft Windows family of operating systems (starting with Windows 95 and Win32s), EFI and sometimes in other environments. It is an extension/hybrid of MS-DOS EXE, and a successor to NE. Parts of it are derived from COFF.
Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.
Contents |
Formats
- PE32 format is used by 32-bit Windows.
- PE32+ format is used by 64-bit Windows.
Identification
A PE file begins with the ASCII signature "MZ". At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00. For more information, see MS-DOS EXE.
See also
Links
- Wikipedia article
- PE, from the OSDev Wiki
- Microsoft PE and COFF Specification
- Article on the PE format as used by Windows NT 3, by Johannes Plachy
- Forensics Wiki: Portable Executable Format
- PE (corkami.com)
- EXE Explorer utility
- PortEx Analyzer
- Converting PEiD Signatures To YARA Rules
