Portable Executable

PE (Portable Executable, also called PE/COFF) is a family of executable file formats mainly used by Microsoft Windows. It is a sub-family of EXE. Parts of it are derived from COFF.

Despite the name, not all PE files are executable. Some contain only icons, fonts, etc.

Formats

• PE32 format is used by 32-bit Windows.
• PE32+ format is used by 64-bit Windows.

Identification

A PE file begins with the ASCII signature "MZ". The 16-bit integer at offset 24 is ≥ 64. At offset 60 is a 4-byte integer pointing to an "extended" header that begins with 'P' 'E' 0x00 0x00.

Links

• Wikipedia article
• PE, from the OSDev Wiki
• Microsoft PE and COFF Specification
• Article on the PE format as used by Windows NT 3, by Johannes Plachy
• Forensics Wiki: Portable Executable Format