Portable Executable

from Wikipedia, the free encyclopedia

Portable Executable (PE) describes a binary format for executable programs, so-called PE files. It is the file format used for executable files on Win32 and Win64 systems. It is also the format for executable files in EFI environments. It is based on the COFF binary format.

Possible file extensions are, for example:

Apart from the .exe extension, which identifies a file as a standalone program, the PE format is not tied to an extension. Programmatically, the system can be made to execute code from any file in PE format. DLL files can, for example, export functions that are called by other programs. DRV and SYS files are usually device drivers that Windows uses to control the hardware.

In addition to Windows, ReactOS also uses the PE file format and thus allows (currently only to a very limited extent) the execution of Windows programs. Early versions of BeOS as well as SkyOS also used the PE file format for their executable programs. However, since they used a different binary interface (ABI), they were not binary compatible with Windows, nor were they intended to be. SkyOS now uses the widespread ELF format, which had earlier become popular through the Linux operating system, where it is the standard format for binary programs.

Windows files in PE format can be executed under Linux with the help of WINE and, partially, under DOS with the help of the HX DOS Extender.

Structure

Every PE file begins with the MZ header known from DOS times. Its main purpose here is to make an EXE program that is not intended for a DOS operating system terminate with an error message (e.g. “This program cannot be run in DOS mode”) if an attempt is nevertheless made to start it under DOS. As with every MS-DOS EXE file, the two letters “MZ”, the initials of Mark Zbikowski, the developer of the DOS program format, can be found at the beginning of a PE file. From a technical point of view, the code that outputs the error message is a complete DOS program which, if programmed accordingly, can also perform functions under DOS other than printing an error message.

The last field in the DOS header refers to the position of the PE header, which then begins with the ASCII identifier "PE".

The actual PE header consists of two parts: the IMAGE_FILE_HEADER, which contains the number of segments, the required CPU type and other flags, and the IMAGE_OPTIONAL_HEADER (which, despite the name, is not optional for executable program files). The latter contains, among other things, the size of the individual code and data segments in the file as well as further information about the required resources (memory, operating system version).

The following hex dump illustrates the start of an EXE program for Windows (32 bit). A blank line has been inserted to mark the end of the stub. The PE header then begins at address 00000100h. In this case, the DOS error message of the 256-byte MZ file inserted as a stub reads “This program must be run under Win32”.

00000000:   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
00000010:   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
00000020:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000030:   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
00000040:   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
00000050:   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
00000060:   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
00000070:   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
00000080:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00000090:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000A0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000B0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000C0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000D0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000E0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
000000F0:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

00000100:   50 45 00 00 4C 01 06 00 19 5E 42 2A 00 00 00 00    PE..L....^B*....
00000110:   00 00 00 00 E0 00 8E 81 0B 01 02 19 00 38 01 00    .............8..
00000120:   00 88 06 00 00 00 00 00 F0 45 01 00 00 10 00 00    .........E......
...
...
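
The header chain described above can be followed programmatically. The following sketch is an added example, not part of the original article: it walks from the MZ header through the offset at 3Ch to the "PE" signature and decodes the IMAGE_FILE_HEADER and the start of the IMAGE_OPTIONAL_HEADER from the bytes of the dump, rejecting truncated or inconsistent input. The function name and dictionary keys are illustrative; the field layout follows the Windows SDK structure definitions.

```python
import struct

# Bytes transcribed from the hex dump above: rows 0x00-0x7F, the zero-filled
# rows 0x80-0xFF, then rows 0x100-0x12F (the dump ends there).
DUMP = bytes.fromhex(
    "4D5A50000200000004000F00FFFF0000" "B80000000000000040001A0000000000"
    "00000000000000000000000000000000" "00000000000000000000000000010000"
    "BA10000E1FB409CD21B8014CCD219090" "546869732070726F6772616D206D7573"
    "742062652072756E20756E6465722057" "696E33320D0A24370000000000000000"
) + bytes(0x80) + bytes.fromhex(
    "504500004C010600195E422A00000000" "00000000E0008E810B01021900380100"
    "0088060000000000F045010000100000"
)

FILE_HEADER = struct.Struct("<HHIIIHH")  # IMAGE_FILE_HEADER, 20 bytes
OPT_START = struct.Struct("<HBBIIIII")   # first 24 bytes of IMAGE_OPTIONAL_HEADER


def parse_pe_headers(data: bytes) -> dict:
    """Locate and decode the PE headers; raise ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # last DOS header field
    opt_off = pe_off + 4 + FILE_HEADER.size
    if opt_off + OPT_START.size > len(data):  # untrusted offset: bounds-check it
        raise ValueError("PE header offset points outside the file")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, flags = FILE_HEADER.unpack_from(data, pe_off + 4)
    magic, link_major, link_minor, code_size, idata_size, _, entry, _ = \
        OPT_START.unpack_from(data, opt_off)
    return {
        "pe_offset": pe_off,
        "machine": machine,                # 0x014C = Intel 386
        "sections": nsect,
        "timestamp": stamp,
        "optional_header_size": opt_size,
        "characteristics": flags,
        "magic": magic,                    # 0x010B = PE32
        "linker": (link_major, link_minor),
        "code_size": code_size,
        "initialized_data_size": idata_size,
        "entry_point_rva": entry,
    }


if __name__ == "__main__":
    for key, value in parse_pe_headers(DUMP).items():
        print(f"{key:22} {value}")
```

The bounds check on the offset read from 3Ch matters because that field is fully controlled by whoever produced the file; a parser that trusts it will read past the end of a truncated or crafted sample.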
