Saturday, 17 October 2015

In Depth Windows: What is PE File Format?


Introduction

The Windows operating system is used by most computer users, yet few of them know how it works internally. Recently I started researching Windows internals in depth for thorough malware analysis. One thing of utmost importance when digging deeper into Windows is the Portable Executable file format, commonly known as the PE file format, which is derived from the Common Object File Format (COFF).

PE is the native file format of the Windows operating system: binaries (EXE, DLL, SYS, SCR) and even object files (BPL, DPL, CPL) use this format. Even NT's kernel-mode drivers use the PE file format. It is called "Portable Executable" because the format is universal across all Win32 platforms: the loader on every Win32 platform recognizes it and loads the executable into memory regardless of whether the CPU architecture is Intel, ARM, or any other.
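The loader decides that a file is a PE image from its headers, not from its extension, and the same headers tell it which CPU architecture the image was built for. The following is an added example (not code from the original post) that reads just enough of those headers to make the same decision: the DOS `MZ` signature, the `e_lfanew` offset at 0x3C, the `PE\0\0` signature, and the COFF file header that follows it. The `IMAGE_FILE_MACHINE_*` and `IMAGE_FILE_*` constants are the documented values from winnt.h; the sample headers are constructed in `build_sample_header` and are deliberately minimal (no optional header or sections), so they are not loadable images, only test input for the parser.

```python
import struct

# Values of the COFF header's Machine field (IMAGE_FILE_MACHINE_* in winnt.h).
MACHINE_TYPES = {
    0x014C: "x86 (IMAGE_FILE_MACHINE_I386)",
    0x8664: "x64 (IMAGE_FILE_MACHINE_AMD64)",
    0x01C0: "ARM (IMAGE_FILE_MACHINE_ARM)",
    0x01C4: "ARM Thumb-2 (IMAGE_FILE_MACHINE_ARMNT)",
    0xAA64: "ARM64 (IMAGE_FILE_MACHINE_ARM64)",
}

# Characteristics flag bits from the same COFF header.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian)
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes


def parse_pe_header(data: bytes) -> dict:
    """Identify a PE image from its headers alone, independent of file extension.

    Raises ValueError when the bytes are not a PE file, so a caller triaging
    unknown samples can separate PE images from everything else.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew at DOS-header offset 0x3C holds the file offset of the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE
    if end > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    return {
        "machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04X})"),
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def build_sample_header(machine: int, characteristics: int) -> bytes:
    """Constructed sample input: a 64-byte DOS header followed directly by the
    PE signature and a COFF header. Not a loadable image, just parser input."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    # 3 sections, an arbitrary TimeDateStamp, no symbol table, no optional header
    coff = struct.pack(COFF_HEADER_FMT, machine, 3, 0x5622F0A0, 0, 0, 0, characteristics)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    samples = [
        ("x64 EXE", build_sample_header(0x8664, IMAGE_FILE_EXECUTABLE_IMAGE)),
        ("ARM64 DLL", build_sample_header(0xAA64, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)),
        ("not a PE", b"#!/bin/sh\necho hello\n"),
    ]
    for name, blob in samples:
        try:
            print(name, parse_pe_header(blob))
        except ValueError as err:
            print(name, "rejected:", err)
```

To run it against a real file, read the file in binary mode and pass the bytes to `parse_pe_header`; the bounds check on `e_lfanew` matters there, because a truncated or corrupted sample can carry an offset well past the end of the file and a parser that trusts it will throw an index error instead of a clean rejection.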

Knowledge of the PE file format is useful to people who want to become software reverse engineers, better programmers, or simply know-it-alls. It is definitely necessary for people who are trying to write malicious software (those evil people).