Portable Executable
This article needs additional citations for verification. (December 2010) |
Filename extension | |
---|---|
Internet media type |
application/vnd.microsoft.portable-executable[1] |
Developed by | Currently: Microsoft |
Type of format | Binary, executable, object, shared libraries |
Extended from | DOS MZ executable COFF |
The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems, as well as in UEFI environments.[2] It serves as the standard format for executable files on Windows NT systems and is utilized for various file types, including .exe
, .dll
, .sys
(system drivers), and .mui
files. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data.
The Unified Extensible Firmware Interface (UEFI) specification states that PE is the standard executable format in EFI environments.[3]
On Windows NT systems, the PE format currently supports the IA-32, x86-64 (AMD64/Intel 64), IA-64, ARM and ARM64 instruction set architectures (ISAs). Prior to Windows 2000, Windows NT, and thus the PE format, also supported the MIPS, Alpha, and PowerPC ISAs. Due to its use in Windows CE, PE continues to support several variants of the MIPS, ARM (including Thumb), and SuperH ISAs.[4]
PE is analogous to the ELF format used in Linux and most other Unix versions, and the Mach-O format used in macOS and iOS.
History
[edit]Microsoft migrated to the PE format from the 16-bit NE formats with the introduction of the Windows NT 3.1 operating system. All later versions of Windows, including Windows 95/98/ME and the Win32s addition to Windows 3.1x, support the file structure. The format has retained limited legacy support to bridge the gap between DOS-based and NT systems. For example, PE/COFF headers still include a DOS executable program, which is by default a DOS stub that displays a message like "This program cannot be run in DOS mode" (or similar), though it can be a full-fledged DOS version of the program (a later notable case being the Windows 98 SE installer). Microsoft's linker has a /STUB
switch to attach one.[5] This constitutes a form of fat binary.
PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format, a version with 64-bit address space support called PE32+, and a specification for Windows CE.
Whether the executable code is 32- or 64-bit can be found by checking the Machine field in the IMAGE_FILE_HEADER.[6] Whether addresses in the executable are 32- or 64-bit can be found by checking the Magic field in the IMAGE_OPTIONAL_HEADER. 0x10 indicates a PE32 file, whereas 0x20 indicates a PE32+ file.[7]
Technical details
[edit]Layout
[edit]A PE file consists of a several headers and sections that instruct the dynamic linker about on how to map the file into memory. An executable image consists of several different regions, each requiring different memory protection attributres. To ensure proper alignment, the start of each section must align to a page boundary.[8] For instance, the .text section, which contains program code, is typically mapped as as an execute/read-only. Conversely, the .data section, which holds global variables, is mapped as no-execute/read write. However, to conserve space, sections are not aligned on disk in this manner. The dynamic linker maps each section to memory individually and assigns the correct permissions based on the information in the headers.[9]
Import table
[edit]The import address table (IAT) is used as a lookup table when the application calls a function in a different module. The imports can be specified by ordinal or by name. Because a compiled program cannot know the memory locations of its dependent libraries beforehand, an indirect jump is necessary for API calls. As the dynamic linker holds modules and resolves dependancies, it populates the IAT slots with actual addresses of the corresponding library functions. Although this adds an extra jump, incurring a performance penalty compared to intermodular calls, it minimizes the number of memory pages that that require copy-on-write changes, thus conserving memory and disk I/O. If a call is known to be intermodular beforehand (if indicated by a dllimport attribute), the compiler can generate optimized code with a simple indirect call opcode.[9]
Address Space Layout Randomization (ASLR)
[edit]PE files aren't position-independent by default; they are compiled to run at a specific, fixed memory address. Modern operating systems use Address Space Layout Randomization (ASLR) to make it harder for attackers to exploit memory-related vulnerabilities. ASLR works by ransdomly changing the memory address of important parts of the program every time it's loaded. This includes the base address of the program itself, shared libraries (DLLs), and memory areas like the heap and stack. as a defense mechanism against memory-based exploits. ASLR rearranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. By randomizing these memory addresses each time the process an application is loaded, ASLR prevents attackers from being able to reliably predict memory locations.
.NET, metadata, and the PE format
[edit]In a .NET executable, the PE code section contains a stub that invokes the CLR virtual machine startup entry, _CorExeMain
or _CorDllMain
in mscoree.dll
, much like it was in Visual Basic executables. The virtual machine then makes use of .NET metadata present, the root of which, IMAGE_COR20_HEADER
(also called "CLR header") is pointed to by IMAGE_DIRECTORY_ENTRY_COMHEADER
(the entry was previously used for COM+ metadata in COM+ applications, hence the name[citation needed]) entry in the PE header's data directory. IMAGE_COR20_HEADER
strongly resembles PE's optional header, essentially playing its role for the CLR loader.[4]
The CLR-related data, including the root structure itself, is typically contained in the common code section, .text
. It is composed of a few directories: metadata, embedded resources, strong names and a few for native-code interoperability. Metadata directory is a set of tables that list all the distinct .NET entities in the assembly, including types, methods, fields, constants, events, as well as references between them and to other assemblies.
Use on other operating systems
[edit]The PE format is also used by ReactOS, as ReactOS is intended to be binary-compatible with Windows. It has also historically been used by a number of other operating systems, including SkyOS and BeOS R3. However, both SkyOS and BeOS eventually moved to ELF.[citation needed]
As the Mono development platform intends to be binary compatible with the Microsoft .NET Framework, it uses the same PE format as the Microsoft implementation. The same goes for Microsoft's own cross-platform .NET Core.
On x86(-64) Unix-like operating systems, Windows binaries (in PE format) can be executed with Wine. The HX DOS Extender also uses the PE format for native DOS 32-bit binaries, plus it can, to some degree, execute existing Windows binaries in DOS, thus acting like an equivalent of Wine for DOS.
Mac OS X 10.5 has the ability to load and parse PE files, but is not binary compatible with Windows.[10]
UEFI and EFI firmware use Portable Executable files as well as the Windows ABI x64 calling convention for applications.
See also
[edit]- a.out
- Comparison of executable file formats
- Executable compression
- ar (Unix) since all COFF libraries use that same format
- Application virtualization
References
[edit]- ^ Andersson, Henrik (2015-04-23). "application/vnd.microsoft.portable-executable". IANA. Retrieved 2017-03-26.
- ^ "Portable executable (PE) - Definition - Trend Micro IN". www.trendmicro.com. Retrieved 2022-11-10.
- ^ "UEFI Specification, version 2.8B" (PDF)., a note on p.15, states that "this image type is chosen to enable UEFI images to contain Thumb and Thumb2 instructions while defining the EFI interfaces themselves to be in ARM mode."
- ^ a b "PE Format (Windows)". Retrieved 2017-10-21.
- ^ "/STUB (MS-DOS Stub File Name)". 3 August 2021.
- ^ PE trick explained: Telling 32 and 64 bit apart with naked eye by Karsten Hahn
- ^ PE Format at Microsoft.com
- ^ "The Portable Executable File From Top to Bottom". Retrieved 2017-10-21.
- ^ a b "Peering Inside the PE: A Tour of the Win32 Portable Executable File". 30 June 2010. Retrieved 2017-10-21.
- ^ Chartier, David (2007-11-30). "Uncovered: Evidence that Mac OS X could run Windows apps soon". Ars Technica. Retrieved 2007-12-03.
... Steven Edwards describes the discovery that Leopard apparently contains an undocumented loader for Portable Executables, a type of file used in 32-bit and 64-bit versions of Windows. More poking around revealed that Leopard's own loader tries to find Windows DLL files when attempting to load a Windows binary.
External links
[edit]- PE Format (latest online document, changes in time)
- Microsoft Portable Executable and Common Object File Format Specification. Revision 11.0, Jan 2017; Revision 10.0, Jun 2016; Revision 8.3, Feb 2013; Revision 8.2, Sep 2010; Revision 8.1, Feb 2008; Revision 8.0, May 2006; Revision 6.0, Feb 1999; Revision 5.0, Oct 1997; Revision 4.1, Aug 1994; Revision 4.0, Sep 1993
- Tool Interface Standard (TIS) Formats Specifications for Windows Version 1.0 (Intel Order Number 241597, TIS Committee, Feb 1993)
- Portable Executable Format (Micheal J. O'Leary, Microsoft Developer Support)
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. Matt Pietrek, Microsoft Systems Journal, March 1994
- An In-Depth Look into the Win32 Portable Executable File Format. Matt Pietrek, MSDN Magazine. Part I, February 2002; Part II, March 2002
- The .NET File Format by Daniel Pistelli
- Ero Carrera's blog describing the PE header and how to walk through
- PE Internals provides an easy way to learn the Portable Executable File Format
- PE Explorer