|
The Portable Executable (PE) format is an executable file format used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to the format's portability across all 32-bit (and by extension 64-bit) Windows operating systems. The PE format is basically a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, and resource management data. On NT operating systems, the PE format supports EXE, DLL, OBJ, and other filetypes.
PE is a modified version of the Unix COFF file format. PE/COFF is an alternate term in Windows development.
Brief History
Microsoft migrated to the PE format with the introduction of the Windows NT and Windows 95/98/ME operating systems (a hallmark of the transition to 32-bit systems). The format has retained limited legacy support to bridge the gap between DOS-based and NT systems. For example, PE/COFF Headers still include an MS-DOS executable header (or "stub") that displays the simple message "This program cannot be run in MSDOS mode", or similar, as backwards-compatible error output. PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format (see below) and a 64-bit version called PE+ (sometimes PE32+).
.NET, Metadata, and the PE Format
Microsoft's .NET Framework has extended the PE format with features which support the Common Language Runtime (an implementation of the .NET Virtual Machine). The additions include a CLR Header and CLR Data section, appearing in that order after the PE/COFF Headers. The CLR Header section contains a reference to the function _CorExeMain, found in mscoree.dll, which calls and yields execution to the CLR.
The CLR Data section contains two important segments: Metadata and Intermediate Language (IL) code:
- Metadata contains information relevant to the assembly, including the assembly manifest. A manifest describes the assembly in detail including unique indentification (via a hash, version number, etc.), data on exported components, extensive type information (supported by the Common Type System (CTS)), external references, and a list of files within the assembly. The CLR environment makes extensive use of metadata.
- Intermediate Language (IL) code is abstracted, language independent code that satisfies the .NET CLR's Common Intermediate Language (CIL) requirement. The term "Intermediate" refers to the nature of IL code as cross-language and cross-platform compatible. This intermediate language, similar to bytecode in the Java programming language, allows platforms and languages to support the common .NET CLR (rather than vice versa). IL supports object-oriented programming (polymorphism, inheritance, abstract types, etc.), exceptions, events, and various data structures. IL code is assembled into a .NET PE for execution by the CLR.
Misc.
Computer viruses that infect PE files, such as CIH, often fill in the empty spaces within the file, so the file size does not grow.
Tools
- LordPE (http://sistemo.has.it/), the seminal PE viewer, supports PE32+ and .NET files, many options.
- PEBrowse (http://www.smidgeonsoft.com/) a Portable Executable (Win32) file viewer/dissection utility
- PEDUMP
External links
|
