|
The Portable Executable (PE) format is a file format for executables, object code, and DLLs, used in 32-bit and 64-bit versions of Windows operating systems. The term "portable" refers to the format's versatility in numerous environments of operating system software architecture. The PE format is basically a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, OBJ, SYS (device driver), and other file types. The Extensible Firmware Interface specification states that PE is the standard executable format in EFI environments. A filename extension is a suffix to the name of a computer file applied to show its format. ...
Microsoft Corporation, (NASDAQ: MSFT, HKSE: 4338) is a multinational computer technology corporation with global annual revenue of US$44. ...
A Hexdump of a JPEG image. ...
In computer science, object file or object code is an intermediate representation of code generated by a compiler after it processes a source code file. ...
In computer science, a library is a collection of subprograms used to develop software. ...
A file format is a particular way to encode information for storage in a computer file. ...
In computer science, object file or object code is an intermediate representation of code generated by a compiler after it processes a source code file. ...
This article is about dynamic libraries implemented by Microsoft. ...
Windows redirects here. ...
An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ...
Illustration of an application which may use libvorbisfile. ...
API and Api redirect here. ...
In computer programming, thread-local storage is static or global memory local to a thread. ...
Windows NT (New Technology) is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. ...
EXE is the common filename extension for denoting an executable file (a program) in the OpenVMS, DOS, Microsoft Windows, ReactOS, and OS/2 operating systems. ...
The workings of the Extensible Firmware Interface The Extensible Firmware Interface (EFI) is a software interface between an operating system and platform firmware. ...
PE is a modified version of the Unix COFF file format. PE/COFF is an alternative term in Windows development. The Common Object File Format (COFF) is an object file format that was introduced in Unix System V Release 3, and was later adopted by Microsoft for Windows NT. It was superseded by the more powerful ELF in System V Release 4, but as of 2005, COFF is still used...
On Windows NT operating systems, PE currently supports the IA-32, IA-64, and x86-64 (AMD64 and Intel64) instruction set architectures. Prior to Windows 2000, Windows NT (and thus PE) supported the MIPS, DEC Alpha, and PowerPC instruction set architectures. Because PE is used on Windows CE, it continues to support several variants of the MIPS architecture, and also supports the ARM (including Thumb) and SuperH instruction set architectures. It has been suggested that this article or section be merged with X86 assembly language. ...
In computing, IA-64 (short for Intel Architecture-64) is a 64-bit processor architecture developed cooperatively by Intel Corporation and Hewlett-Packard (HP), and implemented in the Itanium and Itanium 2 processors. ...
The AMD64 or x86-64 is a 64-bit processor architecture invented by AMD. It is a superset of the x86 architecture, which it natively supports. ...
An instruction set is (a list of) all instructions, and all their variations, that a processor can execute. ...
Windows 2000 (also referred to as Win2K) is a preemptive, interruptible, graphical and business-oriented operating system designed to work with either uniprocessor or symmetric multi-processor computers. ...
A MIPS R4400 microprocessor made by Toshiba. ...
DEC Alpha AXP 21064 Microprocessor die photo Package for DEC Alpha AXP 21064 Microprocessor Alpha AXP 21064 bare die mounted on a business card with some statistics The DEC Alpha, also known as the Alpha AXP, is a 64-bit RISC microprocessor originally developed and fabricated by Digital Equipment Corp...
PowerPC is a RISC microprocessor architecture created by the 1991 Apple–IBM–Motorola alliance, known as AIM. Originally intended for personal computers, PowerPC CPUs have since become popular embedded and high-performance processors as well. ...
Windows CE (sometimes abbreviated WinCE) is a variation of Microsofts Windows operating system for minimalistic computers and embedded systems. ...
The ARM architecture (previously, the Advanced RISC Machine, and prior to that Acorn RISC Machine) is a 32-bit RISC processor architecture developed by ARM Limited that is widely used in a number of embedded designs. ...
The SuperHichem (or SH) is brandname of a certain microcontroller and microprocessor architecture. ...
Brief history Microsoft migrated to the PE format with the introduction of the Windows NT 3.1 operating system. All later versions of Windows, including Windows 95/98/ME, support the file structure. The format has retained limited legacy support to bridge the gap between DOS-based and NT systems. For example, PE/COFF headers still include an MS-DOS executable program, which is by default a stub that displays the simple message "This program cannot be run in DOS mode" (or similar). PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format (see below), a 64-bit version called PE32+ (sometimes PE+), and a specification for Windows CE.
Technical details A PE file consists of a number of headers and sections that tell the dynamic linker how to map the file into memory. An executable image consists of several different regions, each of which require different memory protection; so the start of each section must be aligned to a page boundary. For instance, typically the .text section (which holds program code) is mapped as execute/readonly, and the .data section (holding global variables) is mapped as no-execute/readwrite. However, to avoid wasting space, the different sections are not page aligned on disk. Part of the job of the dynamic linker is to map each section individually and assign the correct permissions to the resulting regions, according to the instructions found in the headers. In computing, a dynamic linker is the part of an operating system (OS) that loads and links the shared libraries for an executable when it is run. ...
One section of note is the import address table (IAT), which is used as a lookup table when the application is calling a Windows API function. Because a compiled program cannot know the memory location of the the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes jump instructions into the IAT slots, so that they NIGGER!location. Base relocations are stored in a list and added, as needed, to an existing memory location. The resulting code is now private to the process and no longer shareable, so many of the memory saving benefits of DLLs are lost in this scenario. It also slows down loading of the module significantly. For this reason rebasing is to be avoided wherever possible, and the DLLs shipped by Microsoft have base addresses pre-computed so as not to overlap. In the no rebase case PE therefore has the advantage of very efficient code, but in the presence of rebasing the memory usage hit can be expensive. Contrast this with ELF which uses fully position independent code and a global offset table, which trades off execution time against memory usage in favour of the latter. In computing, the Executable and Linking Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. ...
.NET, metadata, and the PE format Microsoft's .NET Framework has extended the PE format with features which support the Common Language Runtime (an implementation of the .NET virtual machine). Among the additions are a CLR Header and CLR Data section. Upon loading a binary, the OS loader yields execution to the CLR via a reference in the PE/COFF IMPORT table. The CLR VM then loads the CLR Header and Data sections. The Microsoft . ...
The Common Language Runtime (CLR) is the virtual machine component of Microsofts . ...
In computer science, a virtual machine is software that creates a virtualized environment between the computer platform and its operating system, so that the end user can operate software on an abstract machine. ...
The CLR Data section contains two important segments: Metadata and Intermediate Language (IL) code:
- Metadata contains information relevant to the assembly, including the assembly manifest. A manifest describes the assembly in detail including unique indentification (via a hash, version number, etc.), data on exported components, extensive type information (supported by the Common Type System (CTS)), external references, and a list of files within the assembly. The CLR environment makes extensive use of metadata.
- Intermediate Language (IL) code is abstracted, language independent code that satisfies the .NET CLR's Common Intermediate Language (CIL) requirement. The term "Intermediate" refers to the nature of IL code being cross-language and cross-platform compatible. This intermediate language, similar to bytecode in Java, allows platforms and languages to support the common .NET CLR (rather than vice versa). IL supports object-oriented programming (polymorphism, inheritance, abstract types, etc.), exceptions, events, and various data structures. IL code is assembled into a .NET PE for execution by the CLR.
Common Intermediate Language (CIL, pronounced either sill or kill) (formerly called Microsoft Intermediate Language or MSIL) is the lowest-level human-readable programming language in the Common Language Infrastructure and in the . ...
Bytecode is a binary representation of an executable program designed to be executed by a virtual machine rather than by dedicated hardware. ...
Java language redirects here. ...
Object-oriented programming (OOP) is a programming paradigm that uses objects and their interactions to design applications and computer programs. ...
Use on other operating systems The PE format is also used by ReactOS, as ReactOS is intended to be binary-compatible with Windows. It has also historically been used by a number of other operating systems, including SkyOS and BeOS R3. However, both SkyOS and BeOS eventually moved to ELF. ReactOS is a project to develop an operating system that is binary-compatible with application software and device drivers for Microsoft Windows NT version 5. ...
SkyOS is a proprietary operating system currently in production. ...
BeOS is an operating system for personal computers which began development by Be Inc. ...
In computing, the Executable and Linking Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. ...
As the Mono development platform intends to be binary compatible with Microsoft .NET, it uses the same PE format as the Microsoft implementation. Mono is a project led by Novell, Inc. ...
Microsoft . ...
On x86, Unix-like operating systems can execute Windows binary (in PE format of course) with Wine. x86 or 80x86 is the generic name of a microprocessor architecture first developed and manufactured by Intel. ...
Diagram of the relationships between several Unix-like systems A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification. ...
Wine is a project which aims to allow a PC with an x86 architecture processor running a Unix-like operating system and the X Window System to execute programs that were originally written for Microsoft Windows. ...
See also a. ...
In computing, the Executable and Linking Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables, object code, shared libraries, and core dumps. ...
It has been suggested that this article or section be merged with Executable compression. ...
Related tools - PEBrowse a Portable Executable (Win32) file viewer/dissection utility
- CFF Explorer PE Editor with full support for PE32/64. Utilities, rebuilder, hex editor, import adder, resource viewer. First PE Editor with support for .NET.
- PE Explorer(Shareware) a PE file viewer/editor, also provides an API function syntax lookup, dependency viewer, section editor, and a disassembler for generating annotated code dumps.
- PEDUMP ConsoleApp + Source Code(C++), really nice to compare two PE-Files via a script. Redirect console output to a txt-file and compare it with, e.g., Examdiff
- GNU Binutils with --target=i386-pe, --target=mips-pe etc.
- Anywhere PE Viewer is a free tool for exploring PE files (headers, export table, import table, resources). It is a pure Java application.
- PE Read PE (e.g. .exe, .ocx, .dll) and show sections, import, export, etc. Freeware.
- SK PEInfo for Windows CE PE viewer for Windows CE. ARM/MIPS/SH3 processor builds for Handheld PC 2000/Pocket PC. Shows sections, import, export, etc. with built in resource viewer. Can also extract resources from ROM modules. Freeware.
- pefile Powerful Python module to parse PE files (e.g. exe, dll, etc). Fully written in Python. Freeware.
- anal_pe LGPL'd command line based tool for outputting PE headers as text. Runs on Linux and Windows.
The GNU Binutils is a collection of programming tools developed by the Free Software Foundation for the manipulation of object code in various object file formats. ...
External links |
Feeds |
Contact