Malware Handbook

PE32

PE32 (Portable Executable 32-bit) is a file format used for executables, object code, DLLs, and other types of binary files in Windows operating systems. It is a standard format introduced by Microsoft to encapsulate executable code and associated resources in a structured manner.

Here's a brief overview of PE32:

  1. Structure: PE32 files consist of various headers and sections that organize and describe different aspects of the executable, including the DOS header, PE header, optional header, and one or more sections.

  2. DOS Header: The DOS header is a legacy header present at the beginning of the file, primarily for backward compatibility. It contains the DOS executable signature and a pointer to the PE header.

  3. PE Header: The PE header follows the DOS header and contains essential information about the PE file, such as the signature, machine type, number of sections, and entry point address.

  4. Optional Header: The optional header provides additional details about the PE file, including the image base address, entry point RVA (Relative Virtual Address), subsystem type, and various flags and characteristics.

  5. Sections: PE32 files are divided into sections, each containing specific types of data or code. Common sections include code sections (.text), data sections (.data), resource sections (.rsrc), and import/export tables.

  6. Addressing: PE32 files use 32-bit memory addressing, meaning they can access up to 4 GB of virtual memory space. The address space is divided into user space and system space, with different memory protection mechanisms.

  7. Imports and Exports: PE32 files can import functions from other DLLs using import tables, specifying the external functions and the DLLs providing them. They can also export their own functions for use by other modules through export tables.

  8. Relocation: PE32 files support relocation, allowing them to be loaded at different base addresses in memory. Relocation information is stored in the file to adjust addresses based on the actual loading address.

Overall, PE32 is a versatile and widely used format for Windows executables, offering a structured way to package and execute code, manage resources, and interact with the operating system and other modules.
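To make the layout above concrete, here is an added example (not code from the handbook) that walks the headers in the order the overview lists them: DOS header, e_lfanew pointer, PE signature, COFF file header, PE32 optional header, then the section table, and finally maps the entry-point RVA to its file offset. The input is a constructed 352-byte header set built with struct.pack, not a real program; field offsets follow the PE/COFF specification.

```python
import struct

PE32_MAGIC = 0x10B  # optional-header Magic for PE32; PE32+ uses 0x20B and a different layout

def parse_pe32(data):
    """Walk DOS header -> PE signature -> COFF file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing DOS 'MZ' signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # DOS header field pointing at PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing 'PE\\0\\0' signature at e_lfanew")
    fh = e_lfanew + 4                                              # COFF file header (20 bytes)
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                                  # optional header starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 optional header (magic 0x%x)" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint (an RVA)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]       # ImageBase (32-bit in PE32)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # 2 = GUI, 3 = console
    sections = []
    for i in range(nsections):                                     # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"machine": machine, "characteristics": characteristics, "image_base": image_base,
            "entry_rva": entry_rva, "subsystem": subsystem, "sections": sections}

def rva_to_file_offset(sections, rva):
    """Map an RVA to the file offset of its bytes; None if no section backs it (e.g. uninitialised data)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None

def build_sample():
    """Constructed 352-byte PE32 header set (not a runnable program): i386 EXE, one .text section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, EXE, 32-bit
    opt = struct.pack("<HBB9I6H4I2H", 0x10B, 14, 0, 0x200, 0, 0, 0x1010, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0x8140)
    opt += b"\0" * (224 - len(opt))                                 # remaining fields and data directories zeroed
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt + text

if __name__ == "__main__":
    info = parse_pe32(build_sample())
    print("entry VA = 0x%x, file offset = 0x%x" % (info["image_base"] + info["entry_rva"],
          rva_to_file_offset(info["sections"], info["entry_rva"])))
```

With the constructed sample the entry point resolves to virtual address 0x401010 and file offset 0x210, which is the byte an analyst would jump to in a hex editor or disassembler.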
