PE File breakdown
-----------------

HEX VALUES OF DIFFERENT HEADERS:

  'MZ' = 5A4Dh
  'NE' = 454Eh
  'LE' = 454Ch
  'PE' = 00004550h {Dword}

Section I: MS-DOS EXE file header

  Bytes 0-1:    Word   Identifier 'MZ'
  Bytes 2-3:    Word   Number of bytes on last page
  Bytes 4-5:    Word   Number of Pages
  Bytes 6-7:    Word   Relocations
  Bytes 8-9:    Word   Size of Header in 16-byte Paragraphs
  Bytes 10-11:  Word   Minimum Extra Paragraphs
  Bytes 12-13:  Word   Maximum Extra Paragraphs
  Bytes 14-15:  Word   Initial Relative SS
  Bytes 16-17:  Word   Initial SP
  Bytes 18-19:  Word   Initial Checksum
  Bytes 20-21:  Word   Initial IP
  Bytes 22-23:  Word   Initial Relative CS
  Bytes 24-25:  Word   Offset of Relocation Table
  Bytes 26-27:  Word   Overlay number
  Bytes 28-35:         Reserved Bytes
  Bytes 36-37:  Word   OEM identifier
  Bytes 38-39:  Word   OEM Info (Varies by OEM ID)
  Bytes 40-59:         Reserved Words
  Bytes 60-63:  DWORD  OFFSET OF NEW FILE HEADER

NOTE: All file offsets are now from the point supplied at absolute 60

  Bytes 0-3:    Dword  PE File identifier (00004550h)
  Bytes 4-5:    Word   Machine Type (CPU)
  Bytes 6-7:    Word   Number of Sections
  Bytes 8-11:   Dword  Time Stamp
  Bytes 12-15:  Dword  Pointer to symbol table
  Bytes 16-19:  Dword  Number of Symbols
  Bytes 20-21:  Word   Size of optional header
  Bytes 22-23:  Word   Characteristics

Following the 24-byte PE header is a 224-byte "Optional" header. This header
is not really optional, and consists of the following:

  Bytes 0-1:    Word   Magic Number (Purpose unknown, usually: 10Bh)
  Byte 2:              Major Linker Version
  Byte 3:              Minor Linker Version
  Bytes 4-7:    Dword  Size of Code
  Bytes 8-11:   Dword  Size of Initialized Data
  Bytes 12-15:  Dword  Size of Uninitialized Data
  Bytes 16-19:  Dword  ENTRY POINT and Import Address Table
  Bytes 20-23:  Dword  Relative offset of Code
  Bytes 24-27:  Dword  Relative offset of uninitialized data

NOTE: The following locations may only be used in NT apps, not Win95 ones.

  Bytes 28-31:  Dword  Image Base (Preferred Base Address)
  Bytes 32-35:  Dword  Section Alignment (Multiple of 4096, usually 4096)
  Bytes 36-39:  Dword  File Alignment (Power of 2, between 512 and 65535)
  Bytes 40-41:  Word   OS Major Version (For NT, usually 1)
  Bytes 42-43:  Word   OS Minor Version (For NT, usually 0)
  Bytes 44-45:  Word   App Major Version (Programmer Defined, i.e. for Word 7 it'd be 7)
  Bytes 46-47:  Word   App Minor Version (See above)
  Bytes 48-49:  Word   Subsystem Major Version (Version of NT subsystem, currently 3)
  Bytes 50-51:  Word   Subsystem Minor Version (As above, currently 10)
  Bytes 52-55:  Dword  Reserved (Must be 0)
  Bytes 56-59:  Dword  Size of image (Approx NumSections * SecAlign, Set by linker)
  Bytes 60-63:  Dword  Size of all headers (Total size of all headers, including MS-DOS)
  Bytes 64-67:  Dword  Checksum (Sorry, no data on how the linker gets this number...)
  Bytes 68-69:  Word   Subsystem (Details later in this document)
  Bytes 70-71:  Word   Dll Characteristics
  Bytes 72-75:  Dword  Size of Reserved Stack (All these values are byte values, not pages)
  Bytes 76-79:  Dword  Size of Committed Stack
  Bytes 80-83:  Dword  Size of Reserved Heap
  Bytes 84-87:  Dword  Size of Committed Heap
  Bytes 88-91:  Dword  LoaderFlags
  Bytes 92-95:  Dword  Size of RVA and Sizes (Length of the next entry, the data directory)

The DATA Directory Index comes next, containing the number of entries defined
in the Size of RVA variable. They appear in the following order:

  Export
  Import
  Resource
  Exception
  Security
  Base Reloc
  Debug
  Description
  Machine Value
  TLS Directory
  Load Config

Each Index entry contains the following:

  Bytes 0-3:    Dword  Offset of directory entry (? Not sure what offset from.)
  Bytes 4-7:    Dword  Size of directory

After these entries are 40-byte section headers. All the below values are
offsets from the start of the headers.

  Bytes 0-7:           ASCII string containing name of section (non-terminated)
  Bytes 8-11:   Dword  Physical Address (UNION with VirtualSize?)
  Bytes 12-15:  Dword  Virtual Size
  Bytes 16-19:  Dword  Virtual Address
  Bytes 20-23:  Dword  Pointer to Raw Data (Offset from beginning of file?)
  Bytes 24-27:  Dword  Pointer to Relocations *
  Bytes 28-31:  Dword  Pointer to Line Numbers *
  Byte 32:      Byte   Number of Relocations *
  Byte 33:      Byte   Number of Line Numbers *
  Bytes 34-37:  Dword  Characteristics

  * Not used in PE format... some related format?

Characteristics from above: (Note, can be blended, i.e. 20000020h)

  00000020h  Code Segment
  00000040h  Initialized Data Segment
  00000080h  Uninitialized Data Segment
  04000000h  Section cannot be cached
  08000000h  Section is not pageable
  10000000h  Section is shared
  20000000h  Executable Section
  40000000h  Readable Section
  80000000h  Writeable Section

Note, all data from Microsoft, some was less than clear. The original doc this
was based on is available at: http://www.microsoft.com/win32dev/
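
Added example (not part of the original document): a Python walk from the MS-DOS header to the data directory using the byte offsets listed above, bounds-checking each step so a truncated or malformed file is rejected instead of mis-parsed. The function names, warning strings and the sample image built by build_sample() are constructed for illustration.

```python
import struct

# Directory order as given in the listing above.
DIR_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "Base Reloc",
             "Debug", "Description", "Machine Value", "TLS Directory", "Load Config"]

def parse_pe_headers(data):
    """Follow MZ -> PE -> optional header -> data directory, validating each hop."""
    if len(data) < 64 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        raise ValueError("missing 'MZ' identifier")
    pe = struct.unpack_from("<I", data, 60)[0]           # offset of new file header
    if pe + 24 > len(data) or struct.unpack_from("<I", data, pe)[0] != 0x00004550:
        raise ValueError("missing 'PE' identifier")
    machine, nsect, opt_size = struct.unpack_from("<HH12xH", data, pe + 4)
    opt = pe + 24                                        # optional header follows
    if opt_size < 96 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("offsets above apply to magic 10Bh only")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    warnings = []
    if file_align & (file_align - 1) or not 512 <= file_align <= 65535:
        warnings.append("file alignment")
    if sect_align == 0 or sect_align % 4096:
        warnings.append("section alignment")
    fits = (opt_size - 96) // 8          # entries that really fit in the header
    if ndirs > fits:                     # never trust the count field from the file
        warnings.append("directory count")
        ndirs = fits
    dirs = {}
    for i in range(ndirs):
        name = DIR_NAMES[i] if i < len(DIR_NAMES) else "dir%d" % i
        dirs[name] = struct.unpack_from("<II", data, opt + 96 + 8 * i)
    return {"machine": machine, "sections": nsect, "entry": entry,
            "image_base": image_base, "dirs": dirs, "warnings": warnings}

def build_sample(file_align=512, ndirs=16):
    """Constructed header-only image (not a runnable program); all values are samples."""
    dos = struct.pack("<H58xI", 0x5A4D, 64)              # 'MZ', PE header at 64
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # magic
    struct.pack_into("<I", opt, 16, 0x1000)              # entry point
    struct.pack_into("<III", opt, 28, 0x400000, 4096, file_align)
    struct.pack_into("<I", opt, 92, ndirs)               # number of directories
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x28)   # Import entry (index 1)
    return dos + coff + bytes(opt)
```

Calling parse_pe_headers(build_sample()) returns the parsed fields with an empty warnings list; a file whose alignment or directory count breaks the rules in the listing comes back with the corresponding warning instead of raising.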