EXE File format

PE EXE (Windows 32Bit EXE, DLL, OCX, etc)
MZ EXE Header        This contains information needed to run the DOS STUB
Extended MZ Header   Offset 3ch points to the PE header
DOS STUB             Usually displays 'Requires windows to run' or similar message
PE Header            Contains info needed to run the Win32 program
Object table         Information about objects present in file
Objects              OBJECT DATA


MZ EXE Header
0000  Word   ID 'MZ' - Exe file tag
0002  Word   Number of bytes in last 512byte page of executable
0004  Word   Total number of 512byte pages in executable (including last page)
0006  Word   Number of relocation entries
0008  Word   Header size in paragraphs
000a  Word   Minimum paragraphs of memory allocated in addition to the code size
000c  Word   Maximum paragraphs of memory allocated in addition to the code size
000e  Word   Initial SS relative to start of executable
0010  Word   Initial SP
0012  Word   Checksum (or 0) of executable
0014  Dword  CS:IP relative to start of executable (Entry point)
0018  Word   Offset of relocation table
               40h for new (NE,LE,LX,W3,PE etc) executables
001a  Word   Overlay number (0 = main program)

Extended MZ Header
001c  Dword    ????
0020  Word     ?
0022  26Bytes  Reserved (0)?
003c  Dword    Offset of New EXE header from start of file
                 Or 0 if plain MZ EXE file

PE Header
0000  Dword    Signature - 'PE',0,0
0004  Word     CPU_TYPE
                 0000 - Unknown    0162 - MIPS I
                 014c - 80386      0163 - MIPS II
                 014d - 80486      0166 - MIPS III
                 014e - 80586
0006  Word     Number of objects in object table
0008  Dword    Time/Date stamp
000c  8Bytes   Reserved
0014  Word     NT Header size (Following Flags)
0016  Word     Flags
                 0 - Program Image      2 - EXE
                 200 - Fixed address    2000 - Library
0018  Word     Reserved
001a  Word     Linker version
001c  12Bytes  Reserved
0028  Dword    Entry point RVA - Execution starts here.
002c  8Bytes   Reserved
0034  Dword    Image Base - start of image in memory
0038  Dword    Object align (Power of 2  512-256M)
003c  Dword    File align (Power of 2  512-64k)
0040  Dword    O/S Version required
0044  Dword    User Version
0048  Dword    Subsys Version
004c  Dword    Reserved
0050  Dword    Image size
0054  Dword    Header size
0058  Dword    File Checksum (Only used in NT devices)
005c  Word     Subsystem
                 0 - Unknown    1 - Native
                 2 - Win GUI    3 - Win Character
005e  Word     DLL Flags
0060  Dword    Stack reserve size
0064  Dword    Stack commit size
0068  Dword    Heap reserve size
006c  Dword    Heap commit size
0070  Dword    Reserved
0074  Dword    Number of RVA/Sizes present NOW
                 All entries have   Dword RVA, Size
0078  8Bytes   Export table RVA/Size
0080  8Bytes   Import table RVA/Size
0088  8Bytes   Resource table RVA/Size
0090  8Bytes   Exception table RVA/Size
0098  8Bytes   Security table RVA/Size
00a0  8Bytes   Fixup table RVA/Size
00a8  8Bytes   Debug table RVA/Size
00b0  8Bytes   Image description RVA/Size
00b8  8Bytes   Machine specific RVA/Size
00c0  8Bytes   Local thread storage RVA/Size
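
The lookup chain in the tables above ('MZ' tag at 0000, new EXE header offset at 003c, then the 'PE',0,0 or 'NE' signature) written as a bounds-checked parser. This is an added example, not part of the original listing: the function names and the constructed sample bytes are assumptions, while every offset and value table comes from this page (the NE target OS byte at 0036 is from the NE Header table).

```python
import struct

CPU_TYPES = {0x0000: "Unknown", 0x014c: "80386", 0x014d: "80486", 0x014e: "80586",
             0x0162: "MIPS I", 0x0163: "MIPS II", 0x0166: "MIPS III"}
DIRECTORIES = ["Export", "Import", "Resource", "Exception", "Security", "Fixup",
               "Debug", "Image description", "Machine specific", "Local thread storage"]

def read(data, offset, fmt):
    """Unpack little-endian fields, refusing to read past the end of the data."""
    if offset + struct.calcsize(fmt) > len(data):
        raise ValueError(f"truncated: cannot read {fmt!r} at {offset:#x}")
    return struct.unpack_from(fmt, data, offset)

def parse_exe(data):
    """Classify a file as plain MZ, NE or PE and pull out the key PE fields."""
    if read(data, 0x00, "<2s")[0] != b"MZ":
        raise ValueError("missing 'MZ' tag at offset 0")
    (new_off,) = read(data, 0x3c, "<I")           # offset of new EXE header
    if new_off == 0: return {"type": "MZ"}        # plain MZ EXE file
    if read(data, new_off, "<2s")[0] == b"NE":
        return {"type": "NE", "target_os": read(data, new_off + 0x36, "<B")[0]}
    if read(data, new_off, "<4s")[0] != b"PE\0\0":
        raise ValueError(f"unrecognised signature at {new_off:#x}")
    cpu, objects = read(data, new_off + 0x04, "<HH")
    (count,) = read(data, new_off + 0x74, "<I")   # RVA/Size pairs present
    # The count comes from the file; slicing caps it at the ten entries listed.
    tables = {name: read(data, new_off + 0x78 + 8 * i, "<II")
              for i, name in enumerate(DIRECTORIES[:count])}
    return {"type": "PE", "cpu": CPU_TYPES.get(cpu, hex(cpu)), "objects": objects,
            "flags": read(data, new_off + 0x16, "<H")[0],
            "entry_rva": read(data, new_off + 0x28, "<I")[0],
            "image_base": read(data, new_off + 0x34, "<I")[0],
            "tables": tables}

def build_sample():
    """Constructed header bytes (not a real program) used as demo input."""
    buf = bytearray(0x80 + 0xc8)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3c, 0x80)                 # PE header at 80h
    struct.pack_into("<4sHH", buf, 0x80, b"PE\0\0", 0x014c, 3)
    struct.pack_into("<H", buf, 0x80 + 0x16, 0x0002)        # flags: EXE
    struct.pack_into("<I", buf, 0x80 + 0x28, 0x1000)        # entry point RVA
    struct.pack_into("<I", buf, 0x80 + 0x34, 0x400000)      # image base
    struct.pack_into("<I", buf, 0x80 + 0x74, 2)             # two RVA/Size pairs
    struct.pack_into("<IIII", buf, 0x80 + 0x78, 0, 0, 0x2000, 0x50)
    return bytes(buf)

if __name__ == "__main__": print(parse_exe(build_sample()))
```

A file whose 003c value points past its own end, or that is cut off mid-header, raises ValueError instead of yielding fields read from the wrong place.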

NE Header
0000  Word   ID - 'NE'
0002  Word   Linker version
0004  Word   Offset of entry table
0006  Word   Length of entry table in bytes
0008  Dword  File load CRC (Or 0)
000c  Byte   Program flags bitmapped:
               0-1 - DGroup type    0- none, 1- single shared, 2- multiple, 3- (null)
               2   - Global initialization
               3   - Protected mode only
               4   - 8086 Instructions
               5   - 80286 Instructions
               6   - 80386 Instructions
               7   - 80x87 Instructions
000d  Byte   Application flags bitmapped:
               0-2 - Application type   1- Full screen   2- Compat with Windows/PM   3- Uses Win/PM
               3   - OS/2 family application
               4   - Reserved?
               5   - Errors in image/executable
               6   - Non-conforming program
               7   - DLL or driver (SS:SP info invalid)
                     CS:IP -> Far init routine called with ax=mod handle.
                     Returns ax=0 on failure, ax nonzero on successful initialization.
000e  Byte   Auto data segment index
0010  Word   Initial local heap size
0012  Word   Initial stack size
0014  Dword  Entry point CS:IP (CS is index into segment table)
0018  Dword  Initial stack pointer SS:SP (SS is index into segment table)
001c  Word   Segment count
001e  Word   Module reference count
0020  Word   Size of nonresident names table in bytes
0022  Word   Offset of segment table
0024  Word   Offset of resource table
0026  Word   Offset of resident names table
0028  Word   Offset of module reference table
002a  Word   Offset of imported names table
002c  Dword  Offset from start of file to nonresident names table
0030  Word   Count of moveable entry points listed in entry table
0032  Word   File alignment size shift count (0 is equivalent to 9) Default 512-byte pages
0034  Word   Number of resource table entries
0036  Byte   Target operating system
               0 - unknown
               1 - OS/2
               2 - Windows
               3 - European DOS 4.x
               4 - Windows 386
               5 - BOSS (Borland operating system services)
0037  Byte   Other OS/2 EXE flags bitmapped:
               0 - Long filename support
               1 - 2.x protected mode
               2 - 2.x proportional fonts
               3 - EXE has gangload area
0038  Word   Offset to return thunks or start of gangload area
003a  Word   Offset to segment reference thunks or length of gangload area
003c  Word   Minimum code swap area size
003e  Word   Expected windows version