PE parsing

A random page with some information of the PE format file and its main headers. Main usage: malware development and malware research.

Considerations

• RVA (Relative Virtual Address): Offset from Image Base. To obtain the absolute virtual address the calculation “Image Base + RVA” must be performed. Several PE sections include RVAs.
• Check the official Microsoft documentation if you want to know more! This is only a summary and my personal studies about the topic.

DOS header

• IMAGE_DOS_HEADER structure definition from winnt.h.
• First 64 bytes of the PE file.
• Was very important in the MS-DOS era, right now it is not.
• The actual Windows OS loader uses a field in this header to navigate to the new executable header , which is the header containing most of the needed information.
• Kept in the binaries for compatibility purposes.

We only want to know about the first and last members of this header: