🗃️

PE and COFF File Structure

Jul 20, 2025

Overview

This lecture details the structure and key components of the Windows Portable Executable (PE) and Common Object File Format (COFF), explaining headers, section tables, data directories, and special section usage relevant to Win32 executable and object files.

PE and COFF File Structure

  • PE files are portable, architecture-independent executable formats; COFF is the object file format for Windows.
  • A PE file starts with an MS-DOS header/stub, followed by the PE header, optional header, section headers, and image pages.
  • COFF object files include a COFF header, section headers, and raw data blocks, possibly with a string table and symbol table.

PE/COFF Headers and Fields

  • The PE header consists of the DOS stub, PE signature ("PE\0\0"), COFF file header, and the optional header.
  • The COFF header defines fields for machine type, number of sections, timestamps, pointers, symbol info, and file characteristics.
  • Machine types and characteristics fields specify the target CPU and file attributes (e.g., executable, DLL, stripped debug info).

Optional Header and Data Directories

  • The optional header is required for executables, contains standard fields, Windows-specific fields, and data directories.
  • The magic number identifies PE32 (0x10b) or PE32+ (0x20b) format.
  • Data directories provide addresses and sizes for tables like imports, exports, debug data, resources, relocations, TLS, and more.

Section Table and Section Characteristics

  • Each section table entry describes a code/data section: name, size, virtual address, raw data, and characteristics flags.
  • Common section names include .text (code), .data (initialized data), .bss (uninitialized data), .rsrc (resources), etc.
  • Section flags define usage: code, data, alignment, readable/writable, executable.

Relocations and Symbol Tables

  • COFF relocations in object files indicate how references to symbols should be adjusted during linking/loading.
  • Relocation types are architecture-dependent (e.g., x86, x64, ARM).
  • The COFF symbol table holds information on functions, data, storage class, and supports auxiliary records for functions and other metadata.

Special Sections and Tables

  • .edata (export table), .idata (import table), .reloc (base relocation), .tls (thread-local storage), and .rsrc (resources) have specific formats and usage.
  • The debug directory (.debug) and associated types specify locations and formats of debug information.
  • Attribute certificate tables enable file integrity verification with digital signatures (e.g., Authenticode).

Key Terms & Definitions

  • PE (Portable Executable) — Windows executable file format, not architecture-specific.
  • COFF — Common Object File Format, used for object (OBJ) files.
  • Section — Basic unit of code/data in PE/COFF files (e.g., .text, .data).
  • RVA (Relative Virtual Address) — Address relative to the image base when loaded.
  • VA (Virtual Address) — Actual address in process virtual memory.
  • Relocation — Adjustment of addresses/references due to loading at non-preferred locations.
  • Export/Import Table — Structures defining symbols/functions provided or consumed by the file.
  • Optional Header — Provides loader info; required for executables, optional for object files.

Action Items / Next Steps

  • Review field layouts and flag values for headers and sections.
  • Memorize common section names and their purposes.
  • Study relocation types and symbol table structure for your target architecture.
  • Practice reading PE/COFF headers using a binary viewer or analysis tool.

View note source

https://docs.microsoft.com/en-us/windows/win32/debug/pe-format