Reversing PE (Portable Executable)

Last modified: 2024-02-18

Reverse Engineering Windows

The Portable Executable format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows.

PE Headers

There are many tools to analyze PE headers, such as wxHexEditor, pe-tree.
pe-tree is a tool that views PE files in a tree-view. It will take about a few minutes to open.

pe-tree ./executable

Structure	Description
IMAGE_DOS_HEADER	It consists of the first 64 bytes of the PE file. The first two bytes (”4D 5A”) means the “MZ” characters which are an identity of the Portable Executable format.
DOS_STUB	It is a small piece of code that only runs if the PE file is incompatible with the system it is being run on. At such time the message “!This program cannot be run in DOS mode" will be displayed.
IMAGE_NT_HEADERS	It contains most of the vital information related to the PE file. The starting address of the IMAGE_NT_HEADERS is found in `e_lfanew` from the IMAGE_DOS_HEADER. It contains `NT_HEADERS`, `IMAGE_SECTION_HEADER`, `IMAGE_IMPORT_DESCRIPTION`

Identify Packers of Packed Executable

pecheck is a command-line tool which analyze PE files.

pecheck ./executable

When results appears, check the section name in the PE Section.

Debugging

Decompiler Explorer
dnSpy
ILSpy
AnaloniaILSpy
Cutter
Ghidra
Binary Ninja

Assembly

Cheatsheet

Reversing

Others

Reversing PE (Portable Executable)

PE Headers

Identify Packers of Packed Executable

Debugging

ON THIS PAGE