Malware Analysis – Understanding The PE Header

Video Link

  • What Is The PE Header?

  • The PE header contains the information the OS requires to run the executable.

  • This information is very useful, as it can give us more information about the functionality of the malware and how the malware interacts with the OS.

Why is the PE header important?

  1. It contains all of the important and necessary information required by the OS to execute the executable.
  2. It contains information that specifies where the executable needs to be loaded in to memory.
  3. It contains the libraries that the executable requires to be loaded (dll).
  4. It contains information that specifies where the execution begins.

PE Header Structure

Header Name
MZ Header/DOS Header
DOS Stub
PE File Header (Signature)
Image Optional Header
Sections Table
Sections

PE Sections

Section Name Function
.code / .text Executable code
.data Stores Data (R/W)
.rdata Stores Data (Read Only)
.idata Stores The Import Table
.edata Stores Export Data
.rsrc Stores Resources (Strings, icons)