Analyzing Structure of Executable Programs (.exe files)

Executable files contain code, a series of instructions, that the system executes. The Portable Executable (PE) format is a file format for executables in Microsoft Windows. It is used by Windows 95 and higher and by Windows NT 3.1 and higher. .exe is a common filename extension denoting an executable file. .exe files contain binary machine code that has been compiled from source code using compilers.

In Windows, executable files can be loaded at any location in RAM. The file ID tag of a .exe file is 4D 5A in hexadecimal notation: the file begins with the ASCII string “MZ”.

At a high level, a .exe file looks like a single file, but it actually has several parts. The common major parts of the .exe file are shown in figure 21. A PE file contains headers and sections. These headers and sections are inserted by compilers and may vary from compiler to compiler.

MS-DOS Header — 64 bytes long. The DOS header contains relocation information. This header belongs to the older MS-DOS system. Its purpose is to show an error message if the user runs a PE file in an MS-DOS environment (it has an MS-DOS stub that prints the message “This program cannot be run in DOS mode”). This is largely legacy now and is only included for historical purposes.

PE Header — When a .exe file is executed, the operating system loader reads data from this header and then loads the binary content from the file into RAM. The header starts with the PE signature (4 bytes). It records where the executable needs to be loaded into memory, the address where execution starts, the checksum, the supported machine/processor types, the size of the executable, and the list of libraries/functions/resources used. The PE header has a directory called the section table. The section table is an array of IMAGE_SECTION_HEADER structures, each of which contains information about one section. That information includes, but is not restricted to, the virtual size and the characteristic flags.

The PE header has another directory called the Data Directory. The data directory field (IMAGE_DATA_DIRECTORY array) indicates where to find the other important components of executable information in the file. A few important entries in this directory are the ExportTableAddress (table of exported functions), the ImportTableAddress (table of imported functions), the ResourcesTable (table of resources such as images embedded in the PE), and the ImportAddressTable (IAT), which stores the runtime addresses of the imported functions.

Sections — These are the most important sections of a .exe file.

.text/.code/CODE/TEXT — Contains executable code (machine instructions) that the CPU executes. Important in the disassembly process.

.textbss/TEXTBSS — Present if incremental linking is enabled.

.rdata — It contains constants and string literals (read-only data).

.data/DATA — Usually has READ/WRITE permissions and contains the initialized global and static variables and their values, which are accessible from anywhere in the program.

.bss/BSS — Contains uninitialized global and static variables for the program.

.rsrc — Contains resource data (images, icons, etc.). Strings can be stored here.

.debug — Debug information Section. 

.idata — Import data section. Stores the imported function information.

.edata — Export data Section. 

.reloc — Contains information for the relocation of library files.
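The layout described above (MZ signature, PE signature, section table of IMAGE_SECTION_HEADER entries) can be walked with a few `struct` reads. The following is an added example, not code from the original article: the function names, the constructed header-only sample (which has no optional header) and its `.odd` section are assumptions made for illustration.

```python
import struct

READ, WRITE, EXEC = 0x40000000, 0x80000000, 0x20000000  # IMAGE_SCN_MEM_* flags

def parse_pe(data):
    """Validate the MZ and PE signatures, then return (machine, sections)."""
    if len(data) < 64 or data[:2] != b"MZ":               # bytes 4D 5A
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # file offset of PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 20-byte file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, ...
    machine, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size       # section table follows the optional header
    sections = []
    for i in range(count):
        off = table + 40 * i               # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr, "flags": flags})
    return machine, sections

def perms(flags):
    """Render the memory-permission bits of a section as an rwx string."""
    return "".join(c if flags & bit else "-" for c, bit in (("r", READ), ("w", WRITE), ("x", EXEC)))

def writable_and_executable(sections):
    """Names of sections mapped both writable and executable (worth a closer look)."""
    return [s["name"] for s in sections if s["flags"] & WRITE and s["flags"] & EXEC]

def build_sample():
    """Constructed header-only image: DOS header, PE signature, file header, 3 sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> byte 64
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x0102)  # i386, no optional header
    def sec(name, vsize, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, flags)
    table = (sec(b".text", 0x1000, 0x1000, 0x60000020) + sec(b".data", 0x200, 0x2000, 0xC0000040)
             + sec(b".odd", 0x100, 0x3000, 0xE0000020))   # .odd is a made-up rwx section
    return bytes(dos) + b"PE\0\0" + coff + table

if __name__ == "__main__":
    machine, sections = parse_pe(build_sample())
    for s in sections:
        print(f"{s['name']:<8} va={s['virtual_address']:#x} {perms(s['flags'])}")
    print("writable+executable:", writable_and_executable(sections))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_pe` instead of the constructed sample.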

Conclusions

A .exe file has many parts. It is a package, not a single file, and each part has a different responsibility. Computer professionals need a proper understanding of .exe files.

