English English  Deutsch Deutsch

home  products  pe explorer  feature tour


Viewing The EXE File Headers (File Header and Optional Header) Information

The default view of the file's contents is called Headers Info Viewer, and here you can get information about the machine, the binary is supposed to run on, how many sections are in it, the time it was linked, whether it is an executable or a DLL, and more.

The Headers Info Viewer lets you reduce the numerous internal information sources of PE files into a more convenient viewing format. You can also save the header information to a text file.

PE Header ViewerWhen you first choose to explore an executable, PE Explorer shows you information about the headers of the file (COFF File Header and Optional Header), such as the number of code sections, the size of the image, the application subsystem, and the stack size information.

The File Header tells on which machine the binary is supposed to run, how many sections are in it, the time it was linked, whether it is an executable or a DLL and so on. (The difference between executable and DLL in this context is: a DLL can not be started but only be used by another binary, and a binary cannot link to an executable).

The Optional Header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. It tells us more about how the binary should be loaded: the starting address, the amount of stack to reserve, the size of the data segment etc. In addition, it is important to validate the Optional Header’s Magic number for PE32 format compatibility.

Entry Point Modification

The Entry Point value can be modified using automatic range checking. PE Explorer will notify you if the new value falls outside of the permissable range disabling the button.

Entry Point value modification

Characteristics Editor

Characteristics are a collection of flags. The image characteristics value contains an OR of these flags. This is a way of informing the OS about the certain aspects of the application. For instance, it can be used to tell the OS that the application is ready and compatible with getting access to virtual memory addresses above the 2 GB boundary (Bit 0x0020).

The Characteristics Editor helps you view or set flag bits in the PE file header Characteristics field:

Setting flag bits in the PE file header Characteristics field

All the flag values are OR'ed (each value is different, so the binary patterns just fall in place with respect to their respective position in order to resemble a composite binary pattern) to get the final value in hexadecimals in order to communicate to the Windows loader of the required values in the binary header field. Some values are of special importance for malware analysis: 0x2000 signifies that the file is a dynamic link library (DLL), and conversely, 0x0002 signifies that the file is an executable (no unresolved external references), which is an EXE file in this instance. 0x1000 would signify that the file is a system file, such as a driver (.sys). The remaining flags are also important, and they convey the validity of the executable to Windows, such as swap file usage if the file image is on removable media or the network, among others.

PE File Checksum

You can compare the real checksum to the value reported by the PE header. If necessary it is possible to update the value of the checksum in the header. Usually compilers do not fill this field, with the exception of NT-drivers. We recommend you use it in writing your own program to verify its own integrity at load time. It will allow you to be relatively sure in the integrity of the code and detect intentional, and even crafty modifications to a file.

The file checksum is computed at opening. It is used in Windows NT for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that ends up in the server are checked. The checksum is supposed to prevent loading of damaged binaries that would crash anyway (a crashing driver would result in a BSOD, so it is better not to load it at all). That is, a checksum is intended to detect simple memory failures leading to corruption (whether or not a block of memory on disk has gone bad and the values stored there have become corrupted). In general, any discrepancies result in discarding the particular instance.

Some Microsoft System DLLs also use the linker checksum to count how many instances of a particular file is loaded. When the limit is reached Windows NT will not under any circumstances load such marked files regardless of admin status etc. Usually no error is reported either just nothing happens after executing a program dependent on one of these libraries. Example is common control library with limit of 32 instances.

See also DLL Export Viewer: Review of the information on entry points, numbers, names and calling syntax of exported functions.

Feature Tour 
home | next 



PE Explorer

View Screenshots

Download a 30 day trial version of PE Explorer Buy the Full Version