PE EXPLORER: HEADERS INFORMATION VIEWER
Viewing The EXE File Headers (File Header and Optional Header) Information
The Headers Info Viewer lets you reduce the numerous internal information sources of PE files into a more convenient viewing format. You can also save the header information to a text file.
When you first choose to explore an executable, PE Explorer shows you information about the headers of the file (COFF File Header and Optional Header), such as the number of code sections, the size of the image, the application subsystem, and the stack size information.
The File Header tells on which machine the binary is supposed to run, how many sections it contains, the time it was linked, whether it is an executable or a DLL, and so on. (The difference between an executable and a DLL in this context is that a DLL cannot be started on its own but only used by another binary, and a binary cannot link to an executable.)
The Optional Header is optional in the sense that some files (specifically, object files) do not have it. For image files, this header is required. It tells us more about how the binary should be loaded: the starting address, the amount of stack to reserve, the size of the data segment, and so on. In addition, it is important to validate the Optional Header's Magic number for PE32 format compatibility.
Entry Point Modification
The Entry Point value can be modified with automatic range checking. PE Explorer notifies you if the new value falls outside the permissible range and disables the button.
Characteristics are a collection of flags. The image characteristics value contains an OR of these flags. This is a way of informing the OS about certain aspects of the application. For instance, it can be used to tell the OS that the application is ready for and compatible with access to virtual memory addresses above the 2 GB boundary (bit 0x0020).
The Characteristics Editor helps you view or set flag bits in the PE file header Characteristics field:
PE File Checksum
You can compare the real checksum with the value reported by the PE header. If necessary, the checksum value in the header can be updated. Compilers usually do not fill this field, with the exception of NT drivers. We recommend using it when writing your own program to verify its own integrity at load time. It allows you to be relatively sure of the integrity of the code and to detect intentional, and even crafty, modifications to a file.
The file checksum is computed when the file is opened. Windows NT uses it for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that ends up in the server are checked. The checksum is supposed to prevent loading of damaged binaries that would crash anyway (a crashing driver would result in a BSOD, so it is better not to load it at all). That is, a checksum is intended to detect simple memory failures leading to corruption (whether a block of memory on disk has gone bad and the values stored there have become corrupted).
Some Microsoft system DLLs also use the linker checksum to count how many instances of a particular file are loaded. When the limit is reached, Windows NT will not load such marked files under any circumstances, regardless of admin status and so on. Usually no error is reported either; nothing happens after executing a program dependent on one of these libraries. An example is the common control library, which has a limit of 32 instances.
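As an added illustration of the fields and checks described above (this is example code written for this page, not PE Explorer's own code), the Python below walks the DOS header, PE signature, File Header and Optional Header of an image, validates the Optional Header Magic, decodes the Characteristics bits named in the PE/COFF specification, computes the PE checksum with the widely documented algorithm (32-bit sum of every dword except the CheckSum field itself with end-around carry, folded to 16 bits, plus the file length), and performs a range-checked entry-point edit. The 1 KiB PE32 image it parses is constructed inline and is not a real program; the range rule for the entry point (the RVA must fall inside an executable section) is an assumption of this example, not necessarily the rule PE Explorer applies. One practical caveat: this checksum is an additive sum, not a cryptographic hash, so it reliably catches accidental corruption but anyone deliberately editing a file can simply recompute it.

```python
import struct

# Constants and layouts from the PE/COFF specification (real values).
DOS_MAGIC = b"MZ"
NT_MAGIC = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",   # the "above 2 GB" flag
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}


def parse_headers(data):
    """Walk MZ -> e_lfanew -> PE -> File Header -> Optional Header and return the
    fields a headers viewer shows. Raises ValueError on a malformed file."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_MAGIC:
        raise ValueError("PE signature not found at e_lfanew")
    fh_off = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):        # validate the Magic number
        raise ValueError("unexpected Optional Header magic 0x%X" % magic)
    # Field offsets below are the same for PE32 and PE32+ up to Subsystem;
    # SizeOfStackReserve widens from 4 to 8 bytes in PE32+.
    entry, = struct.unpack_from("<I", data, opt_off + 16)
    size_of_image, = struct.unpack_from("<I", data, opt_off + 56)
    checksum, = struct.unpack_from("<I", data, opt_off + 64)
    subsystem, = struct.unpack_from("<H", data, opt_off + 68)
    stack_reserve, = struct.unpack_from("<I" if magic == PE32_MAGIC else "<Q", data, opt_off + 72)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, sflags = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, rawsize), "flags": sflags})
    return {"machine": machine, "num_sections": nsec, "timestamp": stamp,
            "is_dll": bool(chars & 0x2000), "characteristics": chars,
            "flags": [n for bit, n in CHARACTERISTICS.items() if chars & bit],
            "magic": magic, "entry_point": entry, "size_of_image": size_of_image,
            "subsystem": subsystem, "stack_reserve": stack_reserve,
            "header_checksum": checksum, "opt_off": opt_off, "sections": sections}


def compute_checksum(data, opt_off):
    """PE checksum: sum every dword except the CheckSum field with end-around
    carry, fold to 16 bits, then add the file length."""
    skip = (opt_off + 64) // 4        # assumes a dword-aligned header, as real linkers emit
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, 4 * i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_checksum(data):
    """Return (header_value, computed_value, matches). A header value of 0 means
    the linker never filled the field, the usual case for user-mode binaries."""
    hdr = parse_headers(data)
    computed = compute_checksum(data, hdr["opt_off"])
    return hdr["header_checksum"], computed, hdr["header_checksum"] == computed


def update_checksum(data):
    """Return a copy of the file with the header CheckSum field set to the real value."""
    opt_off = parse_headers(data)["opt_off"]
    buf = bytearray(data)
    struct.pack_into("<I", buf, opt_off + 64, compute_checksum(data, opt_off))
    return bytes(buf)


def set_entry_point(data, rva):
    """Range-checked entry point edit (rule assumed for this example): the RVA must
    lie inside an executable section, otherwise the edit is refused."""
    hdr = parse_headers(data)
    if not any(s["va"] <= rva < s["va"] + s["size"] and s["flags"] & IMAGE_SCN_MEM_EXECUTE
               for s in hdr["sections"]):
        raise ValueError("entry point 0x%X is outside every executable section" % rva)
    buf = bytearray(data)
    struct.pack_into("<I", buf, hdr["opt_off"] + 16, rva)
    return bytes(buf)


def build_sample_pe():
    """Constructed 1 KiB PE32 image (not a real program): one .text section holding a
    single RET, CheckSum field left at 0 as most linkers leave it."""
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0x5F000000, 0, 0, 224, 0x0122)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, 0x200, 0, 3, 0x0140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                   # 16 empty data directories
    sect = struct.pack(SECTION_FMT, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + NT_MAGIC + file_hdr + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" + b"\0" * 0x1FF


if __name__ == "__main__":
    pe = build_sample_pe()
    print(parse_headers(pe))
    print("checksum (header, computed, match):", verify_checksum(pe))
    print("after update:", verify_checksum(update_checksum(pe)))
```

Run against a real executable by replacing build_sample_pe() with the file's bytes; the header value will be 0 for most user-mode binaries and non-zero for drivers and Microsoft system files, which is exactly the comparison the checksum view makes.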
See also DLL Export Viewer: Review of the information on entry points, numbers, names and calling syntax of exported functions.