3 THE PE FORMAT: A BRIEF INTRODUCTION

Now that you know all about the ELF format, let’s take a brief look at another popular binary format: the Portable Executable (PE) format. Because PE is the main binary format used on Windows, being familiar with PE is useful for analyzing the Windows binaries common in malware analysis.

PE is a modified version of the Common Object File Format (COFF), which was also used on Unix-based systems before being replaced by ELF. For this historic reason, PE is sometimes also referred to as PE/COFF. Confusingly, the 64-bit version of PE is called PE32+. Because PE32+ has only minor differences compared to the original PE format, I’ll simply refer to it as “PE.”

In the following overview of the PE format, I’ll highlight ...
