PE Executable Format
What is PE Executable Format?
PE Executable Format: Portable Executable, the Windows binary file format used by .exe, .dll, .sys, and .ocx files and derived from the older COFF object format.
PE (Portable Executable) is the binary format used by Windows for executables (.exe), dynamic libraries (.dll), kernel drivers (.sys), and other native artifacts. A PE file starts with an MS-DOS stub, then a PE signature, COFF header, optional header, section table, and sections such as .text, .rdata, .data, .rsrc, and .reloc. It also carries Import and Export Address Tables, Authenticode signatures, and metadata used by Windows mitigations like ASLR, DEP, CFG, and CET. Reverse engineers, EDR products, and threat hunters parse PE structures to detect packers, sideloaded DLLs, suspicious imports, signature anomalies, and code-injection patterns.
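The header walk described above, as an added example that is not part of the original page: it follows the DOS header to the PE signature, COFF header, optional header and section table, then reports the ASLR/DEP/CFG bits in DllCharacteristics and any section mapped both writable and executable. The names `parse_pe` and `build_sample` and the sample bytes are constructed for illustration; CET is recorded elsewhere in the file and is not checked here.

```python
import struct

# DllCharacteristics bits in the optional header (values from the PE/COFF spec).
MITIGATIONS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE (ASLR)",
               0x0100: "NX_COMPAT (DEP)", 0x4000: "GUARD_CF (CFG)"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MS-DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if opt_size < 72 or opt + opt_size + 40 * nsect > len(data):
        raise ValueError("truncated optional header or section table")
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    sections = []
    for i in range(nsect):  # each section table entry is 40 bytes
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "machine": machine,
        "mitigations": [n for bit, n in MITIGATIONS.items() if dll_chars & bit],
        "sections": [n for n, _ in sections],
        "rwx_sections": [n for n, f in sections
                         if f & SCN_MEM_EXECUTE and f & SCN_MEM_WRITE],
    }

def build_sample() -> bytes:
    """Constructed header-only PE32+ image (not a real binary) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)  # ASLR + DEP set, CFG absent
    sect = lambda n, f: struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, f)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sect(b".text", 0x60000020) + sect(b"UPX0", 0xE0000080))

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

A writable and executable section or a missing CFG bit is a triage signal, not a verdict; real files should also be bounds-checked against the data directories, which this header-only walk does not read.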
● Examples
- 01. Using pefile or CFF Explorer to inspect imports and Authenticode signatures of a suspicious .exe.
- 02. An attacker replacing a benign DLL on the application's search path to perform DLL sideloading against a signed PE.
● Frequently asked questions
What is PE Executable Format?
Portable Executable, the Windows binary file format used by .exe, .dll, .sys, and .ocx files and derived from the older COFF object format. It belongs to the Application Security category of cybersecurity.
How does PE Executable Format work?
PE (Portable Executable) is the binary format used by Windows for executables (.exe), dynamic libraries (.dll), kernel drivers (.sys), and other native artifacts. A PE file starts with an MS-DOS stub, then a PE signature, COFF header, optional header, section table, and sections such as .text, .rdata, .data, .rsrc, and .reloc. It also carries Import and Export Address Tables, Authenticode signatures, and metadata used by Windows mitigations like ASLR, DEP, CFG, and CET. Reverse engineers, EDR products, and threat hunters parse PE structures to detect packers, sideloaded DLLs, suspicious imports, signature anomalies, and code-injection patterns.
How do you defend against PE Executable Format?
Defences for PE Executable Format typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for PE Executable Format?
Common alternative names include: Portable Executable, PE/COFF.
● Related terms
- appsec № 373
ELF Binary Format
Executable and Linkable Format, the standard binary container for executables, object files, and shared libraries on Linux, BSD, and most System V Unix derivatives.
- appsec № 639
Mach-O
Mach-O is the native executable, object, and shared library format used by macOS, iOS, watchOS, and tvOS for binaries built with Apple's toolchain.
- attacks № 331
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- forensics-ir № 650
Malware Analysis
The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.
- forensics-ir № 926
Reverse Engineering
The process of disassembling and analyzing compiled software, firmware, or hardware to recover its design, behavior, and inner workings.