Jump to content

Talk:Portable Executable

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia

Position-independent code

[edit]

PE does support position-independent code, it's just that no compiler or linker does. Interix executables compiled with GCC are position-independent PEs —Preceding unsigned comment added by 151.48.66.164 (talk) 22:48, 21 November 2008 (UTC)[reply]

Errors

[edit]

Much of this is inaccurate. The .NET CLR is NOT 'added after the PE/COFF headers' nor does the CLR itself contain the mscoree!_CorExeMain or mscoree!_CorDllMain reference. The CLR header, defined as IMAGE_COR20_HEADER, is referenced through a data directory (#14) in the PE/COFF header. This data directory points to the virtual address and size of the CLR header.

The normal PE/COFF IMPORT table contains the mscoree!_Cor*Main reference. The entry point has a single jmp far instruction into the IAT table entry for this single import.

The IMAGE_COR20_HEADER is used by the CLR when it is loaded into the process space through a .NET aware operating system (WindowsXP+) or through the mscoree!CorExeMain or mscoree!CoreDllMain APIs.

So I gather three things are wrong:
1)The CLR header and data sections are not placed at some memory address after the PE/COFF header section.
2)The reference to CorExeMain and mscoree are not in the CLR header or data sections, but instead the import table
3)The CLR header is referenced/loaded by the CLR, not by the loader directly.
I've made changes accordingly. Thanks for the corrections.
Vector4F 21:49, 20 November 2005 (UTC)[reply]
[edit]

The "PE File Format Diagram" is broken, I don't know the right link... FYI Gil_mo 07:25, 15 July 2007 (UTC)[reply]

"portable" refers to the format's portability across all 32-bit

[edit]

(and by extension 64-bit) Windows operating systems.

That is to say, all 16 bit and 32-bit and 64-bit Windows and DOS operating systems? 150.101.166.15 02:21, 20 July 2007 (UTC)[reply]
No. That is to say, all 32-bit and 64-bit Windows operating systems. Guy Harris 08:21, 20 July 2007 (UTC)[reply]
No, the format was designed to be portable to DOS operating systems. There were two (rare) uses for the DOS compatibility, and one common use. The common use was to include a stub that displayed "This program requires Windows" or words to that effect. The less common uses were to include a stub that restarted the program in a Windows system, or to include a separate DOS copy of the program in the same file. The format also supports and is compatible with 16 bit windows, as it was designed to be, but I never heard of anyone using it for that purpose.
Since the body of the article clearly discusses this, and the specification clearly discusses this, can we change the leading sentence? 150.101.166.15 (talk) 03:21, 22 November 2007 (UTC)[reply]
The specification also clearly says, in the abstract, "This specification describes the structure of executable (image) files and object files under the Microsoft® Windows® family of operating systems." and the article clearly says "The format has retained limited legacy support to bridge the gap between DOS-based and NT systems." Neither of these speak of it as a format intended for use on DOS or 16-bit Windows; the format happens to begin with a header in the format of an MS-DOS executable, but there's nothing in the article or the PE specification to indicate that there was any intent that MS-DOS should be able to execute the code in the PE sections of the file just as 32-bit and 64-bit Windows can. Guy Harris (talk) 09:13, 22 November 2007 (UTC)[reply]
It "happens" to begin with a legacy format specifically so that it will be portable to legacy systems. It really looks like you are grasping at straws here!150.101.166.15 02:54, 4 December 2007 (UTC)[reply]
"Portable to legacy systems" in what sense? The legacy systems don't interpret the part that's new, so the only reason to run a PE binary on a legacy system, rather than just running an MZ binary, is to use PE as a fat binary format, with a single file containing both an old DOS binary and a new 32-bit or 64-bit Windows binary. The code in the PE portion of the binary will not be executed on DOS, so it's not as if PE adds anything for DOS-only binaries.
As such, you're stretching rather a lot to try to speak of it as being portable to DOS or 16-bit Windows, or to change the first sentence to speak of it as a file format used on DOS or 16-bit Windows - yes, if you try to run a PE file on DOS or 16-bit Windows, it'll run the MZ binary at the beginning, but if you try to run a file consisting of, for example, an MZ binary followed by a copy of the US Constitution in ASCII, it'll run the MZ binary at the beginning of that file, too. I.e., DOS doesn't explicitly support PE - it explicitly supports MZ, and, as PE files look like MZ if you ignore stuff past the size specified in the MZ header, that means it also runs the stub portion of PE binaries. Guy Harris 03:30, 4 December 2007 (UTC)[reply]
Or, to put it another way, DOS can't execute PE binaries. It can, however, execute MZ binaries with extra cruft stuck at the end; that's what a PE binary is to DOS. Saying it's used in DOS and 16-bit Windows is thus misleading; the only part that's used is the part that was there before PE was invented. Guy Harris 04:25, 4 December 2007 (UTC)[reply]
Yes, that's what Portable means. The Executable format is Portable to DOS etc. No, having a Portable Executable Format does not magically change BSD programs into Linux programs: There is a fairly clear distinction between having portable programs and having a portable executable format. Of course, having a portable executable format is a pre-requisite for having portable executables, which is why MS designed a PEF that was portable to DOS as well as Windows. 150.101.166.15 (talk) 01:38, 20 December 2007 (UTC)[reply]
[edit]

I didn't see any advantages of "yoda's LordPE Deluxe" and "PE Explorer" over "CFF Explorer" tool listed under "Related tools" section. The first one provides very limited set of features and the second one looks like advertisement. Hstab 02:52, 7 August 2007 (UTC)[reply]

Okay I look over it again and it's probably to much, "PE Explorer" looks nice + is actually the most useless of the three others. ...and it's commercial - so let's drop it!
I know LordPE is old and the initial mask let you edit only selected values in the PE-header, but if you go more in the deep like exploring directories, it show you also 'exotic' structures as TLS, DelayImport, LoadConfig - you normally don't find in the rest of the PE-Editors. Together with the dumper(that also come along the Imagesize mod and Virtualprotect trick as Armadillo uses) it's in my eyes still the best 'all-rounder'.
"CFF Explorer" is great addition to LordPE and may depending on what you're doing/trying to do a better choice.
That 'PEview' is more educational - but I find it fits good for that purpose. It show you the structures in a clean and simple way while showing the offsets and underlaying Hexdata.
A console app like PEDump as also it's advantages if you like to use its output as input for an other program like windiff (examdiff or other differ).
And maybe we should keep that online PE-Viewer, because you can use without installing. ... and kick out the rest.
@Hstab: Okay I see wikipedia is not meant to be a software collection. However regarding this subject some well selected links to free PE-Tools as great addition to make that article more practical and 'living'.
What are the reason/ya experiences, that makes you to be that strictly against this?

Djamana (talk) 03:51, 26 April 2009 (UTC)[reply]

Poor Quality!Needs Improving Badly!

[edit]

This article is poorly written! anyone explain PE format more clearly? Visame (talk) 18:42, 4 May 2008 (UTC)[reply]

Universal Binary?

[edit]

What's the difference between Portable Executable and Universal Binary? If I've understood it right Portable Executable is single binary file which has built in binary code for several different architectures while Universal Binary is more like a container for different binaries for different architectures. Is that correct or are both the one and same thing? --Dekonega (talk) 13:23, 10 November 2009 (UTC)[reply]

Universal binary refers to a Mach-O file that contains compiled code for PowerPC and Intel architectures. A common compiler flag used in Mac OS X is 32_64_universal which compiles an application as 32 and 64-bit for both PowerPC and Intel (the resulting executable ending up with instructions for 4 architectures). Dread Lord CyberSkull ✎☠ 09:33, 29 December 2011 (UTC)[reply]

Xbox use a similar format?

[edit]

I've been reading up on the likelihood that the Xbox console used a somewhat-modified form of the Portable Executable format for its .xbe executable files. Can anyone substantiate this supposition? Did the format translate over the to the Xbox 360? If either answer is affirmative, should those pieces of information be included in the article?—WhosAsking (talk) 18:40, 13 June 2010 (UTC)[reply]

Was PE proprietary at first?

[edit]

Was PE specification open from the start or was it reverse-engineered and published post factum? 93.175.21.184 (talk) 16:15, 13 January 2011 (UTC)[reply]

http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile2.html

The Windows NT™ version 3.1 operating system introduces a new executable file format called the Portable Executable (PE) file format. The Portable Executable File Format specification, though rather vague, has been made available to the public and is included on the Microsoft Developer Network CD (Specs and Strategy, Specifications, Windows NT File Format Specifications). Yet this specification alone does not provide enough information to make it easy, or even reasonable, for developers to understand the PE file format.

The first decent material on the subject was a famous MSDN Magazine article by Matt Pietrek in 1994. — Vano 23:57, 16 July 2013 (UTC)[reply]

Multiple binaries?

[edit]

Does PE support multiple binaries like Mach-O does? It is not clear from the article whether it does or not. Dread Lord CyberSkull ✎☠ 09:34, 29 December 2011 (UTC)[reply]

No A PE executable is a DOS Executable with extra DATA unlike universal MAC binaries where you have an archive which contain other executable archive: See Below. 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 22:42, 16 July 2013 (UTC)[reply]

HISTORY section and efi citation

[edit]

It should be mentioned that PE was originally developed by IBM and that the DOS executable was not as Stub message.

It was similar to Universal Binary. There was two executable for two different platform at same time. They both do the same thing. The latest know example is the windows 98SE installer. there are the same pictures with DOS and windows. OS/2 had no graphic interface in the beginning.

There is two formats on DOS: the first one is .com. It is an unformatted one. You can even boot on it if put one in a Boor sector. The second is .EXE. It is an archive which contain several files and allow relocatable sections. A PE executable is A DOS EXE with certain instructions for stopping the program before the beginning of the other. When windows explorer see a PE header with an icons it opens the archive go into a special folder an extract an .ico file then it display it. It is just for saying PE headers are archive based. It is an neglected aspect. Someone who read the article won't understand it.

When times goes by, DOS usage was decreasing. It didn't worth to develop application for DOS. It is at this time DOS executables started to be STUb message.

When DOS was dropped, they were implementations problems (ex:mingw): it is impossible to have a PE header without a working DOS .exe format. So compiler still continue to generate Stub message. It is the failure of forced compatibility. A normal situation in another case (Other OS) would make the new executable don't work at all. On DOS running a DLL would normaly crash the system. Most people think Stub message were designed for 9x users. But it WRONG because it is no longer the case. It is caused by a design issue


I didn't find a efi file available directly for download. I think it is that should be used for the source. 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 22:39, 16 July 2013 (UTC)[reply]

You're confusing it with DOS MZ executable. Btw, there was New Executable in between too. A note about a full-fledged DOS program is worth noting, I've added it. — Vano 22:58, 16 July 2013 (UTC)[reply]
I couldn't find any sources about PE format usage in OS/2 - they only talk about Linear Executables. So i'm removing that statement as plain confusion unless you find a reliable source saying otherwise. — Vano 23:39, 16 July 2013 (UTC)[reply]
I couldn"t find any source too but if you download ecomstation CD you'll see that every executable have a PE header. OS/2 was released before windows. Everybody who used OS/2 before windows know it is IBM that developed the nt kernel. Also don't forget first OS/2 (including 2.0) didn't use 32 bits and had their own type. 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 23:58, 16 July 2013 (UTC) Do not invisibly edit old or replied messages - this distorts the discussion history. Make changes clearly visible and timestamped (like this) or write a new message. — Vano 12:10, 18 July 2013 (UTC)[reply]
OS/2 was jointly developed by IBM and Microsoft, see Microsoft#1984.E2.80.9394:_Windows_and_Office. eComStation, regardless of formats, looks like an OS/2 spin-off rather that the original IBM's product. Whether its use of PE format deserves mentioning in .exe depends of how notable that OS is. — Vano 00:27, 17 July 2013 (UTC)[reply]
I found this. 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 22:17, 17 July 2013 (UTC)[reply]
Pretty surprising. I didn't know there was (and more so, STILL was: check out the VS version) a publicly supported way to attach MS-DOS executables. — Vano 22:48, 17 July 2013 (UTC)[reply]
Not surprising at all: It is the same with number of MS products: you have parts of very old code that is not obsoleted (absent article on a Software development process part) and removed. The web documentation is probably automatically generated by their build systems. It says that it is limited to win32, but it work on every executable having a PE header (They talk of Vxd whereas 2012 version no longer alow building Vxd). Sure, it still exist because nobody think to remove it. What if it is not a bug  : It is designed in the case a developper want anticipating this kind of user idea:


I have a new computer. UEFI is super: there are applications files. After playing my games, I want to boot another OS without leaving DOS for rebooting. I'm taking my 64 bits EFI file (since there is 16 bit-code in 64 bits programs). I'm renaming the extension to exe and try to see if there is the dos version included. Let's check...
Cooooooooooooooooool it work !!!!!!!!!!!!! 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 00:38, 18 July 2013 (UTC)[reply]
I'm glad for you but please refrain from drifting off topic too much. Article talk pages in Wikipedia are supposed to support writing the article, general discussions are only good as long as they facilitate that goal. Specifically:
  • your MSDN link is good to support the "can be a full MS-DOS app" clause
  • the fact that PE is the format for EFI executables is already present (a link to a section of UEFI standard is desirable though). A working DOS version of the loader as the MZ stub may be a part of the UEFI standard, Microsoft's implementation detail or just your luck with this particular loader. Please check this out if you want to add this fact to the article. — Vano 11:43, 18 July 2013 (UTC)[reply]
I had already read EFI in article before writing this. This was just for joking on the choice of PE for EFI instead of another format. It shouldn't be on an article talk page, I won't do it again.
I recognize the process of citing source is difficult considering the method to check: first Buy VS 2012 or download 2013 preview version. Install it. Create a simple EFI application and link it with the appropriate /SUBSYSTEM switch. Link it with another DOS program. You can download one on FreeDos. If you want to create your own DOS application, I suggest OpenWatcom.
I'll never write in encyclopaedic style, so I'll never make major edit on a wikipedia article. 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 23:41, 18 July 2013 (UTC)[reply]
"Never say 'never'". Whatever. I looked through MSDN and UEFI specification as well as google. They both seem to ignore the MZ stub altogether - neither UEFI's LoadImage fn or EFI-related compiler info mention anything as do independent resources. So it seems to be you luck with this particular image or MS's undocumented feature (or, more likely, practice) that no one expressed much interest in so far. — Vano 18:45, 28 July 2013 (UTC)[reply]
Yes the MZ header is ignored in both case. Again what I was saying it that the stub message in the header is a regular DOS-Mz application which can be extracted by removing PE only content. It is kind of "Hello-World" written in assembly. This is because whatever it contains the MZ need to have DOS code. It doesn't matter if the code don't work or is invalid or if it is large. It just need to be present to be ignored.
It is no luck with a particular loader. It is implementation detail. PE loaders need a regular dos-mz as a header. You can't have a working executable without DOS-MZ . Since there is DOS code needed, the best program is a stub message. That Stub message could be replaced by other DOS executable. There something you can do with an hex editor: remove the DOS-MZ part; record the file. then append it to a true DOS-MZ executable. You'll still have two executable in one file but the DOS executable would be the app of your choice.
For a DOS operating system, you can append any data at the end of the file. You can even append a small mp3, it will not be "read" and not loaded in ram.
This all what you need to understand: In reality what it is called "Stub message" in Specs is a regular MZ application which can be replaced. More details here 2A02:8422:1191:6E00:56E6:FCFF:FEDB:2BBA (talk) 21:22, 31 August 2013 (UTC)[reply]

DataDirectory error in diagram depicting EXE file headers

[edit]

This graphic https://upload.wikimedia.org/wikipedia/commons/7/70/Portable_Executable_32_bit_Structure_in_SVG.svg was so well done and professional looking, that I'd assumed that whoever made it really knew what they were talking about and had done their research. Apparently though, at least on one part of it, they had not. That part is the DataDirectory part. There are only 15 entries in it in the diagram in question. However there are actually supposed to be 16 entries in it, with the last one always blank (filled with 0x00 bytes). I was depending on this diagram for the specs of the PE format, and was using the info shown in this diagram in designing a piece of software I was making. I was trusting that diagram because it looked so well done, that I was assuming it was correct. But it wasn't, as have explained. I found that it was wrong, because my program always was failing to correctly extract data correctly from an EXE file. The section headers (which is what my program was designed to extract) are supposed to start immediately after the DataDirectory, but because your diagram that I was using for my info showed that directory to only have 15 entries, my program was always starting 8 bytes too soon when extracting section headers. I couldn't figure out why, but eventually I decided to scour the net, to see if maybe, just maybe, there was an error in this diagram. It turns out that indeed there is an error in it. It shows the DataDirectory holding only 15 entries, when in fact it should be 16 entries, just with the last entry always empty. After fixing this error, my program worked perfectly.

I don't know how to edit SVG graphics or how to upload any files to Wikipedia. If I did, I'd correct this error myself. So can somebody please fix this? I don't want any other programmers out there to be looking at this diagram, depending on the info it presents when writing their program, and end up getting their program wrong, and then have to go and waste an hour debugging their program like I did, to fix an error that never should have been there to start with. Benhut1 (talk) 05:42, 10 January 2016 (UTC)[reply]


Ok, I finally ended up figuring out how to edit SVG files, and fixed the diagram myself. The new image on this Wiki article is now my edited version of the image. The direct link to the new image is: https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg Benhut1 (talk) 18:54, 1 September 2016 (UTC)[reply]

[edit]

Reference number 3: "Microsoft Portable Executable and Common Object File Format Specification, Microsoft Corporation, Revision 6.0 - February 1999" points to https://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/pecoff.doc which is invalid. — Preceding unsigned comment added by 131.91.169.98 (talk) 18:41, 11 May 2017 (UTC)[reply]

Done The dead link in reference 3 was replaced by the new link (https://www.microsoft.com/en-us/download/details.aspx?id=19509). Luis150902 (talk | contribs) 21:26, 13 June 2017 (UTC)[reply]

Merge PE infection with this article and/or Malware

[edit]

Propose merging PE infection with this article and/or Malware: PE infection is a stub with only two sentences and one reference, that can be merged with this article and/or Malware. Luis150902 (talk | contribs) 20:51, 13 June 2017 (UTC)[reply]

PE Infection has been merged into the Malware page. After review of the Portable Executable page, there is no way to fluidly incorporate the concept of PE Infection into the page because at no point does the article discuss security concerns of any kind. --Baumergrl (talk) 01:21, 22 October 2017 (UTC)[reply]

[edit]

Two references that point into oblivion, but I found alternatives An In-Depth Look into the Win32 Portable Executable File Format, Part 1 An In-Depth Look into the Win32 Portable Executable File Format, Part 2 --Dan Oom (talk) 20:45, 28 February 2019 (UTC)[reply]

1234567892011

[edit]

Я хочу чыты чтобы убит читеров 95.87.67.126 (talk) 10:58, 15 September 2024 (UTC)[reply]