Portable Executable

Not to be confused with Portable application or Windows Preinstallation Environment.

Filename extension: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp, .mun
Internet media type: application/vnd.microsoft.portable-executable
Developed by: Currently: Microsoft
Type of format: Binary, executable, object, shared libraries
Extended from: DOS MZ executable, COFF

The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems, and in UEFI environments. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), MUI and other file types. The Unified Extensible Firmware Interface (UEFI) specification states that PE is the standard executable format in EFI environments.

On Windows NT operating systems, PE currently supports the IA-32, x86-64 (AMD64/Intel 64), IA-64, ARM and ARM64 instruction set architectures (ISAs). Prior to Windows 2000, Windows NT (and thus PE) supported the MIPS, Alpha, and PowerPC ISAs. Because PE is used on Windows CE, it continues to support several variants of the MIPS, ARM (including Thumb), and SuperH ISAs.

Analogous formats to PE are ELF (used in Linux and most other versions of Unix) and Mach-O (used in macOS and iOS).

History

Microsoft migrated to the PE format from the 16-bit NE formats with the introduction of the Windows NT 3.1 operating system. All later versions of Windows, including Windows 95/98/ME and the Win32s addition to Windows 3.1x, support the file structure. The format has retained limited legacy support to bridge the gap between DOS-based and NT systems. For example, PE/COFF headers still include a DOS executable program, which is by default a DOS stub that displays a message like "This program cannot be run in DOS mode" (or similar), though it can be a full-fledged DOS version of the program (a later notable case being the Windows 98 SE installer). Microsoft's linker has a /STUB switch to attach one. This constitutes a form of fat binary.

PE also continues to serve the changing Windows platform. Some extensions include the .NET PE format, a version with 64-bit address space support called PE32+, and a specification for Windows CE.

Whether the executable code is 32- or 64-bit can be found by checking the Machine field in the IMAGE_FILE_HEADER. Whether addresses in the executable are 32- or 64-bit can be found by checking the Magic field in the IMAGE_OPTIONAL_HEADER. 10B₁₆ indicates a PE32 file, whereas 20B₁₆ indicates a PE32+ file.

Technical details

Layout

Figure: Structure of a Portable Executable 32 bit

A PE file consists of a number of headers and sections that inform a dynamic linker about how to map the file into memory. An executable image consists of several different regions, each of which requires different memory protection; so the start of each section must be aligned to a page boundary. For instance, typically the .text section (which holds program code) is mapped as execute/read-only, and the .data section (holding global variables) is mapped as no-execute/read write. However, to avoid wasting space, the different sections are not page aligned on disk. Part of the job of the dynamic linker is to map each section to memory individually and assign the correct permissions to the resulting regions, according to the instructions found in the headers.

Import table

One section of note is the import address table (IAT), which is used as a lookup table when the application is calling a function in a different module. It can be in the form of both import by ordinal and import by name. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots, so that they point to the memory locations of the corresponding library functions. Though this adds an extra jump over the cost of an intra-module call resulting in a performance penalty, it provides a key benefit: The number of memory pages that need to be copy-on-write changed by the loader is minimized, saving memory and disk I/O time. If the compiler knows ahead of time that a call will be inter-module (via a dllimport attribute) it can produce more optimized code that simply results in an indirect call opcode.

Relocations

This section needs to be updated. The reason given is: Use of ASLR and the trickery used to dodge the resulting problems. (October 2017)

PE files normally do not contain position-independent code. Instead they are compiled to a preferred base address, and all addresses emitted by the compiler/linker are fixed ahead of time. If a PE file cannot be loaded at its preferred address (because it's already taken by something else), the operating system will rebase it. This involves recalculating every absolute address and modifying the code to use the new values. The loader does this by comparing the preferred and actual load addresses, and calculating a delta value. This is then added to the preferred address to come up with the new address of the memory location. Base relocations are stored in a list and added, as needed, to an existing memory location. The resulting code is now private to the process and no longer shareable, so many of the memory saving benefits of DLLs are lost in this scenario. It also slows down loading of the module significantly. For this reason rebasing is to be avoided wherever possible, and the DLLs shipped by Microsoft have base addresses pre-computed so as not to overlap. In the no rebase case PE therefore has the advantage of very efficient code, but in the presence of rebasing the memory usage hit can be expensive. This contrasts with ELF where fully position-independent code is usually preferred to load-time relocation, thus trading off execution time in favor of lower memory usage.

.NET, metadata, and the PE format

In a .NET executable, the PE code section contains a stub that invokes the CLR virtual machine startup entry, _CorExeMain or _CorDllMain in mscoree.dll, much like it was in Visual Basic executables. The virtual machine then makes use of .NET metadata present, the root of which, IMAGE_COR20_HEADER (also called "CLR header") is pointed to by IMAGE_DIRECTORY_ENTRY_COMHEADER (the entry was previously used for COM+ metadata in COM+ applications, hence the name) entry in the PE header's data directory. IMAGE_COR20_HEADER strongly resembles PE's optional header, essentially playing its role for the CLR loader.

The CLR-related data, including the root structure itself, is typically contained in the common code section, .text. It is composed of a few directories: metadata, embedded resources, strong names and a few for native-code interoperability. Metadata directory is a set of tables that list all the distinct .NET entities in the assembly, including types, methods, fields, constants, events, as well as references between them and to other assemblies.

Use on other operating systems

The PE format is also used by ReactOS, as ReactOS is intended to be binary-compatible with Windows. It has also historically been used by a number of other operating systems, including SkyOS and BeOS R3. However, both SkyOS and BeOS eventually moved to ELF.

As the Mono development platform intends to be binary compatible with the Microsoft .NET Framework, it uses the same PE format as the Microsoft implementation. The same goes for Microsoft's own cross-platform .NET Core.

On x86(-64) Unix-like operating systems, Windows binaries (in PE format) can be executed with Wine. The HX DOS Extender also uses the PE format for native DOS 32-bit binaries, plus it can, to some degree, execute existing Windows binaries in DOS, thus acting like an equivalent of Wine for DOS.

Mac OS X 10.5 has the ability to load and parse PE files, but is not binary compatible with Windows.

UEFI and EFI firmware use Portable Executable files as well as the Windows ABI x64 calling convention for applications.

External links

PE Format (latest online document)
Tool Interface Standard (TIS) Formats Specifications for Windows Version 1.0 (Intel Order Number 241597, TIS Committee, Feb 1993)
Portable Executable Format (Micheal J. O'Leary, Microsoft Developer Support)
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. Matt Pietrek, Microsoft Systems Journal, March 1994
An In-Depth Look into the Win32 Portable Executable File Format. Matt Pietrek, MSDN Magazine. Part I, February 2002; Part II, March 2002
The .NET File Format by Daniel Pistelli
Ero Carrera's blog describing the PE header and how to walk through
PE Internals provides an easy way to learn the Portable Executable File Format
PE Explorer
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.