The

A PE (Portable Executable) file is the format used by Windows programs (like .exe) to run. It's like a blueprint that tells Windows how to load and execute the program.

Basic Structure of a PE File

Headers – Technical info at the beginning of the file:
- DOS Header: A leftover from old MS-DOS days, still needed.
- PE Header: Says "Hey! I'm a Windows executable!"
- Optional Header: Not really optional! Includes the Entry Point (where the code starts), memory sizes, etc.
- Data Directories: Pointers to things like imported functions, exports, etc.
Sections Table – Describes all the parts of the program:
- .text: The actual program code (instructions).
- .data: Data used by the program.
- .rdata: Read-only data (like strings).
- .idata: Imported functions from DLLs (like MessageBoxA from user32.dll).
Sections (Contents of the executable):
- Code: The part that runs (machine instructions).
- Imports: The list of external functions the program uses.
- Data: Things like text or numbers the program shows or works with.

PE File Sections Explained:

Section

What's Inside?

Plain English Explanation

.text

Executable code

This is the brain of the program — it holds all the machine instructions that actually run.

.rdata

Read-only data

Contains constant strings, import tables, and other data that doesn't change while the program runs.

.data

Writable data

Stores variables that can change (like counters, buffers, flags, etc.).

.pdata

Exception data

Used for structured exception handling (SEH) — basically, helps the program deal with crashes or errors.

.rsrc

Resources

Contains icons, menus, dialogs, images, and even the "Hello World" message box text.

.reloc

Relocations

Allows the program to run at a different memory address if needed. It adjusts internal pointers to work correctly if moved.

To visualize PE information you can use

dumpbin.exe (From visual studio)

dumpbin /headers binarypath.exe

PE Bear (GUI)

Generating EXE vs DLL

EXE: A separate program that is loaded into memory as an independent process.
DLL: A Dynamic-Link Library is a PE module that is loaded into the memory space of another process, not independently.

How is a DLL loaded in a PE file (EXE)?

When an .exe file needs functions from a DLL, it can load it in two main ways:

Static Linking

Dynamic Linking

Defined in .idata section

Done manually with LoadLibrary()

The DLL is loaded automatically when the program starts.

The DLL is loaded manually during execution.

Fast and automatic

Flexible, used for plugins

How to obtain and run the imported function into a DLL

dumpbin /exports implant.dll
C:\Users\Mal-Dev\Desktop\RTO\01.Generate_PE\implantDLL>dumpbin /exports implant.dll
Microsoft (R) COFF/PE Dumper Version 14.16.27054.0
Copyright (C) Microsoft Corporation.  All rights reserved.

    ordinal hint RVA      name

          1    0 00001030 RunME

  Summary

        2000 .data
        1000 .gehcont
        1000 .gxfg
        1000 .pdata
        9000 .rdata
        1000 .reloc
        E000 .text
C:\Users\Mal-Dev\Desktop\RTO\01.Generate_PE\implantDLL> rundll32 implant.dll,RunME

PreviousAssembly Template Pack for Malware Development (32-bit x86 NASM)NextLabs

Last updated 25 days ago

dumpbin /exports implant.dll C:\Users\Mal-Dev\Desktop\RTO\01.Generate_PE\implantDLL>dumpbin /exports implant.dll Microsoft (R) COFF/PE Dumper Version 14.16.27054.0 Copyright (C) Microsoft Corporation. All rights reserved. ordinal hint RVA name 1 0 00001030 RunME Summary 2000 .data 1000 .gehcont 1000 .gxfg 1000 .pdata 9000 .rdata 1000 .reloc E000 .text C:\Users\Mal-Dev\Desktop\RTO\01.Generate_PE\implantDLL> rundll32 implant.dll,RunME