Portable Executable File Format (PE)
Structure of a Portable Executable (source : http://www.csn.ul.ie/) The MS-DOS header occupies the first 64 bytes of the PE file. A structure representing its content is described below: Offset (hex) Meaning 00-01 0x4d , 0x5a. This is the "magic number" of an EXE file. The first byte of the file is 0x4d and the second is 0x5a . 02-03 The number of bytes in the last block of the program that are actually used. If this value is zero, that means the entire last block is used (i.e. the effective value is 512). 04-05 Number of blocks in the file that are part of the EXE file. If [02-03] is non-zero, only that much of the last block is used. 06-07 Number of relocation entries stored after the header. May be zero. 08-09 Number of paragraphs in the header. The program's data begins just after the header, and this field can be used to calculate the appropriate file offset. The header includes the relocation entries. Note th...