Windows Portable Executable aka (PE)

Windows operating system is the most popular one in the world. It was first produced in November 1985 under the direction of Bill Gates, founder and CEO of Microsoft. Initially, this operating system received commands and gave results using a command line interface. However, today it allows you to interact with your computer by using a Graphical User Interface (GUI). There are colorful icons to help you open files and programs.

Windows Portable Executable

The Windows operating system has been adapted for use in smartphones too. Every operating system has its own unique executable file, which is essentially a mirror of the capabilities of the respective operating system. Here is more about the Windows portable executable file.

What is this file?

The Windows portable executable (PE) file is a source of information about how the Windows operating system normally functions. This file format was designed by Microsoft for its x86 and x64 Windows operating systems and is used for object code, DLLs, executables, FON files and core dumps. The PE file is essentially a data structure: it contains the information the Windows OS loader uses to manage the wrapped executable code.

The parts of a Windows PE file

This file contains two main sections. They include:

• Header

• Section

Header

This section is divided into sub-sections. They include the DOS MZ Header, DOS Stub, PE File Header and the Image_Optional_Header.

The DOS MZ Header occupies the first 64 bytes of every Windows PE file. This is so that the underlying MS-DOS system can recognize this file and run it. This header sub-section is also used quite often by malware analysis tools.

The DOS Stub is another sub-section, which normally prints a message indicating the status of the PE file, for example “This program does not execute in DOS mode.” The instructions that the DOS Stub should print are stored in the winstub.exe operating system file.

The PE File Header contains information about the structure of the file, including its location and size. This header is essentially what drives memory mapping.

Section

This is the main part of the Windows portable executable file and holds its main content: the data, resources, code and executable files. A Windows application normally has 9 parts: .idata, .pdata, .bss, .rdata, .rsrc, .edata, .text, .data and .debug. The Section part of the PE file interacts with these parts, and it may work with all or just some of them when the application is executed.
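To make the walk from the DOS MZ header through the PE file header to the section table concrete, here is a small parser added for this page (it is not code from the original post and uses only the Python standard library). It reads the e_lfanew field of the DOS header, checks the PE signature, decodes the COFF file header and the optional header magic, and lists every section with its file offset, size and execute/write flags, bounds-checking each step. The image it parses is constructed inline and is not a runnable program; SAMPLE_STUB is a placeholder standing in for the real DOS stub, and the field layouts follow the PE/COFF specification.

```python
import json
import struct

# Layouts from the PE/COFF specification (all fields little-endian)
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
COFF_FMT = "<HHIIIHH"           # IMAGE_FILE_HEADER: 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER: 40 bytes
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Walk DOS MZ header -> DOS stub -> PE signature -> COFF header ->
    optional header magic -> section table, bounds-checking every step so a
    truncated or malformed file raises instead of reading past the buffer."""
    if len(data) < 64 or data[:2] != DOS_MAGIC:
        raise ValueError("no MZ signature in the first 64 bytes")
    # e_lfanew (DOS header offset 0x3C) is the file offset of the PE signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 64 or e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    if coff_off + 20 > len(data):
        raise ValueError("COFF header truncated")
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = 0
    if opt_size >= 2 and opt_off + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]   # 0x10B = PE32, 0x20B = PE32+
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr, _rl, _ln, _nrl, _nln, flags = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_offset": rawptr,
            "raw_size": rawsize,
            # raw data that lies past end-of-file is a sign of a damaged or deliberately odd file
            "raw_in_file": rawptr + rawsize <= len(data),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "machine": machine,
        "format": OPTIONAL_MAGIC.get(magic, "unknown"),
        "dos_stub_len": e_lfanew - 64,
        "num_sections": nsections,
        "sections": sections,
    }


SAMPLE_STUB = b"DOS stub placeholder$"   # constructed stand-in for the real DOS stub


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for demonstration only: it has the
    header layout the parser walks but is not a runnable program."""
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    e_lfanew = 64 + len(SAMPLE_STUB)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: i386 (0x14C), 2 sections, 224-byte PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    text = struct.pack(SECTION_FMT, b".text", 0x1C0, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + SAMPLE_STUB + PE_SIGNATURE + coff + bytes(opt) + text + data).ljust(0x200, b"\0")
    text_raw = bytes(range(256)) * 2   # 0x200 bytes of constructed filler standing in for code
    data_raw = bytes(0x200)            # 0x200 zeroed bytes standing in for initialised data
    return headers + text_raw + data_raw


if __name__ == "__main__":
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Running the script on a real file is a matter of passing `open(path, "rb").read()` to `parse_pe`. The two per-section flags are where an analyst looks first: a section that is both writable and executable, or whose raw data extends past the end of the file, is unusual for compiler-produced binaries and worth a closer look.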

Conclusion

The Windows portable executable is an important part of the operating system. It can be considered part of firmware. It is important that you do not edit or delete it, as this can cause adverse effects across your entire system. The file is portable because you can use it in compatible operating system versions.

Examples of these are Windows 95, Windows NT, Windows 2000, Windows XP, Windows Vista and more. The Windows portable executable is one of the unique characteristics of this operating system: it exhibits the characteristics of Windows and sets it apart from other operating systems in the world of Information Technology (IT).

The MZ Header

MZ, at times noted as ZM, is the magic number of the .exe file extension; it supports the binary executable formats and was extended by the new, linear and portable executable formats. The initials MZ (or ZM) refer to the name of Mark Zbikowski, who put them into the original MS-DOS executable format. The signature was needed to distinguish these .EXE files from other, much simpler formats such as .COM and the DOS formats.

The file can be easily identified by the ASCII string MZ at the beginning of the file. Compared with the executable COM format, the MZ header is newer and differs in that it contains relocation information, which allows multiple segments to be loaded at memory addresses and supports executable files slightly larger than 64 KiB. The only disadvantage of the MZ header is its small memory limits, which can apparently be bypassed by using DOS extenders.

MZ executables also run directly on DOS and on the Windows 9x operating systems. Other 32-bit versions of Windows can execute them as well, using the built-in virtual DOS machine, although some graphical modes may not be supported. 64-bit versions of Windows, on the other hand, cannot execute MZ executables; DOSBox, Wine and DOSEMU are alternative ways of running them.

Moreover, every PE file is considered to contain a 16-bit DOS program, which is why the file starts with the .EXE header. In the past, when people used Microsoft Windows 1.x, 2.x and 3.x, those systems not only existed in similar volumes to MS-DOS but also ran on top of an MS-DOS operating system. As a matter of fact, users were quite likely to find themselves trying to run some Windows programs under DOS.

Microsoft's programmers therefore had to ensure that every Windows program carried a 16-bit DOS program at the front of the executable, able to alert users whenever they tried to run a Windows program under DOS. This is not as useful these days as it was back then, when users and the world as a whole were moving from DOS to the systems and files that came after it. Notably, back then it was not easy to find a program that actually bound a DOS version and a Win32 version together in one single binary.

Additionally, the MZ header is commonly kept for backward compatibility. It is also considered best to run a program on a Win32 system rather than on the others. Note that the MZ signature is also used by the MS-DOS relocatable 16-bit EXE format.
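As an added example (not code from the original post), the following parser reads the 16-bit fields of the MZ header that this section describes: the page and byte counts that size the load module, the relocation table that makes multi-segment loading possible, and the e_lfarlc/e_lfanew check that tells a plain DOS executable apart from one carrying a newer format (NE, LE, LX or PE) behind the MZ header. Both sample headers are constructed inline; field names follow the MS-DOS EXE header layout, and the values in the PE-style sample are typical of what a linker's DOS stub carries.

```python
import struct

# First 28 bytes of the MZ header, 14 little-endian words:
# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
# e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
DOS_HEADER_FMT = "<14H"
NEW_EXE_SIGNATURES = {b"PE\0\0": "PE", b"NE": "NE", b"LE": "LE", b"LX": "LX"}


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header, its relocation table and, where the header is
    long enough to hold e_lfanew, any new-format signature it points to."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
     e_ss, e_sp, _csum, e_ip, e_cs, e_lfarlc, _ovno) = struct.unpack_from(DOS_HEADER_FMT, data, 0)
    header_size = e_cparhdr * 16                       # header length is given in 16-byte paragraphs
    # e_cp counts 512-byte pages; e_cblp is the bytes used in the last page (0 = full page)
    image_size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    load_module_size = image_size - header_size
    relocations = []
    for i in range(e_crlc):
        off = e_lfarlc + 4 * i
        if off + 4 > len(data):
            raise ValueError("relocation table truncated")
        offset, segment = struct.unpack_from("<HH", data, off)
        relocations.append((segment, offset))         # segment:offset of a word patched at load time
    new_format = None
    # A relocation table at or past 0x40 leaves room for e_lfanew at 0x3C, the
    # hook the later formats use to hang their own header behind the DOS one.
    if e_lfarlc >= 0x40 and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        for sig, fmt_name in NEW_EXE_SIGNATURES.items():
            if data[e_lfanew:e_lfanew + len(sig)] == sig:
                new_format = fmt_name
                break
    return {
        "header_size": header_size,
        "load_module_size": load_module_size,
        "exceeds_64k": load_module_size > 0x10000,
        "entry": (e_cs, e_ip),
        "initial_stack": (e_ss, e_sp),
        "min_extra_paragraphs": e_minalloc,
        "max_extra_paragraphs": e_maxalloc,
        "relocations": relocations,
        "new_format": new_format,
    }


def build_sample_dos_exe() -> bytes:
    """Constructed plain DOS executable: 64-byte header, two relocation
    entries at 0x1C and a 32-byte load module of zero bytes (not real code)."""
    hdr = bytearray(64)
    struct.pack_into(DOS_HEADER_FMT, hdr, 0,
                     0x5A4D, 96, 1, 2, 4, 0x10, 0xFFFF, 0, 0x100, 0, 0, 0, 0x1C, 0)
    struct.pack_into("<HHHH", hdr, 0x1C, 0x0003, 0x0000, 0x000A, 0x0000)  # (offset, segment) pairs
    return bytes(hdr) + bytes(32)


def build_sample_pe_stub() -> bytes:
    """Constructed MZ header of the kind found in front of a PE: e_lfarlc is
    0x40 and e_lfanew points at a PE signature right after the 64-byte header."""
    hdr = bytearray(64)
    struct.pack_into(DOS_HEADER_FMT, hdr, 0,
                     0x5A4D, 0x90, 3, 0, 4, 0, 0xFFFF, 0, 0xB8, 0, 0, 0, 0x40, 0)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + bytes(20)   # signature plus a zeroed COFF header placeholder


if __name__ == "__main__":
    for label, blob in (("plain DOS exe", build_sample_dos_exe()), ("PE-style stub", build_sample_pe_stub())):
        print(label, parse_mz(blob))
```

The e_lfarlc test is the standard way loaders decide whether to look at e_lfanew at all: a DOS-era header with its relocation table starting below 0x40 has no room for the field, so whatever sits at 0x3C is relocation data rather than a pointer. The parser also refuses a header whose relocation count runs past the end of the file rather than reading garbage, which is the failure mode a hand-crafted or truncated file triggers.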

What is file entropy?

In general terms, entropy is a measurement of particular data expressed in digital values. Similarly, file entropy represents the data sets in a specific file: the phrase is used to measure the amount of data present in a selected file. If you have some files and want to calculate their entropy value, it is very simple once you know the method and calculation process of file entropy. If you are unfamiliar with what entropy means and how to calculate an entropy value for particular files, refer to the details below, which explain what entropy is and how it helps calculate the exact value of the given data.

How it works

In simple and exact terms, entropy is defined as a measurement of unpredictability or information content. The definition varies with the sector or platform that uses the entropy value, but every kind of entropy measurement concerns only information in digital format. File entropy is usually expressed with different formulas depending on the form of the selected data. The equation used by Shannon is the simple form for calculating the entropy value of the data sets in a particular file; it measures randomness, computed from the number of the given data sets.

The result of the Shannon equation is generally represented between zero and eight, so the entropy value of a particular file is expressed as a value from 0 to 8. The result is either near 0, near 8, or somewhere in between, and it is concluded from the given data sets. For example, if the measured value is closer to zero, the given data set is non-random or orderly; if it is closer to eight, the data set is random or disorderly. This is the basic concept of file entropy calculation based on the Shannon equation.

Uses of entropy measurement

Entropy calculation is applicable for different purposes, but it is mainly used to detect encrypted data and compressed files, because random data is not similar to normal user data. For this purpose users apply file entropy to calculate the value of data that is in a non-uniform format. Because random data is inconvenient compared with typical user data, executable files are generally encrypted with a synchronized decryption algorithm, so that users can access the data volumes easily and find the entropy values of those files efficiently.

File entropy is also used in the field of malware protection, during malware analysis. All kinds of security tools run checks on a file to extract information from it and determine whether it is malware or a legitimate file. For a malware file, entropy is a useful method to quickly check whether the file has been packed with one of the packer programs, and it is also a good method to check whether the file has been encrypted with one of the encryption algorithms.
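As an added example written for this page (not code from the original post), here is the Shannon entropy calculation the preceding sections describe, on the 0 to 8 bits-per-byte scale, together with a windowed profile that locates a packed or encrypted region inside a larger file, which is the check the malware-analysis paragraph refers to. The classification thresholds (7.0 and 2.0) are assumptions chosen for illustration, not figures from the page, and the sample file is constructed inline from zero padding, ASCII text and seeded pseudo-random bytes.

```python
import math
import random
from collections import Counter

# Assumed thresholds for illustration only; the page gives no figures.
HIGH_ENTROPY = 7.0   # bits per byte: compressed, packed or encrypted data lands here
LOW_ENTROPY = 2.0    # bits per byte: padding, tables and other repetitive data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when one byte value repeats,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy_bits: float) -> str:
    """Map an entropy value onto the orderly / typical / random scale."""
    if entropy_bits >= HIGH_ENTROPY:
        return "high"
    if entropy_bits < LOW_ENTROPY:
        return "low"
    return "medium"


def entropy_profile(data: bytes, window: int = 512):
    """(offset, entropy) for each fixed-size window; a packed or encrypted
    region shows up as a run of high values in the middle of a plain file."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 512):
    """Offsets of the windows whose entropy reaches the packed/encrypted threshold."""
    return [off for off, e in entropy_profile(data, window) if e >= HIGH_ENTROPY]


def build_sample_file() -> bytes:
    """Constructed sample: 1 KiB of zero padding, 1 KiB of ASCII text and
    2 KiB of seeded pseudo-random bytes standing in for an encrypted blob."""
    padding = bytes(1024)
    text = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]
    rng = random.Random(20240101)                    # fixed seed keeps the sample reproducible
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return padding + text + blob


if __name__ == "__main__":
    sample = build_sample_file()
    whole = shannon_entropy(sample)
    print("whole file: %.3f bits/byte (%s)" % (whole, classify(whole)))
    for off, e in entropy_profile(sample):
        print("offset 0x%04x: %.3f %s" % (off, e, classify(e)))
```

On a real PE the same function is normally run per section, using the section table's raw offset and size, since a packer typically leaves the headers and a small unpacking stub at normal entropy and concentrates the random-looking bytes in one section. Keep the window at a few hundred bytes or more: the plug-in estimate is biased low for small samples, so a short window of genuinely random data scores well below 8, and the threshold is a heuristic rather than a proof of encryption.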
