Generated by GPT-5-mini

| PE/COFF | |
|---|---|
| Name | PE/COFF |
| Extension | .exe, .dll, .sys, .obj |
| Owner | Microsoft, Intel |
| Introduced | 1993 |
| Full name | Portable Executable/Common Object File Format |
| Type | Executable, object, shared library |
PE/COFF
PE/COFF is a binary executable and object file format used on Microsoft Windows, originating from adaptations of the Common Object File Format and designed to interoperate with Intel-architecture toolchains and linkers. It underpins loading and linking on platforms influenced by Windows NT, supports dynamic linking with dynamic-link libraries, and is recognized by toolchains from the GNU Project, Microsoft Visual Studio, the Intel Compiler and LLVM. Implementations and tooling around the format intersect with projects and products such as Wine, ReactOS, System Center and the Windows Driver Kit, and with numerous debuggers such as WinDbg, GDB and the Visual Studio Debugger.
PE/COFF combines concepts from the Common Object File Format and Portable Executable specifications to define how executables, DLLs and object files are laid out for loaders such as the Windows Loader on the x86, x86-64, ARM and ARM64 architectures. The format encodes metadata used by linkers such as Microsoft Linker and GNU ld, and by dynamic loaders involving kernel-mode subsystems and user-mode runtime components, including Windows API libraries such as Kernel32.dll, Ntdll.dll and Advapi32.dll. It supports features introduced in operating system releases such as Windows NT 3.1, Windows 2000, Windows XP and later, and interacts with security features such as Data Execution Prevention and Address Space Layout Randomization.
A PE/COFF file begins with legacy headers adapted to coexist with MS-DOS stub programs and transitions into format-specific headers that describe the machine, timestamp, and entry points consumed by bootstrapping components such as ntoskrnl.exe and by user-mode loaders. The format embeds structures analogous to those in ELF, used on the Linux kernel and BSD systems, but maps to Windows runtime expectations found in the Win32 API, COM runtime registration and .NET Framework hosting scenarios. Toolchains from GCC, Clang, Microsoft Visual C++, and Borland produce compatible layouts for diverse platforms and targets.
Key headers include a DOS-style MZ header, the PE signature, a COFF File Header, and an Optional Header containing fields for entry point, image base, and subsystem selection, found in executables such as explorer.exe and libraries such as user32.dll. The Data Directory table enumerates the addresses of structures such as the Import Address Table and of runtime support data such as the exception-handling tables used by Microsoft Visual C++ and Clang-generated binaries. Linkers, and analyzers such as IDA Pro, Cutter, PE Explorer and Radare2, parse these headers to support reverse engineering, packaging, and deployment tasks tied to product ecosystems like Microsoft Office and Internet Explorer.
Section headers describe discrete regions such as code (.text), data (.data), read-only data (.rdata), resources (.rsrc), and relocation (.reloc), akin to segments in Unix-style executables seen in glibc-linked programs. Sections are manipulated by linkers including gold, LLD, and Microsoft Linker and are mapped by loaders into virtual memory with protections that interact with subsystems like Structured Exception Handling and kernel components such as the Windows NT Executive services. Resources managed in the .rsrc section tie into frameworks like Windows Shell and installer technologies including Windows Installer.
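The header walk and section mapping described above, as an added example (not code from the original page or from any toolchain it names): a minimal Python parser that follows the DOS header to the PE signature, reads the COFF File Header and Optional Header, and reports the ASLR and DEP flags plus any section marked both writable and executable. The image returned by `build_sample()` and the section name `.rwx` are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100         # DllCharacteristics bits: ASLR, DEP
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # section Characteristics bits
SECTION = "<8sIIIIIIHHI"                         # one 40-byte section header

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF File Header -> Optional Header -> sections."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing DOS MZ header")
        (pe,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of the PE signature
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
        opt = pe + 24                                 # Optional Header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):               # PE32 / PE32+
            raise ValueError("unknown Optional Header magic")
        (entry,) = struct.unpack_from("<I", data, opt + 16)
        fmt, off = ("<Q", 24) if magic == 0x20B else ("<I", 28)
        (image_base,) = struct.unpack_from(fmt, data, opt + off)
        subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
        sections = []
        for i in range(nsect):                        # table starts right after the Optional Header
            f = struct.unpack_from(SECTION, data, opt + opt_size + 40 * i)
            sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[9]))
    except struct.error as exc:
        raise ValueError(f"truncated image: {exc}") from None
    wx = [n for n, _, c in sections if c & MEM_EXECUTE and c & MEM_WRITE]
    return {"machine": MACHINES.get(machine, hex(machine)), "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem,
            "aslr": bool(dll_chars & DYNAMIC_BASE), "dep": bool(dll_chars & NX_COMPAT),
            "sections": [n for n, _, _ in sections], "writable_executable": wx}

def build_sample() -> bytes:
    """Constructed header-only PE32+ image: ASLR and DEP flags set, one section both W and X."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x0022)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    struct.pack_into("<HH", opt, 68, 3, DYNAMIC_BASE | NX_COMPAT)
    text = struct.pack(SECTION, b".text", 0x200, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
    rwx = struct.pack(SECTION, b".rwx", 0x200, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + rwx
```

Calling `parse_pe(build_sample())` returns the parsed fields as a dictionary; a file cut off inside any header raises `ValueError` instead of returning partial data.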
Relocation entries and relocation tables allow base-address-independent images to be rebased by the loader, a process leveraged by mechanisms such as ASLR and by installers like InstallShield. Import and export tables resolve symbol addresses for DLLs such as Advapi32.dll, Gdi32.dll, and User32.dll, while delayed-loading and dynamic linking are coordinated by runtime components including LoadLibrary and GetProcAddress. Link-time optimizations and linkers from Microsoft Visual C++, Intel and LLVM influence relocation patterns and symbol resolution visible in build systems like MSBuild and CMake-driven projects.
Debug formats integrated or referenced by PE/COFF include COFF symbol tables, CodeView debug information produced by Microsoft Program Database (PDB) writers in Visual Studio, and auxiliary formats consumed by debuggers such as WinDbg, Visual Studio Debugger, GDB, and LLDB. Symbols and frame unwind data are used by postmortem tools like Windows Error Reporting and crash dump analyzers, and by reverse-engineering suites like Binary Ninja and IDA Pro to reconstruct call graphs for binaries from vendors including Adobe Systems, Oracle Corporation and SAP SE.
Variants of the format accommodate architectures like x86-64 used in Intel Xeon and AMD Ryzen systems, ARM64 for platforms like Surface Pro X and server designs from Qualcomm, and legacy IA-64 deployments. Cross-platform compatibility is addressed by compatibility layers and projects such as Wine and ReactOS, and by virtualization stacks including VirtualBox, Hyper-V, and VMware ESXi, which must interpret or translate PE/COFF structures for guest or host environments. Commercial toolchains from Microsoft, Intel, and ARM Limited and open-source projects like the GNU Project and LLVM implement readers, writers, and optimizers for the format across operating systems and processor families.