Before the dominance of Windows NT (which evolved into modern Windows 10 and 11), the DOS era used the MZ format (named after Mark Zbikowski). As Windows evolved, the need for a more robust format arose. Microsoft adopted the Unix COFF (Common Object File Format) specification and adapted it to create the PE format.
This article breaks down the technical identity of a common string returned by the Unix-like file command when inspecting Windows programs.

Anatomy of the Executable Format

pe32 executable -console- x86-64 for ms windows
| Format | Machine | Subsystem examples |
|--------|---------|--------------------|
| PE32+ (x64) | AMD64 | Windows CUI / GUI / EFI |
| PE32 (x86) | x86 | Windows console / GUI |
| PE32+ (ARM64) | ARM64 | Windows on ARM |
| ELF x64 | x86-64 | Linux console |
| Mach-O x64 | x86-64 | macOS terminal app |
0x20B: magic number (PE32+)

The e_lfanew field (at offset 0x3C) points to the NT headers. The Optional Header starts at NT headers + 0x18. Check the 16-bit magic value at that offset: 0x10B = PE32, 0x20B = PE32+.
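The header walk described above, as an added Python example that is not code from the original article. It goes slightly beyond the text by also reading the Machine field (NT headers + 4) and the Subsystem field (Optional Header + 68), and the function names and the constructed sample header are assumptions made for illustration. The magic is read as a 16-bit little-endian value (0x10B for PE32, 0x20B for PE32+).

```python
import struct

MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINE = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEM = {2: "GUI", 3: "console", 10: "EFI application"}
OPT_OFFSET = 0x18        # Optional Header start, relative to the NT headers
SUBSYSTEM_OFFSET = 68    # Subsystem field, same offset for PE32 and PE32+


def classify_pe(data: bytes) -> str:
    """Return 'FORMAT (SUBSYSTEM) MACHINE'; raise ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + OPT_OFFSET
    # e_lfanew comes from the file itself: bounds-check before dereferencing it.
    if opt + SUBSYSTEM_OFFSET + 2 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in MAGIC:
        raise ValueError(f"unexpected optional header magic 0x{magic:03X}")
    (subsystem,) = struct.unpack_from("<H", data, opt + SUBSYSTEM_OFFSET)
    machine_name = MACHINE.get(machine, f"machine 0x{machine:04X}")
    subsystem_name = SUBSYSTEM.get(subsystem, f"subsystem {subsystem}")
    return f"{MAGIC[magic]} ({subsystem_name}) {machine_name}"


def build_sample(magic: int, machine: int, subsystem: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed header-only sample (not a loadable image) for the demo."""
    buf = bytearray(e_lfanew + OPT_OFFSET + SUBSYSTEM_OFFSET + 2)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    struct.pack_into("<H", buf, e_lfanew + OPT_OFFSET, magic)
    struct.pack_into("<H", buf, e_lfanew + OPT_OFFSET + SUBSYSTEM_OFFSET, subsystem)
    return bytes(buf)


if __name__ == "__main__":
    print(classify_pe(build_sample(0x20B, 0x8664, 3)))
    print(classify_pe(build_sample(0x10B, 0x014C, 2)))
```
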