Usman

Reputation: 2890

What field of the PE headers tells whether a file is a valid PE file or not?

I need to validate whether a given binary is a PE file or not (e.g. if I rename JS/HTML or .class files to .exe or .dll, they still won't be PE files). Parsing PE files would give me info about this problem; what field indicates whether a given binary is a valid PE file or not?

I have checked the "e_magic" field of the FileHeader; it always gets populated in the case of wrong PE files (i.e. js/html/java/class files renamed to .dll/.exe) and doesn't say anything about the validity of the PE.

Upvotes: 3

Views: 5253

Answers (3)

Billy ONeal

Reputation: 106530

Check the Portable Executable/Common Object File Format Specification. There are three magic values for you to check:

  • The MZ header's magic number at the beginning of the file
  • The PE header's magic number "PE\0\0" at the start of the PE header
  • The version identifier for the optional header; IIRC, it's 0x10b for PE files and 0x20b for PE+ (x64) files.

Beyond that, you'd have to parse the entire file and look at every processor instruction to ensure it's valid, etc. Several of the files use the COFF spec internally, and you might not have an easy way to distinguish that. PE's format itself was designed with multiple machines, and many different forms of compiled code can be contained while keeping the file valid.

Upvotes: 5

Oleg

Reputation: 221997

One way is to use the GetBinaryType function (see http://msdn.microsoft.com/en-us/library/aa364819.aspx) or SHGetFileInfo with SHGFI_EXETYPE.

Upvotes: 1

GSerg

Reputation: 78135

If such a field existed, it'd be too easy to create an invalid exe and mark it as valid on purpose.

You verify that a file is a PE file by reading the PE header and checking the values of all fields (the values should belong to valid ranges, should not point outside the file, etc.).

Upvotes: 6
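An added example (not code from any of the answers above) that combines the three magic values Billy ONeal lists with the bounds checking GSerg describes: every offset is validated against the buffer length before it is dereferenced, so a renamed HTML or .class file, or an MZ stub with an e_lfanew pointing past the end of the file, is rejected with a reason. The sample header bytes are constructed inline and are not a loadable executable.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" as a little-endian DWORD
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}

def validate_pe(data: bytes):
    """Return (ok, detail). ok is True only when all three magic values are
    present and every offset used on the way stays inside the buffer."""
    if len(data) < 64:
        return False, "shorter than IMAGE_DOS_HEADER"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    # Bounds check before dereferencing: signature (4) + file header (20) + optional magic (2)
    if e_lfanew < 64 or e_lfanew + 26 > len(data):
        return False, "e_lfanew points outside the file"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature"
    # SizeOfOptionalHeader sits at offset 16 of IMAGE_FILE_HEADER
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    if size_opt < 2 or e_lfanew + 24 + size_opt > len(data):
        return False, "optional header does not fit in the file"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in OPTIONAL_MAGICS:
        return False, "unknown optional header magic 0x%x" % magic
    return True, OPTIONAL_MAGICS[magic]

def build_sample_pe(opt_magic=0x10B):
    """Constructed, header-only sample image for testing; it is not loadable."""
    e_lfanew = 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at offset 60
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", opt_magic) + b"\0" * 222
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    samples = {
        "pe32": build_sample_pe(),
        "pe32+": build_sample_pe(0x20B),
        "html renamed to .exe": b"<html><body>hi</body></html>" + b"\0" * 64,
        "java .class renamed to .dll": b"\xca\xfe\xba\xbe" + b"\0" * 100,
        "MZ stub with wild e_lfanew": b"MZ" + b"\0" * 58 + b"\xff\xff\xff\xff",
    }
    for name, blob in samples.items():
        print(name, validate_pe(blob))
```

These checks only establish that the headers are structurally a PE; as the answers note, a file that passes them can still be broken or malicious, so treat this as a cheap filter in front of a full parser, not as proof of validity.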
