Jonathan Smith
Reputation: 7
Can't find COFF file header in hex editor
In the offset "0x3c" (from win32 docs) is the location of the signature "PE\0\0" therefore the Machine type must be next to it.
However in the next 2 hex values (since it said size 2) "4C 01" didn't match in the win32 docs
Upvotes: 0
Views: 423
Answers (1)
IInspectable
Reputation: 51538
The IMAGE_FILE_HEADER follows the signature PE\0\0. The first WORD does in fact hold the target Machine. IMAGE_FILE_MACHINE_I386 has the value 0x014c (which is stored as 4C 01 in little-endian byte order). That coincides with your observations.
The hex dump indicates an image with x86 object code, and agrees with the informal PE Format specification.
Upvotes: 1
Related Questions
- Loading PE Headers
- PE Header Requirements
- Reading PE COFF Header and getting characteristics flag
- Names of PE directories
- Why I didn't get the "PE\0\0"?
- Why is my PE file invalid?
- Determine physical file address of directory RVA in PE file
- PE/COFF symbol type field
- PE/COFF file extensions
- the executed section