As some may know, .exe stands for executable. This extension has been set forth and used by Microsoft from its release of Windows NT onwards. The .exe in Windows is also known by other names, such as Portable Executable (PE) file, PECOFF file, and WIN-PE file; the reason for this will become obvious soon.
An executable file in the Windows world is more than just a bunch of lines of code. The executable file must tell Windows how it would like to be placed ("mapped") in memory, how big those chunks of memory should be, whether there are any functions it needs to import from other programs or libraries, whether it has any functions to export itself, where code execution starts, whether it's compatible with your version of Windows, and so on. For this reason, explaining the .exe is quite the endeavor, but it's not impossible.
Terminology time:
The PECOFF/PE/WIN PE format, which we'll call PE from now on, is a combination of two different formats (I'd argue it's an extension rather than a combination, but I'll let the system architects argue that). The PE of PECOFF stands for "Portable Executable", portable in the sense of being independent of the system architecture. While at the time of writing this article the PE format has yet to see wide adoption outside of Windows, it is completely possible to implement it on other operating systems. An example of this is ReactOS, an operating system with an emphasis on Windows compatibility, which has its own PE loader. The COFF of PECOFF stands for "Common Object File Format", which is used to describe how objects in the image will be allocated and referenced.
As with any standardized format, there are rules and bounds which must be respected for it to function properly. These rules and standards are documented by Microsoft here: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format. In this post we will not be breaking down the specification (that'll come later).
When you double-click an executable, explorer.exe, the program that handles some of the GUI aspects of your Windows OS, makes a call to the kernel32 function "CreateProcess"; this function in turn calls a more hidden and direct API, "NtCreateProcess", located in ntdll.dll, which is part of the PE loader. Running executables from the command prompt or a shell does the same. This can all be observed with tools such as Sysinternals Procmon.
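To make concrete what the loader reads from those headers (mapping, entry point, imports and exports, target Windows version), here is an added example, not code from this post, that parses the DOS header, PE signature, COFF header, optional header, data directories and section table of a PE image. It builds its own constructed, minimal PE32+ image as sample input and refuses inputs a loader would reject, such as a missing signature or an entry point outside every section.

```python
import struct

PE32, PE32PLUS = 0x10B, 0x20B

def parse_pe(data: bytes) -> dict:
    """Read the headers a Windows loader needs before mapping an image; raise on anything a loader would reject."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or out-of-bounds PE signature")
    coff = e_lfanew + 4                                           # IMAGE_FILE_HEADER follows the signature
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32PLUS):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    plus = magic == PE32PLUS
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint (RVA)
    image_base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    os_version = struct.unpack_from("<HH", data, opt + 40)        # Major/MinorOperatingSystemVersion
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]       # GUI, console, driver, ...
    nrva = min(struct.unpack_from("<I", data, opt + (108 if plus else 92))[0], 16)
    dirs = struct.unpack_from("<%dI" % (2 * nrva), data, opt + (112 if plus else 96))
    sections = []
    for i in range(nsec):                                         # section table follows the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": sflags})
    if not any(s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]) for s in sections):
        raise ValueError("entry point 0x%x is outside every section" % entry)
    return {"machine": machine, "is_dll": bool(chars & 0x2000), "pe32plus": plus,
            "entry": entry, "image_base": image_base, "subsystem": subsystem,
            "os_version": os_version, "exports": dirs[0:2], "imports": dirs[2:4],
            "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a compiled binary): one .text section holding the entry point."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS)
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                  # ImageBase
    struct.pack_into("<HH", opt, 40, 6, 0)                        # requires Windows 6.0+
    struct.pack_into("<H", opt, 68, 3)                            # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, 0x2000, 0x28)               # import directory (index 1)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)   # x64, 1 section, EXECUTABLE_IMAGE
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + text
```

Running `parse_pe(open("some.exe", "rb").read())` on a real image prints the same fields Procmon-style tooling and the loader act on; the sample image exists only so the block runs offline.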