The File Header display shows the contents of the PE file File Header.
File Name
The name of the PE file. This is often blank.
PDB Name
The name of the corresponding PDB file. This is often blank.
File Signature
This can be many values, but for a PE file, will be the value "PE".
File Type
This can be one of three values:
•DLL. A loadable module.
•Executable. An executable program.
•System. A system file.
Machine Type
This can be one of many values, although we typically only expect "i386" and "x64".
Valid values are:
•Unknown
•i386
•x64
•MIPS R3000
•MIPS R4000
•MIPS R10000
•Alpha
•Power PC
•Hitatchi SH3
•Hitatchi SH4
•ARM
•MIPS WinCE v2
•Hitatchi SH3E
•Thumb
•IA64 (Merced/Itanium)
•MIPS 16
•MIPS FPU
•MIPS FPU 16
•ALPHA64
Timestamp
This is the time the PE file was created. This is often not set.
Num Symbols
The number of symbols embedded in the PE file.
Pointer to Symbols
Pointer to any symbols embedded in the PE file.
Sections
The number of different named sections in the PE file.
Size of optional header
The size of the optional header in the PE file.
Characteristics
A PE file can have many characteristics. The remainder of the File Header lists only the characteristics that have been set, one per line.
The following characteristics can be set. Many values can apply at the same time. Many of these characteristics are obsolete.
•Relocations stripped (image has been bound using bind.exe or similar)
•Executable File
•DLL
•System File
•UniProcessor systems only
•32 bit machine
•64 bit machine
•Line numbers stripped
•Local symbols stripped
•Debug info stripped (held in separate .DBG file)
•Aggressive working set trim
•Large address aware
•Machine is LSB precedes MSB
•Run from swap if image is on removable media
•Run from swap if image is on the network
•Machine is MSB precedes LSB
