Helium Hex Editor Documentation: Portable Executable (PE)

Portable Executable (PE)

   - PE View
      - PE Structs
      - PE Sections
      - PE Exports
      - PE Imports
      - PE Resource
   - PE Search
   - PE Header Compare
   - PE Export Table Compare
   - PE Import Table Compare

PE View

PE Parsing can be done for file or memory
- For file, the PE start address is 0,
- For memory the PE start address is the base address of module (exe,dll,ocx,...) also called module handle

PE Structs

The PE structs view display all PE information into a tree view.
In the hexadecimal part, the selected structure is hilighted in purpule and the selected field in yellow.
In the tree part some checking are done on required values (like PE magic numbers, header checksum, ...). The checking result is displayed for field : you will get on success green highlights, and on failure red hilights
This view give you access in raw mode to different PE header content:
   - Export Table
   - Import Table
   - Resource Table
   - Exception Table with unwind opcode decoding (x64)
   - Security Table
   - Relocation Table
   - Debug Directory
   - Thread Local Storage (TLS) table
   - Load Configuration Table with Safe Exeption Handlers (SEH) and Control Flow Guard (CFG) parsing
   - Bound Import Table
   - Import Adress Table (IAT)
   - Delay Import Table
   - Sections

The following screenshots are there to help you to find where the information is located

Raw Export Table (Decoded Export Table is available in the "PE Exports" tab)

Raw Import Table (Decoded Import Table is available in the "PE Imports" tab)

ExceptionTable Parsing and Unwind Decoding (x64)

Control Flow Guard (CFG)

Safe Exception Handlers (SEH) (x86)

PE Sections

PE Sections

PE Sections Dialog allows you to quickly identify section, and convert addresses (raw, relative or virtual)

Color code is the following:
In green sections with executable or code flag
In blue sections with writable flag
In yellow sections with uninitialize data

The section containing the entry point has the specific icon

From this dialog, you can add, edit or remove section(s)
You can also apply an offset to section(s)

The "Unused Raw Size" is the space in raw section which is not used, but must be there for section alignment. That means it can be used to add extra data

Toolbar

	Reparse PE and refresh sections
	Disasm the full section content
	Check PE header sums according to the sections caracteristics and if sections do not overlapp
	Add section and update PE header sums (available only if document is not in read only mode)
	Edit section and update PE header sums (available only if document is not in read only mode)
	Remove section and update PE header sums (available only if document is not in read only mode)
	Apply offset to section (available only if document is not in read only mode)

PE Exports

Exports are availables in 2 ways:
- Decoded with the "PE Exports" tab. This is the easy and fast way to view export table of dll, or search for exported functions.
- Raw with the "PE Structs" tab, under "IMAGE_NT_HEADERS" / "OptionalHeader" / "ExportTable". It should be used only if you want to access structures defining the export table, or do some manual patching of the export table
For more information on the different structures of the raw mode, please refer to the Microsoft PE format specification
Notice: When exported symbol is a variable (not a function) the line background is purple

Decoded PE Exports

PE Imports

Imports are availables in 2 ways:
- Decoded with the "PE Imports" tab. This is the easy and fast way to view import table of dll, or search for imported functions.
- Raw with the "PE Structs" tab, under "IMAGE_NT_HEADERS" / "OptionalHeader" in 4 sections: "ImportTable", "BoundImportTable", "ImportAddressTable", and "DelayLoadImportTable". It should be used only if you want to access structures defining the export table, or do some manual patching of the export table
For more information on the different structures of the raw mode, please refer to the Microsoft PE format specification

Decoded PE Imports

PE Resource

PE Resource are availables in 2 ways:
- Decoded with the "Reource" tab
- Raw with the "PE Structs" tab, under "IMAGE_NT_HEADERS" / "OptionalHeader" / "ReourceTable"
For more information on the raw mode, please refer to the Microsoft PE format specification

This tab allows you to extract all resources and rebuild .rc, .h and message table files

Toolbar

	Jump to PE Struct view. Notice : you directly jump to the corresponding item (no time lost to expand scroll and find matching item)
	Extract the selected resource
	Extract all resources and rebuild .rc, .h and message table files

Decoded PE Resource

resource in PE Structs

PE Search

If you are looking for specific PE caracteristics inside a directory, PE search is for you
Select the wanted caracteristics, specify files extensions you are looking for, and press the "Search" button.
Multiple action can be done on result with a right click button.

PE Header Compare

PE header compare allows to compare header of 2 PE.
You can quickly see the differences.
In the screenshot we can quickly identify that we have one 32 bits and one 64 bits binaries, and that the number of sections differ

PE Export Table Compare

PE export table compare allows to see the differences of exports of 2 DLL versions.
Expanding items permit to compare Ordinal, Hint and RVA

PE Import Table Compare

PE import table compare allows to see the differences of imports of 2 EXE/DLL versions.
Expanding items permit to compare Ordinal and Hint of imported functions