While much of the data sits at varying positions, there are still many useful fixed and relative offsets that help when disassembling or examining PE files. Resources and the like are omitted; good tools exist to manipulate those (e.g. ResHacker). All offsets are hexadecimal. The optional-header and data-directory offsets below are for 32-bit (PE32, Magic 010Bh) images: PE32+ (Magic 020Bh) has no BaseOfData, widens ImageBase and the stack/heap sizes to 64 bits, has a 240-byte optional header, and so starts its data directory at 88h and its section table at 108h from the PE signature.

The DOS Header

  OFFSET  SIZE   NAME          EXPLANATION
  00      WORD   e_magic       Magic DOS signature MZ (4Dh 5Ah)
  02      WORD   e_cblp        Bytes on last page of file
  04      WORD   e_cp          Pages in file
  06      WORD   e_crlc        Relocations
  08      WORD   e_cparhdr     Size of header in paragraphs
  0A      WORD   e_minalloc    Minimum extra paragraphs needed
  0C      WORD   e_maxalloc    Maximum extra paragraphs needed
  0E      WORD   e_ss          Initial (relative) SS value
  10      WORD   e_sp          Initial SP value
  12      WORD   e_csum        Checksum
  14      WORD   e_ip          Initial IP value
  16      WORD   e_cs          Initial (relative) CS value
  18      WORD   e_lfarlc      File address of relocation table
  1A      WORD   e_ovno        Overlay number
  1C      WORD   e_res[4]      Reserved words
  24      WORD   e_oemid       OEM identifier (for e_oeminfo)
  26      WORD   e_oeminfo     OEM information; e_oemid specific
  28      WORD   e_res2[10]    Reserved words
  3C      DWORD  e_lfanew      Offset to start of PE header

The PE Header

Offsets shown are from the beginning of this section (the PE signature, found at the file offset held in e_lfanew).

  OFFSET  SIZE   NAME                         EXPLANATION
  00      DWORD  Signature                    PE signature PE\0\0 (50h 45h 00h 00h)
  04      WORD   Machine                      014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel Itanium (IA-64), 8664h = x64 (AMD64), 0162h = MIPS
  06      WORD   NumberOfSections             Number of sections
  08      DWORD  TimeDateStamp                Date and time the image was created by the linker
  0C      DWORD  PointerToSymbolTable         Zero, or file offset of the COFF symbol table in older files
  10      DWORD  NumberOfSymbols              Number of symbols in the COFF symbol table
  14      WORD   SizeOfOptionalHeader         Size of optional header in bytes (224 in a 32-bit exe)
  16      WORD   Characteristics              See Image Characteristics Flags below
  ********** START OF OPTIONAL HEADER **********
  18      WORD   Magic                        010Bh = 32-bit executable image, 020Bh = 64-bit executable image, 0107h = ROM image
  1A      BYTE   MajorLinkerVersion           Major version number of the linker
  1B      BYTE   MinorLinkerVersion           Minor version number of the linker
  1C      DWORD  SizeOfCode                   Size of the code section, or the sum if there are multiple code sections
  20      DWORD  SizeOfInitializedData        As above, for initialised data
  24      DWORD  SizeOfUninitializedData      As above, for uninitialised data
  28      DWORD  AddressOfEntryPoint          RVA where execution starts; optional for DLLs, zero when none present
  2C      DWORD  BaseOfCode                   RVA of first byte of code when loaded into RAM
  30      DWORD  BaseOfData                   RVA of first byte of data when loaded into RAM (PE32 only)
  34      DWORD  ImageBase                    Preferred load address
  38      DWORD  SectionAlignment             Alignment of sections when loaded in RAM
  3C      DWORD  FileAlignment                Alignment of sections in the file on disk
  40      WORD   MajorOperatingSystemVersion  Major version number of the required operating system
  42      WORD   MinorOperatingSystemVersion  Minor version number of the required operating system
  44      WORD   MajorImageVersion            Major version number of the image
  46      WORD   MinorImageVersion            Minor version number of the image
  48      WORD   MajorSubsystemVersion        Major version number of the subsystem
  4A      WORD   MinorSubsystemVersion        Minor version number of the subsystem
  4C      DWORD  Win32VersionValue            Reserved, must be zero (called Reserved1 in older references)
  50      DWORD  SizeOfImage                  Amount of memory the loader allocates for the image; must be a multiple of SectionAlignment
  54      DWORD  SizeOfHeaders                Combined size of all headers, rounded up to FileAlignment; the first section's raw data starts here
  58      DWORD  CheckSum                     Image checksum (only verified for kernel-mode drivers and some system DLLs)
  5C      WORD   Subsystem                    0001h = native, 0002h = Windows GUI, 0003h = Windows console
  5E      WORD   DllCharacteristics           0040h = DYNAMIC_BASE (image can be relocated: ASLR), 0080h = FORCE_INTEGRITY (signature enforced), 0100h = NX_COMPAT (DEP), 0400h = NO_SEH, 0800h = NO_BIND, 4000h = GUARD_CF (Control Flow Guard). The values 0001h-0004h (per-process/per-thread library initialization/termination) are obsolete and must be zero
  60      DWORD  SizeOfStackReserve           Number of bytes reserved for the stack
  64      DWORD  SizeOfStackCommit            Number of bytes of stack committed at start-up
  68      DWORD  SizeOfHeapReserve            Number of bytes reserved for the local heap
  6C      DWORD  SizeOfHeapCommit             Number of bytes of local heap committed at start-up
  70      DWORD  LoaderFlags                  Obsolete
  74      DWORD  NumberOfRvaAndSizes          Number of data directory entries (normally 16)
  ********** START OF DATA DIRECTORY **********
  78      DWORD  IMAGE_DATA_DIRECTORY 0       RVA of Export Directory
  7C      DWORD                               Size of Export Directory
  80      DWORD  IMAGE_DATA_DIRECTORY 1       RVA of Import Directory (array of IIDs)
  84      DWORD                               Size of Import Directory
  88      DWORD  IMAGE_DATA_DIRECTORY 2       RVA of Resource Directory
  8C      DWORD                               Size of Resource Directory
  90      DWORD  IMAGE_DATA_DIRECTORY 3       RVA of Exception Directory
  94      DWORD                               Size of Exception Directory
  98      DWORD  IMAGE_DATA_DIRECTORY 4       Raw file offset (not an RVA) of the Security Directory: the Authenticode certificate table, which is not mapped into memory
  9C      DWORD                               Size of Security Directory
  A0      DWORD  IMAGE_DATA_DIRECTORY 5       RVA of Base Relocation Directory
  A4      DWORD                               Size of Base Relocation Directory
  A8      DWORD  IMAGE_DATA_DIRECTORY 6       RVA of Debug Directory
  AC      DWORD                               Size of Debug Directory
  B0      DWORD  IMAGE_DATA_DIRECTORY 7       RVA of architecture-specific data (reserved, zero; historically the Copyright note)
  B4      DWORD                               Size of the above
  B8      DWORD  IMAGE_DATA_DIRECTORY 8       RVA to be used as Global Pointer (IA-64 only)
  BC      DWORD                               Not used (must be zero)
  C0      DWORD  IMAGE_DATA_DIRECTORY 9       RVA of Thread Local Storage Directory
  C4      DWORD                               Size of Thread Local Storage Directory
  C8      DWORD  IMAGE_DATA_DIRECTORY 10      RVA of Load Configuration Directory
  CC      DWORD                               Size of Load Configuration Directory
  D0      DWORD  IMAGE_DATA_DIRECTORY 11      RVA of Bound Import Directory
  D4      DWORD                               Size of Bound Import Directory
  D8      DWORD  IMAGE_DATA_DIRECTORY 12      RVA of first Import Address Table
  DC      DWORD                               Total size of all Import Address Tables
  E0      DWORD  IMAGE_DATA_DIRECTORY 13      RVA of Delay Import Directory
  E4      DWORD                               Size of Delay Import Directory
  E8      DWORD  IMAGE_DATA_DIRECTORY 14      RVA of COM (CLR runtime) header: top-level info and metadata in .NET executables
  EC      DWORD                               Size of COM header
  F0      DWORD  IMAGE_DATA_DIRECTORY 15      Reserved, zero
  F4      DWORD                               Reserved, zero

The Section Table

Begins at F8h from the PE signature (18h + SizeOfOptionalHeader). Offsets shown are from the start of each 40-byte section header.

  OFFSET  SIZE     NAME                  EXPLANATION
  00      8 bytes  Name                  Name of the section (not null-terminated when all 8 bytes are used)
  08      DWORD    VirtualSize (Misc)    Actual size of the data in the section; when larger than SizeOfRawData the remainder is zero-filled in memory
  0C      DWORD    VirtualAddress        RVA where the section begins in memory
  10      DWORD    SizeOfRawData         Size of the data on disk (multiple of FileAlignment)
  14      DWORD    PointerToRawData      Raw offset of the section on disk
  18      DWORD    PointerToRelocations  Start of relocation entries for the section, zero if none
  1C      DWORD    PointerToLinenumbers  Start of line-number entries for the section, zero if none
  20      WORD     NumberOfRelocations   Zero for executable images
  22      WORD     NumberOfLinenumbers   Number of line-number entries for the section
  24      DWORD    Characteristics       See Section Characteristics Flags at the end of the page
  ********** Repeats for the rest of the sections (NumberOfSections headers in all) **********

The Export Table

Offsets shown are from the beginning of the table, whose RVA is given by data directory 0 (at 78h from the start of the PE header). This 40-byte IMAGE_EXPORT_DIRECTORY occurs once per image (unlike the import table it is not an array) and describes the functions the DLL exports.

  OFFSET  SIZE   NAME                   EXPLANATION
  00      DWORD  Characteristics        Set to zero (currently none defined)
  04      DWORD  TimeDateStamp          Often set to zero
  08      WORD   MajorVersion           User-defined version number, otherwise zero
  0A      WORD   MinorVersion           As above
  0C      DWORD  Name                   RVA of the DLL name in null-terminated ASCII
  10      DWORD  Base                   First valid exported ordinal, normally 1
  14      DWORD  NumberOfFunctions      Number of entries in the EAT
  18      DWORD  NumberOfNames          Number of entries in the ENT
  1C      DWORD  AddressOfFunctions     RVA of the EAT (export address table): one RVA per function, indexed by ordinal minus Base
  20      DWORD  AddressOfNames         RVA of the ENT (export name table): RVAs of the function names, sorted so they can be binary-searched
  24      DWORD  AddressOfNameOrdinals  RVA of the EOT (export ordinal table): a WORD index into the EAT for each name

The Import Table

Offsets shown are from the beginning of the table, whose RVA is given by data directory 1 (at 80h from the start of the PE header). The following 5 DWORDs (one IMAGE_IMPORT_DESCRIPTOR, 20 bytes) repeat for each import library (DLL whose functions are imported by the executable), and the array ends with one full of zeroes.

  OFFSET  SIZE   NAME                EXPLANATION
  00      DWORD  OriginalFirstThunk  RVA of the Import Name Table (zero-terminated array of IMAGE_THUNK_DATA); left unchanged by the loader
  04      DWORD  TimeDateStamp       Zero unless bound against the imported DLL
  08      DWORD  ForwarderChain      Index of the first forwarded function; 0 or -1 (FFFFFFFFh) when there are none
  0C      DWORD  Name                RVA of the DLL name in null-terminated ASCII
  10      DWORD  FirstThunk          RVA of the Import Address Table (array of IMAGE_THUNK_DATA); a copy of the INT on disk, overwritten with the resolved function addresses by the loader

Each IMAGE_THUNK_DATA entry is a DWORD (QWORD in PE32+): if the high bit is set the low 16 bits are an ordinal, otherwise the value is the RVA of a WORD hint followed by the null-terminated function name. Code calls imported functions indirectly through the IAT slot, e.g. call dword ptr [ImageBase + IAT RVA].

Image Characteristics Flags

  FLAG  EXPLANATION
  0001  Relocation info stripped from file (the image cannot be rebased, so ASLR cannot apply)
  0002  File is executable (no unresolved external references)
  0004  Line numbers stripped from file
  0008  Local symbols stripped from file
  0010  Lets the OS aggressively trim the working set
  0020  App can handle >2GB addresses
  0080  Low bytes of machine word are reversed
  0100  Requires a 32-bit word machine
  0200  Debugging info stripped from file into a .DBG file
  0400  If the image is on removable media, copy it to and run it from the swap file
  0800  If the image is on a network, copy it to and run it from the swap file
  1000  System file
  2000  File is a DLL
  4000  File should only be run on a single-processor machine
  8000  High bytes of machine word are reversed

Section Characteristics Flags

  FLAG                  EXPLANATION
  00000008              Section should not be padded to the next boundary
  00000020              Section contains code
  00000040              Section contains initialised data
  00000080              Section contains uninitialised data (zero-filled by the loader)
  00000200              Section contains comments or other information for the linker
  00000800              Section contents will not become part of the image
  00001000              Section contents are COMDAT (common block data)
  00008000              Section contents cannot be accessed relative to GP
  00100000 to 00800000  Boundary alignment settings (object files only)
  01000000              Section contains extended relocations
  02000000              Section can be discarded (e.g. .reloc)
  04000000              Section is not cacheable
  08000000              Section cannot be paged (IMAGE_SCN_MEM_NOT_PAGED)
  10000000              Section is shareable
  20000000              Section is executable
  40000000              Section is readable
  80000000              Section is writable

A section with both 20000000 and 80000000 set (writable and executable) defeats DEP for that range; it is typical of packed or self-modifying code and worth flagging when triaging a sample.
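The tables above can be exercised directly. The following is an added example, not code from the original page: a small Python parser that follows e_lfanew to the PE signature, reads the file header, optional header and data directory at the offsets tabulated above, walks the section table to translate RVAs to file offsets, enumerates the import table and thunks, and summarises the DllCharacteristics/section bits a triager looks at first (ASLR, DEP, CFG, writable-and-executable sections). Flag names follow winnt.h spelling. Because no real binary can ship with the page, the example builds its own minimal PE32 image in build_sample_pe32() (a constructed sample: one .text section, code push 0 / call [IAT slot], one import KERNEL32!ExitProcess); it only handles PE32 and deliberately rejects an RVA that falls in the zero-filled tail of a section beyond SizeOfRawData.

```python
import struct

# Flag names from the tables on this page (winnt.h spelling); DllCharacteristics uses the current bits.
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def u16(d, off): return struct.unpack_from("<H", d, off)[0]
def u32(d, off): return struct.unpack_from("<I", d, off)[0]

def parse_pe32(data):
    """DOS header -> PE header -> optional header -> data directory -> section table, by the page's offsets."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = u32(data, 0x3C)                                   # e_lfanew; struct raises on a truncated file
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if u16(data, pe + 0x18) != 0x10B:                      # Magic
        raise ValueError("not PE32: PE32+ widens ImageBase etc. and moves the data directory to 88h")
    info = {
        "machine": u16(data, pe + 0x04),
        "characteristics": flag_names(u16(data, pe + 0x16), FILE_FLAGS),
        "entry_point": u32(data, pe + 0x28),
        "image_base": u32(data, pe + 0x34),
        "dll_characteristics": flag_names(u16(data, pe + 0x5E), DLL_FLAGS),
        "data_directories": [(u32(data, pe + 0x78 + 8 * i), u32(data, pe + 0x7C + 8 * i))
                             for i in range(u32(data, pe + 0x74))],    # NumberOfRvaAndSizes
        "sections": []}
    table = pe + 0x18 + u16(data, pe + 0x14)               # SizeOfOptionalHeader -> section table
    for i in range(u16(data, pe + 0x06)):                  # NumberOfSections
        s = table + 40 * i
        info["sections"].append({
            "name": data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": u32(data, s + 0x08), "va": u32(data, s + 0x0C),
            "raw_size": u32(data, s + 0x10), "raw_ptr": u32(data, s + 0x14),
            "flags": flag_names(u32(data, s + 0x24), SECTION_FLAGS)})
    return info

def rva_to_offset(sections, rva):
    """RVA -> file offset. Bytes past SizeOfRawData exist only in memory (zero-filled), so reject them."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            if rva - s["va"] >= s["raw_size"]:
                raise ValueError("RVA %#x is in the virtual-only tail of %s" % (rva, s["name"]))
            return s["raw_ptr"] + rva - s["va"]
    raise ValueError("RVA %#x is outside every section" % rva)

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data, info):
    """Data directory 1: 20-byte descriptors up to the all-zero one, each thunk array up to the zero thunk."""
    secs, imports = info["sections"], {}
    rva = info["data_directories"][1][0]
    off = rva_to_offset(secs, rva) if rva else None
    while off is not None:
        orig_first, _stamp, _fwd, name_rva, first = struct.unpack_from("<5I", data, off)
        if not (orig_first or name_rva or first):
            break
        thunk, funcs = rva_to_offset(secs, orig_first or first), []   # INT if present, else IAT
        while (t := u32(data, thunk)) != 0:
            funcs.append("#%d" % (t & 0xFFFF) if t & 0x80000000          # by ordinal
                         else cstring(data, rva_to_offset(secs, t) + 2))  # by name: skip WORD hint
            thunk += 4
        imports[cstring(data, rva_to_offset(secs, name_rva))] = funcs
        off += 20
    return imports

def security_summary(info):
    """ASLR needs DYNAMIC_BASE plus unstripped relocations, DEP needs NX_COMPAT, CFG needs GUARD_CF, no W+X."""
    dll, chars = info["dll_characteristics"], info["characteristics"]
    return {"aslr": "DYNAMIC_BASE" in dll and "RELOCS_STRIPPED" not in chars,
            "dep": "NX_COMPAT" in dll, "cfg": "GUARD_CF" in dll,
            "wx_sections": [s["name"] for s in info["sections"]
                            if "MEM_WRITE" in s["flags"] and "MEM_EXECUTE" in s["flags"]]}

def build_sample_pe32():
    """Constructed sample, not a real binary: one .text section, 'push 0; call [IAT]', imports KERNEL32!ExitProcess."""
    text = bytearray(0x200)
    text[0:8] = b"\x6A\x00\xFF\x15\x48\x10\x40\x00"          # call dword ptr [0x401048] (IAT slot)
    text[0x10:0x24] = struct.pack("<5I", 0x1040, 0, 0, 0x1060, 0x1048)  # descriptor; zero one follows
    text[0x40:0x44] = text[0x48:0x4C] = struct.pack("<I", 0x1050)  # INT and IAT thunks -> hint/name
    text[0x50:0x5E] = b"\0\0ExitProcess\0"                     # WORD hint + name
    text[0x60:0x6D] = b"KERNEL32.dll\0"
    dos = bytearray(0x40); dos[:2] = b"MZ"; dos[0x3C:] = struct.pack("<I", 0x40)  # e_lfanew = 40h
    file_hdr = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[12] = (0x1010, 40), (0x1048, 8)              # import directory, IAT
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 14, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x1000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 3, 0x8140,   # Subsystem, DllChar
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + file_hdr + opt + sec).ljust(0x200, b"\0")) + bytes(text)
```

Running parse_pe32(build_sample_pe32()) yields machine 014Ch, entry point RVA 1000h, ImageBase 400000h, one .text section flagged CNT_CODE, MEM_EXECUTE, MEM_READ, data directory 1 = (1010h, 40); parse_imports then returns {"KERNEL32.dll": ["ExitProcess"]} and security_summary reports ASLR and DEP on, CFG off, and no writable-and-executable sections. On a real file, read it with open(path, "rb").read() and pass the bytes in the same way; the rva_to_offset check matters there because packers routinely set VirtualSize far above SizeOfRawData.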