Windows-PE-Loader is a lightweight C-based library designed to parse and load Windows Portable Executable (PE) files directly from memory. Developed as part of OS internals research, this project provides insights into the PE file structure and the loading process, including handling of import tables, relocations, and more.
- PE Header Parsing: Parses DOS, NT, and section headers to extract and validate core metadata necessary for loading.
- Section Mapping: Maps sections from the PE file into memory with correct protections (e.g., executable, writable) and alignment.
- Import Table Handling: Parses the Import Directory Table and loads dependencies using `LoadLibrary`, resolving imported symbols with `GetProcAddress`. Handles both ILT and IAT.
- Relocation Processing: Adjusts absolute addresses when the module is loaded at a base address different from its preferred one. Supports applying relocation blocks.
- Memory-Based Execution: Loads and executes PE modules directly from memory buffers, ideal for reflective loading scenarios.
- Dynamic Library Management: Provides an abstraction for loading and freeing in-memory libraries using:
- Minimal Dependencies: Designed with no external dependencies beyond the Windows API.
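The validation mentioned under PE Header Parsing matters because every offset in an in-memory PE buffer comes from the file itself and has to be checked against the buffer length before it is followed. The following is an added example, not code from this project: a portable C validator with the PE field offsets hard-coded so it builds without `Windows.h`; `pe_validate` and `build_sample` are hypothetical names, and the sample image is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian helpers; callers bounds-check before reading. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical helper: returns 0 when the headers and section table fit
   inside buf[0..len), else a negative code for the first failed check. */
int pe_validate(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;        /* DOS header, "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                          /* e_lfanew */
    if (nt > len || len - nt < 24) return -2;                /* signature + file header */
    if (rd32(buf + nt) != 0x00004550) return -3;             /* "PE\0\0" */
    uint16_t nsec = rd16(buf + nt + 6);                      /* NumberOfSections */
    uint16_t optsz = rd16(buf + nt + 20);                    /* SizeOfOptionalHeader */
    size_t opt = (size_t)nt + 24;
    if (optsz < 2 || len - opt < optsz) return -4;           /* optional header fits */
    uint16_t magic = rd16(buf + opt);
    if (magic != 0x10B && magic != 0x20B) return -5;         /* PE32 or PE32+ */
    size_t sec = opt + optsz;
    if ((len - sec) / 40 < nsec) return -6;                  /* section table fits */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = buf + sec + (size_t)i * 40;
        uint32_t rawsz = rd32(s + 16), rawptr = rd32(s + 20); /* SizeOfRawData, PointerToRawData */
        if (rawsz && (rawptr > len || len - rawptr < rawsz)) return -7;
    }
    return 0;
}

/* Constructed sample (not a real binary): minimal PE32+ layout, one section. */
void build_sample(uint8_t img[1024])
{
    memset(img, 0, 1024);
    wr32(img, 0x5A4D);                 /* "MZ" */
    wr32(img + 0x3C, 0x40);            /* e_lfanew */
    wr32(img + 0x40, 0x4550);          /* "PE\0\0" */
    wr32(img + 0x44, 0x00018664);      /* Machine = 0x8664, NumberOfSections = 1 */
    wr32(img + 0x54, 0x002200F0);      /* SizeOfOptionalHeader = 0xF0, Characteristics */
    wr32(img + 0x58, 0x020B);          /* optional header magic: PE32+ */
    uint8_t *s = img + 0x58 + 0xF0;    /* section header at 0x148 */
    wr32(s + 16, 0x200);               /* SizeOfRawData */
    wr32(s + 20, 0x200);               /* PointerToRawData */
}
int main(void) { uint8_t img[1024]; build_sample(img); return pe_validate(img, sizeof img); }
```

Each range check is written as `len - offset < size` rather than `offset + size > len`, so a large `PointerToRawData` cannot wrap the sum past the check.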
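```cpp
extern "C"
{
#include "pe_library.h"
}
#include <Windows.h>

int32_t APIENTRY wWinMain(_In_ HINSTANCE, _In_opt_ HINSTANCE, _In_ LPWSTR, _In_ int32_t)
{
    // DLL_BUFFER_DATA / DLL_BUFFER_SIZE: the in-memory PE image and its length,
    // supplied by the caller.
    const HMODULE module = Library__load_library(
        DLL_BUFFER_DATA,
        DLL_BUFFER_SIZE
    );
    if (module == nullptr) // assumption: a failed load yields a null handle
    {
        return 1;
    }

    // Release the in-memory module once it is no longer needed.
    Library__FreeLibrary(module);
    return 0;
}
```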
- Logging is enabled automatically in debug builds and provides useful runtime information.
- To view logs, run the application in a debugger (e.g., Visual Studio) or use DbgView from Sysinternals.
- Logs are not available in release builds.

For those who want to inspect PE files visually, I recommend using the official 010 Editor template:
📄 EXE.bt – PE Template (Official)
This template supports both 32-bit and 64-bit PE files, including `.exe`, `.dll`, and `.sys`.

This project is licensed under the MIT License.