Category Archives: PE Sections

PE Section names – re-visited, again

Posted on by

I recently caught up with torrents shared by VirusShare and after merging the new VS samples with my repo decided to extract PE section stats from all the files again…. This time, instead of actually attributing section names to protectors, programs, etc. I just share the actual statistics file…

So… there you have it… 100M entries, 660K unique section names – it is an interesting clustering exercise…

You can download the resulting file here.

PE Section names – re-visited

Posted on by

Update 2022-11-23

Added .profile for NightHawk

Update 2021-01-29

Added a few more sections

Update 2020-10-15

Added .AAWEBS

Update 2020-08-15

Added .imrsiv, also visit this post.

Update 2019-03-15

Added sections from demoscene files; additional protectors, and many others; big update in general

Update 2019-02-12

Added .ecode and .edata for EPL

Update 2018-12-09

Added .mnbvcx1 & .mnbvcx2, .import, some ELF sections

Update 2018-06-02

Added .apiset

Update 2017-11-21

Updated info on minATL and .wpp_sf

thx to @digirati82 for bringing it to my attention

Update: This list has been last updated on 7th of January 2017

4 years back I published a list of PE section names; I recently thought of revisiting the list and as a result added a lot more entries.

This is the latest version of the list (note that there are duplicates, if treated as case-insensitive):

The packer/protector/tools section names/keywords

  • .aspack – Aspack packer
  • .adata – Aspack packer/Armadillo packer
  • ASPack – Aspack packer
  • .ASPack – ASPAck Protector
  • .boom – The Boomerang List Builder (config+exe xored with a single byte key 0x77)
  • .ccg – CCG Packer (Chinese Packer)
  • .charmve – Added by the PIN tool
  • BitArts – Crunch 2.0 Packer
  • DAStub – DAStub Dragon Armor protector
  • !EPack – Epack packer
  • .ecode – Built with EPL
  • .edata – Built with EPL
  • .enigma1 – Enigma Protector
  • .enigma2 – Enigma Protector
  • FSG! – FSG packer (not a section name, but a good identifier)
  • .imrsiv – special section used for applications that can be loaded to OS desktop bands.
  • .gentee – Gentee installer
  • kkrunchy – kkrunchy Packer
  • lz32.dll – Crinkler
  • .mackt – ImpRec-created section
  • .MaskPE – MaskPE Packer
  • MEW – MEW packer
  • .mnbvcx1 – most likely associated with Firseria PUP downloaders
  • .mnbvcx2 – most likely associated with Firseria PUP downloaders
  • .MPRESS1 – Mpress Packer
  • .MPRESS2 – Mpress Packer
  • .neolite – Neolite Packer
  • .neolit – Neolite Packer
  • .nsp1 – NsPack packer
  • .nsp0 – NsPack packer
  • .nsp2 – NsPack packer
  • nsp1 – NsPack packer
  • nsp0 – NsPack packer
  • nsp2 – NsPack packer
  • .packed – RLPack Packer (first section)
  • PEPACK!! – Pepack
  • pebundle – PEBundle Packer
  • PEBundle – PEBundle Packer
  • PEC2TO – PECompact packer
  • PECompact2 – PECompact packer (not a section name, but a good identifier)
  • PEC2 – PECompact packer
  • pec – PECompact packer
  • pec1 – PECompact packer
  • pec2 – PECompact packer
  • pec3 – PECompact packer
  • pec4 – PECompact packer
  • pec5 – PECompact packer
  • pec6 – PECompact packer
  • PEC2MO – PECompact packer
  • PELOCKnt – PELock Protector
  • .perplex – Perplex PE-Protector
  • PESHiELD – PEShield Packer
  • .petite – Petite Packer
  • .pinclie – Added by the PIN tool
  • ProCrypt – ProCrypt Packer
  • .profile – NightHawk C2 framework (by MDSec)
  • .RLPack – RLPack Packer (second section)
  • .rmnet – Ramnit virus marker
  • RCryptor – RPCrypt Packer
  • .RPCrypt – RPCrypt Packer
  • .seau – SeauSFX Packer
  • .sforce3 – StarForce Protection
  • .shrink1 – Shrinker
  • .shrink2 – Shrinker
  • .shrink3 – Shrinker
  • .spack – Simple Pack (by bagie)
  • .svkp – SVKP packer
  • Themida – Themida Packer
  • .Themida – Themida Packer
  • .taz – Some version os PESpin
  • .tsuarch – TSULoader
  • .tsustub – TSULoader
  • .packed – Unknown Packer
  • PEPACK!! – Pepack
  • .Upack – Upack packer
  • .ByDwing – Upack Packer
  • UPX0 – UPX packer
  • UPX1 – UPX packer
  • UPX2 – UPX packer
  • UPX3 – UPX packer
  • UPX! – UPX packer
  • .UPX0 – UPX Packer
  • .UPX1 – UPX Packer
  • .UPX2 – UPX Packer
  • .vmp0 – VMProtect packer
  • .vmp1 – VMProtect packer
  • .vmp2 – VMProtect packer
  • VProtect – Vprotect Packer
  • .winapi – Added by API Override tool
  • WinLicen – WinLicense (Themida) Protector
  • _winzip_ – WinZip Self-Extractor
  • .WWPACK – WWPACK Packer
  • .WWP32 – WWPACK Packer (WWPack32)
  • .yP – Y0da Protector
  • .y0da – Y0da Protector

Unclassified from Demoscene repo

These are PE sections extracted from the demoscene corpora; some of them use a name that is clearly associated with a respective demo group; some are variations of well-known pe sections and we can guess their meaning, some are clearly one-offs; I have provided the section name, some quick comment, if applicable, and a relative path on the scene.org where you can find sample of a PE file using a described section. I provided only one path, but in some cases there are many, so you may need to do a homework if you want more samples. If you see folders prefixed with an underscore it means that the file name that follows refers to a file inside an archive (and the actual archive is named like the folder name, but w/o the underscore prefix).

  • .crtemui – demos\groups\raizor\mengers_mice
  • .delete – demos\groups\scoopex\_scx-snc2.zip\ScxNchips02.exe
  • .exc – demos\groups\artwork\mdiv2\_mdiv2b2.zip\mdiv2be.exe
  • .g4kcod2, .g4kcod3, .g4kcod4, .g4kcoda, .g4kcodb, .g4kcodc, .g4kcodd, .g4kcodf, .g4kcodg, .g4kcodh, .g4kcodi, .g4kcodj, .g4kcodk, .g4kcodl, .g4kcodp, .g4kcods, .g4kcodt, .g4kcodw, .g4kcodx, .g4kcody, .g4kcodz, .g4kdat1, .g4kdat2, .g4kmuc1, .g4kmuc2, .g4kmuc3, .g4kmuc4, .g4kmuc5 – demos\groups\raizor\mengers_mice\_mengersmice.zip\mengersMice.exe
  • .icon – possibly an icon resource – demos\groups\class\cls_d2k.zip
  • .intro – graphics\groups\superior_art_creations\_sac-27.zip\com-myth.exe
  • .load – demos\groups\class\_c64.zip\c64.exe
  • .mydata – demos\groups\p4!nt\_p4!nt_micro_intro.zip\demoscene.exe
  • .pe – possibly PE file – demos\groups\coolphat\_cphbv1.zip\cphbv1.exe
  • .pklstb – demos\groups\scoopex\_scx-snc2.zip\ScxNchips02.exe
  • .Razor – Razor group – graphics\groups\superior_art_creations\_sac-18.zip\HT-PDM6.EXE
  • .relo2 – demos\groups\scoopex\_scx-snc2.zip\ScxNchips02.exe
  • .rsrc A – possibly variant of resource section – demos\compilations\falcon_demo_mania\cd1\codec_and_player\_bsplayer084.rc4.455d.zip\bplay.exe
  • .sCe!05 – Scienide group – demos\groups\scienide\_scienide+reloaded+titan-reloaded_cracktro_3.zip\cracktro.exe
  • .trace – demos\groups\ivory_labs\_iv_mdt9kf.zip\demo.exe
  • .wavefmt – demos\groups\raizor\mengers_mice\_mengersmice.zip\mengersMice.exe
  • .wavehdr – demos\groups\raizor\mengers_mice\_mengersmice.zip\mengersMice.exe
  • .xm – possibly an XM module – music\groups\bmp\houseworks\_bmphw006.zip\spm-042.exe
  • _RDATA – possibly Read-only data – demos\groups\$\_$-chem.zip\chem.exe
  • Address – demos\groups\genesis\_genesis-shrek_2.zip\intro.exe
  • AUTO – demos\groups\3state\_3s-mspace.zip\melrose.exe
  • CLS – demos\groups\class\_class-sp4.zip\intro.exe
  • CODE32 – 32-bit code section – graphics\ascii\zeit\_zeit_03.zip\ALL2BIT.DLL
  • CONST32 – graphics\ascii\zeit\_zeit_03.zip\ALL2BIT.DLL
  • CPHb – Coolphat group – demos\groups\coolphat\_cph!mic2.zip\cph_mi2.exe
  • CRO0 – Cro group – graphics\groups\cro\_cro-20_mag.zip\Install.exe
  • CR01 – Cro group – graphics\groups\cro\_cro-20_mag.zip\Install.exe
  • fuzzion – Fuzzion group – demos\groups\fuzzion\_fzn_blursux.zip\blursux_unpacked.exe
  • fzn03 – Fuzzion group – demos\groups\fuzzion\_fzn_afull.zip\fzn_afull.exe
  • Guy ! – music\disks\_modaddiction2.zip\modaddiction2.exe
  • imports – possibly import section – mags\tapmag\_tapmag4.zip\TAPMAG4A.EXE
  • MYTH – graphics\groups\superior_art_creations\_sac-28.zip\kmx-dev03.exe
  • Not War! – demos\compos\tmdc8\07.null_ok-buchstabensuppe\_buchstabensuppe.zip\buchstabensuppe.exe
  • packer. – Farbrausch group- demos\groups\3state\_3s-sonnet.zip\sonnet.exe
  • PS – demos\groups\aardbei\_aardbei_southside.zip\aardbei_southside.exe
  • relocs – possibly relocations – mags\tapmag\_tapmag4.zip\TAPMAG4A.EXE
  • resource – mags\tapmag\_tapmag4.zip\TAPMAG4A.EXE
  • resultat – demos\groups\bypass\_love.zip\love.exe
  • Scooopex – Scoopex group – demos\groups\scoopex\_blue_knot_scoopex_and_i8u.zip\BlueKnot.exe
  • Scoopex – Scoopex group – demos\groups\scoopex\_blue_knot_scoopex_and_i8u.zip\BlueKnot.exe
  • Signatur – demos\groups\tlotb\_tlotb_weare.zip\WEARE.EXE
  • STACK – demos\groups\superstition\_superstition-melora-w32.zip\melora.exe

List of popular section names

  • .00cfg – Control Flow Guard (CFG) section (added by newer versions of Visual Studio)
  • .AAWEBS – section used by Amiti Antivirus DLLs webspam.dll and webspamwow64.dll
  • .apiset – a section present inside the apisetschema.dll
  • .arch – Alpha-architecture section
  • .autoload_text – cygwin/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.
  • .bindat – Binary data (also used by one of the downware installers based on LUA)
  • .bootdat – section that can be found inside Visual Studio files; contains palette entries
  • .bss – Uninitialized Data Section
  • .BSS – Uninitialized Data Section
  • .buildid – gcc/cygwin; Contains debug information (if overlaps with debug directory)
  • .CLR_UEF – .CLR Unhandled Exception Handler section; see https://github.com/dotnet/coreclr/blob/master/src/vm/excep.h
  • .code – Code Section
  • .cormeta – .CLR Metadata Section
  • .complua – Binary data, most likely compiled LUA (also used by one of the downware installers based on LUA)
  • .CRT – Initialized Data Section  (C RunTime)
  • .cygwin_dll_common – cygwin section containing flags representing Cygwin’s capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time
  • .data – Data Section
  • .DATA – Data Section
  • .data1 – Data Section
  • .data2 – Data Section
  • .data3 – Data Section
  • .debug – Debug info Section
  • .debug$F – Debug info Section (Visual C++ version <7.0)
  • .debug$P – Debug info Section (Visual C++ debug information – precompiled information
  • .debug$S – Debug info Section (Visual C++ debug information – symbolic information)
  • .debug$T – Debug info Section (Visual C++ debug information – type information)
  • .drectve  – directive section (temporary, linker removes it after processing it; should not appear in a final PE image)
  • .didat – Delay Import Section
  • .didata – Delay Import Section
  • .edata – Export Data Section
  • .eh_fram – gcc/cygwin; Exception Handler Frame section
  • .export – Alternative Export Data Section
  • .fasm – FASM flat Section
  • .flat – FASM flat Section
  • .gfids – section added by new Visual Studio (14.0); purpose unknown
  • .giats – section added by new Visual Studio (14.0); purpose unknown
  • .gljmp – section added by new Visual Studio (14.0); purpose unknown
  • .glue_7t – ARMv7 core glue functions (thumb mode)
  • .glue_7 – ARMv7 core glue functions (32-bit ARM mode)
  • .idata – Initialized Data Section  (Borland)
  • .idlsym – IDL Attributes (registered SEH)
  • .impdata – Alternative Import data section
  • .import – Alternative Import data section
  • .itext – Code Section  (Borland)
  • .ndata – Nullsoft Installer section
  • .orpc – Code section inside rpcrt4.dll
  • .pdata – Exception Handling Functions Section (PDATA records)
  • .rdata – Read-only initialized Data Section  (MS and Borland)
  • .reloc – Relocations Section
  • .rodata – Read-only Data Section
  • .rsrc – Resource section
  • .sbss – GP-relative Uninitialized Data Section
  • .script – Section containing script
  • .shared – Shared section
  • .sdata – GP-relative Initialized Data Section
  • .srdata – GP-relative Read-only Data Section
  • .stab – Created by Haskell compiler (GHC)
  • .stabstr – Created by Haskell compiler (GHC)
  • .sxdata – Registered Exception Handlers Section
  • .text – Code Section
  • .text0 – Alternative Code Section
  • .text1 – Alternative Code Section
  • .text2 – Alternative Code Section
  • .text3 – Alternative Code Section
  • .textbss – Section used by incremental linking
  • .tls – Thread Local Storage Section
  • .tls$ – Thread Local Storage Section
  • .udata – Uninitialized Data Section
  • .vsdata – GP-relative Initialized Data
  • .xdata – Exception Information Section
  • .wixburn – Wix section; see https://github.com/wixtoolset/wix3/blob/develop/src/burn/stub/StubSection.cpp
  • .wpp_sf  – section that is most likely related to WPP (Windows software trace PreProcessor); not sure how it is used though; the code inside the section is just a bunch of routines that call FastWppTraceMessage that in turn calls EtwTraceMessage
  • BSS – Uninitialized Data Section  (Borland)
  • CODE – Code Section (Borland)
  • DATA – Data Section (Borland)
  • DGROUP – Legacy data group section
  • edata – Export Data Section
  • idata – Initialized Data Section  (C RunTime)
  • INIT – INIT section (drivers)
  • minATL – Section that can be found inside some ARM PE files; purpose unknown; .exe files on Windows 10 also include this section as well; its purpose is unknown, but it contains references to ___pobjectentryfirst,___pobjectentrymid,___pobjectentrylast pointers used by Microsoft::WRL::Details::ModuleBase::… methods described e.g. here, and also referenced by .pdb symbols; so, looks like it is being used internally by Windows Runtime C++ Template Library (WRL) which is a successor of Active Template Library (ATL); further research needed
  • PAGE – PAGE section (drivers)
  • rdata – Read-only Data Section
  • sdata – Initialized Data Section
  • shared – Shared section
  • Shared – Shared section
  • testdata – section containing test data (can be found inside Visual Studio files)
  • text – Alternative Code Section

Other section names

  • .text$<name> – Typically a temporary Code Section merged during building; <name> can be anything; the sections are sorted by name, and combined into a single .text section during the linking process
  • .data$<name> – as above, for .data section
  • .rdata$<name> – as above, for .rdata section
  • .rsrc$<name> – as above, for .rsrc section
  • /<number> – often found in Windows clones of *nix tools compiled with mingw/cygwin; these typically replace lengthy section names that are used under *nix; the compiler often preserves the section names in the debugging information (which is often attached to the file); most of PE dumpers can’t process the debug information and just shows the raw numeric section names; tools like IDA can process this information and shows us the real section names (f.ex. .autoload_text, .cygwin_dll_common);  examples below:
    • /4
    • /14
    • /19
    • /29
    • /41
    • /48
    • /55
    • /67
    • /78
    • /89
  • Related to the above, the sections used by mingw/cygwin are listed below (they can be found inside the cygwin.sc file in the source tarball).
    • .init
    • .text
    • .text$* (basically, .text$<name>)
    • .glue_7t
    • .glue_7
    • .fini
    • .gcc_exc
    • .gcc_except_table
    • .autoload_text
    • .data
    • .data2
    • .data$* (basically, .data$<name>)
    • .data_cygwin_nocopy
    • .rdata
    • .rdata$* (basically, .rdata$<name>)
    • .eh_frame
    • .pdata
    • .bss
    • COMMON
    • .edata
    • .debug$S
    • .debug$T
    • .debug$F
    • .drectve
    • .idata
    • .idata$2
    • .idata$3
    • .idata$4
    • .idata$5
    • .idata$6
    • .idata$7
    • .CRT
    • .endjunk
    • .cygwin_dll_common
    • .rsrc
    • .rsrc$* (basically, .rsrc$<name>)
    • .reloc
    • .stab
    • .stabstr
    • .debug_aranges
    • .debug_pubnames
    • .debug_info
    • .debug_abbrev
    • .debug_line
    • .debug_frame
    • .debug_str
    • .debug_loc
    • .debug_macinfo
    • .debug_ranges
    • .cygheap
  • Not PE sections, but LINUX ELF file format sections
    • you may come across some of these inside PE; may be related to some code ported from *NIX; hard to say as I have not seen enough samples to confirm 100%
    • .btext – Big Endian .text section (code)
    • .bdata – Big Endian .data section (data)
    • .brdata – Big Endian .rdata section (Read-Only data)
    • .bctors – Big Endian .ctors section (constructors)
    • .bdtors – Big Endian .dtors section (destructors)
    • .rela.btext – Big Endian relocation section for .text
    • .rela.bdata – Big Endian relocation section for .data
    • .rela.brdata – Big Endian relocation section for .rdata
    • .rela.bctors – Big Endian relocation section for .ctors
    • .rela.bdtors – Big Endian relocation section for .dtors
    • .bbss – Big Endian section .bss (uninitialized data)
    • .ctors – Little Endian .ctors section (constructors)
    • .dtors – Little Endian .dtors section (destructors)
    • .ltext – Little Endian .text section (code)
    • .ldata – Little Endian .data section (data)
    • .lrdata – Little Endian .rdata section (Read-Only data)
    • .lctors – Little Endian .ctors section (constructors)
    • .ldtors – Little Endian .dtors section (destructors)
    • .rela.ltext – Little Endian relocation section for .text
    • .rela.ldata – Little Endian relocation section for .data
    • .rela.lrdata – Little Endian relocation section for .rdata
    • .rela.lctors – Little Endian relocation section for .ctors
    • .rela.ldtors – Little Endian relocation section for .dtors
    • .lbss – Little Endian section .bss (uninitialized data)
  • Primarily Linux-oriented, but sometimes present in PE e.g. in some old Watcom-compiled binaries
    • begtext – beginning of the text section
    • begdata – beginning of the data section
    • begbss – beginning of the bss section
    • endtext – end of the text section
    • enddata – end of the data section
    • endbss – end of the bss section