{"id":3997,"date":"2016-12-15T00:27:19","date_gmt":"2016-12-15T00:27:19","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3997"},"modified":"2024-06-07T23:40:51","modified_gmt":"2024-06-07T23:40:51","slug":"pe-section-names-re-visited","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/pe-section-names-re-visited\/","title":{"rendered":"PE Section names &#8211; re-visited"},"content":{"rendered":"<p><strong>Update 2022-11-23<\/strong><\/p>\n<p>Added .profile for NightHawk<\/p>\n<p><strong>Update 2021-01-29<\/strong><\/p>\n<p>Added a few more sections<\/p>\n<p><strong>Update 2020-10-15<\/strong><\/p>\n<p>Added .AAWEBS<\/p>\n<p><strong>Update 2020-08-15<\/strong><\/p>\n<p>Added .imrsiv, also visit this <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/07\/26\/pe-section-names-re-visited-again\/\">post<\/a>.<\/p>\n<p><strong>Update 2019-03-15<\/strong><\/p>\n<p>Added sections from demoscene files; additional protectors, and many others; big update in general<\/p>\n<p><strong>Update 2019-02-12<\/strong><\/p>\n<p>Added .ecode and .edata for EPL<\/p>\n<p><strong>Update 2018-12-09<\/strong><\/p>\n<p>Added .mnbvcx1 &amp; .mnbvcx2, .import, some ELF sections<\/p>\n<p><strong>Update 2018-06-02<\/strong><\/p>\n<p>Added .apiset<\/p>\n<p><strong>Update 2017-11-21<\/strong><\/p>\n<p>Updated info on minATL and .wpp_sf<\/p>\n<p>thx to <a href=\"https:\/\/twitter.com\/digirati82\">@digirati82<\/a> for bringing it to my attention<\/p>\n<p><strong>Update:<\/strong> This list has been last updated on 7th of January 2017<\/p>\n<p>4 years back I published a list of <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/14\/random-stats-from-1-2m-samples-pe-section-names\/\">PE section names<\/a>; I recently thought of revisiting the list and as a result added a lot more entries.<\/p>\n<p>This is the latest version of the list (note that there are duplicates, if treated as case-insensitive):<\/p>\n<p><strong>The packer\/protector\/tools section 
names\/keywords<\/strong><\/p>\n<ul>\n<li>.aspack \u2013 Aspack packer<\/li>\n<li>.adata \u2013 Aspack packer\/Armadillo packer<\/li>\n<li>ASPack \u2013 Aspack packer<\/li>\n<li>.ASPack \u2013 ASPAck Protector<\/li>\n<li>.boom \u2013&nbsp;The Boomerang List Builder (config+exe xored with a single byte key 0x77)<\/li>\n<li>.ccg \u2013 CCG Packer (Chinese Packer)<\/li>\n<li>.charmve &#8211; Added by the PIN tool<\/li>\n<li>BitArts \u2013 Crunch 2.0 Packer<\/li>\n<li>DAStub \u2013 DAStub Dragon Armor protector<\/li>\n<li>!EPack \u2013 Epack packer<\/li>\n<li>.ecode \u2013 Built with <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/02\/13\/pe-files-and-the-easy-programming-language-epl\/\">EPL<\/a><\/li>\n<li>.edata \u2013 Built with <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/02\/13\/pe-files-and-the-easy-programming-language-epl\/\">EPL<\/a><\/li>\n<li>.enigma1 \u2013 Enigma Protector<\/li>\n<li>.enigma2 \u2013 Enigma Protector<\/li>\n<li>FSG! \u2013 FSG packer (not a section name, but a good identifier)<\/li>\n<li>.imrsiv \u2013 special section used for applications that can be loaded to <a href=\"https:\/\/blog.adeltax.com\/window-z-order-in-windows-10\/\">OS desktop bands<\/a>.<\/li>\n<li>.gentee \u2013 Gentee installer<\/li>\n<li>kkrunchy \u2013 kkrunchy Packer<\/li>\n<li>lz32.dll &#8211; Crinkler<\/li>\n<li>.mackt \u2013 ImpRec-created section<\/li>\n<li>.MaskPE \u2013 MaskPE Packer<\/li>\n<li>MEW \u2013 MEW packer<\/li>\n<li>.mnbvcx1 &#8211; most likely associated with Firseria PUP downloaders<\/li>\n<li>.mnbvcx2 &#8211; most likely associated with Firseria PUP downloaders<\/li>\n<li>.MPRESS1 \u2013 Mpress Packer<\/li>\n<li>.MPRESS2 \u2013 Mpress Packer<\/li>\n<li>.neolite \u2013 Neolite Packer<\/li>\n<li>.neolit \u2013 Neolite Packer<\/li>\n<li>.nsp1 \u2013 NsPack packer<\/li>\n<li>.nsp0 \u2013 NsPack packer<\/li>\n<li>.nsp2 \u2013 NsPack packer<\/li>\n<li>nsp1 \u2013 NsPack packer<\/li>\n<li>nsp0 \u2013 NsPack packer<\/li>\n<li>nsp2 \u2013 NsPack 
packer<\/li>\n<li>.packed \u2013 RLPack Packer (first section)<\/li>\n<li>PEPACK!! \u2013 Pepack<\/li>\n<li>pebundle \u2013 PEBundle Packer<\/li>\n<li>PEBundle \u2013 PEBundle Packer<\/li>\n<li>PEC2TO \u2013 PECompact packer<\/li>\n<li>PECompact2 \u2013 PECompact packer (not a section name, but a good identifier)<\/li>\n<li>PEC2 \u2013 PECompact packer<\/li>\n<li>pec \u2013 PECompact packer<\/li>\n<li>pec1 \u2013 PECompact packer<\/li>\n<li>pec2 \u2013 PECompact packer<\/li>\n<li>pec3 \u2013 PECompact packer<\/li>\n<li>pec4 \u2013 PECompact packer<\/li>\n<li>pec5 \u2013 PECompact packer<\/li>\n<li>pec6 \u2013 PECompact packer<\/li>\n<li>PEC2MO \u2013 PECompact packer<\/li>\n<li>PELOCKnt \u2013 PELock Protector<\/li>\n<li>.perplex \u2013 Perplex PE-Protector<\/li>\n<li>PESHiELD \u2013 PEShield Packer<\/li>\n<li>.petite \u2013 Petite Packer<\/li>\n<li>.pinclie \u2013 Added by the PIN tool<\/li>\n<li>ProCrypt \u2013 ProCrypt Packer<\/li>\n<li>.profile \u2013 NightHawk C2 framework (by MDSec)<\/li>\n<li>.RLPack \u2013 RLPack Packer (second section)<\/li>\n<li>.rmnet \u2013 Ramnit virus marker<\/li>\n<li>RCryptor \u2013 RPCrypt Packer<\/li>\n<li>.RPCrypt \u2013 RPCrypt Packer<\/li>\n<li>.seau \u2013 SeauSFX Packer<\/li>\n<li>.sforce3 \u2013 StarForce Protection<\/li>\n<li>.shrink1 &#8211; Shrinker<\/li>\n<li>.shrink2 &#8211; Shrinker<\/li>\n<li>.shrink3 &#8211; Shrinker<\/li>\n<li>.spack \u2013 Simple Pack (by bagie)<\/li>\n<li>.svkp \u2013 SVKP packer<\/li>\n<li>Themida \u2013 Themida Packer<\/li>\n<li>.Themida \u2013 Themida Packer<\/li>\n<li>.taz \u2013 Some version of PESpin<\/li>\n<li>.tsuarch \u2013 TSULoader<\/li>\n<li>.tsustub \u2013 TSULoader<\/li>\n<li>.packed \u2013 Unknown Packer<\/li>\n<li>.Upack \u2013 Upack packer<\/li>\n<li>.ByDwing \u2013 Upack Packer<\/li>\n<li>UPX0 \u2013 UPX packer<\/li>\n<li>UPX1 \u2013 UPX packer<\/li>\n<li>UPX2 \u2013 UPX packer<\/li>\n<li>UPX3 \u2013 UPX packer<\/li>\n<li>UPX! 
\u2013 UPX packer<\/li>\n<li>.UPX0 \u2013 UPX Packer<\/li>\n<li>.UPX1 \u2013 UPX Packer<\/li>\n<li>.UPX2 \u2013 UPX Packer<\/li>\n<li>.vmp0 \u2013 VMProtect packer<\/li>\n<li>.vmp1 \u2013 VMProtect packer<\/li>\n<li>.vmp2 \u2013 VMProtect packer<\/li>\n<li>VProtect \u2013 Vprotect Packer<\/li>\n<li>.winapi &#8211; Added by API Override tool<\/li>\n<li>WinLicen \u2013 WinLicense (Themida) Protector<\/li>\n<li>_winzip_ \u2013 WinZip Self-Extractor<\/li>\n<li>.WWPACK \u2013 WWPACK Packer<\/li>\n<li>.WWP32 \u2013 WWPACK Packer (WWPack32)<\/li>\n<li>.yP \u2013 Y0da Protector<\/li>\n<li>.y0da \u2013 Y0da Protector<\/li>\n<\/ul>\n<p><strong>Unclassified from Demoscene repo<\/strong><\/p>\n<p>These are PE sections extracted from the demoscene corpora; some of them use a name that is clearly associated with the respective demo group; some are variations of well-known PE sections and we can guess their meaning; some are clearly one-offs. I have provided the section name, a quick comment, if applicable, and a relative path on scene.org where you can find a sample of a PE file using the described section. I provided only one path, but in some cases there are many, so you may need to do some homework if you want more samples. 
If you see folders prefixed with an underscore it means that the file name that follows refers to a file inside an archive (and the actual archive is named like the folder name, but w\/o the underscore prefix).<\/p>\n<ul>\n<li>.crtemui &#8211; demos\\groups\\raizor\\mengers_mice<\/li>\n<li>.delete &#8211; demos\\groups\\scoopex\\_scx-snc2.zip\\ScxNchips02.exe<\/li>\n<li>.exc &#8211; demos\\groups\\artwork\\mdiv2\\_mdiv2b2.zip\\mdiv2be.exe<\/li>\n<li>.g4kcod2, .g4kcod3, .g4kcod4, .g4kcoda, .g4kcodb, .g4kcodc, .g4kcodd, .g4kcodf, .g4kcodg, .g4kcodh, .g4kcodi, .g4kcodj, .g4kcodk, .g4kcodl, .g4kcodp, .g4kcods, .g4kcodt, .g4kcodw, .g4kcodx, .g4kcody, .g4kcodz, .g4kdat1, .g4kdat2, .g4kmuc1, .g4kmuc2, .g4kmuc3, .g4kmuc4, .g4kmuc5 &#8211; demos\\groups\\raizor\\mengers_mice\\_mengersmice.zip\\mengersMice.exe<\/li>\n<li>.icon &#8211; possibly an icon resource &#8211; demos\\groups\\class\\cls_d2k.zip<\/li>\n<li>.intro &#8211; graphics\\groups\\superior_art_creations\\_sac-27.zip\\com-myth.exe<\/li>\n<li>.load &#8211; demos\\groups\\class\\_c64.zip\\c64.exe<\/li>\n<li>.mydata &#8211; demos\\groups\\p4!nt\\_p4!nt_micro_intro.zip\\demoscene.exe<\/li>\n<li>.pe &#8211; possibly PE file &#8211; demos\\groups\\coolphat\\_cphbv1.zip\\cphbv1.exe<\/li>\n<li>.pklstb &#8211; demos\\groups\\scoopex\\_scx-snc2.zip\\ScxNchips02.exe<\/li>\n<li>.Razor &#8211; Razor group &#8211; graphics\\groups\\superior_art_creations\\_sac-18.zip\\HT-PDM6.EXE<\/li>\n<li>.relo2 &#8211; demos\\groups\\scoopex\\_scx-snc2.zip\\ScxNchips02.exe<\/li>\n<li>.rsrc A &#8211; possibly variant of resource section &#8211; demos\\compilations\\falcon_demo_mania\\cd1\\codec_and_player\\_bsplayer084.rc4.455d.zip\\bplay.exe<\/li>\n<li>.sCe!05 &#8211; Scienide group &#8211; demos\\groups\\scienide\\_scienide+reloaded+titan-reloaded_cracktro_3.zip\\cracktro.exe<\/li>\n<li>.trace &#8211; demos\\groups\\ivory_labs\\_iv_mdt9kf.zip\\demo.exe<\/li>\n<li>.wavefmt &#8211; 
demos\\groups\\raizor\\mengers_mice\\_mengersmice.zip\\mengersMice.exe<\/li>\n<li>.wavehdr &#8211; demos\\groups\\raizor\\mengers_mice\\_mengersmice.zip\\mengersMice.exe<\/li>\n<li>.xm &#8211; possibly an XM module &#8211; music\\groups\\bmp\\houseworks\\_bmphw006.zip\\spm-042.exe<\/li>\n<li>_RDATA &#8211; possibly Read-only data &#8211; demos\\groups\\$\\_$-chem.zip\\chem.exe<\/li>\n<li>Address &#8211; demos\\groups\\genesis\\_genesis-shrek_2.zip\\intro.exe<\/li>\n<li>AUTO &#8211; demos\\groups\\3state\\_3s-mspace.zip\\melrose.exe<\/li>\n<li>CLS &#8211; demos\\groups\\class\\_class-sp4.zip\\intro.exe<\/li>\n<li>CODE32 &#8211; 32-bit code section &#8211; graphics\\ascii\\zeit\\_zeit_03.zip\\ALL2BIT.DLL<\/li>\n<li>CONST32 &#8211; graphics\\ascii\\zeit\\_zeit_03.zip\\ALL2BIT.DLL<\/li>\n<li>CPHb &#8211; Coolphat group &#8211; demos\\groups\\coolphat\\_cph!mic2.zip\\cph_mi2.exe<\/li>\n<li>CRO0 &#8211; Cro group &#8211; graphics\\groups\\cro\\_cro-20_mag.zip\\Install.exe<\/li>\n<li>CR01 &#8211; Cro group &#8211; graphics\\groups\\cro\\_cro-20_mag.zip\\Install.exe<\/li>\n<li>fuzzion &#8211; Fuzzion group &#8211; demos\\groups\\fuzzion\\_fzn_blursux.zip\\blursux_unpacked.exe<\/li>\n<li>fzn03 &#8211; Fuzzion group &#8211; demos\\groups\\fuzzion\\_fzn_afull.zip\\fzn_afull.exe<\/li>\n<li>Guy ! &#8211; music\\disks\\_modaddiction2.zip\\modaddiction2.exe<\/li>\n<li>imports &#8211; possibly import section &#8211; mags\\tapmag\\_tapmag4.zip\\TAPMAG4A.EXE<\/li>\n<li>MYTH &#8211; graphics\\groups\\superior_art_creations\\_sac-28.zip\\kmx-dev03.exe<\/li>\n<li>Not War! &#8211; demos\\compos\\tmdc8\\07.null_ok-buchstabensuppe\\_buchstabensuppe.zip\\buchstabensuppe.exe<\/li>\n<li>packer. 
&#8211; Farbrausch group &#8211; demos\\groups\\3state\\_3s-sonnet.zip\\sonnet.exe<\/li>\n<li>PS &#8211; demos\\groups\\aardbei\\_aardbei_southside.zip\\aardbei_southside.exe<\/li>\n<li>relocs &#8211; possibly relocations &#8211; mags\\tapmag\\_tapmag4.zip\\TAPMAG4A.EXE<\/li>\n<li>resource &#8211; mags\\tapmag\\_tapmag4.zip\\TAPMAG4A.EXE<\/li>\n<li>resultat &#8211; demos\\groups\\bypass\\_love.zip\\love.exe<\/li>\n<li>Scooopex &#8211; Scoopex group &#8211; demos\\groups\\scoopex\\_blue_knot_scoopex_and_i8u.zip\\BlueKnot.exe<\/li>\n<li>Scoopex &#8211; Scoopex group &#8211; demos\\groups\\scoopex\\_blue_knot_scoopex_and_i8u.zip\\BlueKnot.exe<\/li>\n<li>Signatur &#8211; demos\\groups\\tlotb\\_tlotb_weare.zip\\WEARE.EXE<\/li>\n<li>STACK &#8211; demos\\groups\\superstition\\_superstition-melora-w32.zip\\melora.exe<\/li>\n<\/ul>\n<p><strong>List of popular section names<\/strong><\/p>\n<ul>\n<li>.00cfg \u2013 Control Flow Guard (CFG) section (added by newer versions of Visual Studio)<\/li>\n<li>.AAWEBS &#8211; section used by Amiti Antivirus DLLs webspam.dll and webspamwow64.dll<\/li>\n<li>.apiset \u2013 a section present inside the <a href=\"https:\/\/blog.quarkslab.com\/runtime-dll-name-resolution-apisetschema-part-i.html\">apisetschema.dll<\/a><\/li>\n<li>.arch \u2013 Alpha-architecture section<\/li>\n<li>.autoload_text \u2013 cygwin\/gcc; the Cygwin DLL uses a section to avoid copying certain data on fork.<\/li>\n<li>.bindat \u2013 Binary data (also used by one of the downware installers based on LUA)<\/li>\n<li>.bootdat \u2013 section that can be found inside Visual Studio files; contains palette entries<\/li>\n<li>.bss \u2013 Uninitialized Data Section<\/li>\n<li>.BSS \u2013 Uninitialized Data Section<\/li>\n<li>.buildid \u2013 gcc\/cygwin; Contains debug information (if overlaps with debug directory)<\/li>\n<li>.CLR_UEF \u2013 .CLR Unhandled Exception Handler section; see <a 
href=\"https:\/\/github.com\/dotnet\/coreclr\/blob\/master\/src\/vm\/excep.h\">https:\/\/github.com\/dotnet\/coreclr\/blob\/master\/src\/vm\/excep.h<\/a><\/li>\n<li>.code \u2013 Code Section<\/li>\n<li>.cormeta \u2013 .CLR Metadata Section<\/li>\n<li>.complua \u2013 Binary data, most likely compiled LUA (also used by one of the downware installers based on LUA)<\/li>\n<li>.CRT \u2013 Initialized Data Section&nbsp; (C RunTime)<\/li>\n<li>.cygwin_dll_common \u2013 cygwin section containing flags representing Cygwin&#8217;s capabilities; refer to cygwin.sc and wincap.cc inside Cygwin run-time<\/li>\n<li>.data \u2013 Data Section<\/li>\n<li>.DATA \u2013 Data Section<\/li>\n<li>.data1 \u2013 Data Section<\/li>\n<li>.data2 \u2013 Data Section<\/li>\n<li>.data3 \u2013 Data Section<\/li>\n<li>.debug \u2013 Debug info Section<\/li>\n<li>.debug$F \u2013 Debug info Section (Visual C++ version &lt;7.0)<\/li>\n<li>.debug$P \u2013 Debug info Section (Visual C++ debug information &#8211; precompiled information)<\/li>\n<li>.debug$S \u2013 Debug info Section (Visual C++ debug information &#8211; symbolic information)<\/li>\n<li>.debug$T \u2013 Debug info Section (Visual C++ debug information &#8211; type information)<\/li>\n<li>.drectve&nbsp; \u2013 directive section (temporary, linker removes it after processing it; should not appear in a final PE image)<\/li>\n<li>.didat \u2013 Delay Import Section<\/li>\n<li>.didata \u2013 Delay Import Section<\/li>\n<li>.edata \u2013 Export Data Section<\/li>\n<li>.eh_fram \u2013 gcc\/cygwin; Exception Handler Frame section<\/li>\n<li>.export \u2013 Alternative Export Data Section<\/li>\n<li>.fasm \u2013 FASM flat Section<\/li>\n<li>.flat \u2013 FASM flat Section<\/li>\n<li>.gfids \u2013 section added by new Visual Studio (14.0); purpose unknown<\/li>\n<li>.giats \u2013 section added by new Visual Studio (14.0); purpose unknown<\/li>\n<li>.gljmp \u2013 section added by new Visual Studio (14.0); purpose unknown<\/li>\n<li>.glue_7t \u2013 ARMv7 
core glue functions (thumb mode)<\/li>\n<li>.glue_7 \u2013 ARMv7 core glue functions (32-bit ARM mode)<\/li>\n<li>.idata \u2013 Initialized Data Section&nbsp; (Borland)<\/li>\n<li>.idlsym \u2013 IDL Attributes (registered SEH)<\/li>\n<li>.impdata \u2013 Alternative Import data section<\/li>\n<li>.import \u2013 Alternative Import data section<\/li>\n<li>.itext \u2013 Code Section&nbsp; (Borland)<\/li>\n<li>.ndata \u2013 Nullsoft Installer section<\/li>\n<li>.orpc \u2013 Code section inside rpcrt4.dll<\/li>\n<li>.pdata \u2013 Exception Handling Functions Section (PDATA records)<\/li>\n<li>.rdata \u2013 Read-only initialized Data Section&nbsp; (MS and Borland)<\/li>\n<li>.reloc \u2013 Relocations Section<\/li>\n<li>.rodata \u2013 Read-only Data Section<\/li>\n<li>.rsrc \u2013 Resource section<\/li>\n<li>.sbss \u2013 GP-relative Uninitialized Data Section<\/li>\n<li>.script \u2013 Section containing script<\/li>\n<li>.shared \u2013 Shared section<\/li>\n<li>.sdata \u2013 GP-relative Initialized Data Section<\/li>\n<li>.srdata \u2013 GP-relative Read-only Data Section<\/li>\n<li>.stab \u2013 Created by Haskell compiler (GHC)<\/li>\n<li>.stabstr \u2013 Created by Haskell compiler (GHC)<\/li>\n<li>.sxdata \u2013 Registered Exception Handlers Section<\/li>\n<li>.text \u2013 Code Section<\/li>\n<li>.text0 \u2013 Alternative Code Section<\/li>\n<li>.text1 \u2013 Alternative Code Section<\/li>\n<li>.text2 \u2013 Alternative Code Section<\/li>\n<li>.text3 \u2013 Alternative Code Section<\/li>\n<li>.textbss \u2013 Section used by incremental linking<\/li>\n<li>.tls \u2013 Thread Local Storage Section<\/li>\n<li>.tls$ \u2013 Thread Local Storage Section<\/li>\n<li>.udata \u2013 Uninitialized Data Section<\/li>\n<li>.vsdata \u2013 GP-relative Initialized Data<\/li>\n<li>.xdata \u2013 Exception Information Section<\/li>\n<li>.wixburn \u2013 Wix section; see <a 
href=\"https:\/\/github.com\/wixtoolset\/wix3\/blob\/develop\/src\/burn\/stub\/StubSection.cpp\">https:\/\/github.com\/wixtoolset\/wix3\/blob\/develop\/src\/burn\/stub\/StubSection.cpp<\/a><\/li>\n<li>.wpp_sf&nbsp; \u2013 section that is most likely related to WPP (Windows software trace PreProcessor); not sure how it is used though; the code inside the section is just a bunch of routines that call FastWppTraceMessage that in turn calls EtwTraceMessage<\/li>\n<li>BSS \u2013 Uninitialized Data Section&nbsp; (Borland)<\/li>\n<li>CODE \u2013 Code Section (Borland)<\/li>\n<li>DATA \u2013 Data Section (Borland)<\/li>\n<li>DGROUP \u2013 Legacy data group section<\/li>\n<li>edata \u2013 Export Data Section<\/li>\n<li>idata \u2013 Initialized Data Section&nbsp; (C RunTime)<\/li>\n<li>INIT \u2013 INIT section (drivers)<\/li>\n<li>minATL \u2013 Section that can be found inside some ARM PE files; .exe files on Windows 10 include this section as well; its purpose is unknown, but it contains references to the ___pobjectentryfirst, ___pobjectentrymid, ___pobjectentrylast pointers used by Microsoft::WRL::Details::ModuleBase::&#8230; methods described e.g. 
<a href=\"https:\/\/ht.transparencytoolkit.org\/rcs-dev%5Cshare\/HOME\/cod\/CRT\/crt\/src\/vccorlib\/outofprocmodule.cpp\">here<\/a>, and also referenced by .pdb symbols; so it looks like it is used internally by the Windows Runtime C++ Template Library (WRL), which is a successor of the Active Template Library (ATL); further research needed<\/li>\n<li>PAGE \u2013 PAGE section (drivers)<\/li>\n<li>rdata \u2013 Read-only Data Section<\/li>\n<li>sdata \u2013 Initialized Data Section<\/li>\n<li>shared \u2013 Shared section<\/li>\n<li>Shared \u2013 Shared section<\/li>\n<li>testdata \u2013 section containing test data (can be found inside Visual Studio files)<\/li>\n<li>text \u2013 Alternative Code Section<\/li>\n<\/ul>\n<p><strong>Other section names<\/strong><\/p>\n<ul>\n<li>.text$&lt;name&gt; \u2013 Typically a temporary Code Section merged during building; &lt;name&gt; can be anything; the sections are sorted by name, and combined into a single .text section during the linking process<\/li>\n<li>.data$&lt;name&gt; \u2013 as above, for .data section<\/li>\n<li>.rdata$&lt;name&gt; \u2013 as above, for .rdata section<\/li>\n<li>.rsrc$&lt;name&gt; \u2013 as above, for .rsrc section<\/li>\n<li>\/&lt;number&gt; \u2013 often found in Windows clones of *nix tools compiled with mingw\/cygwin; these typically replace lengthy section names that are used under *nix; the compiler often preserves the section names in the debugging information (which is often attached to the file); most PE dumpers can&#8217;t process the debug information and just show the raw numeric section names; tools like IDA can process this information and show us the real section names (f.ex. 
.autoload_text, .cygwin_dll_common);&nbsp; examples below:\n<ul>\n<li>\/4<\/li>\n<li>\/14<\/li>\n<li>\/19<\/li>\n<li>\/29<\/li>\n<li>\/41<\/li>\n<li>\/48<\/li>\n<li>\/55<\/li>\n<li>\/67<\/li>\n<li>\/78<\/li>\n<li>\/89<\/li>\n<\/ul>\n<\/li>\n<li>Related to the above, the sections used by mingw\/cygwin are listed below (they can be found inside the cygwin.sc file in the source tarball).\n<ul>\n<li>.init<\/li>\n<li>.text<\/li>\n<li>.text$* (basically, .text$&lt;name&gt;)<\/li>\n<li>.glue_7t<\/li>\n<li>.glue_7<\/li>\n<li>.fini<\/li>\n<li>.gcc_exc<\/li>\n<li>.gcc_except_table<\/li>\n<li>.autoload_text<\/li>\n<li>.data<\/li>\n<li>.data2<\/li>\n<li>.data$* (basically, .data$&lt;name&gt;)<\/li>\n<li>.data_cygwin_nocopy<\/li>\n<li>.rdata<\/li>\n<li>.rdata$* (basically, .rdata$&lt;name&gt;)<\/li>\n<li>.eh_frame<\/li>\n<li>.pdata<\/li>\n<li>.bss<\/li>\n<li>COMMON<\/li>\n<li>.edata<\/li>\n<li>.debug$S<\/li>\n<li>.debug$T<\/li>\n<li>.debug$F<\/li>\n<li>.drectve<\/li>\n<li>.idata<\/li>\n<li>.idata$2<\/li>\n<li>.idata$3<\/li>\n<li>.idata$4<\/li>\n<li>.idata$5<\/li>\n<li>.idata$6<\/li>\n<li>.idata$7<\/li>\n<li>.CRT<\/li>\n<li>.endjunk<\/li>\n<li>.cygwin_dll_common<\/li>\n<li>.rsrc<\/li>\n<li>.rsrc$* (basically, .rsrc$&lt;name&gt;)<\/li>\n<li>.reloc<\/li>\n<li>.stab<\/li>\n<li>.stabstr<\/li>\n<li>.debug_aranges<\/li>\n<li>.debug_pubnames<\/li>\n<li>.debug_info<\/li>\n<li>.debug_abbrev<\/li>\n<li>.debug_line<\/li>\n<li>.debug_frame<\/li>\n<li>.debug_str<\/li>\n<li>.debug_loc<\/li>\n<li>.debug_macinfo<\/li>\n<li>.debug_ranges<\/li>\n<li>.cygheap<\/li>\n<\/ul>\n<\/li>\n<li>Not PE sections, but LINUX ELF file format sections\n<ul>\n<li>you may come across some of these inside PE; may be related to some code ported from *NIX; hard to say as I have not seen enough samples to confirm 100%<\/li>\n<li>.btext &#8211; Big Endian .text section (code)<\/li>\n<li>.bdata &#8211; Big Endian .data section (data)<\/li>\n<li>.brdata &#8211; Big Endian .rdata section (Read-Only 
data)<\/li>\n<li>.bctors &#8211; Big Endian .ctors section (constructors)<\/li>\n<li>.bdtors &#8211; Big Endian .dtors section (destructors)<\/li>\n<li>.rela.btext &#8211; Big Endian relocation section for .text<\/li>\n<li>.rela.bdata &#8211; Big Endian relocation section for .data<\/li>\n<li>.rela.brdata &#8211; Big Endian relocation section for .rdata<\/li>\n<li>.rela.bctors &#8211; Big Endian relocation section for .ctors<\/li>\n<li>.rela.bdtors &#8211; Big Endian relocation section for .dtors<\/li>\n<li>.bbss &#8211; Big Endian section .bss (uninitialized data)<\/li>\n<li>.ctors &#8211; Little Endian .ctors section (constructors)<\/li>\n<li>.dtors &#8211; Little Endian .dtors section (destructors)<\/li>\n<li>.ltext &#8211; Little Endian .text section (code)<\/li>\n<li>.ldata &#8211; Little Endian .data section (data)<\/li>\n<li>.lrdata &#8211; Little Endian .rdata section (Read-Only data)<\/li>\n<li>.lctors &#8211; Little Endian .ctors section (constructors)<\/li>\n<li>.ldtors &#8211; Little Endian .dtors section (destructors)<\/li>\n<li>.rela.ltext &#8211; Little Endian relocation section for .text<\/li>\n<li>.rela.ldata &#8211; Little Endian relocation section for .data<\/li>\n<li>.rela.lrdata &#8211; Little Endian relocation section for .rdata<\/li>\n<li>.rela.lctors &#8211; Little Endian relocation section for .ctors<\/li>\n<li>.rela.ldtors &#8211; Little Endian relocation section for .dtors<\/li>\n<li>.lbss &#8211; Little Endian section .bss (uninitialized data)<\/li>\n<\/ul>\n<\/li>\n<li>Primarily Linux-oriented, but sometimes present in PE e.g. 
in some old Watcom-compiled binaries\n<ul>\n<li>begtext &#8211; beginning of the text section<\/li>\n<li>begdata &#8211; beginning of the data section<\/li>\n<li>begbss &#8211; beginning of the bss section<\/li>\n<li>endtext &#8211; end of the text section<\/li>\n<li>enddata &#8211; end of the data section<\/li>\n<li>endbss &#8211; end of the bss section<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Update 2022-11-23 Added .profile for NightHawk Update 2021-01-29 Added a few more sections Update 2020-10-15 Added .AAWEBS Update 2020-08-15 Added .imrsiv, also visit this post. Update 2019-03-15 Added sections from demoscene files; additional protectors, and many others; big update in &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/12\/15\/pe-section-names-re-visited\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9,120],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3997"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3997"}],"version-history":[{"count":27,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3997\/revisions"}],"predecessor-version":[{"id":9211,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3997\/revisions\/9211"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v
2\/categories?post=3997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}