What fields of a PE may differ without altering its behavior?

Time: 08-17

I'm reading the docs on the PE file structure and I'm wondering what parts of the structure of a PE may differ without altering its behavior.

To clarify, suppose I have two PEs of a calculator program: the TimeDateStamp of the COFF File Header may differ between them, but the program itself would be "equivalent".

My question is: what are all the fields that may differ between them? Does this even make sense to ask?

CodePudding user response:

  • Everything between MZ and PE except e_lfanew (might break it in DOS, of course).
  • TimeDateStamp
  • MajorLinkerVersion, MinorLinkerVersion, MajorImageVersion and MinorImageVersion, but these might trigger very minor compatibility shims in Windows
  • CheckSum (assuming IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY is not set and it is not a kernel driver)
  • SizeOfStack... and SizeOfHeap...
  • LoaderFlags maybe? This field is deprecated/undocumented.
  • In the section headers (IMAGE_SECTION_HEADER) you can most likely change the ASCII names and ...Linenumbers. You can also add Write and/or Execute to Characteristics.
  • There are several data areas (resources etc.) where there are timestamps you can change.
  • The padding between data areas.

SizeOfInitializedData and SizeOfUninitializedData can be set to 0 and maybe to other values, but then you start to violate the PE spec.

When you look at some of the tiny PE projects you will see that they don't include the full list of DataDirectories but this is hard to do on an existing PE. These projects often just do whatever the NT loader needs and they don't care about the PE spec.
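Read as a defender's fingerprint, the list above translates into a normalizer that zeroes those fields before hashing, so two builds of the same program that differ only in them compare equal. This is an added Python example, not code from the question or answer; `build_sample_pe` constructs a synthetic PE32 header (not a loadable binary) purely as test input, and the normalizer handles the FORCE_INTEGRITY case but not the kernel-driver case the answer mentions.

```python
import hashlib
import struct

FORCE_INTEGRITY = 0x0080     # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
PE32_PLUS_MAGIC = 0x20B

def normalize_pe(data: bytes) -> bytes:
    """Zero the header fields the answer lists as behaviour-neutral."""
    buf = bytearray(data)
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    buf[2:0x3C] = bytes(0x3A)                    # DOS header body; keep "MZ" and e_lfanew
    buf[0x40:e_lfanew] = bytes(e_lfanew - 0x40)  # DOS stub
    coff = e_lfanew + 4                          # past "PE\0\0"
    nsections, = struct.unpack_from("<H", buf, coff + 2)
    struct.pack_into("<I", buf, coff + 4, 0)     # TimeDateStamp
    opt_size, = struct.unpack_from("<H", buf, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", buf, opt)
    buf[opt + 2:opt + 4] = b"\0\0"               # Major/MinorLinkerVersion
    struct.pack_into("<HH", buf, opt + 44, 0, 0) # Major/MinorImageVersion
    dll_chars, = struct.unpack_from("<H", buf, opt + 70)
    if not dll_chars & FORCE_INTEGRITY:          # CheckSum matters when integrity is enforced
        struct.pack_into("<I", buf, opt + 64, 0)
    width = 8 if magic == PE32_PLUS_MAGIC else 4 # SizeOfStack*/SizeOfHeap* + LoaderFlags
    buf[opt + 72:opt + 76 + 4 * width] = bytes(4 * width + 4)
    for i in range(nsections):
        h = opt + opt_size + 40 * i
        buf[h:h + 8] = bytes(8)                  # Name
        struct.pack_into("<I", buf, h + 28, 0)   # PointerToLinenumbers
        struct.pack_into("<H", buf, h + 34, 0)   # NumberOfLinenumbers
    return bytes(buf)

def equivalence_digest(data: bytes) -> str:
    return hashlib.sha256(normalize_pe(data)).hexdigest()

def build_sample_pe(timestamp: int, checksum: int, entry_rva: int = 0x1000,
                    dll_chars: int = 0x8140) -> bytes:
    """Constructed minimal PE32 header with one section; not a loadable binary."""
    dos = bytearray(0x80)
    dos[0:2], dos[0x40:0x44] = b"MZ", b"stub"
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 1, 0, 6, 0, 0, 0x3000, 0x200,
                      checksum, 3, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                         # 16 empty data directories
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + sect
```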
