PE32+ Image File Format

The image file format for the x64 platform is known as PE32+. As one would expect, the file format is derived from the PE file format with only very slight modifications. For instance, 64-bit binaries contain an IMAGE_OPTIONAL_HEADER64 rather than an IMAGE_OPTIONAL_HEADER. The differences between these two structures are described in the table below:

**Figure 3.1:** `IMAGE_OPTIONAL_HEADER` differences
$\begin{figure} \begin{center} \begin{tabular}{\vert l\vert l\vert l\vert} \hl... ...ULONG & ULONGLONG \\ \par \hline \end{tabular} \end{center} \end{figure}$

In general, any structure attribute in the PE image that made reference to a 32-bit virtual address directly rather than through an RVA (Relative Virtual Address) has been expanded to a 64-bit attribute in PE32+. Other examples of this include the IMAGE_TLS_DIRECTORY structure and the IMAGE_LOAD_CONFIG_DIRECTORY structure.

With the exception of certain field offsets in specific structures, the PE32+ image file format is largely backward compatible with PE both in use and in form.