How to determine the size of an PE executable file from headers and or footers

Question

Assuming you have a stream of data or a block of bytes you want to carve, how can you determine the size of the executables?

There are numerous headers inside the PE executable format, but what header sections do I use to determine (if possible) the total length of the executable?

Here is a picture of the file format.

Answer 1

If the PE file is well formed, the calculation can be simplified as (pseudo-code):

size = IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders

foreach section_header in section_headers:
    size += section_header.SizeOfRawData

Where:

• SizeOfHeaders is a member of IMAGE_OPTIONAL_HEADER structure.
• (IMAGE_OPTIONAL_HEADER structure is part of IMAGE_NT_HEADERS)

SizeOfHeaders field gives the length of all the headers (note: including the 16-bit stub).

• Each section header is an IMAGE_SECTION_HEADER structure
• SizeOfRawData field gives the length of each section on disk.

---

Example with notepad (Windows 10):

• SizeOfHeaders : 0x400

• SizeOfRawDataof each sections :
  • .text: 0x15400
  • .data: 0x800
  • .idata: 0x1A00
  • .rsrc: 0x19C00
  • .reloc: 0x1600

(note: SizeOfRawData is called Raw Size in the below picture):

Sum everything:

>>> size_of_headers = 0x400
>>> sec_sizes = [0x15400, 0x800, 0x1a00, 0x19c00, 0x1600]
>>> size_of_headers + sum(sec_sizes)
207872
>>> 

Total size: 207872 bytes.

Verification:

Note: the above calculation doesn't take into account if the PE is badly formed or if there is an overlay.