;Copyright (c) 2012-2013 Peter Ferrie
;Windows XP/Vista/7/8, 32-bit version, 64-bit compatible
;
;legend:
;  EE - executable without restriction
;  0E - executable with restriction
;
;offset type contents               comments
000h    db   'M', 'Z'               ;DOS signature
002h    db   'P', 'F'               ;these are executable, too, but if Mark can put his signature... ;-)
004h    db   'P', 'E', 0, 0         ;Signature
008h    dw   014Ch                  ;Machine (x86 for this example)
00Ah    dw   0000                   ;NumberOfSections (zero sections has always been legal on NT-based platforms)
00Ch    dd   0EEEEEEEEh             ;TimeDateStamp
010h    dd   0EEEEEEEEh             ;PointerToSymbolTable
014h    dd   0EEEEEEEEh             ;NumberOfSymbols
018h    dw   0008                   ;SizeOfOptionalHeader (must be a multiple of 8 for 64-bit, mostly ignored if NumberOfSections is zero, so executable with restrictions)
01Ah    dw   0002                   ;Characteristics (can be any value if bit 1 (executable) is set and bit 13 (DLL) is clear, so executable with restrictions)
01Ch    dw   010Bh                  ;Magic (executable but unchangeable - the 01 can form part of an "add", for example)
01Eh    db   0EEh                   ;MajorLinkerVersion
01Fh    db   0EEh                   ;MinorLinkerVersion
020h    dd   0EEEEEEEEh             ;SizeOfCode
024h    dd   0EEEEEEEEh             ;SizeOfInitializedData
028h    dd   0EEEEEEEEh             ;SizeOfUninitializedData
02Ch    dd   0000003Ah              ;AddressOfEntryPoint (executable if chosen carefully, for example a "mov reg, 0")
030h    dd   0EEEEEEEEh             ;BaseOfCode
034h    dd   0EEEEEEEEh             ;BaseOfData
038h    dd   00CC0000h              ;ImageBase
03Ch    dd   00000004               ;SectionAlignment (also lfanew for DOS header, and values < 1000h disable DEP so we can run directly from the file header)
040h    dd   00000004               ;FileAlignment (must == SectionAlignment if < 1000h, but can't be changed because of lfanew position)
044h    dw   0EEEEh                 ;MajorOperatingSystemVersion
046h    dw   0EEEEh                 ;MinorOperatingSystemVersion
048h    dw   0EEEEh                 ;MajorImageVersion
04Ah    dw   0EEEEh                 ;MinorImageVersion
04Ch    dw   0004                   ;MajorSubsystemVersion (must not be larger than the platform version, a lesser major version allows any minor version;
                                    ;a major value of 4 is easier to use, since it decodes to "add al, 0")
04Eh    dw   0EEEEh                 ;MinorSubsystemVersion (must be 0ah or larger if major version is 3)
050h    dd   0EEEEEEEEh             ;Win32VersionValue (but apparently non-zero values can break D3D support on some systems)
054h    dd   000EEEEEEh             ;SizeOfImage (does not need to be aligned to anything, even the top byte can be used for small values)
058h    dd   0000002Ch              ;SizeOfHeaders (this is the size in memory, not the size on disk, so can be > filesize, but must be < SizeOfImage;
                                    ;cannot be < 2ch in Windows 7 because of a bug when checking section names for compatibility purposes;
                                    ;must be <= AddressOfEntryPoint in Windows 8;
                                    ;executable if chosen carefully, for example a "mov reg, 0")
05Ch    dd   0EEEEEEEEh             ;CheckSum
060h    dw   0002                   ;SubSystem
062h    dw   0EE0Eh                 ;DllCharacteristics (can be any value if bit 7 (integrity checks) is clear, bit 10 (no SEH) is clear if you want to use SEH, and bit 12 (appcontainer) is clear in Windows 8)
064h    dd   0EEEEEEEh              ;SizeOfStackReserve (top byte can be used for small values)
068h    dd   0EEEEEEEh              ;SizeOfStackCommit (top byte can be used for small values)
06Ch    dd   0EEEEEEEh              ;SizeOfHeapReserve (top byte can be used for small values)
070h    dd   0EEEEEEEh              ;SizeOfHeapCommit (top byte can be used for small values)
074h    dd   0EEEEEEEEh             ;LoaderFlags
078h    dd   00000000               ;NumberOfRvaAndSizes
07Ch    dq   6 dup (0EEEEEEEEEEEEEEEEh) ;DataDirectory RVA and Sizes would be here, if we had any
0ACh    dd   0EEEEEEEEh             ;Debug.RVA
0B0h    dd   00000000               ;Debug.Size (must be < 1ch if NX policy is not set to opt-in (or if undocumented RTL_USER_PROCESS_PARAMETERS.Flags bit 17 is set),
                                    ;because of a bug in Windows that assumes that there are always enough data directories to include a Debug directory, and just reads directly from the directory;
                                    ;if the Size is non-zero, then Windows attempts to interpret the Debug data and might crash)
0B4h    db   58h dup (0EEh)         ;padding to reach 10ch, the minimum file size for 64-bit platforms
10Ch                                ;end of header
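The listing above, assembled and checked in Python as an added example (this is not Peter Ferrie's code): build_tiny_header emits the 10Ch bytes of the table, with 0EEh in every slot marked EE, and check_tiny_pe applies the loader constraints that the comments document. The offsets used by the checker follow from e_lfanew == 4: the optional header starts at 01Ch, so SectionAlignment at 03Ch is the same dword as e_lfanew and the Debug directory slot lands at 0ACh even though NumberOfRvaAndSizes is zero. The function names, the violation messages, and the choice to apply the Windows 7 and Windows 8 rules (and the conservative reading of the Debug.Size rule) unconditionally are my assumptions, not anything the listing states.

```python
"""Build the overlapped DOS/PE header from the listing and check its loader constraints.
Added example; byte values come from the table, the check rules are transcribed from
its comments and applied unconditionally (an assumption, the real rules are version-specific)."""
import struct

def build_tiny_header() -> bytes:
    # (struct format, value) in file order; b'\xEE' bytes are the 'EE' slots, free for code.
    fields = [
        ('2s', b'MZ'),             # 000h DOS signature
        ('2s', b'PF'),             # 002h free bytes
        ('4s', b'PE\0\0'),         # 004h PE signature; e_lfanew (03Ch) == 4 points here
        ('H', 0x014C),             # 008h Machine (x86)
        ('H', 0),                  # 00Ah NumberOfSections
        ('12s', b'\xEE' * 12),     # 00Ch TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        ('H', 8),                  # 018h SizeOfOptionalHeader
        ('H', 2),                  # 01Ah Characteristics: bit 1 set, bit 13 clear
        ('H', 0x010B),             # 01Ch Magic (PE32)
        ('14s', b'\xEE' * 14),     # 01Eh linker versions, SizeOfCode/InitializedData/UninitializedData
        ('I', 0x3A),               # 02Ch AddressOfEntryPoint
        ('8s', b'\xEE' * 8),       # 030h BaseOfCode, BaseOfData
        ('I', 0x00CC0000),         # 038h ImageBase
        ('I', 4),                  # 03Ch SectionAlignment == e_lfanew (< 1000h: flat mapping, no DEP)
        ('I', 4),                  # 040h FileAlignment (must equal SectionAlignment)
        ('8s', b'\xEE' * 8),       # 044h OS / image versions
        ('H', 4),                  # 04Ch MajorSubsystemVersion
        ('6s', b'\xEE' * 6),       # 04Eh MinorSubsystemVersion, 050h Win32VersionValue
        ('I', 0x00EEEEEE),         # 054h SizeOfImage
        ('I', 0x2C),               # 058h SizeOfHeaders
        ('4s', b'\xEE' * 4),       # 05Ch CheckSum
        ('H', 2),                  # 060h Subsystem (GUI)
        ('H', 0xEE0E),             # 062h DllCharacteristics: bits 7 and 12 clear (bit 10 set, so no SEH)
        ('4I', (0x0EEEEEEE,) * 4), # 064h stack/heap reserve and commit
        ('4s', b'\xEE' * 4),       # 074h LoaderFlags
        ('I', 0),                  # 078h NumberOfRvaAndSizes: no data directories declared
        ('48s', b'\xEE' * 48),     # 07Ch Export..BaseReloc directory slots (unused)
        ('4s', b'\xEE' * 4),       # 0ACh Debug.RVA
        ('I', 0),                  # 0B0h Debug.Size (read by the loader even though undeclared)
        ('88s', b'\xEE' * 88),     # 0B4h padding to 10Ch, the 64-bit minimum file size
    ]
    out = b''.join(struct.pack('<' + f, *(v if isinstance(v, tuple) else (v,))) for f, v in fields)
    assert len(out) == 0x10C
    return out

def _u16(d, o): return struct.unpack_from('<H', d, o)[0]
def _u32(d, o): return struct.unpack_from('<I', d, o)[0]

def check_tiny_pe(data: bytes) -> list:
    """Return the list of violated constraints; an empty list means the header passes
    every rule the listing documents (platform version itself is not known here)."""
    bad = []
    if len(data) < 0x10C:
        return ['file shorter than 10Ch (minimum file size on 64-bit platforms)']
    if data[:2] != b'MZ':
        bad.append('missing MZ signature')
    lfanew = _u32(data, 0x3C)
    if lfanew + 0x18 + 0x98 > len(data) or data[lfanew:lfanew + 4] != b'PE\0\0':
        bad.append('e_lfanew does not point at PE\\0\\0 inside the file')
        return bad
    pe, opt = lfanew, lfanew + 0x18          # COFF header, then optional header
    if _u16(data, pe + 6) != 0:
        bad.append('NumberOfSections != 0 (a section table would then be required)')
    chars = _u16(data, pe + 0x16)
    if not chars & 0x0002:
        bad.append('Characteristics bit 1 (executable) clear')
    if chars & 0x2000:
        bad.append('Characteristics bit 13 (DLL) set')
    if _u16(data, opt) != 0x010B:
        bad.append('Magic != 010Bh')
    entry = _u32(data, opt + 0x10)
    sec_align, file_align = _u32(data, opt + 0x20), _u32(data, opt + 0x24)
    if sec_align < 0x1000 and sec_align != file_align:
        bad.append('SectionAlignment < 1000h but != FileAlignment')
    major, minor = _u16(data, opt + 0x28), _u16(data, opt + 0x2A)
    if major == 3 and minor < 0x0A:
        bad.append('MajorSubsystemVersion 3 needs MinorSubsystemVersion >= 0Ah')
    size_image, size_headers = _u32(data, opt + 0x38), _u32(data, opt + 0x3C)
    if not size_headers < size_image:
        bad.append('SizeOfHeaders >= SizeOfImage')
    if size_headers < 0x2C:
        bad.append('SizeOfHeaders < 2Ch (Windows 7 section-name check)')
    if size_headers > entry:
        bad.append('SizeOfHeaders > AddressOfEntryPoint (Windows 8)')
    dllc = _u16(data, opt + 0x46)
    if dllc & 0x0080:
        bad.append('DllCharacteristics bit 7 (integrity checks) set')
    if dllc & 0x1000:
        bad.append('DllCharacteristics bit 12 (appcontainer) set (Windows 8)')
    if _u32(data, opt + 0x5C) < 7:
        # The loader reads the Debug slot (index 6) whether or not it is declared.
        if _u32(data, opt + 0x60 + 6 * 8 + 4) >= 0x1C:
            bad.append('undeclared Debug.Size >= 1Ch (loader reads it regardless of NumberOfRvaAndSizes)')
    return bad

def entry_bytes(data: bytes, n: int = 8) -> bytes:
    """With SectionAlignment < 1000h the file is mapped flat, so RVA == file offset and
    the first instructions are simply the file bytes at AddressOfEntryPoint."""
    entry = _u32(data, _u32(data, 0x3C) + 0x18 + 0x10)
    return data[entry:entry + n]

def patch_field(data: bytes, offset: int, fmt: str, value: int) -> bytes:
    """Copy of data with one little-endian field overwritten, for what-if checks."""
    buf = bytearray(data)
    struct.pack_into('<' + fmt, buf, offset, value)
    return bytes(buf)

if __name__ == '__main__':
    h = build_tiny_header()
    print('listing header:', check_tiny_pe(h) or 'no violations')
    print('entry bytes at 03Ah:', entry_bytes(h).hex())
    print('SizeOfHeaders raised to 40h:', check_tiny_pe(patch_field(h, 0x58, 'I', 0x40)))
    print('Debug.Size set to 1Ch:', check_tiny_pe(patch_field(h, 0xB0, 'I', 0x1C)))
```

The what-if patches are the useful part: flipping a single field and re-running the checker shows which of the listing's constraints each field is load-bearing for, which is also how to triage an unknown file that has a suspiciously small e_lfanew or a SectionAlignment below 1000h.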