;Copyright (c) 2012-2013 Peter Ferrie
;
;64-bit version
;
;Annotated layout of a minimal PE32+ file whose DOS header, NT headers and
;optional header overlap and whose entry point (36h) lies inside the header
;itself. The left column is the file offset of each field, then the data
;directive, the value, and the constraint that value must satisfy.
;
;legend:
;  EE - executable without restriction (any value works)
;  0E - executable with restriction (only some values work; see comments)
;
;Analysis note: several assumptions common in PE parsers do not hold for this
;layout: NumberOfSections is 0, SizeOfHeaders is 0 (smaller than the real header),
;SectionAlignment/FileAlignment are 4, the PE signature sits at offset 4 (lfanew
;shares the SectionAlignment dword at 3Ch), and AddressOfEntryPoint points inside
;the header rather than into a section. A scanner or loader emulator that rejects
;or mis-parses any of these will disagree with the Windows loader about what this
;file is; follow loader semantics and treat these properties as review signals.
;
;offset type     contents             comments
000h    db       'M', 'Z'             ;DOS signature
002h    db       'P', 'F'             ;these are executable, too, but if Mark can put his signature... ;-)
004h    db       'P', 'E', 0, 0       ;Signature (lfanew at 3Ch below is 4, so the PE header starts here, overlapping the DOS header)
008h    dw       8664h                ;Machine (x64 for this example)
00Ah    dw       0000                 ;NumberOfSections (zero sections has always been legal on NT-based platforms)
00Ch    dd       0EEEEEEEEh           ;TimeDateStamp
010h    dd       0EEEEEEEEh           ;PointerToSymbolTable
014h    dd       0EEEEEEEEh           ;NumberOfSymbols
018h    dw       0008                 ;SizeOfOptionalHeader (must be a multiple of 8 for 64-bit; mostly ignored if NumberOfSections is zero, so executable with restrictions)
01Ah    dw       0002                 ;Characteristics (can be any value if bit 1 (executable) is set and bit 13 (DLL) is clear, so executable with restrictions)
01Ch    dw       020Bh                ;Magic (PE32+; executable but unchangeable - the 02 can form part of an "add", for example)
01Eh    db       0EEh                 ;MajorLinkerVersion
01Fh    db       0EEh                 ;MinorLinkerVersion
020h    dd       0EEEEEEEEh           ;SizeOfCode
024h    dd       0EEEEEEEEh           ;SizeOfInitializedData
028h    dd       0EEEEEEEEh           ;SizeOfUninitializedData
02Ch    dd       00000036h            ;AddressOfEntryPoint (executable if chosen carefully, for example a "mov reg, 0")
                                      ;36h falls inside the ImageBase field at 34h; with the value below, the byte
                                      ;there is 0CCh (int3), which looks like a placeholder/breakpoint in this example
030h    dd       0EEEEEEEEh           ;BaseOfCode
034h    dq       0000000000CC0000h    ;ImageBase
03Ch    dd       00000004             ;SectionAlignment (also lfanew for the DOS header, so it must equal the offset of the PE signature above;
                                      ;values < 1000h disable DEP so we can run directly from the file header)
040h    dd       00000004             ;FileAlignment (must == SectionAlignment if < 1000h, but can't be changed because of the lfanew position)
044h    dw       0EEEEh               ;MajorOperatingSystemVersion
046h    dw       0EEEEh               ;MinorOperatingSystemVersion
048h    dw       0EEEEh               ;MajorImageVersion
04Ah    dw       0EEEEh               ;MinorImageVersion
04Ch    dw       0004                 ;MajorSubsystemVersion (must not be larger than the platform version; a lesser major version allows any minor version)
                                      ;a major value of 4 is easier to use, since it decodes to "add al, 0"
04Eh    dw       0EEEEh               ;MinorSubsystemVersion (must be 0Ah or larger if major version is 3)
050h    dd       0EEEEEEEEh           ;Win32VersionValue (but apparently non-zero values can break D3D support on some systems)
054h    dd       000EEEEEEh           ;SizeOfImage (does not need to be aligned to anything; even the top byte can be used for small values)
058h    dd       00000000             ;SizeOfHeaders (this is the size in memory, not the size on disk, so it can be > filesize, but must be < SizeOfImage;
                                      ;must be <= AddressOfEntryPoint in Windows 8;
                                      ;executable if chosen carefully, for example a "mov reg, 0")
05Ch    dd       0EEEEEEEEh           ;CheckSum
060h    dw       0002                 ;SubSystem
062h    dw       0EE0Eh               ;DllCharacteristics (can be any value if bit 7 (integrity checks) is clear, bit 10 (no SEH) is clear if you want to use SEH,
                                      ;and bit 12 (appcontainer) is clear in Windows 8)
064h    dq       000000000EEEEEEEh    ;SizeOfStackReserve (top byte of low dword can be used for small values, but much harder to use)
06Ch    dq       000000000EEEEEEEh    ;SizeOfStackCommit (top byte of low dword can be used for small values, but much harder to use)
074h    dq       000000000EEEEEEEh    ;SizeOfHeapReserve (top byte of low dword can be used for small values, but much harder to use)
07Ch    dq       000000000EEEEEEEh    ;SizeOfHeapCommit (top byte of low dword can be used for small values, but much harder to use)
084h    dd       0EEEEEEEEh           ;LoaderFlags
088h    dd       00000000             ;NumberOfRvaAndSizes (zero, so no DataDirectory entries follow)
08Ch    times 80h db (0EEh)           ;padding to reach 10Ch, the minimum file size for 64-bit platforms
                                      ;DataDirectory RVAs and Sizes would be here, if we had any
10Ch                                  ;end of header