Extracting The Overlay Of A PE File

Published: 2022-05-29
Last Updated: 2022-05-29 08:47:00 UTC
by Didier Stevens (Version: 1)
In diary entries "Huge Signed PE File" and "Huge Signed PE File: Keeping The Signature" I explain how to get rid of the overlay in a huge PE file.

What commands do you need to issue if you do want the overlay (e.g., for analysis)?

To achieve this, follow the steps I explained here up to the extraction of the stripped PE file (option -g s). Then issue a similar extraction command, but with -g o (o stands for overlay), to extract the overlay instead of the stripped file.
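To make the split between "stripped PE file" and "overlay" concrete, here is an added example (my own code, not a tool from the diary or from the author) that computes the overlay boundary the same way PE tools do: it reads the section table and takes the highest PointerToRawData + SizeOfRawData as the end of the PE image; everything after that offset is the overlay. The sample PE built by `build_sample_pe` is constructed inline and is not a real executable; the function names are my own. The overlay is where an Authenticode signature (the security data directory) lives, which is why extracting or keeping it matters for analysis.

```python
import struct
import sys

# IMAGE_SECTION_HEADER is 40 bytes; SizeOfRawData is at offset 16,
# PointerToRawData at offset 20.
SECTION_HEADER_SIZE = 40


def find_overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay starts.

    The PE image ends where the last section's raw data ends (highest
    PointerToRawData + SizeOfRawData). Anything after that is the overlay.
    Truncated files (a section claiming data past EOF) yield len(data),
    i.e. an empty overlay, rather than a negative slice.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4  # COFF file header follows the 4-byte signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional

    # The image can never end before the section table itself ends.
    end = section_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = section_table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)  # sections need not be in file order
    return min(end, len(data))


def extract_overlay(data: bytes) -> bytes:
    """Equivalent of the '-g o' extraction: bytes after the last section."""
    return data[find_overlay_offset(data):]


def strip_overlay(data: bytes) -> bytes:
    """Equivalent of the '-g s' extraction: the PE file without its overlay."""
    return data[:find_overlay_offset(data)]


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 layout for demonstration:
    MZ stub, PE signature, COFF header with one section, a zeroed 0xE0-byte
    optional header (magic only), one section header, 0x200 bytes of section
    data at file offset 0x200, then the given overlay bytes."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0
    # Machine=I386, NumberOfSections=1, timestamp/symbols zero, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    sect_ptr, sect_size = 0x200, 0x200
    section_header = struct.pack(
        "<8sIIIIIIHHI",
        b".text", 0x100, 0x1000, sect_size, sect_ptr, 0, 0, 0, 0, 0x60000020,
    )
    headers = dos_header + b"PE\0\0" + coff + optional + section_header
    headers = headers.ljust(sect_ptr, b"\0")
    section_data = b"\xC3" * sect_size  # filler, constructed sample content
    return headers + section_data + overlay


if __name__ == "__main__":
    # Usage: python extract_overlay.py input.exe overlay.bin
    with open(sys.argv[1], "rb") as f:
        pe = f.read()
    overlay = extract_overlay(pe)
    print(f"overlay starts at 0x{find_overlay_offset(pe):X}, {len(overlay)} bytes")
    with open(sys.argv[2], "wb") as f:
        f.write(overlay)
```

For a huge signed file this is the cheap operation: the section table is read once and the overlay is a single slice, so no parsing of the overlay's contents (the signature blob, appended installer data, or whatever else a packer left there) is needed to carve it out for separate analysis.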

Didier Stevens
Senior handler
Microsoft MVP

Keywords: huge pefile signature
