The NT header (IMAGE_NT_HEADERS) is a structure within PE files which contains the FileHeader and OptionalHeader headers.
This header can be identified by the signature “PE” (0x50 0x45). This signature is defined as a DWORD and padded by two NULL bytes: 0x50450000
The NT header varies based off of the architecture the file is targeted for:
32 bit:
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
64 bit:
typedef struct _IMAGE_NT_HEADERS64 {
DWORD Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;