1.3.2 Program On Disk

Let's look at how a compiled program appears on disk, using a simple C program that prints a string to the screen:

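#include <stdio.h>

int main() {
    /* The string literal is data; the compiler stores it outside the code. */
    char *string = "This is a simple program";
    /* The call to printf is compiled into machine code. */
    printf("%s", string);
    return 0;
}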

The above program was passed through a compiler to generate an executable file (print_string.exe). Opening the compiled executable file in the PE Internals tool (http://www.andreybazhan.com/pe-internals.html) displays the five sections (.text, .rdata, .data, .rsrc, and .reloc) generated by the compiler. Information about the sections was provided in Chapter 2, Static Analysis. Here, we will mainly focus on two sections: .text and .data. The content of the .data section is shown in the following screenshot:

In the preceding screenshot, you can see that the string This is a simple program, which we used in our program, is stored in the .data section at the file offset 0x1E00. This string is not code, but it is data required by the program. In the same manner, the .rdata section contains read-only data and sometimes contains import/export information. The .rsrc section contains resources used by the executable.

The content of the .text section is shown in the following screenshot:

The sequence of bytes (35 bytes to be specific) displayed in the .text section (starting from the file offset 0x400) is the machine code. The source code that we had written was translated into machine code (or machine language program) by the compiler. The machine code is not easy for humans to read, but the processor (CPU) knows how to interpret those sequences of bytes. The machine code contains instructions that will be executed by the processor. The compiler segregated the data and the code in different sections on the disk. For the sake of simplicity, we can think of an executable as containing code (.text) and data (.data, .rdata, and so on):
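The split between code and data described above can be read straight from the PE section table. The following is an added example, not code from the book: it parses the section headers of a constructed sample and maps a file offset to the section that holds it. Only the offsets 0x400 and 0x1E00 come from the text; the section sizes, the assumption that .data begins at 0x1E00, and the names build_sample_headers, parse_sections and section_at are made up for illustration.

```python
import struct

SCN_CNT_CODE, SCN_MEM_EXECUTE = 0x20, 0x20000000  # section characteristic flags

def build_sample_headers():
    """Constructed PE headers (no section bodies); not the book's print_string.exe."""
    sections = [  # name, raw size, raw file offset, characteristics (sizes are made up)
        (b".text", 0x1000, 0x0400, 0x60000020),   # code | execute | read
        (b".rdata", 0x0A00, 0x1400, 0x40000040),  # initialized data | read
        (b".data", 0x0200, 0x1E00, 0xC0000040),   # initialized data | read | write
    ]
    opt_size = 0xE0  # length of a PE32 optional header, zero-filled in this sample
    blob = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew sits at 0x3C
    blob += b"PE\x00\x00"
    blob += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    blob += b"\x00" * opt_size
    for i, (name, size, off, flags) in enumerate(sections):
        blob += struct.pack("<8sIIIIIIHHI", name, size, 0x1000 * (i + 1),
                            size, off, 0, 0, 0, 0, flags)
    return blob

def parse_sections(data):
    """Return (name, raw file offset, raw size, kind) for each section header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing or truncated PE header")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    if table + 40 * count > len(data):
        raise ValueError("section table runs past end of file")
    found = []
    for i in range(count):
        name, _, _, raw_size, raw_off, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        kind = "code" if flags & (SCN_CNT_CODE | SCN_MEM_EXECUTE) else "data"
        found.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                      raw_off, raw_size, kind))
    return found

def section_at(sections, file_offset):
    """Name of the section whose raw bytes cover file_offset, else None."""
    for name, raw_off, raw_size, _ in sections:
        if raw_off <= file_offset < raw_off + raw_size:
            return name
    return None

if __name__ == "__main__":
    for name, raw_off, raw_size, kind in parse_sections(build_sample_headers()):
        print(f"{name:<8} offset=0x{raw_off:04X} size=0x{raw_size:04X} {kind}")
```

To run it against a real executable, pass the file's bytes to parse_sections in place of the constructed sample.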
