Given some Random.exe on Windows, how can I determine
- its CPU architecture, e.g. Intel/ARM, and
- its bitness, e.g. 32 or 64.
Is there a property in File Explorer, some other tool, or programmatic method I can use?
The architecture of the executable is written in the Machine field of the COFF header. You can retrieve it programmatically or manually with a hex editor:
You can see PE structure here. The valid Machine field values are listed here.
EDIT: Here's a C code that does that, untested:
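    #include <stdio.h>
    #include <stdint.h>

    int main(int argc, char *argv[]) {
        if (argc < 2) return 1;
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        uint32_t offset = 0;   /* value at 0x3c: file offset of the "PE\0\0" signature */
        uint16_t machine = 0;  /* COFF Machine field, right after the 4-byte signature */
        if (fseek(f, 0x3c, SEEK_SET) != 0 || fread(&offset, sizeof(offset), 1, f) != 1 ||
            fseek(f, (long)offset + 4, SEEK_SET) != 0 || fread(&machine, sizeof(machine), 1, f) != 1) {
            fprintf(stderr, "%s: too short to be a PE file\n", argv[1]);
            fclose(f);
            return 1;
        }
        fclose(f);
        printf("Machine: 0x%.4x\n", machine);
        return 0;
    }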
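A bounds-checked version of the Machine-field lookup described in the answer above, as an added example (not code from the original post or from any of the tools mentioned on this page). It goes one step further and reads the optional-header Magic (0x10b for PE32, 0x20b for PE32+) to report bitness; the names pe_identify, pe_machine_name and make_sample are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Read little-endian fields byte by byte: no dependence on host endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
struct pe_info { uint16_t machine; int bits; };  /* bits: 32, 64, or 0 if unknown */

/* Returns 0 on success, -1 if buf does not hold a well-formed PE header. */
int pe_identify(const uint8_t *buf, size_t len, struct pe_info *out) {
    if (len < 0x40 || memcmp(buf, "MZ", 2) != 0) return -1;
    uint32_t pe = rd32(buf + 0x3c);              /* offset of "PE\0\0" */
    /* Signature (4) + COFF header (20) + optional-header Magic (2) must fit. */
    if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    out->machine = rd16(buf + pe + 4);           /* COFF Machine */
    uint16_t opt_size = rd16(buf + pe + 20);     /* SizeOfOptionalHeader */
    uint16_t magic = opt_size >= 2 ? rd16(buf + pe + 24) : 0;
    out->bits = magic == 0x10b ? 32 : magic == 0x20b ? 64 : 0;  /* PE32 / PE32+ */
    return 0;
}

const char *pe_machine_name(uint16_t m) {
    switch (m) {
    case 0x014c: return "x86";
    case 0x8664: return "x64";
    case 0x01c4: return "ARM";
    case 0xaa64: return "ARM64";
    default:     return "unknown";
    }
}

/* Constructed header-only sample (not a loadable program) for trying the parser. */
void make_sample(uint8_t buf[128], uint16_t machine, uint16_t magic) {
    memset(buf, 0, 128);
    memcpy(buf, "MZ", 2);
    buf[0x3c] = 0x40;                            /* PE signature at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = machine & 0xff; buf[0x45] = machine >> 8;
    buf[0x54] = 0xf0;                            /* SizeOfOptionalHeader */
    buf[0x58] = magic & 0xff;   buf[0x59] = magic >> 8;
}

int main(void) {
    uint8_t buf[128]; struct pe_info pi;
    make_sample(buf, 0x8664, 0x20b);
    if (pe_identify(buf, sizeof buf, &pi) == 0)
        printf("%s, %d-bit\n", pe_machine_name(pi.machine), pi.bits);
    return 0;
}
```

To use it on a real file, read the first few kilobytes into a buffer and pass the number of bytes actually read as len, so a truncated or malformed file is rejected rather than read past.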
Cygwin file foo.exe will identify file contents based on their file format magic numbers / metadata. (Not their filenames). Presumably also available or installable from source in MinGW, and probably comes with any of the distros for MS's Windows Subsystem for Linux, WSL.
This is the same open-source implementation of the POSIX file command that most BSD and all Linux distros use. The upstream source is https://www.darwinsys.com/file/
https://en.wikipedia.org/wiki/File_(command) shows example output. And I have a couple Windows executables on my Linux desktop:
peter@volta:~/.wine/drive_c$ file Program\ Files/Internet\ Explorer/iexplore.exe
..../iexplore.exe: PE32+ executable (GUI) x86-64, for MS Windows
peter@volta:~/.wine/drive_c$ file Program\ Files\ \(x86\)/The\ Master\ Genealogist\ v9/tmg9.exe
..../tmg9.exe: PE32 executable (GUI) Intel 80386, for MS Windows
IDK if this is the best answer, if you don't regularly use a command line shell (like I do on my Linux desktop).
file works for pretty much any kind of file, e.g. ZIP, JPG, mp4, mkv, and for widely-used file formats it will even grab some extra metadata like JPG image resolution. (It's not based on filename, it opens the file to look at the metadata. Usually the first 4 bytes or so are a "magic number" that indicate what kind of file.)
For plain text formats, it can sometimes use heuristics to distinguish HTML vs. plain text, and recognize UTF-8 vs. UTF-16 vs. ISO-8859 vs. plain ASCII, and DOS vs. Unix line endings, etc. Pretty nice program to have around, not just for executables.
wsl file some.exe works as well. – Agley
dumpbin /headers will also show the CPU architecture and the large address aware state of an executable. This tool is shipped with Visual Studio and gives the following output:

    Microsoft (R) COFF/PE Dumper Version 14.11.25547.0
    Copyright (C) Microsoft Corporation. All rights reserved.

    Dump of file C:\Users\justins\projects\random.exe

    PE signature found

    File Type: EXECUTABLE IMAGE

    FILE HEADER VALUES
                8664 machine (x64)
                   4 number of sections
            5C0BB424 time date stamp Sat Dec 8 04:08:04 2018
                   0 file pointer to symbol table
                   0 number of symbols
                  F0 size of optional header
                  22 characteristics
                       Executable
                       Application can handle large (>2GB) addresses
dumpbin /headers | findstr /i machine works in a script. – Digiacomo

I made a CLI utility for this called pearch
Posting here as it may be handy for newcomers.
It was initially written in PHP which you can still see in the deprecated-php-version branch but I've ported it to C.
On Linux you must compile it yourself; for Windows you can use pre-built binaries.
Usage:
C:\> pearch c:\windows\system32\notepad.exe c:\windows\syswow64\notepad.exe
C:\Windows\System32\notepad.exe: Architecture: amd64
C:\Windows\SysWOW64\notepad.exe: Architecture: i386
A very easy way to do this with JavaScript: https://github.com/doctolib/windows-binary-architecture
    getTargetArch(yourFilePath, (err, archName, archCode) => {
        // you can check arch name here
    });