How can I check whether a Windows executable is 64-bit by reading only its binary file, without executing it and without using any tool such as the SDK tool dumpbin.exe with the /headers option?
Check whether an exe is 64-bit
reverse-engineering
windows
pe
executable
2021-06-09 02:05:35
4 answers
The executable type is indicated by the PE header; download the documentation.
The first word (two bytes) of the PE header indicates the target machine. Here is the list of possible values:
0x0000 - The contents of this field are assumed to be applicable to any machine type
0x01d3 - Matsushita AM33
0x8664 - x64
0x01c0 - ARM little endian
0x01c4 - ARMv7 (or higher) Thumb mode only
0xaa64 - ARMv8 in 64-bit mode
0x0ebc - EFI byte code
0x014c - Intel 386 or later processors and compatible processors
0x0200 - Intel Itanium processor family
0x9041 - Mitsubishi M32R little endian
0x0266 - MIPS16
0x0366 - MIPS with FPU
0x0466 - MIPS16 with FPU
0x01f0 - Power PC little endian
0x01f1 - Power PC with floating point support
0x0166 - MIPS little endian
0x01a2 - Hitachi SH3
0x01a3 - Hitachi SH3 DSP
0x01a6 - Hitachi SH4
0x01a8 - Hitachi SH5
0x01c2 - ARM or Thumb (“interworking”)
0x0169 - MIPS little-endian WCE v2
So, to check whether it is 64-bit, we need to look for:
0x8664 - x64
0xaa64 - ARMv8 in 64-bit mode
0x0200 - Intel Itanium processor family
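A Python walk of the same header chain, added here as an example and not part of the original answer: it follows MZ -> e_lfanew -> PE signature -> Machine exactly as described above, and goes one step further by also reading the Optional Header magic (0x10B = PE32, 0x20B = PE32+) as a cross-check, since the two fields must agree in a well-formed file. The sample PE bytes are constructed inside the block, and `pe_bitness` and `build_minimal_pe` are names chosen for this example.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification (the ones that matter here).
MACHINES = {
    0x014C: ("x86", 32), 0x01C0: ("ARM little endian", 32), 0x01C4: ("ARMv7 Thumb", 32),
    0x8664: ("x64", 64), 0xAA64: ("ARM64", 64), 0x0200: ("Itanium", 64),
}
PE32, PE32PLUS = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER.Magic values


def pe_bitness(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF Machine -> Optional Header magic.

    Only header bytes are read; nothing is executed. Every offset taken from the
    file is bounds-checked, because a crafted file can point e_lfanew anywhere."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    name, bits = MACHINES.get(machine, ("unknown", None))
    magic = None
    opt_off = e_lfanew + 24  # optional header directly follows the 20-byte COFF header
    if opt_size >= 2 and opt_off + 2 <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt_off)
    # Cross-check: a 64-bit Machine should be paired with a PE32+ optional header.
    consistent = magic is None or bits is None or (magic == PE32PLUS) == (bits == 64)
    return {"machine": machine, "name": name, "is_64bit": bits == 64,
            "magic": magic, "consistent": consistent}


def build_minimal_pe(machine: int, magic: int) -> bytes:
    """Constructed sample: just enough header bytes to exercise pe_bitness()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return dos + coff + struct.pack("<H", magic) + b"\0" * 0xEE


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x8664, PE32PLUS)
    print(pe_bitness(data))
```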
If you are checking an x86 or x64 binary in a Windows environment, here is a fun, quick little trick:
- Right-click the application.
- Click Properties.
- Click the Compatibility tab.
- In the Compatibility mode section, check the "Run this program in compatibility mode for:" box.
- If you see a Windows 95 option in the dropdown list, it is a 32-bit application. If not, it is a 64-bit application.
Dumping the content of ST3's answer into a PowerShell snippet in ready-to-use form:
# Usage: powershell -f binstreamtest.ps1 <path to exe or dll>
if ($args.Count -eq 0) { "provide a file name or path to file"; exit }
$path = $args[0]
if (-not (Test-Path -Path $path)) { "file doesnt seem to exist"; exit }
$fs = New-Object IO.FileStream($path, [IO.FileMode]::Open, [IO.FileAccess]::Read)
$br = New-Object IO.BinaryReader($fs)
# The DOS header must begin with the 'MZ' signature
if ($br.ReadChar() -ne 'M') { "no mz"; exit }; if ($br.ReadChar() -ne 'Z') { "no mz"; exit }
# e_lfanew at offset 0x3c holds the file offset of the PE header
$fs.Seek(0x3c, [IO.SeekOrigin]::Begin) | Out-Null
$e_lfanew = $br.ReadUInt32()
# e_lfanew comes from the file itself, so make sure it points inside the file
if ($e_lfanew + 6 -gt $fs.Length) { "e_lfanew points outside the file"; exit }
$peheader = $fs.Seek($e_lfanew, [IO.SeekOrigin]::Begin)
# The PE header must begin with the 'PE\0\0' signature
if ($br.ReadChar() -ne 'P') { "no pe"; exit }; if ($br.ReadChar() -ne 'E') { "no pe"; exit }
# IMAGE_FILE_HEADER.Machine is the first word after the 4-byte signature
$fs.Seek($peheader + 4, [IO.SeekOrigin]::Begin) | Out-Null
$mctype = $br.ReadUInt16()
switch ($mctype) {
0x0000 { "{0:x4} {1}" -f $mctype, "Unknown machine type" }
0x01d3 { "{0:x4} {1}" -f $mctype, "Matsushita AM33" }
0x8664 { "{0:x4} {1}" -f $mctype, "x64" }
0x01c0 { "{0:x4} {1}" -f $mctype, "ARM little endian" }
0x01c4 { "{0:x4} {1}" -f $mctype, "ARMv7 (or higher) Thumb mode only" }
0xaa64 { "{0:x4} {1}" -f $mctype, "ARMv8 in 64-bit mode" }
0x0ebc { "{0:x4} {1}" -f $mctype, "EFI byte code" }
0x014c { "{0:x4} {1}" -f $mctype, "Intel 386 or later family processors" }
0x0200 { "{0:x4} {1}" -f $mctype, "Intel Itanium processor family" }
0x9041 { "{0:x4} {1}" -f $mctype, "Mitsubishi M32R little endian" }
0x0266 { "{0:x4} {1}" -f $mctype, "MIPS16" }
0x0366 { "{0:x4} {1}" -f $mctype, "MIPS with FPU" }
0x0466 { "{0:x4} {1}" -f $mctype, "MIPS16 with FPU" }
0x01f0 { "{0:x4} {1}" -f $mctype, "Power PC little endian" }
0x01f1 { "{0:x4} {1}" -f $mctype, "Power PC with floating point support" }
0x0166 { "{0:x4} {1}" -f $mctype, "MIPS little endian" }
0x01a2 { "{0:x4} {1}" -f $mctype, "Hitachi SH3" }
0x01a3 { "{0:x4} {1}" -f $mctype, "Hitachi SH3 DSP" }
0x01a6 { "{0:x4} {1}" -f $mctype, "Hitachi SH4" }
0x01a8 { "{0:x4} {1}" -f $mctype, "Hitachi SH5" }
0x01c2 { "{0:x4} {1}" -f $mctype, "ARM or Thumb (`“interworking`”)" }
0x0169 { "{0:x4} {1}" -f $mctype, "MIPS little-endian WCE v2" }
default { "{0:x4} {1}" -f $mctype, "Unrecognised machine type" }
}
$br.Close(); $fs.Close()
Usage is as follows:
:\>powershell -f binstreamtest.ps1
provide a file name or path to file
:\>powershell -f binstreamtest.ps1 1
file doesnt seem to exist
:\>powershell -f binstreamtest.ps1 shell32.dll
014c Intel 386 or later family processors
:\>powershell -f binstreamtest.ps1 c:\WINDOWS\system32\ntkrnlpa.exe
014c Intel 386 or later family processors
:\>powershell -f binstreamtest.ps1 xxx\test32.exe
014c Intel 386 or later family processors
:\>powershell -f binstreamtest.ps1 xxx\test64.exe
8664 x64