检测exe 32/64位 [英] Detecting exe 32/64bit
问题描述
我如何手动[没有任何额外的脚本/程序]看看Windows可执行文件是否为32/64位?
我一直在环顾四周,发现应该怎样一直是我的答案。
在60字节中,据我所知,下面的数字是假设出现的。
I386 0x014c
IA64 0x0200
AMD64 0x8664
$ hr
编辑
跳转到PE偏移量后,我仍然没有看到机器类型。我做了一个Find&没有看到任何匹配[除非由于某种原因而接近底部]。
64 86 06 00不在上面的列表中,所以我不知道我在做什么错。
记事本.exe(64bit)
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 E8 00 00 00
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
83 C2 32 29 C7 A3 5C 7A C7 A3 5C 7A C7 A3 5C 7A
CE DB D8 7A C6 A3 5C 7A CE DB C9 7A C5 A3 5C 7A
CE DB CF 7A DA A3 5C 7A C7 A3 5D 7A 33 A3 5C 7A
CE DB DF 7A D3 A3 5C 7A CE DB D5 7A CC A3 5C 7A
CE DB C8 7A C6 A3 5C 7A CE DB CD 7A C6 A3 5C 7A
52 69 63 68 C7 A3 5C 7A 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 < -
B3 C9 5B 4A 00 00 00 00 00 00 00 00 F0 00 22 00
0B 02 09 00 00 A8 00 00 00 58 02 00 00 00 00 00
70 35 00 00 00 10 00 00 00 00 00 00 01 00 00 00
00 10 00 00 00 02 00 00 06 00 01 00 06 00 01 00
06 00 01 00 00 00 00 00 00 50 03 00 00 06 00 00
49 E7 03 00 02 00 40 81 00 00 08 00 00 00 00
00 10 01 00 00 00 00 00 00 00 10 00 00 00 00 00
00 10 00 00 00 00 00 00 00 00 00 10 00 00 00
00 00 00 00 00 00 00 00 F8 CF 00 00 2C 01 00 00
00 40 01 00 60 F1 01 00 00 30 01 00 B4 06 00 00
00 00 00 00 00 00 00 00 40 03 00 B8 00 00 00
10 B7 00 00 38 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 E0 02 00 00 38 01 00 00
00 C0 00 00 F0 07 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2E 74 65 78 74 00 00 00 70 A7 00 00 00 10 00 00
00 A8 00 00 00 06 00 00 00 00 00 00 00 00 00 00
60个字节出现的不是m achine类型,但PE头的偏移量。 (在这种情况下,0x00000100:256字节。)PE头开始:'P','E',00,00。之后是机器类型。
How do I manually [without any extra scripts/programs] see if a Windows executable is 32/64 bit?
I have been looking around and found what should have been my answer. At 60 bytes in, the numbers below is suppose to appear, as far as I understand.
I386 0x014c
IA64 0x0200
AMD64 0x8664
Edit
After jumping to the PE offset, I still did not see the machine type. I did a Find & did not see any matches [unless its near the bottom for some reason]. 64 86 06 00 is not in the list above, so I dont know what I am doing wrong.
Notepad.exe (64bit)
4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00
B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00
0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F
74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20
6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00
83 C2 32 29 C7 A3 5C 7A C7 A3 5C 7A C7 A3 5C 7A
CE DB D8 7A C6 A3 5C 7A CE DB C9 7A C5 A3 5C 7A
CE DB CF 7A DA A3 5C 7A C7 A3 5D 7A 33 A3 5C 7A
CE DB DF 7A D3 A3 5C 7A CE DB D5 7A CC A3 5C 7A
CE DB C8 7A C6 A3 5C 7A CE DB CD 7A C6 A3 5C 7A
52 69 63 68 C7 A3 5C 7A 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 <--
B3 C9 5B 4A 00 00 00 00 00 00 00 00 F0 00 22 00
0B 02 09 00 00 A8 00 00 00 58 02 00 00 00 00 00
70 35 00 00 00 10 00 00 00 00 00 00 01 00 00 00
00 10 00 00 00 02 00 00 06 00 01 00 06 00 01 00
06 00 01 00 00 00 00 00 00 50 03 00 00 06 00 00
49 E7 03 00 02 00 40 81 00 00 08 00 00 00 00 00
00 10 01 00 00 00 00 00 00 00 10 00 00 00 00 00
00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00
00 00 00 00 00 00 00 00 F8 CF 00 00 2C 01 00 00
00 40 01 00 60 F1 01 00 00 30 01 00 B4 06 00 00
00 00 00 00 00 00 00 00 00 40 03 00 B8 00 00 00
10 B7 00 00 38 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 E0 02 00 00 38 01 00 00
00 C0 00 00 F0 07 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2E 74 65 78 74 00 00 00 70 A7 00 00 00 10 00 00
00 A8 00 00 00 06 00 00 00 00 00 00 00 00 00 00
What appears 60 bytes in isn't the machine type but the offset of the PE header. (In this case, 0x00000100: 256 bytes.) The PE header begins: 'P', 'E', 00, 00. What comes after that is the machine type.
这篇关于检测exe 32/64位的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!