问题
I have a need to work with Windows executables which are made for x86, x64, and IA64. I\'d like to programmatically figure out the platform by examining the files themselves.
My target language is PowerShell but a C# example will do. Failing either of those, if you know the logic required that would be great.
回答1:
(from another Q, since removed)
Machine type: This is a quick little bit of code I based on some that gets the linker timestamp. This is in the same header, and it seems to work - it returns I386 when compiled -any cpu-, and x64 when compiled with that as the target platform.
The Exploring PE Headers (K. Stanton,MSDN) blog entry that showed me the offset, as another response noted.
public enum MachineType {
Native = 0, I386 = 0x014c, Itanium = 0x0200, x64 = 0x8664
}
public static MachineType GetMachineType(string fileName)
{
const int PE_POINTER_OFFSET = 60;
const int MACHINE_OFFSET = 4;
byte[] data = new byte[4096];
using (Stream s = new FileStream(fileName, FileMode.Open, FileAccess.Read)) {
s.Read(data, 0, 4096);
}
// dos header is 64 bytes, last element, long (4 bytes) is the address of the PE header
int PE_HEADER_ADDR = BitConverter.ToInt32(data, PE_POINTER_OFFSET);
int machineUint = BitConverter.ToUInt16(data, PE_HEADER_ADDR + MACHINE_OFFSET);
return (MachineType)machineUint;
}
回答2:
If you have Visual Studio installed you can use dumpbin.exe. There's also the Get-PEHeader cmdlet in the PowerShell Community Extensions that can be used to test for executable images.
Dumpbin will report DLLs as machine (x86) or machine (x64)
Get-PEHeader will report DLLs as either PE32 or PE32+
回答3:
You need the GetBinaryType win32 function. This will return the relevant parts of the PE-format executable.
Typically, you'll get either SCS_32BIT_BINARY or SCS_64BIT_BINARY in the BinaryType field,
Alternativaly you can check the PE format itself to see what architecture the executable is compiled for.
The IMAGE_FILE_HEADER.Machine field will have "IMAGE_FILE_MACHINE_IA64" set for IA64 binaries, IMAGE_FILE_MACHINE_I386 for 32-bit and IMAGE_FILE_MACHINE_AMD64 for 64-bit (ie x86_64).
There's a MSDN magazine article to help you get going.
Addendum: This may help you a little more. You read the binary as a file: check the first 2 bytes say "MZ", then skip the next 58 bytes and read the magic 32-bit value at 60 bytes into the image (which equals 0x00004550 for PE executables). The following bytes are this header, the first 2 bytes of which tell you which machine the binary is designed for (0x8664 = x86_64, 0x0200 = IA64, 0x014c = i386).
(executive summary: read bytes 65 and 66 of the file to get the image type)
回答4:
Assembly assembly = Assembly.LoadFile(Path.GetFullPath("ConsoleApplication1.exe"));
Module manifestModule = assembly.ManifestModule;
PortableExecutableKinds peKind;
ImageFileMachine machine;
manifestModule.GetPEKind(out peKind, out machine);
The target machine should then be in machine.
That'll only work with .NET assemblies though.
回答5:
According to this post, you can check if a DLL or EXE is 32 or 64 by opening it with NotePad and looking for "PE" at the beginning, if the next letter is "L" the platform is 32-bit, it the letter is "D" the platform is 64bit.
I tried it on my dlls and it seems to be accurate.
回答6:
I can offer a link to some C# code for accessing the IMAGE_FILE_HEADER, which I think could be (easily) compiled into a PowerShell cmdlet. I'm reasonably sure you can't use that method in PowerShell script directly, since it lacks pointers and PInvoke capability.
However, you should be able to use your by now extensive knowledge of the PE header format ;-) to just go "straight" to the right bytes and figure it out. This will work in PowerShell script, and you should be able to just convert this C# code from Tasos' blog to script. I won't bother repeating the code here since it's not mine.
回答7:
dumpbin.exe available under bin directory of Visual Studio works for both .lib and .dll
dumpbin.exe /headers *.dll |findstr machine
dumpbin.exe /headers *.lib |findstr machine
回答8:
Unix OS have a utility called "file" which identifies files. The rules for identifying are kept in a description file called "magic". You could try file to see if it is able to identify your files correctly and grab the appropriate rules out of the magic file.
回答9:
Here is my own implementation of this which has several more checks in place and always returns a result.
// the enum of known pe file types
public enum FilePEType : ushort
{
IMAGE_FILE_MACHINE_UNKNOWN = 0x0,
IMAGE_FILE_MACHINE_AM33 = 0x1d3,
IMAGE_FILE_MACHINE_AMD64 = 0x8664,
IMAGE_FILE_MACHINE_ARM = 0x1c0,
IMAGE_FILE_MACHINE_EBC = 0xebc,
IMAGE_FILE_MACHINE_I386 = 0x14c,
IMAGE_FILE_MACHINE_IA64 = 0x200,
IMAGE_FILE_MACHINE_M32R = 0x9041,
IMAGE_FILE_MACHINE_MIPS16 = 0x266,
IMAGE_FILE_MACHINE_MIPSFPU = 0x366,
IMAGE_FILE_MACHINE_MIPSFPU16 = 0x466,
IMAGE_FILE_MACHINE_POWERPC = 0x1f0,
IMAGE_FILE_MACHINE_POWERPCFP = 0x1f1,
IMAGE_FILE_MACHINE_R4000 = 0x166,
IMAGE_FILE_MACHINE_SH3 = 0x1a2,
IMAGE_FILE_MACHINE_SH3DSP = 0x1a3,
IMAGE_FILE_MACHINE_SH4 = 0x1a6,
IMAGE_FILE_MACHINE_SH5 = 0x1a8,
IMAGE_FILE_MACHINE_THUMB = 0x1c2,
IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x169,
}
// pass the path to the file and check the return
public static FilePEType GetFilePE(string path)
{
FilePEType pe = new FilePEType();
pe = FilePEType.IMAGE_FILE_MACHINE_UNKNOWN;
if(File.Exists(path))
{
using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
{
byte[] data = new byte[4096];
fs.Read(data, 0, 4096);
ushort result = BitConverter.ToUInt16(data, BitConverter.ToInt32(data, 60) + 4);
try
{
pe = (FilePEType)result;
} catch (Exception)
{
pe = FilePEType.IMAGE_FILE_MACHINE_UNKNOWN;
}
}
}
return pe;
}
How to use :
string myfile = @"c:\windows\explorer.exe"; // the file
FilePEType pe = GetFilePE( myfile );
System.Diagnostics.WriteLine( pe.ToString() );
For the enum values used here, they were obtained from pe.go . The reason why this works is that for each binary ditribution of 'go' must have the correct flag in the assembly to let it pass the operating systems 'can you run here ?' check. Since 'go' is cross platform (all platforms), it is a good base to get this information. There are probably other sources for this information, but they seem to be nested knee-deep in google ca-ca requiring a 10th dan black-belt in Google-fu to locate.
回答10:
Here is an implementation in C.
// Determines if DLL is 32-bit or 64-bit.
#include <stdio.h>
int sGetDllType(const char *dll_name);
int main()
{
int ret;
const char *fname = "sample_32.dll";
//const char *fname = "sample_64.dll";
ret = sGetDllType(fname);
}
static int sGetDllType(const char *dll_name) {
const int PE_POINTER_OFFSET = 60;
const int MACHINE_TYPE_OFFSET = 4;
FILE *fp;
unsigned int ret = 0;
int peoffset;
unsigned short machine;
fp = fopen(dll_name, "rb");
unsigned char data[4096];
ret = fread(data, sizeof(char), 4096, fp);
fclose(fp);
if (ret == 0)
return -1;
if ( (data[0] == 'M') && (data[1] == 'Z') ) {
// Initial magic header is good
peoffset = data[PE_POINTER_OFFSET + 3];
peoffset = (peoffset << 8) + data[PE_POINTER_OFFSET + 2];
peoffset = (peoffset << 8) + data[PE_POINTER_OFFSET + 1];
peoffset = (peoffset << 8) + data[PE_POINTER_OFFSET];
// Check second header
if ((data[peoffset] == 'P') && (data[peoffset + 1] == 'E')) {
machine = data[peoffset + MACHINE_TYPE_OFFSET];
machine = (machine)+(data[peoffset + MACHINE_TYPE_OFFSET + 1] << 8);
if (machine == 0x014c)
return 32;
if (machine == 0x8664)
return 64;
return -1;
}
return -1;
}
else
return -1;
}
来源:https://stackoverflow.com/questions/197951/how-can-i-determine-for-which-platform-an-executable-is-compiled