The SDK tool dumpbin.exe with the /headers option includes this information. Compare these two (I've added bold for the key information):

    PS E:\ #4> dumpbin /headers C:\Windows\system32\cmd.exe
    Microsoft (R) COFF/PE Dumper Version 9.01
    Copyright (C) Microsoft Corporation. All rights reserved.
    4CE798E5 time date stamp Sat Nov 20 09:46:13 2010
    Application can handle large (>2GB) addresses

    PS E:\ #5> dumpbin /headers C:\Windows\syswow64\cmd.exe
    4CE78E2B time date stamp Sat Nov 20 09:00:27 2010

After examining header values from Richard's answer, I came up with a solution which is fast, easy, and only requires a text editor. Even Windows' default notepad.exe would work.

dialog, because Windows doesn't show Open with... option in the context menu for executables.

Check the first printable characters after the first occurrence of PE. This part is most likely to be surrounded by at least some whitespace (could be a lot of it), so it can be easily done visually. Here is what you're going to find:

32-bit: PE L

A word of warning: using default Notepad on big files can be very slow, so better not use it for files larger than a megabyte or a few. In my case, it took about 30 seconds to display a 12 MiB file. Notepad++, however, was able to display a 120 MiB executable almost instantly.

This solution might be useful in case you need to inspect a file on a machine you can't install any additional software on.

If you have a hex editor available, the offset of the PE signature is located at offset 0x3C. The signature is PE\0\0 (letters "P" and "E" followed by two null bytes), followed by a two-byte Machine Type in little endian. The relevant values are 0x8664 for a 64-bit executable and 0x014c for a 32-bit one (64 86 and 4c 01 respectively when adjusted for endianness, but any decent hex editor will automatically handle endianness when you search for a hex value). There are a lot more possible values, but you probably won't ever encounter any of these, or be able to run such executables on your Windows PC.

The full list of machine types, along with the rest of the .exe specifications, can be found in the Machine Types section of the Microsoft PE and COFF Specification.
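The header check described on this page (the 4-byte offset stored at 0x3C, the PE\0\0 signature it points to, then the two-byte little-endian Machine Type) can be scripted for triage without opening the file in an editor. This is an added Python example, not code from the original page; the function names and the `make_stub` sample builder are assumptions for illustration, and only the two machine values named on the page are mapped.

```python
import io
import struct
import sys

# Only the two Machine Type values named on this page are mapped.
MACHINES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}

def pe_machine(f) -> str:
    """Classify a PE image from a binary file object, reading only its headers."""
    head = f.read(0x40)
    if len(head) < 0x40 or head[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # The 4-byte little-endian value at 0x3C is the file offset of the PE signature.
    (pe_off,) = struct.unpack_from("<I", head, 0x3C)
    f.seek(pe_off)
    hdr = f.read(6)  # 4-byte signature + 2-byte Machine Type
    if len(hdr) < 6:
        raise ValueError("file ends before PE header at offset 0x%X" % pe_off)
    if hdr[:4] != b"PE\0\0":
        raise ValueError("no PE signature at offset 0x%X" % pe_off)
    (machine,) = struct.unpack_from("<H", hdr, 4)
    return MACHINES.get(machine, "other machine type 0x%04X" % machine)

def pe_machine_bytes(data: bytes) -> str:
    """Same check on an in-memory buffer."""
    return pe_machine(io.BytesIO(data))

def make_stub(machine: int, pe_off: int = 0x80) -> bytes:
    """Constructed sample input: bare header bytes, not a runnable executable."""
    buf = bytearray(pe_off + 6)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 4, machine)
    return bytes(buf)

if __name__ == "__main__":
    # Usage: python pe_machine.py file1.exe file2.dll ...
    for path in sys.argv[1:] or [None]:
        if path is None:
            print("stub ->", pe_machine_bytes(make_stub(0x8664)))
            continue
        with open(path, "rb") as fh:
            print(path, "->", pe_machine(fh))
```

Because only the first 0x40 bytes and six bytes at the signature offset are read, file size does not affect run time, and a truncated or non-PE file raises `ValueError` instead of returning a guess.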