C# - Recognize whether an EXE (or DLL) is compiled as 64bit

By , 9/24/2012
(1 ratings)
The problem is that I have found no official function with which you can read whether a file is a 32bit or 64bit version. Often the DLLs even the same version number.

With the help of the documentation "Microsoft Portable Executable and Common Object File Format Specification," one can read that 64-bit applications use the new format + PE and 32bit applications use the old format PE32. I used this information to distinguish 64bit and 32bit.

Using the COFF information you can read also other things eg creation date, for which processor the file was created, etc.. I read out the COFF file header but commented it out in this example.
Note: For output, I used the RichTextBox "richTextBox_Output".

Author: Daniel Oberländer, translation by Michael List
private bool CheckIsFile64bit(FileStream filestream)
{
    bool ret = false;

    Byte[] _data = new Byte[4];
    filestream.Seek(0x3c, SeekOrigin.Begin);
    filestream.Read(_data, 0, 4);
    int _offset = BitConverter.ToInt32(_data, 0);

    if (_offset > 0x3c)
    {
        _data = new Byte[4];
        filestream.Seek(_offset, SeekOrigin.Begin);
        filestream.Read(_data, 0, 4);

        if ((_data[0] == 0x50)
            && (_data[1] == 0x45)
            && (_data[2] == 0x00)
            && (_data[3] == 0x00))
        {

            // Read COFF File Header
            _data = new Byte[20];
            filestream.Read(_data, 0, 20);
            int _machine = BitConverter.ToInt16(_data, 0);
            //richTextBox_Output.Text += string.Format("Machine: 0x{0}" + System.Environment.NewLine, _machine.ToString("X4"));
            //int _numberOfSections = BitConverter.ToInt16(_data, 2);
            //richTextBox_Output.Text += string.Format("NumberOfSections: 0x{0}" + System.Environment.NewLine, _numberOfSections.ToString("X4"));
            //int _timeDateStamp = BitConverter.ToInt32(_data, 4);
            //double _secs = Convert.ToDouble(_timeDateStamp);
            //DateTime _dt = new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(_secs);
            //DateTime _tds = System.TimeZone.CurrentTimeZone.ToLocalTime(_dt);
            //richTextBox_Output.Text += string.Format("TimeDateStamp: {0} (0x{1})" + System.Environment.NewLine, _tds.ToString(), _timeDateStamp.ToString("X8"));
            //int _pointerToSymbolTable = BitConverter.ToInt32(_data, 8);
            //richTextBox_Output.Text += string.Format("PointerToSymbolTable: 0x{0}" + System.Environment.NewLine, _pointerToSymbolTable.ToString("X8"));
            //int _numberOfSymbols = BitConverter.ToInt32(_data, 12);
            //richTextBox_Output.Text += string.Format("NumberOfSymbols: 0x{0}" + System.Environment.NewLine, _numberOfSymbols.ToString("X4"));
            //int _sizeOfOptionalHeader = BitConverter.ToInt16(_data, 16);
            //richTextBox_Output.Text += string.Format("SizeOfOptionalHeader: 0x{0}" + System.Environment.NewLine, _sizeOfOptionalHeader.ToString("X4"));
            //int _characteristics = BitConverter.ToInt16(_data, 18);
            //richTextBox_Output.Text += string.Format("Characteristics: 0x{0}" + System.Environment.NewLine, _characteristics.ToString("X4"));

            // Read Optional Header
            _data = new Byte[2];
            filestream.Read(_data, 0, 2);
            int _magicNumber = BitConverter.ToInt16(_data, 0);
            //richTextBox_Output.Text += string.Format("Magic Number: 0x{0}" + System.Environment.NewLine, _magicNumber.ToString("X4"));
            if (_magicNumber == 0x010b)
                richTextBox_Output.Text += String.Format("File {0} is 32bit!" + System.Environment.NewLine, filestream.Name);
            else if (_magicNumber == 0x020b)
            {
                richTextBox_Output.Text += String.Format("File {0} is 64bit!" + System.Environment.NewLine, filestream.Name);
                ret = true;
            }
        }
        else
            richTextBox_Output.Text = "No PE File!";
    }
    else
        richTextBox_Output.Text = "Wrong Offset or no PE File!";

    return ret;
}
Tagged with 64bit, COFF, PE, dll, exe.

Comments

 

Log in, to comment!