Martin V

Reputation: 31

How to binary analyze a Windows exe file?

I want to binary analyze a Windows EXE file without Windows API call (because I will do it from another OS). I want to distinguish 2 x 2 types:

I hope that there are general bit structures which I can query.

Upvotes: 1

Views: 1178

Answers (1)

Martin V

Reputation: 31

The link Microsoft PE and COFF Specification was useful, but a little tricky. Here is my result now:

Every Windows program has got a DOS program block showing a text like "This program cannot be run under DOS" or a similar text. The length of the DOS block can differ. The "real Windows program" section begins later. The beginning offset address of the Windows program is coded in the bytes at offset 0x3c and 0x3d. 0x3d holds the hi and 0x3c the lo value. So you have to calculate 256*(0x3d) + (0x3c) to get the offset address of the real Windows program.

The real Windows program begins with four bytes: "PE", followed by two null bytes. The fifth and sixth bytes are 0x4c01 if it is a Win32 program and 0x6486 if it is a Win64 program.

To check if the program is text-based, you have to read the byte at offset 0x5c (counted from "PE" = 0x00). A value of 3 means text based, 2 means a windowed GUI program.

Upvotes: 1
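The checks described in the answer above, as an added, OS-independent example (this is not code from the original post). It follows the PE/COFF specification's definitions: `e_lfanew` at offset 0x3c is read as a 4-byte little-endian DWORD, the Machine field is read as a little-endian WORD (so the on-disk bytes `4c 01` become `0x014c`, and `64 86` become `0x8664`), and Subsystem is the WORD at offset 68 of the optional header, which is 0x5c from the "PE" signature. Every offset is bounds-checked before it is read, so a truncated or non-PE file is rejected rather than misclassified. The sample images fed to it are constructed in the script itself, not taken from any real binary.

```python
import struct
import sys

# Constants from the PE/COFF specification (not assumptions).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B          # 32-bit optional header
PE32PLUS_MAGIC = 0x20B      # 64-bit optional header
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3

MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
SUBSYSTEM_NAMES = {IMAGE_SUBSYSTEM_WINDOWS_GUI: "gui", IMAGE_SUBSYSTEM_WINDOWS_CUI: "console"}


def _word(data: bytes, offset: int, fmt: str) -> int:
    """Read one little-endian field, refusing to read past the end of the buffer."""
    size = struct.calcsize(fmt)
    if offset < 0 or offset + size > len(data):
        raise ValueError(f"file too short to read field at offset {offset:#x}")
    return struct.unpack_from(fmt, data, offset)[0]


def classify_pe(data: bytes) -> dict:
    """Return machine, bitness and subsystem of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/Windows executable")
    e_lfanew = _word(data, 0x3C, "<I")               # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                               # COFF file header, 20 bytes
    machine = _word(data, coff + 0, "<H")
    size_of_optional_header = _word(data, coff + 16, "<H")
    opt = coff + 20                                   # optional header begins here
    if size_of_optional_header < 70:                  # Subsystem lives at opt+68..69
        raise ValueError("optional header too small to contain Subsystem")
    magic = _word(data, opt + 0, "<H")
    subsystem = _word(data, opt + 68, "<H")           # == e_lfanew + 0x5c
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "pe_offset": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, f"other({machine:#06x})"),
        "bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"other({subsystem})"),
    }


def build_sample(machine: int, subsystem: int, magic: int) -> bytes:
    """Construct a minimal, non-runnable PE header for testing (constructed data)."""
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    dos = bytearray(0x80)                             # DOS header plus a dummy stub
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> right after the stub
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(classify_pe(fh.read()))
    else:
        # No path given: classify the two constructed samples instead.
        print(classify_pe(build_sample(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_WINDOWS_CUI, PE32PLUS_MAGIC)))
        print(classify_pe(build_sample(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_WINDOWS_GUI, PE32_MAGIC)))
```

Run it as `python classify_pe.py some.exe` on Linux or macOS; nothing in it touches the Windows API. Reading `e_lfanew` as a full DWORD matters in practice: linkers usually place the PE header within the first 64 KiB, but the field is four bytes wide and a header beyond 0xFFFF would be missed by a two-byte calculation.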
