Regarding detecting whether an EXE is 32-bit or 64-bit:
16-bit module: NE16 header
32-bit module: PE32 header
64-bit module: PE32+ header
Quote from MSDN:
The addition of 64-bit Windows required just a few modifications to the PE format. This new format is called PE32+. No new fields were added, and only one field in the PE format was deleted. The remaining changes are simply the widening of certain fields from 32 bits to 64 bits. In most of these cases, you can write code that simply works with both 32 and 64-bit PE files.
The IMAGE_NT_HEADERS structure is the primary location where specifics of the PE file are stored. Its offset is given by the e_lfanew field in the IMAGE_DOS_HEADER at the beginning of the file. There are actually two versions of the IMAGE_NT_HEADER structure, one for 32-bit executables and the other for 64-bit versions. The differences are so minor that I'll consider them to be the same for the purposes of this discussion.
The only correct, Microsoft-approved way of differentiating between the two formats is via the value of the Magic field in the IMAGE_OPTIONAL_HEADER (described shortly).
Both quotes are from the 2nd link.
In detail: IMAGE_FILE_XXX structure, first word: "MACHINE"
Code:
The target CPU for this executable. Common values are:
IMAGE_FILE_MACHINE_I386 0x014c // Intel 386
IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
See the last link.
/EDIT: One more thing: each section header also has a corresponding magic:
Again, the first WORD:
Quote from Structures: IMAGE_SECTION_HEADER:
A signature WORD, identifying what type of header this is. The two most common values are IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b and IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b.
See the last link.
Some Info:
* MSDN: Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
* An In-Depth Look into the Win32 Portable Executable File Format
* Under the hood
* Structures
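
The check described in the post, as an added example that is not part of the original post: follow e_lfanew from the IMAGE_DOS_HEADER, tell NE from PE by the signature, then read Machine and the optional header Magic. The names `classify` and `build_sample` are hypothetical, the sample images are constructed, and the AMD64 machine value (0x8664) is taken from winnt.h rather than from the post.

```python
import struct

# Values as defined in winnt.h; AMD64 is not listed in the post (added here).
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINE = {0x014C: "I386", 0x0200: "IA64", 0x8664: "AMD64"}


def classify(data):
    """Return (format, machine): ('NE16', None), ('PE32', ...) or ('PE32+', ...)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_HEADER")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew is read from the file itself: bounds-check it before use.
    if e_lfanew + 2 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return ("NE16", None)
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or opt + 2 > len(data):
        raise ValueError("no PE signature or truncated headers")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPTIONAL_MAGIC:
        raise ValueError("unknown optional header Magic 0x%x" % magic)
    return (OPTIONAL_MAGIC[magic], MACHINE.get(machine, hex(machine)))


def build_sample(machine, magic, e_lfanew=0x40):
    """Constructed test input: only the header fields classify() reads."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x0002)
    return dos + b"PE\0\0" + file_hdr + struct.pack("<H", magic)


if __name__ == "__main__":
    print(classify(build_sample(0x014C, 0x10B)))
    print(classify(build_sample(0x8664, 0x20B)))
```

Returning Machine alongside Magic lets a triage script flag files where the two fields disagree, for example a PE32 Magic paired with a 64-bit machine type.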