Win OS – Determine Application Bitness

Background

Sometimes one just needs to determine the bitness of a binary.

Tools

  1. Microsoft
    • SysInternals
      • sigcheck
    • Visual Studio
      • corflags
  2. NTCore
    • CFF Explorer

 

Microsoft

SysInternals

Sigcheck

Artifacts

The artifacts is available at Link.

Syntax


sigcheck [binary]

Sample


sigcheck "C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe"

Output

 

Explanation

Please check under MachineType.

 

Visual Studio

CorFlags.exe

Artifacts

Part of Visual Studio.

Please look for Visual Studio Community Edition.

Syntax


corflags.exe [binary]

Sample

Sample – sqlcmd.exe

corflags.exe "C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe"

Output
Output – Text
 

>corflags.exe "C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe"
Microsoft (R) .NET Framework CorFlags Conversion Tool.  Version  4.8.3928.0
Copyright (c) Microsoft Corporation.  All rights reserved.

corflags : error CF008 : The specified file does not have a valid managed header

 

Output – Image

Explanation
  1. Error
    • Error Number:- CF008
    • Error Message:- The specified file does not have a valid managed header
  2. corflags only works on .Net applications

Sample – <.Net application x32 >

corflags.exe .netApplication

Output
Output – Text
 

corflags dotnetdemo_x32.exe
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 4.8.3928.0
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v4.0.30319
CLR Header: 2.5
PE : PE32
CorFlags : 0x1
ILONLY : 1
32BITREQ : 0
32BITPREF : 0
Signed : 0

Output – Image

Explanation
  1. Version
    • Sample:- v4.0.30319
    • Meaning:- Compiled by .Net version 4
  2. CLR Header
    • Sample:- 2.5
    • Meaning
  3. PE
    • Sample:- PE32
    • Meaning:-
      • PE32 => 32 bit
  4. CorFlags
    • Sample:- 0x1
  5. ILONLY
    • Sample:- 1
    • Meaning:- The executable contains only Microsoft intermediate language (MSIL), and is therefore neutral with respect to 32-bit or 64-bit platforms.
  6. 32BITREQ : 0
    • Sample:- 0
    • Meaning:- 32-bit not requested
  7. 32BITPREF
    • Sample:- 0
    • Meaning:- 32-bit not preferred
  8. Signed
    • Sample:- 0
    • Meaning:- Not Signed

Sample – .Net application x64

corflags.exe .netApplication

Output
Output – Text
 
corflags dotnetdemo_x64.exe
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 4.8.3928.0
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v4.0.30319
CLR Header: 2.5
PE : PE32+
CorFlags : 0x1
ILONLY : 1
32BITREQ : 0
32BITPREF : 0
Signed : 0
Output – Image

Explanation
  1. Version
    • Sample:- v4.0.30319
    • Meaning:- Compiled by .Net version 4
  2. CLR Header
    • Sample:- 2.5
    • Meaning
  3. PE
    • Sample:- PE32+
    • Meaning:-
      • PE32+ => 64 bit
  4. CorFlags
    • Sample:- 0x1
  5. ILONLY
    • Sample:- 1
    • Meaning:- The executable contains only Microsoft intermediate language (MSIL), and is therefore neutral with respect to 32-bit or 64-bit platforms.
  6. 32BITREQ : 0
    • Sample:- 0
    • Meaning:- 32-bit not requested
  7. 32BITPREF
    • Sample:- 0
    • Meaning:- 32-bit not preferred
  8. Signed
    • Sample:- 0
    • Meaning:- Not Signed

NTCore

CFF Explorer

Artifacts

The artifacts is available at Link.

Output

Explanation

Please check in the File Window, under the “File Type“.

 

References

  1. StackOverflow
    • superuser
      • How to check if a binary is 32 or 64 bit on Windows
        Link
    • How to interpret the CorFlags flags?
      Link
  2. Microsoft
    • Visual Studio
      • Docs / .NET / .NET Framework / .NET Framework Tools
        • corflags.exe
          • CorFlags.exe (CorFlags Conversion Tool)
            Link
    • Microsoft | Docs
      • Docs / .NET / .NET API browser / System.Reflection / PortableExecutableKinds
        • PortableExecutableKinds Enum
          Link
  3. Chandradev
    • C# Corner
      • How to use Corflags tool of Visual Studio to check 32/64 bit of dll ?
        Link

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s