PE trick explained: Telling 32 and 64 bit apart with naked eye
#1
Bug 
Quote:
[Image: PEBitness_Header.png]

There is a simple trick to see the bitness of a Portable Executable file immediately by looking into a hex editor. But why does it even work? And is it reliable?

The trick only needs a hex editor

Recently I was approached on Twitter by @living_pirate with a question about PE bitness. Apparently there is a trick to see in a hex editor whether you are dealing with a 32 or 64 bit PE file. I had never heard of such a trick before, so I was intrigued.

The claim is that 32 bit PE files have the letter 'L' right after the PE signature, which is 'PE\0\0' or in hex 50 45 00 00. 64 bit PE files on the other hand have allegedly the letter 'd' appended to the PE signature.

If we open up a hex editor and look at some 32 and 64 bit samples, this seems to be correct (32 bit on the left, 64 bit on the right side). But why is this the case and what are we actually looking at?

The explanation is in the specification

Taking a peek into the PE COFF specification by Microsoft, we see that the COFF File Header starts right after the PE signature. The first field of the COFF File Header is 2 bytes long and denotes the machine type.

The specification distinguishes 25 different machine types, defined by constants. The PE Header values are little endian, so the least significant byte is written first. The letter 'd' is 0x64. That means three of those machine type constants will result in 'PE\0\0d' because they end with 0x64. I marked those constants below in red.

There is exactly one machine type constant that will have the letter 'L' or 0x4c as least significant byte and that's IMAGE_FILE_MACHINE_I386. I marked this constant in blue in the image below.
...
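To make the mechanism concrete, here is an added Python example (it is not part of the quoted article and not the author's code). It builds a few minimal synthetic PE headers in memory (constructed for the demo, not real binaries), applies the naked-eye trick by reading the single byte that follows 'PE\0\0', and then parses the COFF File Header and Optional Header properly. The offsets and constants (e_lfanew at 0x3C, the 20-byte COFF header layout, the machine-type constants, and the PE32/PE32+ Optional Header magic 0x10B/0x20B) come from the Microsoft PE/COFF specification; the function and sample names are my own. It also shows the caveat the trick carries: a machine type that ends in neither 0x4C nor 0x64 (ARMNT is used here) gives the eye nothing to go on, while the Optional Header magic still answers the bitness question.

```python
import struct

# Machine-type constants from the Microsoft PE/COFF specification.
# I386 ends in 0x4C ('L'); AMD64, ARM64 and RISCV64 end in 0x64 ('d').
# ARMNT is included as a machine the hex-editor trick says nothing about.
MACHINE_NAMES = {
    0x014C: "IMAGE_FILE_MACHINE_I386",
    0x8664: "IMAGE_FILE_MACHINE_AMD64",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64",
    0x5064: "IMAGE_FILE_MACHINE_RISCV64",
    0x01C4: "IMAGE_FILE_MACHINE_ARMNT",
}

PE32_MAGIC = 0x10B      # Optional Header magic of a 32-bit image (PE32)
PE32PLUS_MAGIC = 0x20B  # Optional Header magic of a 64-bit image (PE32+)


def find_pe_signature(data: bytes) -> int:
    """Return the offset of 'PE\\0\\0', found via e_lfanew at DOS header offset 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def naked_eye_guess(data: bytes) -> str:
    """The hex-editor trick: look only at the byte right after 'PE\\0\\0'.

    That byte is the low byte of the little-endian Machine field, so 'L'
    (0x4C) means I386 and 'd' (0x64) means AMD64, ARM64 or RISCV64.
    Any other value is simply not covered by the trick.
    """
    pe = find_pe_signature(data)
    marker = data[pe + 4:pe + 5]
    if marker == b"L":
        return "32-bit"
    if marker == b"d":
        return "64-bit"
    return "unknown"


def parse_bitness(data: bytes) -> dict:
    """Parse the COFF File Header and the Optional Header magic properly.

    COFF File Header (20 bytes): Machine(2) NumberOfSections(2)
    TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    SizeOfOptionalHeader(2) Characteristics(2). The Optional Header, when
    present, starts with a 2-byte Magic that decides PE32 vs PE32+.
    """
    pe = find_pe_signature(data)
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = None
    if opt_size >= 2:
        (magic,) = struct.unpack_from("<H", data, pe + 24)
    if magic == PE32_MAGIC:
        bitness = "32-bit"
    elif magic == PE32PLUS_MAGIC:
        bitness = "64-bit"
    else:
        bitness = "unknown"
    low = machine & 0xFF
    return {
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04X}"),
        "machine_low_byte": chr(low) if 0x20 <= low < 0x7F else f"0x{low:02X}",
        "optional_magic": magic,
        "bitness": bitness,
    }


def build_header(machine: int, magic: int) -> bytes:
    """Construct a minimal synthetic header: DOS header + 'PE\\0\\0' + COFF
    File Header + Optional Header magic. Not a loadable image; it only
    gives the parser realistic bytes to read."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0)  # SizeOfOptionalHeader = 2
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed samples (hypothetical headers, not real binaries).
SAMPLES = {
    "x86":   build_header(0x014C, PE32_MAGIC),
    "x64":   build_header(0x8664, PE32PLUS_MAGIC),
    "arm64": build_header(0xAA64, PE32PLUS_MAGIC),
    "armnt": build_header(0x01C4, PE32_MAGIC),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        pe = find_pe_signature(blob)
        print(f"{name:5} after PE sig: {blob[pe:pe + 6]!r:16} "
              f"trick={naked_eye_guess(blob):8} parsed={parse_bitness(blob)}")
```

Running it shows 'PE\0\0L' for the I386 sample and 'PE\0\0d' for the AMD64 and ARM64 samples, exactly what the hex editor displays, while the ARMNT sample yields 0xC4 after the signature and the trick returns "unknown" even though the Optional Header magic identifies it as a 32-bit PE32 image. In practice the Machine field tells you the target architecture and the Optional Header magic tells you PE32 versus PE32+; the naked-eye trick is a convenient shortcut that happens to hold because of which machine constants the specification defines.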

