Friday, October 14, 2011

Determining .NET Assembly Target Platform



.NET assembly can be built with different platform targets: any CPU, x86 or x64.
But if all you got is already built binary file: how to determine what is exe or dll target platform?

In .NET information about assemblies and types is stored using metadata. For instance, assembly metadata is contained in the assembly manifest.

Assembly manifest can be viewed using special tools, e.g. IL Disassembler

Other tool that we can use for determining CPU type of the assembly is CorFlags Conversion Tool (CorFlags.exe). I will demonstrate how this tool works and what output it generates.

Let us assume we have 3 assemblies: CpuTypeSample_x86.exe, CpuTypeSample_x64.exe and CpuTypeSample_any.exe. Having x86, x64 and "Any CPU" respectively platofrm targets.

In the command prompt we will execute following commands:
Command: "corflags CpuTypeSample_x86.exe" will produce output:
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v4.0.30319
CLR Header: 2.5
PE : PE32
CorFlags : 3
ILONLY : 1
32BIT : 1
Signed : 0


The output above means that CpuTypeSample_x86.exe has PE32 executable PE type and 32BIT flag set to 1. If you observe such output on other assemblies it means they were built for x86 platform.

Here is the output for the x64 assembly:
Command: "corflags CpuTypeSample_x64.exe"
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v4.0.30319
CLR Header: 2.5
PE : PE32+
CorFlags : 1
ILONLY : 1
32BIT : 0
Signed : 0


Contrary to x86 it has PE32+ type of the PE file and 32BIT flag is turned off.

Finally, here is the output for the "Any CPU" assembly:
Command: "corflags CpuTypeSample_any.exe"
Microsoft (R) .NET Framework CorFlags Conversion Tool. Version 3.5.21022.8
Copyright (c) Microsoft Corporation. All rights reserved.

Version : v4.0.30319
CLR Header: 2.5
PE : PE32
CorFlags : 1
ILONLY : 1
32BIT : 0
Signed : 0


PE type in this file is similar to x86 assembly but 32BIT flag is turned off.
Summary table of the above output
PE Type32BIT
x86PE321
x64PE32+0
AnyPE320