Text only | Text with Images

SyntaxBoom

General Category => Toolbox => Topic started by: Dabzy on Oct 17, 2025, 03:49 PM

Title: PE Architecture Explorer
Post by: Dabzy on Oct 17, 2025, 03:49 PM
PE Architecture Explorer

Download: PE Architecture Explorer (https://www.syntaxboom.com/dabzy/PE_ARCH_EXPLORER.zip)

This little application accurately determines the architecture (x86 or x64) of Windows DLL and EXE files, with special nose poking for detecting .NET assemblies. Unlike similar apps, it provides the complete picture for managed assemblies rather than just the PE header information.

See, many architecture detection tools simply read the "Machine Type" field from the PE (Portable Executable) header. While this works fine for native/unmanaged executables, it doesnt work that way with .NET assemblies:

.NET "AnyCPU" assemblies are compiled to run on any architecture (x86, x64, ARM, etc.)
However, their PE header typically shows x86 for backwards compatibility
Apps tend to read this x86 header and incorrectly report these assemblies as "32-bit only", this done my head in once upon a time, and hence, why I made this.

This app goes deeper into the DLL by:

Reading the PE Header - Gets the basic machine type (x86/x64)
Detecting .NET Assemblies - Checks for the CLR Runtime Header in the PE Data Directory
Analyzing CorFlags - Reads the .NET metadata to determine the actual platform target
Providing Complete Information - Reports both PE header architecture AND .NET platform target

What It Detects

Native/Unmanaged executables and DLLs (standard x86 or x64)
.NET x86-only (32-bit required)
.NET x64-only (64-bit only)
.NET AnyCPU (platform-agnostic, runs on any architecture)
.NET 32-bit preferred (AnyCPU with 32-bit preference)
Mixed-mode assemblies (combination of native and managed code)

The app correctly interprets the CorFlags field from the CLR header:

ILONLY flag indicates pure managed code
32BITREQUIRED flag indicates x86-only
32BITPREFERRED flag indicates AnyCPU with 32-bit preference
Absence of these flags with IL-only code indicates true AnyCPU

This ensures you get accurate information about how the assembly will actually behave at runtime, not just what the PE header suggests for compatibility reasons.

Which is nice, so yeah, I thought I share this little gem too! :)

Dabz
Text only | Text with Images