Pe32 Executable -console- X86-64 For Ms Windows (Working — Review)

nasm -f win64 hello.asm -o hello.obj x86_64-w64-mingw32-ld hello.obj -o hello.exe -lkernel32 8.1 Check basic info (using dumpbin ) dumpbin /headers myapp.exe | findstr "machine magic subsystem" Output example:

cl /O1 /GS- /Gs9999999 minimal_console.c /link /SUBSYSTEM:CONSOLE /MACHINE:X64 /ENTRY:main Check output:

When a file analyzer (like file command, Detect It Easy, or PEiD) shows:

my_func PROC push rbp mov rbp, rsp sub rsp, 32 ; shadow space + locals ; ... add rsp, 32 pop rbp ret my_func ENDP 7.1 Using MSVC (Visual Studio) cl /c hello.c link hello.obj /SUBSYSTEM:CONSOLE /MACHINE:X64 7.2 Using MinGW-w64 (gcc) x86_64-w64-mingw32-gcc -m64 hello.c -o hello.exe 7.3 Using NASM + LD (raw assembly) ; hello.asm bits 64 section .data msg db 'Hello PE32+ console', 0xd, 0xa, 0 section .text global main extern GetStdHandle extern WriteFile extern ExitProcess pe32 executable -console- x86-64 for ms windows

| Component | Meaning | |-----------|---------| | | 64-bit Portable Executable format (extension of original PE32). Uses 64-bit fields for image base, virtual addresses, and sizes. | | console | Subsystem = Console. App runs in a terminal window (cmd/powershell). Not GUI ( /SUBSYSTEM:WINDOWS ). | | x86-64 | Target machine architecture = AMD64 (also called x64, Intel 64). Not ARM, not IA64 (Itanium). | | MS Windows | Target OS: Windows (NT family: 2000, XP, Vista, 7, 10, 11, Server). | 2. PE32+ File Structure PE32+ follows the same logical layout as PE32, but with key structural differences.

machine (8664) x64 magic (20B) PE32+ subsystem (3) Windows CUI dumpbin /imports myapp.exe 8.3 View sections dumpbin /sections myapp.exe 8.4 Manual parsing (using xxd + custom script) Offset e_lfanew (at 0x3C) points to NT headers. At NT headers + 0x18 = Optional Header start. Check byte at that offset: 0x0B = PE32, 0x20B = PE32+. 9. Common Pitfalls with PE32+ Console | Issue | Cause | Fix | |-------|-------|-----| | Error: "The application was unable to start correctly (0xc000007b)" | 32-bit app trying to load 64-bit DLL or vice versa | Check /MACHINE:X64 | | Entry point not found | Wrong CRT entry (e.g., WinMain in console app) | Use /ENTRY:mainCRTStartup or compile correctly | | Console flashes and closes | App finishes before you can see output | Run from cmd, not double-click | | Relocation errors | ImageBase conflict (64-bit ASLR) | Build with /DYNAMICBASE (default) or /FIXED | 10. PE32+ vs Other 64-bit Formats | Format | Machine | Subsystem examples | |--------|---------|--------------------| | PE32+ (x64) | AMD64 | Windows CUI / GUI / EFI | | PE32 (x86) | x86 | Windows console / GUI | | PE32+ (ARM64) | ARM64 | Windows on ARM | | ELF x64 | x86-64 | Linux console | | Mach-O x64 | x86-64 | macOS terminal app | 11. Tools for PE32+ Console Analysis | Tool | Purpose | |------|---------| | dumpbin (MSVC) | View headers, sections, imports | | objdump -x (MinGW) | Similar to dumpbin | | x64dbg | Debugging console apps | | PE-bear | GUI PE editor | | CFF Explorer | Detailed PE structure viewer | | Detect It Easy | Quick identification | | winhex / HxD | Manual hex parsing | 12. Complete Minimal C Example // minimal_console.c #include <windows.h> int main(void) HANDLE hOut = GetStdHandle(STD_OUTPUT_HANDLE); const char* msg = "PE32+ console app running.\n"; DWORD written; WriteFile(hOut, msg, lstrlenA(msg), &written, NULL); return 0;

Compile (MSVC):

PE32+ executable (console) x86-64 for MS Windows

main: sub rsp, 40 ; shadow + align mov rcx, -11 ; STD_OUTPUT_HANDLE call GetStdHandle mov rcx, rax lea rdx, [msg] mov r8, 23 ; length lea r9, [rsp + 32] ; lpNumberOfBytesWritten call WriteFile xor rcx, rcx call ExitProcess

Build:

It breaks down as:

dumpbin /headers minimal_console.exe | findstr "PE32+" Output: