How does CorFlags.exe /32BIT+ work?

I guess my question is about the CLR Loader. I want to understand the mechanics behind CorFlags.exe /32BIT+ functionality.

We know that when one starts an assembly compiled with the Any CPU flag set on 64-bit Windows, it starts as a 64-bit process. If one runs CorFlags /32BIT+ on that assembly, it will start as a 32-bit process. I think this is a fascinating feature.

I have so many questions about it:

  1. How is it implemented?
  2. Does the OS Loader get involved?
  3. Is it possible to build a custom application (I guess an unmanaged one) that loads the 32-bit or 64-bit CLR at will?

Is there an article, book, blog, etc. that explains the inner workings of this feature?

Nullptr Dev asked Apr 30 '12 19:04



1 Answer

This isn't well documented in any place I know of; I can only point you to a relevant MSDN article. Yes, your assumption is correct: the loader in Windows XP and up has awareness of managed executables. It automatically loads the .NET loader shim (c:\windows\system32\mscoree.dll); the relevant entry point is _CorValidateImage(). The Remarks section in the linked MSDN article describes the mechanism that turns a 32-bit .exe file into a 64-bit process:

In Windows XP and later versions, the operating system loader checks for managed modules by examining the COM Descriptor Directory bit in the common object file format (COFF) header. A set bit indicates a managed module. If the loader detects a managed module, it loads MsCorEE.dll and calls _CorValidateImage, which performs the following actions:

  • Confirms that the image is a valid managed module.
  • Changes the entry point in the image to an entry point in the common language runtime (CLR).
  • For 64-bit versions of Windows, modifies the image that is in memory by transforming it from PE32 to PE32+ format.
  • Returns to the loader when the managed module images are loaded.

For executable images, the operating system loader then calls the _CorExeMain function, regardless of the entry point specified in the executable. For DLL assembly images, the loader calls the _CorDllMain function.

_CorExeMain or _CorDllMain performs the following actions:

  • Initializes the CLR.
  • Locates the managed entry point from the assembly's CLR header.
  • Begins execution.

The loader calls the _CorImageUnloading function when managed module images are unloaded. However, this function does not perform any action; it just returns.

Hans Passant answered Sep 28 '22 08:09
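As an added illustration (not code from the question or from the answer above), the following Python script walks the same PE structures the OS loader consults: it follows data directory 14 (the COM descriptor) to the CLI header, reads the CorFlags word, and flips the 32BITREQUIRED bit that CorFlags /32BIT+ and /32BIT- toggle. The flag values and header offsets are taken from ECMA-335 and the PE format; the image it parses is a constructed minimal PE32, not a real assembly.

```python
import struct

COMIMAGE_FLAGS_ILONLY, COMIMAGE_FLAGS_32BITREQUIRED = 0x1, 0x2  # IMAGE_COR20_HEADER.Flags bits (ECMA-335 II.25.3.3.1)
COM_DESCRIPTOR_INDEX = 14  # the data directory slot the OS loader examines for a managed module

def _cor20_flags_offset(data):
    """File offset of IMAGE_COR20_HEADER.Flags, or None for a native (unmanaged) image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd_base = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    rva, size = struct.unpack_from("<II", data, dd_base + 8 * COM_DESCRIPTOR_INDEX)
    if rva == 0 or size == 0:
        return None  # empty COM descriptor: the loader never calls mscoree!_CorValidateImage
    for i in range(nsect):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr + 16  # Flags sits at +16 in IMAGE_COR20_HEADER
    raise ValueError("CLI header RVA is outside every section")

def read_corflags(data):
    """Return the CorFlags value, or None if the image is not managed."""
    off = _cor20_flags_offset(data)
    return None if off is None else struct.unpack_from("<I", data, off)[0]

def set_32bit_required(data, enable):
    """Equivalent of CorFlags /32BIT+ (enable=True) or /32BIT- on the raw file bytes."""
    buf = bytearray(data)
    off = _cor20_flags_offset(buf)
    if off is None:
        raise ValueError("not a managed image")
    flags = struct.unpack_from("<I", buf, off)[0]
    flags = flags | COMIMAGE_FLAGS_32BITREQUIRED if enable else flags & ~COMIMAGE_FLAGS_32BITREQUIRED
    struct.pack_into("<I", buf, off, flags)
    return bytes(buf)

def build_sample_pe32(flags):
    """Constructed minimal PE32 with one section holding a CLI header (not a real assembly)."""
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * COM_DESCRIPTOR_INDEX, 0x2000, 72)  # CLI header at RVA 0x2000
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 64)                      # DOS header, e_lfanew = 64
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF: i386, 1 section
           + struct.pack("<H", 0x10B) + bytes(94) + bytes(dirs)           # PE32 optional header
           + b".text\0\0\0" + struct.pack("<IIIIIIHHI", 72, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020))
    cli = struct.pack("<IHHIII", 72, 2, 5, 0x2100, 0x100, flags)          # cb, runtime 2.5, metadata, Flags
    return hdr.ljust(0x200, b"\0") + cli.ljust(0x200, b"\0")
```

On a real file, `read_corflags(open(path, "rb").read())` reports the same value CorFlags.exe prints, and an image with the bit set is the one the 64-bit loader leaves as PE32 so that it starts as a 32-bit process.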