After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware
[code language=”C”]
xor eax,eax
mov ax,cs
shr eax,5
[/code]
I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.
Using ES
[code language=”C”]
; Author : @OsandaMalith
main:
xor eax,eax
mov ax,es
ror ax, 0x3
and eax,0x1
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit
thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
exit:
invoke ExitProcess, 0
[/code]
(more…)