Detecting Architecture in Windows

After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware

[code language=”C”]
xor eax,eax
mov ax,cs
shr eax,5
[/code]

I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.

Using ES

[code language=”C”]
; Author : @OsandaMalith
main:
xor eax,eax
mov ax,es
ror ax, 0x3
and eax,0x1
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit

thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION

exit:
invoke ExitProcess, 0

[/code]

Using GS

[code language=”C”]
; Author : @OsandaMalith
main:
xor eax, eax
mov eax, gs
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit

thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION

exit:
invoke ExitProcess, 0

.end main
[/code]

Using TEB

Apart from that, you can also use TEB + 0xc0 entry which is ‘WOW32Reserved’.

[code language=”C”]
; Author : @OsandaMalith
main:
xor eax, eax
mov eax, [FS:0xc0]
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit

thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION

exit:
invoke ExitProcess, 0

.end main
[/code]

I included all in one and coded a small C application. I’m sure there might be many other tricks to detect the architecture. This might come handy in shellcoding 😉


View this gist on GitHub

Shares:
http://www.hackplayers.com/2017/09/detectando-la-arquitectura-en-windows.html

Leave a Reply