Detecting Architecture in Windows

After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware

xor   eax,eax   
mov   ax,cs    
shr   eax,5      

I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.

Using ES

; Author : @OsandaMalith
main:
        xor eax,eax
        mov ax,es
        ror ax, 0x3
        and eax,0x1
        test eax, eax
        je thirtytwo
        invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION
        jmp exit

thirtytwo:
        invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION

exit:
        invoke ExitProcess, 0  

Using GS

; Author : @OsandaMalith
main:
        xor eax, eax
        mov eax, gs
        test eax, eax
        je thirtytwo
        invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION
        jmp exit

thirtytwo:
        invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION

exit:
        invoke ExitProcess, 0

.end main     

Using TEB

Apart from that, you can also use TEB + 0xc0 entry which is ‘WOW32Reserved’.

; Author : @OsandaMalith
main:
        xor eax, eax
        mov eax, [FS:0xc0]
        test eax, eax
        je thirtytwo
        invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION
        jmp exit

thirtytwo:
        invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION

exit:
        invoke ExitProcess, 0

.end main  

I included all in one and coded a small C application. I’m sure there might be many other tricks to detect the architecture. This might come handy in shellcoding 😉

#include <Windows.h>
#include <wchar.h>
/*
* Author: Osanda Malith Jayathissa – @OsandaMalith
* Website: https://osandamalith.com
* Description: Few tricks that you can use to detect the architecture in Windows
* Link : http://osandamalith.com/2017/09/24/detecting-architecture-in-windows/
*/
BOOL detectArch_ES() {
#if defined(_MSC_VER)
_asm {
xor eax, eax
mov ax, es
ror ax, 0x3
and eax, 0x1
}
#elif defined(__GNUC__)
asm(
".intel_syntax noprefix;"
"xor eax, eax;"
"mov ax, es;"
"ror ax, 0x3;"
"and eax, 0x1;"
);
#endif
}
BOOL detectArch_GS() {
#if defined(_MSC_VER)
_asm {
xor eax, eax
mov ax, gs
}
#elif defined(__GNUC__)
asm(
".intel_syntax noprefix;"
"xor eax, eax;"
"mov ax, gs;"
);
#endif
}
BOOL detectArch_TEB() {
#if defined(_MSC_VER)
_asm {
xor eax, eax
mov eax, fs:[0xc0]
}
#elif defined(__GNUC__)
asm(
".intel_syntax noprefix;"
"xor eax, eax;"
"mov eax, fs:[0xc0];"
);
#endif
}
int main(int argc, char* argv[]) {
wprintf(
!detectArch_ES() ?
L"You are Running 32-bit\n" :
L"You are Running 64-bit\n"
);
wprintf(
!detectArch_GS() ?
L"You are Running 32-bit\n" :
L"You are Running 64-bit\n"
);
wprintf(
!detectArch_TEB() ?
L"You are Running 32-bit\n" :
L"You are Running 64-bit\n"
);
return 1337;
}

view raw
detectArch.c
hosted with ❤ by GitHub

Shares:
http://www.hackplayers.com/2017/09/detectando-la-arquitectura-en-windows.html

Leave a Reply