Deprecated: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /var/www/wptbox/wp-includes/script-loader.php on line 2901
After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware
[code language=”C”]
xor eax,eax
mov ax,cs
shr eax,5
[/code]
I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.
Using ES
[code language=”C”]
; Author : @OsandaMalith
main:
xor eax,eax
mov ax,es
ror ax, 0x3
and eax,0x1
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit
thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
exit:
invoke ExitProcess, 0
[/code]
Using GS
[code language=”C”]
; Author : @OsandaMalith
main:
xor eax, eax
mov eax, gs
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit
thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
exit:
invoke ExitProcess, 0
.end main
[/code]
Using TEB
Apart from that, you can also use TEB + 0xc0 entry which is ‘WOW32Reserved’.
[code language=”C”]
; Author : @OsandaMalith
main:
xor eax, eax
mov eax, [FS:0xc0]
test eax, eax
je thirtytwo
invoke MessageBox,0, ‘You are Running 64-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
jmp exit
thirtytwo:
invoke MessageBox,0, ‘You are Running 32-bit’, ‘Architecture’, MB_OK + MB_ICONINFORMATION
exit:
invoke ExitProcess, 0
.end main
[/code]
I included all in one and coded a small C application. I’m sure there might be many other tricks to detect the architecture. This might come handy in shellcoding 😉
Shares:
http://www.hackplayers.com/2017/09/detectando-la-arquitectura-en-windows.html