Detecting Architecture in Windows

[Nytro]

September 24, 2017

Detecting Architecture in Windows

• Leave a comment

After a while I thought of posting something interesting I noticed. Some of you know this old method of detecting the architecture using the CS segment register. This was also used in the Kronos malware

1 2 3

xor   eax,eax   mov   ax,cs    shr   eax,5

I had a look at the segment registers last night and I found out that we can use ES, GS and FS segment registers for detecting the architecture as well.

Using ES

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

; Author : @OsandaMalith main:         xor eax,eax         mov ax,es         ror ax, 0x3         and eax,0x1         test eax, eax         je thirtytwo         invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION         jmp exit   thirtytwo:         invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION   exit:         invoke ExitProcess, 0

 

Using GS

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

; Author : @OsandaMalith main:         xor eax, eax         mov eax, gs         test eax, eax         je thirtytwo         invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION         jmp exit   thirtytwo:         invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION   exit:         invoke ExitProcess, 0   .end main

Using TEB

Apart from that, you can also use TEB + 0xc0 entry which is ‘WOW32Reserved’.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

; Author : @OsandaMalith main:         xor eax, eax         mov eax, [FS:0xc0]         test eax, eax         je thirtytwo         invoke MessageBox,0, 'You are Running 64-bit', 'Architecture', MB_OK + MB_ICONINFORMATION         jmp exit   thirtytwo:         invoke MessageBox,0, 'You are Running 32-bit', 'Architecture', MB_OK + MB_ICONINFORMATION   exit:         invoke ExitProcess, 0   .end main

I included all in one and coded a small C application. I’m sure there might be many other tricks to detect the architecture. This might come handy in shellcoding

 

#include <Windows.h>

#include <wchar.h>

/*

* Author: Osanda Malith Jayathissa - @OsandaMalith

* Website: https://osandamalith.com

* Description: Few tricks that you can use to detect the architecture in Windows

* Link : http://osandamalith.com/2017/09/24/detecting-architecture-in-windows/

*/

BOOL detectArch_ES() {

#if defined(_MSC_VER)

_asm {

xor eax, eax

mov ax, es

ror ax, 0x3

and eax, 0x1

}

#elif defined(__GNUC__)

asm(

".intel_syntax noprefix;"

"xor eax, eax;"

"mov ax, es;"

"ror ax, 0x3;"

"and eax, 0x1;"

);

#endif

}

BOOL detectArch_GS() {

#if defined(_MSC_VER)

_asm {

xor eax, eax

mov ax, gs

}

#elif defined(__GNUC__)

asm(

".intel_syntax noprefix;"

"xor eax, eax;"

"mov ax, gs;"

);

#endif

}

BOOL detectArch_TEB() {

#if defined(_MSC_VER)

_asm {

xor eax, eax

mov eax, fs:[0xc0]

}

#elif defined(__GNUC__)

asm(

".intel_syntax noprefix;"

"xor eax, eax;"

"mov eax, fs:[0xc0];"

);

#endif

}

int main(int argc, char* argv[]) {

wprintf(

!detectArch_ES() ?

L"You are Running 32-bit\n" :

L"You are Running 64-bit\n"

);

wprintf(

!detectArch_GS() ?

L"You are Running 32-bit\n" :

L"You are Running 64-bit\n"

);

wprintf(

!detectArch_TEB() ?

L"You are Running 32-bit\n" :

L"You are Running 64-bit\n"

);

return 1337;

}

view raw detectArch.c hosted with  by GitHub

 

Sursa: https://osandamalith.com/2017/09/24/detecting-architecture-in-windows/

[explo1t]

Interesting method! Always useful to perform such tasks purely through assembly language instead of calling some API