Hi, after seeing how the Kronos malware detects the bitness of Windows, and jj2007's topic on the MASM32 forums, I decided to write a small application and learn how to detect the Windows bit level using MASM32 and the WinAPI.
hasherezade’s approach
Thanks to hasherezade, the technique she found in the Kronos malware is unique. Interestingly, CS holds a 5-bit value when the OS is 32-bit and a 6-bit value when the OS is 64-bit. So by checking the 6th bit from the right you can detect the bitness of the operating system.
```asm
is_system64_bit PROC
; _______________________________________________________________________________
; Is your OS 64bit or not procedure
; Author   : hasherezade - https://gist.github.com/hasherezade/0994447e9d3dc184888fb2afd5a57301
; Receives : nothing
; Returns  : eax > 0 = 64-bit
; ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    LOCAL flag:DWORD
    xor eax, eax
    mov ax, cs          ; user-mode code segment selector
    shr eax, 5          ; keep bit 5 and above (the 6th bit from the right)
    mov flag, eax
    .IF flag > 0
        mov eax, TRUE
    .ELSE
        mov eax, FALSE
    .ENDIF
    ret
is_system64_bit ENDP

; 02. hasherezade's approach from the Kronos malware:
invoke StdOut, chr$("[ 1 ] hasherezade's approach from kronos malware:",13,10)
invoke is_system64_bit
test eax, eax           ; set ZF from the return value instead of relying on flags left over from the .IF
.if Zero?
    print chr$("[ + ] 32-bit",13,10)
.else
    print chr$("[ + ] 64-bit",13,10)
.endif
invoke StdOut, chr$(13,10)
```
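To make clear why the 6th bit differs, here is the same heuristic in C as an added example (not code from the post, the Kronos sample, or hasherezade's gist). It decodes a segment selector into its index, table-indicator and RPL fields, applies the Kronos bit-5 test, and, on x86 builds with GCC or clang, reads the live CS. The function names and the sample selectors are my own: 0x1B (GDT index 3) is the 32-bit user-mode code selector on 32-bit Windows, 0x23 (index 4) is what a WOW64 process sees on 64-bit Windows, and 0x33 (index 6) is native 64-bit user code; those values come from the Windows GDT layout, not from the post. The test only tells a 32-bit process whether it runs under WOW64, and only on Windows, since other operating systems lay out their GDT differently; the documented way to ask the same question is IsWow64Process. For an analyst, the `mov ax, cs` / `shr eax, 5` pair is a compact environment-fingerprinting idiom worth recognising in disassembly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of an x86 segment selector: bits 0-1 RPL, bit 2 table indicator,
 * bits 3-15 descriptor index (Intel SDM vol. 3, "Segment Selectors"). */
typedef struct {
    unsigned index; /* GDT/LDT slot the selector refers to */
    unsigned ti;    /* 0 = GDT, 1 = LDT */
    unsigned rpl;   /* requested privilege level, 3 in user mode */
} selector_fields;

selector_fields decode_selector(uint16_t sel)
{
    selector_fields f;
    f.rpl   = sel & 0x3u;
    f.ti    = (sel >> 2) & 0x1u;
    f.index = sel >> 3;
    return f;
}

/* The Kronos heuristic from the post in plain C: true when bit 5
 * (the 6th bit from the right) or any higher bit of CS is set. */
bool kronos_cs_looks_64bit(uint16_t cs)
{
    return (cs >> 5) != 0;
}

/* Constructed sample selectors (hypothetical names; values from the Windows
 * GDT layout, not from the post): 32-bit user code on 32-bit Windows sits at
 * index 3, WOW64 32-bit user code on 64-bit Windows at index 4, native
 * 64-bit user code at index 6. */
#define CS_WIN32_NATIVE 0x1Bu
#define CS_WOW64        0x23u
#define CS_WIN64_NATIVE 0x33u

#if defined(__i386__) || defined(__x86_64__)
/* Read the live CS selector with GCC/clang inline asm. The heuristic is only
 * meaningful against the Windows table above; Linux uses different indices. */
uint16_t read_cs(void)
{
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs;
}
#endif

int main(void)
{
    const uint16_t samples[] = { CS_WIN32_NATIVE, CS_WOW64, CS_WIN64_NATIVE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        selector_fields f = decode_selector(samples[i]);
        printf("cs=0x%02X index=%u ti=%u rpl=%u -> heuristic says %s\n",
               samples[i], f.index, f.ti, f.rpl,
               kronos_cs_looks_64bit(samples[i]) ? "64-bit OS" : "32-bit OS");
    }
#if defined(__i386__) || defined(__x86_64__)
    printf("live cs=0x%02X (only interpret with the Windows table on Windows)\n",
           read_cs());
#endif
    return 0;
}
```

The decoded fields show the real difference: both selectors are ring-3 GDT entries, and what changes between a native 32-bit process and a WOW64 process is the descriptor index (3 versus 4), which is exactly the bit the `shr eax, 5` exposes.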