Hi, after seeing how the Kronos malware detects the bitness of Windows, and jj2007's topic on the MASM32 forums, I decided to write a small application and learn how to detect Windows' bit level using MASM32 and the Win32 API.
hasherezade’s approach
Thanks to hasherezade, the technique she found in the Kronos malware is unique. In a 32-bit process the CS segment selector fits in 5 bits on 32-bit Windows but needs 6 bits on 64-bit Windows, where the process runs under WOW64. So by checking the 6th bit from the right you can detect the bitness of the operating system.
is_system64_bit PROC
    ; _______________________________________________________________________________
    ; Is your OS 64bit or not procedure
    ; Author   : hasherezade - https://gist.github.com/hasherezade/0994447e9d3dc184888fb2afd5a57301
    ; Receives :
    ; Returns  : eax > 0 = 64-bit
    ; ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    LOCAL flag:DWORD

    xor eax, eax
    mov ax, cs              ; code segment selector of this 32-bit process
    shr eax, 5              ; 0x1B (32-bit Windows) -> 0, 0x23 (WOW64 on 64-bit Windows) -> 1
    mov flag, eax
    .IF flag > 0
        mov eax, TRUE
    .ELSE
        mov eax, FALSE
    .ENDIF
    ret
is_system64_bit ENDP

;02. hasherezade's approach from kronos malware:
invoke StdOut, chr$("[ 1 ] hasherezade's approach from kronos malware:",13,10)
invoke is_system64_bit
test eax, eax               ; set ZF from the return value (mov does not touch the flags)
.if Zero?
    print chr$("[ + ] 32-bit",13,10)
.else
    print chr$("[ + ] 64-bit",13,10)
.endif
invoke StdOut, chr$(13,10)
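As an added example that is not part of the original post or hasherezade's gist, the same five-bit test in C, together with an analyst-side byte-pattern check for the `mov ax, cs / shr eax, 5` idiom so the probe can be recognised in a binary. The selector constants are the documented Windows user-mode values, the two sample byte buffers are hand-assembled here from the listing above (not bytes taken from Kronos), and `read_cs` is compiled only for Windows builds with GCC/Clang inline assembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Well-known user-mode code segment selectors on Windows. */
#define CS_NATIVE_32BIT  0x1Bu   /* 32-bit process on 32-bit Windows */
#define CS_WOW64_32BIT   0x23u   /* 32-bit process on 64-bit Windows (WOW64) */
#define CS_NATIVE_64BIT  0x33u   /* 64-bit process on 64-bit Windows */

/* Same test as "mov ax, cs / shr eax, 5": only 0x1B fits in five bits. */
int cs_indicates_64bit_os(uint16_t cs)
{
    return (cs >> 5) != 0;
}

#if defined(_WIN32) && (defined(__GNUC__) || defined(__clang__))
/* Reads the live selector; meaningful for a 32-bit build of this program. */
static uint16_t read_cs(void)
{
    uint16_t cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return cs;
}
#endif

/* Constructed sample: xor eax,eax / mov ax,cs / shr eax,5 / mov [ebp-4],eax,
 * hand-assembled from the MASM listing (flag is the LOCAL at [ebp-4]). */
const uint8_t SAMPLE_PROBE[] = {
    0x33, 0xC0,             /* xor eax, eax     */
    0x66, 0x8C, 0xC8,       /* mov ax, cs       */
    0xC1, 0xE8, 0x05,       /* shr eax, 5       */
    0x89, 0x45, 0xFC        /* mov [ebp-4], eax */
};
/* Constructed benign prologue/epilogue that never reads CS. */
const uint8_t SAMPLE_BENIGN[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0xC9, 0xC3 };

/* Analyst-side check: find "mov ax, cs" (66 8C C8) or "mov eax, cs" (8C C8)
 * followed within 'window' bytes by "shr eax, 5" (C1 E8 05). Returns the
 * offset of the MOV (including its 66 prefix when present), or -1.
 * A real scanner would disassemble rather than match raw bytes; this shows
 * the idiom only. */
long find_cs_bitness_probe(const uint8_t *buf, size_t len, size_t window)
{
    for (size_t i = 0; i + 2 <= len; i++) {
        if (buf[i] != 0x8C || buf[i + 1] != 0xC8)
            continue;
        size_t limit = i + 2 + window;
        if (limit > len)
            limit = len;
        for (size_t j = i + 2; j + 3 <= limit; j++) {
            if (buf[j] == 0xC1 && buf[j + 1] == 0xE8 && buf[j + 2] == 0x05)
                return (i > 0 && buf[i - 1] == 0x66) ? (long)(i - 1) : (long)i;
        }
    }
    return -1;
}

int main(void)
{
    printf("probe at offset %ld in SAMPLE_PROBE, %ld in SAMPLE_BENIGN\n",
           find_cs_bitness_probe(SAMPLE_PROBE, sizeof SAMPLE_PROBE, 8),
           find_cs_bitness_probe(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, 8));
#if defined(_WIN32) && (defined(__GNUC__) || defined(__clang__))
    uint16_t cs = read_cs();
    printf("live CS = 0x%02X -> %s\n", cs,
           cs_indicates_64bit_os(cs) ? "64-bit Windows" : "32-bit Windows");
#endif
    return 0;
}
```

The decision function is kept separate from the selector read so it can be exercised on the three known selector values without running on Windows; note that a native 64-bit process (CS = 0x33) also passes the test, so the trick only distinguishes 32-bit Windows from everything else.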
Checking If C:\Windows\SysWow64 Directory Exists
By checking whether the C:\Windows\SysWow64 directory exists we can detect the bit level of Windows. This is only a heuristic: the path is hardcoded and it is the directory's presence, not the OS architecture, that gets tested.
;03. Check if there is C:\Windows\SysWow64 directory:
print chr$("[ 2 ] SysWow64 directory exists?",13,10)
.if fexist("C:\Windows\SysWow64")
    print chr$("[ + ] 64-bit",13,10)
.else
    print chr$("[ + ] 32-bit",13,10)
.endif
Using IsWow64Process API
IsWow64Process reports whether the calling process is running under WOW64, i.e. a 32-bit process on 64-bit Windows. Since this program is a 32-bit executable, TRUE means we are on 64-bit Windows and FALSE means 32-bit Windows. The function is looked up with GetProcAddress because older 32-bit Windows versions do not export it:
;04. IsWow64Process checks whether our process runs under WOW64:
print cfm$("[ 3 ] Query bitness with IsWow64Process APIs:\n")
xchg ebx, rv(GetProcAddress, rv(GetModuleHandle, "kernel32"), "IsWow64Process")
.if ebx
    print "[ + ] IsWow64Process found: retval="
    invoke GetCurrentProcess    ; eax = pseudo-handle of this process
    push 0                      ; BOOL output slot on the stack, preset to FALSE
    push esp                    ; PBOOL Wow64Process -> the slot just pushed
    push eax                    ; HANDLE hProcess
    call ebx                    ; call through the looked-up address; invoke would
                                ; link IsWow64Process statically and defeat the check
    pop ecx                     ; ecx = Wow64Process BOOL (callee removed its 2 args)
    mov bayrakIsWow64, cl
    print str$(ecx),13,10
    .if bayrakIsWow64 == 1
        print chr$("[ + ] 64-bit",13,10)
    .else
        print chr$("[ + ] 32-bit",13,10)
    .endif
.else
    print "[ + ] IsWow64Process not found",13,10,10
.endif
Using GetNativeSystemInfo API and SYSTEM_INFO struct
Using the GetNativeSystemInfo API with a SYSTEM_INFO structure, we can read the processor architecture of the installed operating system; unlike GetSystemInfo, it reports the native architecture even when called from a WOW64 process. The code below tests only PROCESSOR_ARCHITECTURE_AMD64, so other 64-bit architectures would be reported as 32-bit.
print cfm$("[ 4 ] Query bitness of OS with GetNativeSystemInfo API:\n")
mov ebx, offset sysinf          ; sysinf is a SYSTEM_INFO in the data section
invoke GetNativeSystemInfo, ebx
cmp [ebx.SYSTEM_INFO.wProcessorArchitecture], PROCESSOR_ARCHITECTURE_AMD64
.if Zero?
    print chr$("[ + ] 64-bit",13,10)
.else
    print chr$("[ + ] 32-bit",13,10)
.endif
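An added C version of the IsWow64Process and GetNativeSystemInfo checks (not code from the original post), with the decision logic kept in plain functions. It resolves IsWow64Process through GetProcAddress as the MASM code intends, takes the caller's own bitness as an input so a 64-bit build does not misreport, and extends the architecture test beyond AMD64 to the other 64-bit values SYSTEM_INFO can carry. The Windows calls compile only under _WIN32; the constants are the documented PROCESSOR_ARCHITECTURE_* values and are defined here for non-Windows builds.

```c
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Documented SYSTEM_INFO.wProcessorArchitecture values (from winnt.h). */
#ifndef PROCESSOR_ARCHITECTURE_INTEL
#define PROCESSOR_ARCHITECTURE_INTEL   0
#define PROCESSOR_ARCHITECTURE_ARM     5
#define PROCESSOR_ARCHITECTURE_IA64    6
#define PROCESSOR_ARCHITECTURE_AMD64   9
#define PROCESSOR_ARCHITECTURE_ARM64   12
#define PROCESSOR_ARCHITECTURE_UNKNOWN 0xFFFF
#endif

enum { OS_BITS_UNKNOWN = 0, OS_BITS_32 = 32, OS_BITS_64 = 64 };

/* GetNativeSystemInfo reports the native architecture even for a WOW64
 * caller. The MASM listing tests only AMD64; IA64 and ARM64 are also
 * 64-bit and would otherwise be misreported as 32-bit. */
int os_bits_from_arch(uint16_t arch)
{
    switch (arch) {
    case PROCESSOR_ARCHITECTURE_INTEL:
    case PROCESSOR_ARCHITECTURE_ARM:
        return OS_BITS_32;
    case PROCESSOR_ARCHITECTURE_AMD64:
    case PROCESSOR_ARCHITECTURE_IA64:
    case PROCESSOR_ARCHITECTURE_ARM64:
        return OS_BITS_64;
    default:
        return OS_BITS_UNKNOWN;
    }
}

/* IsWow64Process answers "is this 32-bit process running on 64-bit Windows".
 * A 64-bit process is never WOW64, so FALSE only means "32-bit OS" when the
 * caller itself is 32-bit. If the export is missing there is no WOW64 layer
 * on that system at all, so the OS is 32-bit. */
int os_bits_from_wow64(int api_found, int is_wow64, int caller_is_64bit)
{
    if (caller_is_64bit)
        return OS_BITS_64;
    if (!api_found)
        return OS_BITS_32;
    return is_wow64 ? OS_BITS_64 : OS_BITS_32;
}

#ifdef _WIN32
typedef BOOL (WINAPI *IsWow64Process_t)(HANDLE, PBOOL);

/* Resolve IsWow64Process at run time, as the MASM code does, so the binary
 * still loads on a kernel32 that lacks the export. */
static int query_wow64(void)
{
    HMODULE k32 = GetModuleHandleA("kernel32");
    IsWow64Process_t fn = k32 ? (IsWow64Process_t)GetProcAddress(k32, "IsWow64Process") : NULL;
    BOOL wow64 = FALSE;
    int found = fn != NULL;
    if (found && !fn(GetCurrentProcess(), &wow64))
        wow64 = FALSE;                        /* call failed; treat as not WOW64 */
    return os_bits_from_wow64(found, wow64 != FALSE, sizeof(void *) == 8);
}

static int query_native_arch(void)
{
    SYSTEM_INFO si;
    GetNativeSystemInfo(&si);
    return os_bits_from_arch(si.wProcessorArchitecture);
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("IsWow64Process says:      %d-bit\n", query_wow64());
    printf("GetNativeSystemInfo says: %d-bit\n", query_native_arch());
#else
    /* Off Windows, exercise the decision logic on the documented values. */
    printf("AMD64 -> %d-bit, INTEL -> %d-bit, ARM64 -> %d-bit\n",
           os_bits_from_arch(PROCESSOR_ARCHITECTURE_AMD64),
           os_bits_from_arch(PROCESSOR_ARCHITECTURE_INTEL),
           os_bits_from_arch(PROCESSOR_ARCHITECTURE_ARM64));
#endif
    return 0;
}
```

On a 64-bit host both queries should agree; where they disagree, the WOW64 answer is the one tied to the caller's own bitness, which is why `caller_is_64bit` is an explicit input rather than something inferred from the API result.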
The English-commented RadASM project and the Turkish-commented source files were attached to the original post as downloads.