1. #1
    AceInfinity's Avatar
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,725

    C/C++ - Check if program is running x86 / x64

    Code:
    // CS = 0x23 (35) = x86 mode
    // CS = 0x33 (51) = x64 mode
    
    UINT16 __declspec(naked) WINAPI CS()
    {
      __asm
      {
        MOV AX, CS
        RET
      }
    }
    
    #define IsX86() (CS() == 0x23)
    For every x86 & x64 process on 64bit Windows there are two allocated code segments. My code checks the CS register and this is probably one of the easiest methods to use. :)

    Last edited by AceInfinity; 10-18-2016 at 04:31 PM.
    blueelvis says thanks for this.
    Automation Programmer
    Microsoft MVP [2012 - 2018]


    • Ad Bot

      advertising
      Beep.

        
       

  2. #2
    AceInfinity's Avatar
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,725

    Re: C/C++ - Check if program is running x86/x64

    Almost similarly, you can check if the program is running under Wow64 emulation in the following way:
    Code:
    #include <Windows.h>
    #include <stdio.h>
    
    BOOL __declspec(naked) WINAPI IsWow64(void)
    {
      __asm
      {
        MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
        SHR EAX, 30
        RET
      }
    }
    
    int main(void)
    {
      printf("IsWow64: %s\n", IsWow64() ? "True" : "False");
      return 0;
    }
    wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..
    Last edited by AceInfinity; 02-15-2016 at 11:50 PM.
    GooonE says thanks for this.
    Automation Programmer
    Microsoft MVP [2012 - 2018]

  3. #3

    Re: C/C++ - Check if program is running x86/x64

    Quote Originally Posted by AceInfinity View Post
    Almost similarly, you can check if the program is running under Wow64 emulation in the following way:
    Code:
    #include <Windows.h>
    #include <stdio.h>
    
    BOOL __declspec(naked) WINAPI IsWow64(void)
    {
      __asm
      {
        MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
        SHR EAX, 30
        RET
      }
    }
    
    int main(void)
    {
      printf("IsWow64: %s\n", IsWow64() ? "True" : "False");
      return 0;
    }
    wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..
    Hi,

    can you please make a tutorial about __declspec(naked) vs export?
    I don't understand it.

    And also explains what are you doing here:
    MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
    SHR EAX, 30


    RET is returning address or variable?

    MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
    SHR is shift right i think. Shift right EAX by 30. Why to do that?

  4. #4
    AceInfinity's Avatar
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,725

    Re: C/C++ - Check if program is running x86/x64

    Quote Originally Posted by GooonE View Post
    Quote Originally Posted by AceInfinity View Post
    Almost similarly, you can check if the program is running under Wow64 emulation in the following way:
    Code:
    #include <Windows.h>
    #include <stdio.h>
    
    BOOL __declspec(naked) WINAPI IsWow64(void)
    {
      __asm
      {
        MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
        SHR EAX, 30
        RET
      }
    }
    
    int main(void)
    {
      printf("IsWow64: %s\n", IsWow64() ? "True" : "False");
      return 0;
    }
    wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..
    Hi,

    can you please make a tutorial about __declspec(naked) vs export?
    I don't understand it.

    And also explains what are you doing here:
    MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
    SHR EAX, 30


    RET is returning address or variable?

    MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
    SHR is shift right i think. Shift right EAX by 30. Why to do that?
    A tutorial is not required, if you look up information on each you should find plenty of information..

    Also, they aren't even related so I don't think a tutorial about the two would make much sense. _declspec(dllexport) refers to data that is meant to be exported (EAT), and naked has to due with what assembly code is NOT generated for a function marked as __declspec(naked), but it is Microsoft specific too.

    RET is mainly just returning back to the caller the value within the EAX register. No stack frame is necessary to set up, the first line populates the EAX register with the value of the FS register at offset 0xC0. You won't understand much if you don't know anything about x64 and x86, along with assembly, and how Wow64 works.

    Read this if you're interested: Mixing x86 with x64 code

    CS register = 0x23 (35) = x86 mode
    CS register = 0x33 (51) = x64 mode
    Last edited by AceInfinity; 06-27-2016 at 09:59 PM.
    Automation Programmer
    Microsoft MVP [2012 - 2018]

  5. #5

    Re: C/C++ - Check if program is running x86/x64

    Quote Originally Posted by AceInfinity View Post
    Quote Originally Posted by GooonE View Post
    Quote Originally Posted by AceInfinity View Post
    Almost similarly, you can check if the program is running under Wow64 emulation in the following way:
    Code:
    #include <Windows.h>
    #include <stdio.h>
    
    BOOL __declspec(naked) WINAPI IsWow64(void)
    {
      __asm
      {
        MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
        SHR EAX, 30
        RET
      }
    }
    
    int main(void)
    {
      printf("IsWow64: %s\n", IsWow64() ? "True" : "False");
      return 0;
    }
    wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..
    Hi,

    can you please make a tutorial about __declspec(naked) vs export?
    I don't understand it.

    And also explains what are you doing here:
    MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
    SHR EAX, 30


    RET is returning address or variable?

    MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
    SHR is shift right i think. Shift right EAX by 30. Why to do that?
    A tutorial is not required, if you look up information on each you should find plenty of information..

    Also, they aren't even related so I don't think a tutorial about the two would make much sense. _declspec(dllexport) refers to data that is meant to be exported (EAT), and naked has to due with what assembly code is NOT generated for a function marked as __declspec(naked), but it is Microsoft specific too.

    RET is mainly just returning back to the caller the value within the EAX register. No stack frame is necessary to set up, the first line populates the EAX register with the value of the FS register at offset 0xC0. You won't understand much if you don't know anything about x64 and x86, along with assembly, and how Wow64 works.

    Read this if you're interested: Mixing x86 with x64 code

    CS register = 0x23 (35) = x86 mode
    CS register = 0x33 (51) = x64 mode
    Hi,

    can you share resources for learning?

    I watched video:
    x64 Assembly and C++ Tutorial 27: Calling C++ from ASM - YouTube

    And I didn't understand it, he said something that first there is shadow space for 20 hex and you allocate it for function maybe?
    And then pass arguments ..

  6. #6

    Re: C/C++ - Check if program is running x86/x64

    No response?

  7. #7
    AceInfinity's Avatar
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,725

    Re: C/C++ - Check if program is running x86/x64

    Quote Originally Posted by GooonE View Post
    No response?
    I'm not on the forums everyday so it's best to allow at least 48 hours for a response.

    Videos are usually not very reliable, grab a book/ebook as it's most likely been reviewed by many other programmers who have given insights on the topic. Look up resources for ASM on StackOverflow as well. If you're not resourceful, learning a new language like ASM, or even C or C++ is going to be nearly impossible because they require a lot of research in most cases.

    Also, that's not for x86 ASM, that's for x64 ASM which is completely different. I would suggest starting off with x86 ASM first. x86asm.net has some interesting articles, but you'll want to understand how the stack works, among a few other things before most of the concepts will make sense. :)

    I will say that learning Assembly is not a "watch one video and know everything" kind of learning curve, it will take you perhaps at least a year to fully understand what you're doing without having to look things up every few minutes.
    Last edited by AceInfinity; 07-01-2016 at 07:44 PM.
    GooonE says thanks for this.
    Automation Programmer
    Microsoft MVP [2012 - 2018]

  8. #8

    Re: C/C++ - Check if program is running x86/x64

    If you want to avoid assembly, you could check size_t, which is a type guaranteed to hold any array index.

    Code:
    unsigned char is_object_size_x64()
    {
        return ((size_t)-1 > 0xfffffffful) ? 1 : 0;
    }

  9. #9
    AceInfinity's Avatar
    Join Date
    Feb 2012
    Location
    Canada
    Posts
    1,725

    Re: C/C++ - Check if program is running x86/x64

    One thing to keep in mind is that you wouldn't be able to use that inline assembly too if you compiled it as a 64-bit target because it's using x86 instructions.

    Another thing is that the solution against the size_t type is also going to be more of a compile-time evaluation, in which case you could just use the preprocessor directives themselves which determine the size_t (in Windows VS, it's _WIN64 for me), or use sizeof() operator on a pointer type like void* and check how many bytes it returns.

    Code:
    constexpr bool IsX64() { return sizeof(void *) == 8; }
    Otherwise, a combination of a WOW64 check and if it's running in x86 mode or not, but without direct inline asm.
    Last edited by AceInfinity; 10-18-2016 at 04:31 PM.
    Automation Programmer
    Microsoft MVP [2012 - 2018]

Similar Threads

  1. [C++] KWIC program
    By Will Watts in forum Programming
    Replies: 15
    Last Post: 07-12-2015, 05:13 PM

Log in

Log in