C/C++ - Check if program is running x86 / x64

AceInfinity · Feb 13, 2016

Code:

[NO-PARSE]// CS = 0x23 (35) = x86 mode
// CS = 0x33 (51) = x64 mode

UINT16 __declspec(naked) WINAPI CS()
{
  __asm
  {
    MOV AX, CS
    RET
  }
}

#define IsX86() (CS() == 0x23)[/NO-PARSE]

For every x86 & x64 process on 64bit Windows there are two allocated code segments. My code checks the CS register and this is probably one of the easiest methods to use. :)

:thumbsup2:

AceInfinity · Feb 15, 2016

Re: C/C++ - Check if program is running x86/x64

Almost similarly, you can check if the program is running under Wow64 emulation in the following way:

Code:

[plain]#include <Windows.h>
#include <stdio.h>

BOOL __declspec(naked) WINAPI IsWow64(void)
{
  __asm
  {
    MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
    SHR EAX, 30
    RET
  }
}

int main(void)
{
  printf("IsWow64: %s\n", IsWow64() ? "True" : "False");
  return 0;
}[/plain]

wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..

GooonE · Jun 26, 2016

Re: C/C++ - Check if program is running x86/x64

AceInfinity said:
Almost similarly, you can check if the program is running under Wow64 emulation in the following way:

Code:

[plain]#include <Windows.h> #include <stdio.h> BOOL __declspec(naked) WINAPI IsWow64(void) { __asm { MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode SHR EAX, 30 RET } } int main(void) { printf("IsWow64: %s\n", IsWow64() ? "True" : "False"); return 0; }[/plain]

wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..

Hi,

can you please make a tutorial about __declspec(naked) vs export?
I don't understand it.

And also explains what are you doing here:
MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
SHR EAX, 30

RET is returning address or variable?

MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
SHR is shift right i think. Shift right EAX by 30. Why to do that?

AceInfinity · Jun 27, 2016

Re: C/C++ - Check if program is running x86/x64

GooonE said:
AceInfinity said:

Almost similarly, you can check if the program is running under Wow64 emulation in the following way:

Code:

[plain]#include <Windows.h> #include <stdio.h> BOOL __declspec(naked) WINAPI IsWow64(void) { __asm { MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode SHR EAX, 30 RET } } int main(void) { printf("IsWow64: %s\n", IsWow64() ? "True" : "False"); return 0; }[/plain]

wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..

Click to expand...

Hi,

can you please make a tutorial about __declspec(naked) vs export?
I don't understand it.

And also explains what are you doing here:
MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
SHR EAX, 30

RET is returning address or variable?

MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
SHR is shift right i think. Shift right EAX by 30. Why to do that?

A tutorial is not required, if you look up information on each you should find plenty of information..

Also, they aren't even related so I don't think a tutorial about the two would make much sense. _declspec(dllexport) refers to data that is meant to be exported (EAT), and naked has to due with what assembly code is NOT generated for a function marked as __declspec(naked), but it is Microsoft specific too.

RET is mainly just returning back to the caller the value within the EAX register. No stack frame is necessary to set up, the first line populates the EAX register with the value of the FS register at offset 0xC0. You won't understand much if you don't know anything about x64 and x86, along with assembly, and how Wow64 works.

Read this if you're interested: Mixing x86 with x64 code

CS register = 0x23 (35) = x86 mode
CS register = 0x33 (51) = x64 mode

GooonE · Jun 28, 2016

Re: C/C++ - Check if program is running x86/x64

AceInfinity said:
GooonE said:

AceInfinity said:

Almost similarly, you can check if the program is running under Wow64 emulation in the following way:

Code:

[plain]#include <Windows.h> #include <stdio.h> BOOL __declspec(naked) WINAPI IsWow64(void) { __asm { MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode SHR EAX, 30 RET } } int main(void) { printf("IsWow64: %s\n", IsWow64() ? "True" : "False"); return 0; }[/plain]

wow64cpu!X86SwitchTo64BitMode is a jmp to wow64cpu!CpupReturnFromSimulatedCode for Wow64. For people who don't want to use inline assembly, there's also the C/C++ intrinsic __readfsdword for the FS register from <intrin.h>..

Click to expand...

Hi,

can you please make a tutorial about __declspec(naked) vs export?
I don't understand it.

And also explains what are you doing here:
MOV EAX, FS:[0xC0] ; wow64cpu!X86SwitchTo64BitMode
SHR EAX, 30

RET is returning address or variable?

MOV EAX, FS:[0xC0]; I know it's put FS:[0xC0] into EAX but what is the dots and bracets?
SHR is shift right i think. Shift right EAX by 30. Why to do that?

Click to expand...

A tutorial is not required, if you look up information on each you should find plenty of information..

Also, they aren't even related so I don't think a tutorial about the two would make much sense. _declspec(dllexport) refers to data that is meant to be exported (EAT), and naked has to due with what assembly code is NOT generated for a function marked as __declspec(naked), but it is Microsoft specific too.

RET is mainly just returning back to the caller the value within the EAX register. No stack frame is necessary to set up, the first line populates the EAX register with the value of the FS register at offset 0xC0. You won't understand much if you don't know anything about x64 and x86, along with assembly, and how Wow64 works.

Read this if you're interested: Mixing x86 with x64 code

CS register = 0x23 (35) = x86 mode
CS register = 0x33 (51) = x64 mode

Hi,

can you share resources for learning?

I watched video:
x64 Assembly and C++ Tutorial 27: Calling C++ from ASM - YouTube

And I didn't understand it, he said something that first there is shadow space for 20 hex and you allocate it for function maybe?
And then pass arguments ..

GooonE · Jun 29, 2016

Re: C/C++ - Check if program is running x86/x64

No response?

AceInfinity · Jul 1, 2016

Re: C/C++ - Check if program is running x86/x64

GooonE said:
No response?

I'm not on the forums everyday so it's best to allow at least 48 hours for a response.

Videos are usually not very reliable, grab a book/ebook as it's most likely been reviewed by many other programmers who have given insights on the topic. Look up resources for ASM on StackOverflow as well. If you're not resourceful, learning a new language like ASM, or even C or C++ is going to be nearly impossible because they require a lot of research in most cases.

Also, that's not for x86 ASM, that's for x64 ASM which is completely different. I would suggest starting off with x86 ASM first. x86asm.net has some interesting articles, but you'll want to understand how the stack works, among a few other things before most of the concepts will make sense. :)

I will say that learning Assembly is not a "watch one video and know everything" kind of learning curve, it will take you perhaps at least a year to fully understand what you're doing without having to look things up every few minutes.

tekz · Oct 15, 2016

Re: C/C++ - Check if program is running x86/x64

If you want to avoid assembly, you could check size_t, which is a type guaranteed to hold any array index.

Code:

unsigned char is_object_size_x64()
{
    return ((size_t)-1 > 0xfffffffful) ? 1 : 0;
}

AceInfinity · Oct 18, 2016

Re: C/C++ - Check if program is running x86/x64

One thing to keep in mind is that you wouldn't be able to use that inline assembly too if you compiled it as a 64-bit target because it's using x86 instructions.

Another thing is that the solution against the size_t type is also going to be more of a compile-time evaluation, in which case you could just use the preprocessor directives themselves which determine the size_t (in Windows VS, it's _WIN64 for me), or use sizeof() operator on a pointer type like void* and check how many bytes it returns.

Code:

constexpr bool IsX64() { return sizeof(void *) == 8; }

Otherwise, a combination of a WOW64 check and if it's running in x86 mode or not, but without direct inline asm.

C/C++ - Check if program is running x86 / x64

AceInfinity

Emeritus, Contributor

AceInfinity

Emeritus, Contributor

GooonE

Well-known member

AceInfinity

Emeritus, Contributor

GooonE

Well-known member

GooonE

Well-known member

AceInfinity

Emeritus, Contributor

tekz

Active member

AceInfinity

Emeritus, Contributor