Instantly share code, notes, and snippets.

Embed
What would you like to do?
Checks if the system is 32 or 64 bit
#ifdef _MSC_VER
#include <stdint.h>
#else
#include <inttypes.h>
#endif
#include <stdio.h>
bool is_system64_bit()
{
uint32_t flag = 0;
#ifdef _MSC_VER
__asm {
xor eax, eax
mov ax, cs
shr eax, 5
mov flag, eax
};
#else
__asm__ volatile (
"xor %%eax, %%eax \n"
"mov %%cs, %%ax \n"
"shr $5, %%eax \n"
"mov %%eax, %0 \n"
:"=r"(flag) /* flag is output operand */
: /* no input operand */
:"%eax"); /* %eax is clobbered */
#endif
return (flag > 0);
}
int main()
{
bool is64bit = is_system64_bit();
if (is64bit) {
printf("64 bit\n");
} else {
printf("32 bit\n");
}
return is64bit;
}
@hasherezade

This comment has been minimized.

Owner

hasherezade commented Aug 15, 2017

This is a trick that I found in Kronos malware. I am not the author.
Read also this document: https://github.com/corkami/docs/blob/master/InitialValues.md

@CodeMaxx

This comment has been minimized.

CodeMaxx commented Aug 16, 2017

Interesting! Does this help in avoiding detection in any way? Like instead of using something like sizeof(int) or value of size_t ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment