Checks if the system is 32 or 64 bit
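#ifdef _MSC_VER
#include <stdint.h>
#else
#include <inttypes.h>
#endif
#include <stdio.h>
#ifndef __cplusplus
#include <stdbool.h> /* bool is not built in when compiled as C */
#endif

/*
 * Meant to be built as a 32-bit program. On Windows the CS selector is 0x1B
 * on a 32-bit system and 0x23 for a 32-bit process running under WoW64, so
 * (CS >> 5) is 0 on a 32-bit system and non-zero on a 64-bit one.
 */
bool is_system64_bit()
{
    uint32_t flag = 0;
#ifdef _MSC_VER
    /* MSVC inline assembly (available in x86 builds only) */
    __asm {
        xor eax, eax    ; clear the upper half of eax
        mov ax, cs      ; read the code segment selector
        shr eax, 5      ; 0x1B >> 5 == 0, 0x23 >> 5 == 1
        mov flag, eax
    };
#else
    /* GCC/Clang extended inline assembly, same instruction sequence */
    __asm__ volatile (
        "xor %%eax, %%eax \n"
        "mov %%cs, %%ax \n"
        "shr $5, %%eax \n"
        "mov %%eax, %0 \n"
        :"=r"(flag) /* flag is output operand */
        : /* no input operand */
        :"%eax"); /* %eax is clobbered */
#endif
    return (flag > 0);
}

int main()
{
    bool is64bit = is_system64_bit();
    if (is64bit) {
        printf("64 bit\n");
    } else {
        printf("32 bit\n");
    }
    /* the exit code mirrors the result: 1 for 64 bit, 0 for 32 bit */
    return is64bit;
}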
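Why the shift by 5 separates the two cases, and how the `mov ax, cs` / `shr eax, 5` pair can be located in a 32-bit code buffer when triaging a sample. This is an added example, not part of the gist or of the Kronos code. It assumes the usual Windows selector values (0x1B, 0x23, 0x33); the function names are hypothetical and `SAMPLE` is a constructed byte string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Segment selector layout: index (bits 15..3), TI (bit 2), RPL (bits 1..0). */
typedef struct { unsigned index, ti, rpl; } selector_t;

selector_t decode_selector(uint16_t sel)
{
    selector_t s = { (unsigned)(sel >> 3), (sel >> 2) & 1u, sel & 3u };
    return s;
}

/* What the gist's check computes: sel >> 5 is non-zero once the index is >= 4. */
int cs_check_result(uint16_t cs) { return (cs >> 5) > 0; }

/* 32-bit encoding of "mov ax, cs ; shr eax, 5". The optional 0x66 operand-size
 * prefix sits before 8C, so matching from 8C covers both encodings. */
static const uint8_t CS_CHECK[] = { 0x8C, 0xC8, 0xC1, 0xE8, 0x05 };

/* Offset of the first occurrence of the sequence in buf, or -1 if absent. */
long find_cs_check(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + sizeof CS_CHECK <= len; i++)
        if (memcmp(buf + i, CS_CHECK, sizeof CS_CHECK) == 0)
            return (long)i;
    return -1;
}

/* Constructed sample: push ebp; xor eax,eax; mov ax,cs; shr eax,5; ret */
static const uint8_t SAMPLE[] = { 0x55, 0x33, 0xC0, 0x66, 0x8C, 0xC8,
                                  0xC1, 0xE8, 0x05, 0xC3 };

long sample_offset(void) { return find_cs_check(SAMPLE, sizeof SAMPLE); }

int main(void)
{
    /* Assumed values: 32-bit Windows, WoW64 process, native 64-bit process. */
    const uint16_t values[] = { 0x1B, 0x23, 0x33 };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        selector_t s = decode_selector(values[i]);
        printf("CS=0x%02X index=%u TI=%u RPL=%u check=%d\n", (unsigned)values[i],
               s.index, s.ti, s.rpl, cs_check_result(values[i]));
    }
    printf("sequence found at offset %ld\n", sample_offset());
    return 0;
}
```

A hit only says the instruction pair is present; a compiler or author can reach the same result with other registers, so treat it as a triage hint rather than a signature.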
Owner

hasherezade commented Aug 15, 2017 edited

This is a trick that I found in Kronos malware. I am not the author.
Read also this document: https://github.com/corkami/docs/blob/master/InitialValues.md

CodeMaxx commented Aug 16, 2017 edited

Interesting! Does this help in avoiding detection in any way? Like instead of using something like sizeof(int) or value of size_t ...
