flat assembler
Message board for the users of flat assembler.

how recognize mode of processor x64

melvin



Joined: 03 Oct 2011
Posts: 2
melvin
Hello

I'd like to recognize the mode in which a 64-bit CPU is currently running: is it long mode or compatible mode?

I read it is possible by checking the L and D flags in the CS register, but as I see, it is only 16 bits. These flags L and D are bits 21 and 22.
I want to check the mode in user mode.

Thank you
Post 27 Feb 2013, 19:29
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
If you're running a 32-bit program (Wow64), then you're in 32-bit.
If you're running a 64-bit program, then you are in long mode.

That is, you force the OS to put the CPU in whatever mode by running a program requiring that mode. There is really nothing to detect?

Am I understanding you correctly?
Post 27 Feb 2013, 19:57
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Like comrade said, however, if you actually intended to post your question in Main forum or your code runs in an unknown context, then:
Code:
use64
xor eax, eax
mov rax, rax ; in 32-bit mode this is DEC EAX | MOV EAX, EAX
jnz .32_bit

.64_bit:

use32
.32_bit:    
Post 27 Feb 2013, 23:06
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
Hah, I wonder if melvin is coding an exploit
Post 28 Feb 2013, 10:01
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
MazeGen
If it is an exploit, it should use trickier code ;)
Code:
use64
xor eax, eax
DB 48h   ; DEC EAX in 32-bit mode, otherwise REX.W swallowed by JNZ
jnz .32_bit

.64_bit:

use32
.32_bit:    
Post 28 Feb 2013, 10:30
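Added example, not part of any poster's message: a small Python decoder that walks the two byte sequences above as a CPU (or a disassembler) would in each mode, showing why byte 48h sends execution to a different label. The byte encodings are assumptions (31 C0 for xor eax, eax; 89 C0 for the mov; a short 75 rel8 for jnz); fasm may pick other equivalent encodings.

```python
# Added illustration: decodes only the encodings the two snippets need.
# Assumed bytes: 31 C0 = xor eax,eax; 48 89 C0 = mov rax,rax; 75 rel8 = jnz.
# The rel8 displacement (00) is a placeholder; the assembler fills it in.
LOCO = bytes([0x31, 0xC0, 0x48, 0x89, 0xC0, 0x75, 0x00])   # first snippet
MAZEGEN = bytes([0x31, 0xC0, 0x48, 0x75, 0x00])            # DB 48h variant


def trace(code: bytes, bits: int):
    """Decode `code` as it would be read in `bits`-bit mode (32 or 64).

    Returns (listing, taken): the decoded instructions and whether the JNZ
    is taken, i.e. whether execution continues at the .32_bit label.
    """
    eax, zf = 0xDEADBEEF, False          # arbitrary register state on entry
    listing, rex_w, i = [], False, 0
    while i < len(code):
        op = code[i]
        if op == 0x48 and bits == 64:    # REX.W prefix: touches no flags
            rex_w, i = True, i + 1
            continue
        if op == 0x48:                   # 32-bit mode: DEC EAX, updates ZF
            eax = (eax - 1) & 0xFFFFFFFF
            zf = eax == 0
            listing.append("dec eax")
            i += 1
        elif code[i:i + 2] == b"\x31\xC0":   # XOR EAX, EAX: EAX = 0, ZF = 1
            eax, zf = 0, True
            listing.append("xor eax, eax")
            i += 2
        elif code[i:i + 2] == b"\x89\xC0":   # MOV reg, reg leaves flags alone
            listing.append("mov rax, rax" if rex_w else "mov eax, eax")
            i += 2
        elif op == 0x75:                     # JNZ rel8: taken when ZF = 0
            listing.append("rex.w jnz" if rex_w else "jnz")
            return listing, not zf
        else:
            raise ValueError(f"opcode {op:#04x} is outside this sketch")
        rex_w = False                    # a REX prefix covers one instruction
    raise ValueError("no JNZ in the byte sequence")


if __name__ == "__main__":
    for name, code in (("LocoDelAssembly", LOCO), ("MazeGen", MAZEGEN)):
        for bits in (64, 32):
            listing, taken = trace(code, bits)
            target = ".32_bit" if taken else ".64_bit"
            print(f"{name} decoded as {bits}-bit: {'; '.join(listing)} -> {target}")
```

The same effect explains why a disassembler set to the wrong bitness shows a different instruction listing for these bytes.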
melvin



Joined: 03 Oct 2011
Posts: 2
melvin
No, I am not coding an exploit :)

Thanks for the replies. Your code is great. I would never have thought to do it that way. But I want to recognize the mode without executing any code.

It is because I am writing an x64 debugger for both 32- and 64-bit applications. If a breakpoint is hit on an API function, I want to know what the size of the return address is.

In a WoW64 process there are both x64 and x86 DLLs.
I suppose that these 64-bit DLLs are executing in long mode.
For instance C:\Windows\SYSTEM32\ntdll.dll.
Post 28 Feb 2013, 21:09
comrade



Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
comrade
melvin wrote:
It is because I am writing an x64 debugger for both 32- and 64-bit applications. If a breakpoint is hit on an API function, I want to know what the size of the return address is.

Wow64 emulates the debugging APIs (DebugActiveProcess etc) such that you can use a 32-bit debugger on a 64-bit machine, with the intention of debugging a 32-bit program.

You will run into many difficulties by having a 64-bit process debugging a 32-bit Wow64 process.

And again, if you have attached to a particular process, you can query whether it is 32-bit or 64-bit by calling IsWow64Process.

_________________
comrade (comrade64@live.com; http://comrade.ownz.com/)
Post 01 Mar 2013, 07:46

Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.