Detect if your Windows version is 32- or 64-bit

[blue_devil]

i am sorry
i have find this after asking the question in the macros/macros.asm

Code: [Select]

  ; -----------------------
  ; test if file exists
  ; return values
  ; 1 = file exists
  ; 0 = file does not exist
  ; -----------------------
    fexist MACRO name_of_file
      IFNDEF __UNICODE__
        EXITM <rv(exist,name_of_file)>
      ELSE
        EXITM <rv(existW,name_of_file)>
      ENDIF
    ENDM
  ; -----------------------
And works nicely!

[jj2007]

@jochen
how does your "Exist Macro" run on masm32
...
This is from MasmBasic.inc, but i cant find "MbExistP"

It's in \Masm32\MasmBasic\MasmBasic.lib

[blue_devil]

It's in \Masm32\MasmBasic\MasmBasic.lib

I know it is in MasmBasic.lib but there is no MasmBasic.asm :icon_redface: right?

[blue_devil]

invoke GetNativeSystemInfo, addr lp_SYSTEM_INFO

Thanks, Michael - that's what I use already:

Code: [Select]

Win64 MACRO
  pushad
  ifndef SysInfo
.DATA?
SysInfo SYSTEM_INFO <>
.CODE
  endif
  mov ebx, offset SysInfo
  invoke GetNativeSystemInfo, ebx
  cmp [ebx.SYSTEM_INFO.wProcessorArchitecture], PROCESSOR_ARCHITECTURE_AMD64
  popad
  EXITM <Zero?>
ENDM

@jj .SYSTEM_INFO.wProcessorArchitecture returns the bitness of processor not the operating system right? Or am i missing something?

from MSDN network - SYSTEM_INFO

wProcessorArchitecture

    The processor architecture of the installed operating system. This member can be one of the following values.

[jj2007]

@jj .SYSTEM_INFO.wProcessorArchitecture returns the bitness of processor not the operating system right? Or am i missing something?

Good question! And precise answer:

wProcessorArchitecture

    The processor architecture of the installed operating system. This member can be one of the following values.

::)

[blue_devil]

Last night i have worked too much late. Then, i couldn't understand what i have read. :icon_redface:

wProcessorArchitecture

    The processor architecture of the installed operating system. This member can be one of the following values.

I already have given answer to my question :icon_eek:

[blue_devil]

So we have 4 approaches to get bitness of windows

1.Hasherezade dedected an approach from the malware kronos. Interestingly cs returns 5 bit value when OS is 32bit and 6bit when OS is 64bit. So by checking the 6th bit from right to left you can dedect the bitness of operating system.

Code: [Select]

;hasherezade's apprach from kronos malware:
invoke StdOut, chr$("[ 1 ] hasherezade's apprach from kronos malware:",13,10)
invoke is_system64_bit
.if Zero?
print chr$("[ + ] 32-bit",13,10)
.else
print chr$("[ + ] 64-bit",13,10)
.endif
invoke StdOut, chr$(13,10,)


is_system64_bit PROC
; _______________________________________________________________________________
; Is your OS 64bit or not procedure
; Author    : hasherezade - https://gist.github.com/hasherezade/0994447e9d3dc184888fb2afd5a57301
; Receives  :
; Returns   : eax > 0 = 64-bit
; ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    LOCAL flag:DWORD
   
    xor eax, eax
    mov ax, cs
    shr eax, 5
    mov flag, eax
    .IF flag > 0
        mov eax, TRUE
    .ELSE
        mov eax, FALSE
    .ENDIF
    ret
is_system64_bit ENDP
2. Checking the existance of  C:\Windows\SysWow64 we can dedect the bit level  of windows.

Code: [Select]

; Check if there is C:\Windows\SysWow64 directory:
print chr$("[ 2 ] SysWow64 directory exists?",13,10)
.if fexist("C:\Windows\SysWow64")
print chr$("[ + ] 64-bit",13,10)
.else
print chr$("[ + ] 32-bit",13,10)
.endif
invoke StdOut, chr$(13,10)
3. IsWow64ProcessAPI return value if the OS is running WOW64 or not.

Code: [Select]

; IsWow64ProcessAPI checks our OS runs WOW64:
print cfm$("[ 3 ] Query bitness with IsWow64Process APIs:\n")
xchg ebx, rv(GetProcAddress, rv(GetModuleHandle, "kernel32") , "IsWow64Process")
.if ebx
print "[ + ] IsWow64Process found: retval="
push eax
invoke IsWow64Process, rv(GetCurrentProcess), esp
pop ecx
mov bayrakIsWow64,cl
print str$(ecx),13,10
.if bayrakIsWow64==1
print chr$("[ + ] 64-bit",13,10)
.else
print chr$("[ + ] 32-bit",13,10)
.endif
.else
print "[ + ] IsWow64Process not found", 13, 10, 10
.endif
invoke StdOut, chr$(13,10)
4. Using GetNativeSystemInfo API with SYSTEM_INFO structure we can dedect our "installed operating systems processor type"

Code: [Select]

;05 GetNativeSystemInfo returns info to SYSTEM_INFO structure:
print cfm$("[ 4 ] Query bitness of OS with GetNativeSystemInfo API:\n")
mov ebx, offset sysinf
invoke GetNativeSystemInfo,ebx
cmp [ebx.SYSTEM_INFO.wProcessorArchitecture], PROCESSOR_ARCHITECTURE_AMD64
.if Zero?
print chr$("[ + ] 64-bit",13,10)
.else
print chr$("[ + ] 32-bit",13,10)
.endif
I add my sources; tested positive on vm/rm win10 x64 and vm win7 x86

@jj2007
You had shared 2 macros, but i have used the functions inside the macros in my sources. How can we use these macros inside the code as macros? I got error :/

[jj2007]

@jj2007
You had shared 2 macros, but i have used the functions inside the macros in my sources. How can we use these macros inside the code as macros? I got error :/

Sorry, tonight my crystal ball is not working properly :(

[blue_devil]

@jj2007
You had shared 2 macros, but i have used the functions inside the macros in my sources. How can we use these macros inside the code as macros? I got error :/

Sorry, tonight my crystal ball is not working properly :(

 ::) :(

[jj2007]

a) which macros?
b) how did you use them?
c) how do you want to use them?
d) which errors?

[blue_devil]

a) which macros?
b) how did you use them?
c) how do you want to use them?
d) which errors?

@jj sorry to bother you.
Macros are working, i just forgot to put paranthesis  :icon_redface: :(
wrong -> Win64
true -> Win64()

[felipe]

I have do it this in my little free time, i thought is not worthed to put this in a separete thread. Is just another bloated, but maybe effective too, way of get the bitness of the os. The .exe and .asm are attached. Here an explanation for those without the time to see the code:

Basically: 1) Run the systeminfo command from cmd redirecting the output to a .txt file.
                2) Scan the file for the string x32 or x64. This are unique strings in this output.
                3) And that's all folks.  :P

I have tested successfully in just 1 64 bit os (of course a windows one). It will be nice if someone can test it in a 32 bit system too. Ok bye.  :icon14:

Btw this is a 32 bits version, maybe if i have the time i will do it in a 64 bit one.  :icon14:

[felipe]

Here it is the same program that i uploaded above, but this is the 64 bit version (files .asm and .exe attached).  :icon14:

[Raistlin]

Don't we know 32 bit code runs on 64?
Don't we know 32 bit code is currently
faster than 64? Why the double effort?

[felipe]

Raistlin: If you are asking me why two versions of a program (32 and 64 bits) i think is worth the effort if you like to learn... :icon14:
If i had the time, i would learn even the itanium architecture (IA64)...