Reversed this function. It works. But stepping through I can't figure out how. Why does this work?
#include <stdbool.h>

void ILog(const char *fmt, ...);  /* the program's own logger; this prototype is assumed, it is not in the post */

bool _Is64BitOS(void) {
    /* 0x7FFE0000 is where KUSER_SHARED_DATA is mapped; 0x26C is its NtMajorVersion field */
    unsigned int version = *(unsigned int*)0x7FFE026C;
    /* SystemCall field: offset 0x308 on Windows 10, 0x300 on earlier versions */
    unsigned int address = version == 10 ? 0x7FFE0308 : 0x7FFE0300;
    ILog("Running %u-bit system\n", *(void**)address ? 32 : 64);
    return (*(void**)address ? false : true);
}
Why do we find 0x0A at 0x7FFE026C on a 64-bit Windows install? It's beyond the address space of all modules in a 32-bit binary; looking at memory, it looks like it's just before the heap.
CodePudding user response:
It is accessing the KUSER_SHARED_DATA structure using its conventional address of 0x7FFE0000. 0x7FFE026C corresponds to the NtMajorVersion field. Then it tries to access the SystemCall field, which is at a different offset depending on whether it is pre- or post-Windows 10, hence the check:

SystemCall: On AMD64, this value is initialized to a nonzero value if the system operates with an altered view of the system service call mechanism.

Also see: Why doesn't Windows use the 64-bit virtual address space below 0x00000000`7ffe0000?
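The following is an added example written for this page; it is not code from the question or the answer. It reimplements the decision the reversed function makes, but takes the KUSER_SHARED_DATA base as a parameter so the version-dependent offset logic can be exercised against a constructed image on any host, and against the real page at 0x7FFE0000 on Windows. The field offsets (NtMajorVersion at 0x26C, NtMinorVersion at 0x270, SystemCall at 0x300 before Windows 10 and at 0x308 from Windows 10 on) are the ones the posted function uses; the `==10` version check is kept as posted; the images built by `make_image` are constructed test data, not dumps of a real system.

```c
/* Added example (not from the original post): parse the KUSER_SHARED_DATA
 * fields the reversed _Is64BitOS uses, from an arbitrary base pointer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KUSER_SHARED_DATA_BASE   0x7FFE0000u  /* conventional user-mode mapping */
#define OFF_NT_MAJOR_VERSION     0x26Cu
#define OFF_NT_MINOR_VERSION     0x270u
#define OFF_SYSTEMCALL_PRE_WIN10 0x300u       /* SystemCall before Windows 10 */
#define OFF_SYSTEMCALL_WIN10     0x308u       /* SystemCall from Windows 10 on */
#define KUSER_IMAGE_SIZE         0x400u       /* covers every field used here */

/* Read a 32-bit field at `off` via memcpy, so no unaligned-cast UB. */
static uint32_t read_u32(const unsigned char *base, size_t off) {
    uint32_t v;
    memcpy(&v, base + off, sizeof v);
    return v;
}

/* Offset of SystemCall for a given NtMajorVersion, same check as the post. */
static size_t systemcall_offset(uint32_t nt_major) {
    return nt_major == 10 ? OFF_SYSTEMCALL_WIN10 : OFF_SYSTEMCALL_PRE_WIN10;
}

/* The posted function's decision: a zero SystemCall field makes it report a
 * 64-bit system, a nonzero one makes it report 32-bit. */
static bool kuser_reports_64bit(const unsigned char *base) {
    uint32_t major = read_u32(base, OFF_NT_MAJOR_VERSION);
    return read_u32(base, systemcall_offset(major)) == 0;
}

/* Build a constructed KUSER_SHARED_DATA image (test data, not a real dump),
 * placing SystemCall at the offset that matches the requested major version. */
static void make_image(unsigned char *img, uint32_t major, uint32_t minor,
                       uint32_t systemcall) {
    memset(img, 0, KUSER_IMAGE_SIZE);
    memcpy(img + OFF_NT_MAJOR_VERSION, &major, sizeof major);
    memcpy(img + OFF_NT_MINOR_VERSION, &minor, sizeof minor);
    memcpy(img + systemcall_offset(major), &systemcall, sizeof systemcall);
}

/* What the decision would be for a constructed image with these fields. */
static bool decision_for(uint32_t major, uint32_t minor, uint32_t systemcall) {
    unsigned char img[KUSER_IMAGE_SIZE];
    make_image(img, major, minor, systemcall);
    return kuser_reports_64bit(img);
}

/* Why the version check matters: read a constructed image at a chosen offset.
 * Using the pre-Windows 10 offset on a 10.0 image misses SystemCall entirely. */
static uint32_t systemcall_via_offset(uint32_t major, uint32_t systemcall,
                                      size_t off) {
    unsigned char img[KUSER_IMAGE_SIZE];
    make_image(img, major, 0, systemcall);
    return read_u32(img, off);
}

int main(void) {
    printf("constructed 6.1,  SystemCall=0 -> %s\n",
           decision_for(6, 1, 0) ? "64-bit" : "32-bit");
    printf("constructed 10.0, SystemCall=1 -> %s\n",
           decision_for(10, 0, 1) ? "64-bit" : "32-bit");
    printf("10.0 image read at 0x300 -> %u, at 0x308 -> %u\n",
           systemcall_via_offset(10, 1, OFF_SYSTEMCALL_PRE_WIN10),
           systemcall_via_offset(10, 1, OFF_SYSTEMCALL_WIN10));

#ifdef _WIN32
    /* On Windows the page is mapped read-only at the conventional address. */
    const unsigned char *live = (const unsigned char *)(uintptr_t)KUSER_SHARED_DATA_BASE;
    printf("live NtMajorVersion=%u NtMinorVersion=%u -> %s\n",
           read_u32(live, OFF_NT_MAJOR_VERSION),
           read_u32(live, OFF_NT_MINOR_VERSION),
           kuser_reports_64bit(live) ? "64-bit" : "32-bit");
#endif
    return 0;
}
```

The `#ifdef _WIN32` branch is the only part that touches the real shared page; everything else runs on any host against the constructed images, which is the easiest way to see that a reader pinned to 0x300 would silently read the wrong dword on a Windows 10 system.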