-1

I am trying to disassemble the 64-bit ntdll.dll using IDA. From my understanding, this DLL is located in C:\Windows\System32 on a Windows 64-bit OS. When I disassemble this DLL, it shows 32-bit addresses and a 32-bit instruction set. However, in the debugger, when I load this library into a process from the same directory, it has a 64-bit instruction set during runtime.

How can I disassemble the 64-bit ntdll?

Remy Lebeau
  • Maybe show more details; which 32-bit values are you talking about exactly? – tenfour Apr 08 '20 at 11:36
  • @tenfour the instruction set is 32 bit in the disassembler so the registers are like eax instead of rax. – rewioyrqew Apr 08 '20 at 11:42
  • [File System Redirector](https://learn.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector). – IInspectable Apr 08 '20 at 11:59
  • You can check if `ntdll.dll` is `64bit` or `32bit` using: `dumpbin /headers "c:\windows\system32\ntdll.dll"`. It will give you, for example, `8664 machine (x64)` on a Windows 64-bit OS. – Rita Han Apr 09 '20 at 07:08
  • @rit: That doesn't help you understand, which binary you are looking at when using a different tool (like IDA Pro). – IInspectable Apr 09 '20 at 12:32

1 Answer

1

Please check whether IDA is a 32 bit application in Task Manager (on the Processes page, 32 bit processes should have the suffix "(32 bit)"). If you switch to the Details page in Task Manager, perform a right click on the column header and choose Select columns from the context menu. Select Platform to display the bit-ness of a process and close the dialog. 32 bit processes are listed as 32 bit in the Platform column.

If IDA is a 32 bit application, use the path c:\windows\sysnative\ntdll.dll to open the DLL. If you specify sysnative instead of System32, Windows uses the System32 directory instead of SysWOW64 for 32 bit apps.

Olaf Hess
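As an added example (not code from the question, the answer, or any of the commenters), the following Python script does in code what the answer and Rita Han's `dumpbin /headers` comment describe: it reads the `Machine` field from a file's PE header (the value dumpbin prints as `8664 machine (x64)` or `14C machine (x86)`), tells you whether the current process is itself a 32-bit process under WOW64, and, on Windows, reports which `ntdll.dll` the `System32`, `Sysnative` and `SysWOW64` paths actually resolve to from that process. The constants and paths come from the PE format and the File System Redirector documentation; the helper names, the `PROCESSOR_ARCHITEW6432` check and the constructed test header are my own assumptions for this example.

```python
import os
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification (winnt.h).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)",
    IMAGE_FILE_MACHINE_ARM64: "ARM64 (64-bit)",
}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of the PE image whose first bytes are in `data`.

    Layout: IMAGE_DOS_HEADER at offset 0 ('MZ' magic, e_lfanew at +0x3C);
    at e_lfanew the 'PE\\0\\0' signature, immediately followed by
    IMAGE_FILE_HEADER, whose first WORD is Machine. This is the same field
    that `dumpbin /headers` prints as e.g. '8664 machine (x64)'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe_machine(machine: int) -> str:
    """Human-readable name for a Machine value, unknown values shown in hex."""
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04X})")


def file_machine(path: str) -> int:
    """Machine field of the PE file at `path` (reads only the header region)."""
    # 4 KiB comfortably covers the DOS stub plus the PE headers of real DLLs.
    with open(path, "rb") as f:
        return pe_machine(f.read(4096))


def this_process_is_wow64() -> bool:
    """True when this interpreter is a 32-bit process on 64-bit Windows.

    That is exactly the case in which C:\\Windows\\System32 is silently
    redirected to SysWOW64 and only the Sysnative alias reaches the real
    64-bit System32. Windows sets PROCESSOR_ARCHITEW6432 only for WOW64
    processes (assumption documented in the WOW64 environment docs).
    """
    is_32bit_process = struct.calcsize("P") == 4
    return is_32bit_process and "PROCESSOR_ARCHITEW6432" in os.environ


def make_minimal_pe(machine: int) -> bytes:
    """Constructed, non-loadable image with just enough header for pe_machine().

    Used only as offline sample input; it is not a real DLL.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Run this on Windows to compare System32, Sysnative and SysWOW64.")
        sys.exit(0)
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    print("this Python is a WOW64 (32-bit) process:", this_process_is_wow64())
    # From a 64-bit process, Sysnative does not exist (it is an alias that the
    # redirector exposes to 32-bit processes only), so expect an error there.
    for sub in ("System32", "Sysnative", "SysWOW64"):
        path = os.path.join(windir, sub, "ntdll.dll")
        try:
            print(f"{path}: {describe_machine(file_machine(path))}")
        except OSError as e:
            print(f"{path}: not accessible ({e.strerror})")
```

Run it once with a 32-bit Python and once with a 64-bit Python: the 32-bit run reports `System32` as x86 (that is the file IDA loads when it is a 32-bit process) and `Sysnative` as x64, while the 64-bit run reports `System32` as x64 and `Sysnative` as not accessible. The same `pe_machine` check applied to whatever IDA says it opened is a quick way to confirm which binary you are looking at without relying on the Task Manager columns.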