Why is the NTOSKRNL.exe IMAGE_MACHINETYPE header field set to x86 on only certain editions of Windows 7 x64?

Submitted by 萝らか妹 on 2019-12-19 07:49:57

Question


I am using Windows 7 Home Premium x64. I was wondering why exactly the IMAGE_MACHINETYPE field in the header of ntoskrnl in my system32 directory specifies x86. IDA will even let me disassemble it as native x86.

Yet on my Windows 7 Pro machine, IMAGE_MACHINETYPE is x64. Am I just missing something, or why is ntoskrnl 32-bit on a 64-bit OS?


Answer 1:


My guess is that on x64 architecture with a BIOS boot, ntoskrnl.exe's main() entry point is called before the switch to long mode (64-bit). Thus it would be an x86 application insofar as its entry point, but the remainder of the kernel image in the exe would be 64-bit.
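To read the field the question refers to straight from the file bytes, rather than relying on what a disassembler's loader reports, the following added example (not part of the original question or answer) parses the PE headers and returns both the `Machine` value and the optional-header format. The function names `pe_machine` and `make_sample` are hypothetical, the header offsets and constants are those of the PE/COFF format, and the sample headers are constructed for the demonstration.

```python
import struct

# IMAGE_FILE_HEADER.Machine values defined by the PE/COFF format.
MACHINES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)"}
# Optional-header Magic: PE32 marks a 32-bit image, PE32+ a 64-bit one.
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def pe_machine(data: bytes):
    """Return (machine, optional-header format) for the PE image in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset 0x3C of the DOS header) locates the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need signature (4) + file header (20) + Magic (2) bytes from e_lfanew.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found in the supplied bytes")
    # Machine is the first WORD of IMAGE_FILE_HEADER, right after the signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    # Magic is the first WORD of the optional header, after the 20-byte file header.
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return (MACHINES.get(machine, f"unknown (0x{machine:04x})"),
            MAGICS.get(magic, f"unknown (0x{magic:04x})"))


def make_sample(machine: int, magic: int) -> bytes:
    """Constructed minimal headers for the demo; not a loadable image."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> 0x80
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + file_header + struct.pack("<H", magic)


if __name__ == "__main__":
    import sys
    # With paths given, report each file; otherwise show the constructed sample.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_machine(fh.read(4096)))
    if len(sys.argv) == 1:
        print(pe_machine(make_sample(0x8664, 0x20B)))
```

Comparing the `Machine` value with the optional-header format gives a second data point: an image whose header says x86 but whose optional header is PE32+ would be inconsistent.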



Source: https://stackoverflow.com/questions/7457298/why-is-the-ntoskrnl-exe-image-machinetype-header-field-set-to-x86-on-only-certai
