我使用Windows 7家庭premium 64。我想知道到底为什么在NTOSKRNL在我的system32目录下的报头中的IMAGE_MACHINETYPE字段指定的x86。 IDA甚至会让我拆开它作为原生x86。

I am using windows 7 home premium x64. I was wondering why exactly the IMAGE_MACHINETYPE field in the header of ntoskrnl in my system32 directory specifies x86. IDA will even let me disassemble it as native x86.

然而，在我的Windows 7专业机，image_machinetype是64位。我只是失去了一些东西..或者为什么ntoskrnl的32位在64位操作系统？

Yet on my windows 7 pro machine, image_machinetype is x64. Am I just missing something.. or why is ntoskrnl 32 bit on a 64 bit OS?

推荐答案

我的猜测是在x64架构BIOS引导ntoskrnl.exe中的main（）入口点切换到长模式（64位）之前被调用。因此，这将是迄今为切入点，在x86应用程序，但是在exe文件的内核映像的其余部分将是64位的。

My guess is on x64 architecture with a BIOS boot ntoskrnl.exe's main() entry point is called before the switch to long mode (64bit). Thus it would be an x86 application in so far as its entry point, but the remainder of the kernel image in the exe would be 64bit.