I am trying to disassemble the 64-bit ntdll.dll using IDA. From my understanding, this DLL is located in C:\Windows\System32 on a Windows 64-bit OS. When I disassemble this DLL, it shows 32-bit addresses and a 32-bit instruction set. However, in the debugger, when I load this library into a process from the same directory, it has a 64-bit instruction set during runtime.
How can I disassemble the 64-bit ntdll?
Please check whether IDA is a 32 bit application in Task Manager (on the Processes page 32 bit processes should have the suffix (32 bit)). If you switch to the Details page in Task Manager, perform a right click on the column header and choose Select columns from the context menu. Select Platform to display the bit-ness of a process and close the dialog. 32 bit processes are listed as 32 bit in the Platform column.

If IDA is a 32 bit application, use the path c:\windows\sysnative\ntdll.dll to open the DLL. If you specify sysnative instead of System32, Windows uses the SYSTEM32 directory instead of the SysWOW64 for 32 bit apps.