This question is not directly related to madKernel, but the users on this board might be able to answer it.
Does somebody know which parameters should be passed to RtlWow64CallFunction64 (32-bit) to succeed (call 64-bit RtlpQueryProcessDebugInformationFromWow64)?
Here is a Delphi snippet that tests the 'Nop' function:
Have you found a way to list the handles of a process in a 32bit process on a 64bit OS? NtQuerySystemInformation fails listing the handles when run in a 32bit process, unfortunately...
madshi wrote: Have you found a way to list the handles of a process in a 32bit process on a 64bit OS?
Not yet.
All attempts - that I have seen and/or tested - to call the native API function (as you already know, the native ntdll/wow64/wow64win/wow64cpu DLLs are loaded in the 32-bit process and are accessible via the native 64-bit TEB/PEB in segment GS) are not stable enough for production systems. For now, the "best workaround" is a native process that provides this information via IPC.
However, my time is limited. If you need some code snippets to get the 64-bit TEB/PEB, enumerate the native modules, and get native procedure addresses... drop me a note :]
I'd be happy to receive the code snippets/information you mentioned. I've not yet played around with this kind of 64bit stuff. I got madCodeHook working in 64bit without it. But I find it very interesting and it might help me in the future.
madshi wrote: Have you found a way to list the handles of a process in a 32bit process on a 64bit OS? NtQuerySystemInformation fails listing the handles when run in a 32bit process, unfortunately...
In the meantime I had some spare time to investigate it further...
There is a quite simple (of course undocumented) way to call native system calls (with up to 4 parameters) directly - without emulation.
Just send me an e-mail if you still need a workaround for NtQuerySystemInformation.
FYI: SystemExtendedHandleInformation is correctly emulated by WOW64 (at least on Windows Vista). However, the pointers are (of course) truncated to 32-bit (you need external 64-bit code or have to use Turbo Dispatching to retrieve the native pointers).
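As an added illustration of the last point (this is not code from the thread or from madshi's libraries), the following Delphi console program, built as a 32-bit executable, enumerates handles through the WOW64-emulated SystemExtendedHandleInformation class and prints the per-handle fields that survive the thunk. The record layouts, the information class value 64 and the STATUS_INFO_LENGTH_MISMATCH code are the widely published but undocumented NT definitions, not anything Microsoft guarantees; the field I have named ObjectPtr is the one the post says WOW64 truncates to 32 bits.

```delphi
program ListHandles32;
{$APPTYPE CONSOLE}
{$R-}  // we index past the declared [0..0] bound of the variable-length array

uses
  Windows, SysUtils;

type
  NTSTATUS = LongInt;
  // Built as a 32-bit executable on purpose: the kernel's ULONG_PTR fields
  // are 4 bytes wide in the layout that WOW64 hands back to a 32-bit caller.
  ULONG_PTR32 = Cardinal;

  // Layouts follow the commonly published (undocumented) NT definitions.
  TSystemHandleTableEntryInfoEx = record
    ObjectPtr: ULONG_PTR32;      // 64-bit kernel object address, truncated by WOW64
    UniqueProcessId: ULONG_PTR32;
    HandleValue: ULONG_PTR32;
    GrantedAccess: ULONG;
    CreatorBackTraceIndex: Word;
    ObjectTypeIndex: Word;
    HandleAttributes: ULONG;
    Reserved: ULONG;
  end;
  PSystemHandleTableEntryInfoEx = ^TSystemHandleTableEntryInfoEx;

  TSystemHandleInformationEx = record
    NumberOfHandles: ULONG_PTR32;
    Reserved: ULONG_PTR32;
    Handles: array[0..0] of TSystemHandleTableEntryInfoEx;  // NumberOfHandles entries follow
  end;
  PSystemHandleInformationEx = ^TSystemHandleInformationEx;

const
  SystemExtendedHandleInformation = 64;
  STATUS_INFO_LENGTH_MISMATCH = NTSTATUS($C0000004);

function NtQuerySystemInformation(SystemInformationClass: ULONG;
  SystemInformation: Pointer; SystemInformationLength: ULONG;
  ReturnLength: PULONG): NTSTATUS; stdcall; external 'ntdll.dll';

// Grows the buffer until the whole snapshot fits; the caller frees the result.
function QueryExtendedHandles: PSystemHandleInformationEx;
var
  Size, Needed: ULONG;
  Status: NTSTATUS;
begin
  Size := $10000;
  repeat
    Result := AllocMem(Size);
    Status := NtQuerySystemInformation(SystemExtendedHandleInformation,
      Result, Size, @Needed);
    if Status = STATUS_INFO_LENGTH_MISMATCH then
    begin
      // The system handle table changes between calls, so do not trust
      // ReturnLength exactly; grow geometrically and retry instead.
      FreeMem(Result);
      Result := nil;
      Size := Size * 2;
    end
    else if Status < 0 then
    begin
      FreeMem(Result);
      raise Exception.CreateFmt('NtQuerySystemInformation failed: %.8x', [Cardinal(Status)]);
    end;
  until Result <> nil;
end;

var
  Info: PSystemHandleInformationEx;
  Entry: PSystemHandleTableEntryInfoEx;
  I, Pid, Shown: Cardinal;
begin
  // Optional argument: a PID to filter on; with no argument every handle is listed.
  Pid := 0;
  if ParamCount >= 1 then
    Pid := StrToInt(ParamStr(1));

  Info := QueryExtendedHandles;
  try
    Shown := 0;
    Writeln('PID      Handle   Type Access   Object(low 32 bits)');
    I := 0;
    while I < Info^.NumberOfHandles do
    begin
      // Walk the variable-length array by byte offset.
      Entry := PSystemHandleTableEntryInfoEx(
        PAnsiChar(@Info^.Handles[0]) + I * SizeOf(TSystemHandleTableEntryInfoEx));
      if (Pid = 0) or (Entry^.UniqueProcessId = Pid) then
      begin
        Writeln(Format('%-8d %-8x %-4d %.8x %.8x', [Entry^.UniqueProcessId,
          Entry^.HandleValue, Entry^.ObjectTypeIndex, Entry^.GrantedAccess,
          Entry^.ObjectPtr]));
        Inc(Shown);
      end;
      Inc(I);
    end;
    Writeln(Format('%d of %d handles shown', [Shown, Info^.NumberOfHandles]));
  finally
    FreeMem(Info);
  end;
end.
```

Run it as `ListHandles32 <pid>` on a 64-bit Windows machine. Because the Object column holds only the low half of a 64-bit kernel address, it cannot be used on its own to tell whether two handles in different processes refer to the same object; as the post says, that needs a native 64-bit helper or a native system call to obtain the full pointer.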