[native] RtlWow64CallFunction64

delphi package - easy access to kernel objects etc.

Re: [native] RtlWow64CallFunction64

Post by Kuzya69 » Tue Dec 15, 2015 1:36 am

Nico Bendlin wrote: Does somebody know which parameters should be passed to RtlWow64CallFunction64 (32-bit) to succeed (call 64-bit RtlpQueryProcessDebugInformationFromWow64)?

I found this information somewhere. Maybe it will be useful to you.
DWORD64 X64Call(DWORD64 func, int argC, ...);

Low level function that can call any x64 API from NTDLL.

func - address of x64 function, can be obtained by GetProcAddress64()
argC - number of arguments that will be passed to the 'func'
...  - rest of arguments for 'func', all values should be casted to DWORD64

Excuse me, I didn't look at date of the message. :confused:
Kuzya69
 
Posts: 2
Joined: Tue Dec 15, 2015 1:32 am

Re: [native] RtlWow64CallFunction64

Post by Nico Bendlin » Tue Dec 15, 2015 8:51 am

Kuzya69 wrote: Excuse me, I didn't look at date of the message.

No need to apologize, many thanks for sharing this information.
Nico Bendlin
 
Posts: 46
Joined: Fri Apr 28, 2006 1:17 pm

Re: [native] RtlWow64CallFunction64

Post by madshi » Tue Dec 15, 2015 8:54 am

Does this really make it possible to call *any* 64bit function from a 32bit process? E.g. you can use that to create remote threads in 64bit processes?

On which OSs is this function supported?
madshi
Site Admin
 
Posts: 9410
Joined: Sun Mar 21, 2004 5:25 pm

Re: [native] RtlWow64CallFunction64

Post by Kuzya69 » Tue Dec 15, 2015 1:28 pm

I am also interested in this function. If you have anything new, please show me. I want to write a 32-bit program that reads the memory of other 64-bit and 32-bit processes. But I can't figure out how to call the 64-bit GetProcAddress function from a 32-bit program.
I am a beginning programmer, excuse me.

madshi wrote: Does this really make it possible to call *any* 64bit function from a 32bit process? E.g. you can use that to create remote threads in 64bit processes?

I have told everything that I know about this function. I am not sure that my information will be suitable for your function. Maybe this info is for ZwWow64CallFunction64 or NtWow64CallFunction64.

madshi wrote: On which OSs is this function supported?

You need to look at the export table of "ntdll.dll" from the operating system in question. If this function is in the export table, it is supported on that operating system.
In "Win7 max 64bit" this function is supported (Ordinal = 1281, EntryPoint = 19910).
Kuzya69
 
Posts: 2
Joined: Tue Dec 15, 2015 1:32 am
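
The export-table check described in the post above, as an added example that is not part of the original thread: it walks a PE file's export directory and returns the ordinal and entry-point RVA of a named export, or None when the name is absent. The names find_export and build_sample are hypothetical, and the sample image, its ordinals and its RVAs are constructed for the demonstration.

```python
import struct

def find_export(pe, name):
    """Return (ordinal, entry_point_rva) if `name` is a named export of image `pe`, else None."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", pe, opt)[0]]  # PE32 / PE32+
    count, exp_rva = struct.unpack_from("<2I", pe, dirs - 4)  # NumberOfRvaAndSizes, export RVA
    if count == 0 or exp_rva == 0:
        return None                                           # image has no export table
    secs = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i) for i in range(nsec)]

    def off(rva):                                             # RVA -> file offset
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA outside all sections")

    base, _, nnames, funcs, names, ords = struct.unpack_from("<6I", pe, off(exp_rva) + 16)
    for i in range(nnames):
        s = off(struct.unpack_from("<I", pe, off(names) + 4 * i)[0])
        if pe[s:pe.index(b"\0", s)] == name.encode():
            idx = struct.unpack_from("<H", pe, off(ords) + 2 * i)[0]
            return base + idx, struct.unpack_from("<I", pe, off(funcs) + 4 * idx)[0]
    return None

def build_sample(exports, base):
    """Constructed test data: a minimal PE32+ file holding only an export table."""
    rva, raw, n = 0x1000, 0x200, len(exports)
    funcs, names, ords, strs = rva + 40, rva + 40 + 4 * n, rva + 40 + 8 * n, rva + 40 + 10 * n
    blob, name_rvas = b"", []
    for nm, _ in exports:
        name_rvas.append(strs + len(blob))
        blob += nm.encode() + b"\0"
    sec = (struct.pack("<2I2H7I", 0, 0, 0, 0, 0, base, n, n, funcs, names, ords)
           + struct.pack("<%dI" % n, *[ep for _, ep in exports])
           + struct.pack("<%dI" % n, *name_rvas)
           + struct.pack("<%dH" % n, *range(n)) + blob)
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<2H3I2H", 0x8664, 1, 0, 0, 0, 120, 0x2022)
           + struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<3I", 1, rva, len(sec))
           + b".edata\0\0" + struct.pack("<8I", len(sec), rva, len(sec), raw, 0, 0, 0, 0))
    return hdr.ljust(raw, b"\0") + sec

# Constructed sample: names, ordinals and RVAs are made up for the demonstration.
SAMPLE = build_sample([("NtClose", 0x2000), ("RtlWow64CallFunction64", 0x3000)], base=5)
```

To check a real system, pass the bytes of the ntdll.dll in question; the 32-bit and 64-bit copies of ntdll.dll have different export tables, so read the one that matches the process you care about.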
