[native] RtlWow64CallFunction64

delphi package - easy access to kernel objects etc.
Kuzya69
Posts: 2
Joined: Tue Dec 15, 2015 1:32 am

Re: [native] RtlWow64CallFunction64

Post by Kuzya69 »

Nico Bendlin wrote:Does somebody know which parameters should be passed to RtlWow64CallFunction64 (32-bit) to succeed (call 64-bit RtlpQueryProcessDebugInformationFromWow64)?
I somewhere found such information. Can do it to you it is useful.

Code: Select all

DWORD64 X64Call(DWORD64 func, int argC, ...);

Low level function that can call any x64 API from NTDLL.

func - address of x64 function, can be obtained by GetProcAddress64()
argC - number of arguments that will be passed to the 'func'
...  - rest of arguments for 'func', all values should be casted to DWORD64
Excuse me, I didn't look at date of the message. :confused:
Nico Bendlin
Posts: 46
Joined: Fri Apr 28, 2006 1:17 pm

Re: [native] RtlWow64CallFunction64

Post by Nico Bendlin »

Kuzya69 wrote:Excuse me, I didn't look at date of the message.
No need to apologize, many thanks for sharing this information.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [native] RtlWow64CallFunction64

Post by madshi »

Does this really make it possible to call *any* 64bit function from a 32bit process? E.g. you can use that to create remote threads in 64bit processes?

Which OSs is this function supported?
Kuzya69
Posts: 2
Joined: Tue Dec 15, 2015 1:32 am

Re: [native] RtlWow64CallFunction64

Post by Kuzya69 »

I too am interested in this question of this function. If at you is, something new, show me please. I want to write the program for 32 bits to read memory of others 64 and 32 bits process. But I can't guess as from the 32-bit program to cause 64-bit function GetProcAddress.
I am beginning programmer, excuse me.
madshi wrote:Does this really make it possible to call *any* 64bit function from a 32bit process? E.g. you can use that to create remote threads in 64bit processes?
I told everything that I know about this function. I am not sure that my information will be suitable for your function. Maybe this info for ZwWow64CallFunction64 or NtWow64CallFunction64.
madshi wrote: Which OSs is this function supported?
It is necessary to look at the table of the exported functions for library "ntdll.dll" from the necessary operating system. If this function is in the table of export, the operating system means is supported.
In "Win7 max 64bit" this function is supported (Ordinal = 1281, EntryPoint = 19910).
Post Reply