Exetools

Exetools forum (https://forum.exetools.com/index.php) > Source Code (https://forum.exetools.com/forumdisplay.php?f=46) > Process type detection (https://forum.exetools.com/showthread.php?t=20323)

Teerayoot 10-28-2022 00:22

Process type detection
 
https://ibb.co/y5sjcsW
Code:

// IsWow64Process sets f64 to TRUE when the target is a 32-bit process running
// under WOW64 on 64-bit Windows; it is FALSE for a native process.
bool is64BitProcess(DWORD pid)
{
    BOOL f64 = FALSE;

    //fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "IsWow64Process");

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

    if (hProcess == 0)
        return -1;   // -1 converts to true for a bool return value
    IsWow64Process(hProcess, &f64);   // return value not checked; hProcess is not closed
    return f64;
}

I suspect detection is wrong.

Here is the whole source code:

https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file

Compile with VS2019, x64.

sendersu 10-28-2022 03:01

Some recommendations:
1) Instead of calling GetProcAddress() on each call, better to do it once (e.g. add this check):

if (fnIsWow64Process == nullptr)
    fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernel32"), "IsWow64Process");

2) The recommendation is to use PROCESS_QUERY_LIMITED_INFORMATION for the desired access, not PROCESS_ALL_ACCESS.
3) I guess you need to check the result of the WinAPI call, e.g.:

if (!IsWow64Process(hProcess, &f64))
{
    // error here
}

4) Instead of "kernelbase.dll" use the "kernel32" string.
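
A version of the helper that follows these recommendations, added here as an example and not code from the thread: it opens the target with PROCESS_QUERY_LIMITED_INFORMATION, resolves IsWow64Process2 once (falling back to IsWow64Process on older systems), checks every return value, closes the handle, and maps the WOW64 answer to a bitness instead of returning it as-is, since IsWow64Process reports TRUE for a 32-bit process on 64-bit Windows, the opposite of what a function named is64BitProcess should return. The decision logic lives in portable functions (the IMAGE_FILE_MACHINE_* values are reproduced from winnt.h) so it compiles and can be checked outside Windows; the Win32 wrapper is compiled only under _WIN32. The names ProcessBitness, BitnessFromWow64Flag, BitnessFromMachines and the k* constants are this example's own.

```cpp
// Process bitness detection: portable decision logic plus a Win32 wrapper.
#include <cstdint>

// IMAGE_FILE_MACHINE_* values from winnt.h, reproduced so the decision
// logic compiles (and can be unit-tested) off Windows.
constexpr uint16_t kMachineUnknown = 0x0000;   // IMAGE_FILE_MACHINE_UNKNOWN
constexpr uint16_t kMachineI386    = 0x014c;   // IMAGE_FILE_MACHINE_I386
constexpr uint16_t kMachineArmNT   = 0x01c4;   // IMAGE_FILE_MACHINE_ARMNT
constexpr uint16_t kMachineAmd64   = 0x8664;   // IMAGE_FILE_MACHINE_AMD64
constexpr uint16_t kMachineArm64   = 0xaa64;   // IMAGE_FILE_MACHINE_ARM64

// Pointer width, in bits, of code built for a machine type; 0 if unknown.
int BitnessOfMachine(uint16_t machine) {
    switch (machine) {
        case kMachineI386:
        case kMachineArmNT: return 32;
        case kMachineAmd64:
        case kMachineArm64: return 64;
        default:            return 0;
    }
}

// Legacy IsWow64Process semantics: the flag is TRUE only for a 32-bit process
// hosted by 64-bit Windows. FALSE means "native": 64-bit on a 64-bit OS,
// 32-bit on a 32-bit OS. Returning the raw flag inverts the answer on x64.
int BitnessFromWow64Flag(bool os64, bool isWow64) {
    if (isWow64) return 32;
    return os64 ? 64 : 32;
}

// IsWow64Process2 semantics: processMachine is IMAGE_FILE_MACHINE_UNKNOWN when
// the process is not under WOW64, in which case it has the native machine type.
int BitnessFromMachines(uint16_t processMachine, uint16_t nativeMachine) {
    if (processMachine == kMachineUnknown) return BitnessOfMachine(nativeMachine);
    return BitnessOfMachine(processMachine);
}

#ifdef _WIN32
#include <windows.h>

// Resolve IsWow64Process2 once (Windows 10 1511+); nullptr on older systems.
using PfnIsWow64Process2 = BOOL (WINAPI*)(HANDLE, USHORT*, USHORT*);
static PfnIsWow64Process2 GetIsWow64Process2() {
    static PfnIsWow64Process2 fn = reinterpret_cast<PfnIsWow64Process2>(
        GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process2"));
    return fn;
}

// Returns 32 or 64, or 0 if the process could not be opened or queried.
// PROCESS_QUERY_LIMITED_INFORMATION is enough for both APIs and succeeds on
// more targets (e.g. protected processes) than PROCESS_ALL_ACCESS.
int ProcessBitness(DWORD pid) {
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (!h) return 0;
    int result = 0;
    if (PfnIsWow64Process2 fn = GetIsWow64Process2()) {
        USHORT processMachine = 0, nativeMachine = 0;
        if (fn(h, &processMachine, &nativeMachine))
            result = BitnessFromMachines(processMachine, nativeMachine);
    } else {
#ifdef _WIN64
        // A 64-bit build can only be running on 64-bit Windows.
        bool os64 = true;
#else
        // A 32-bit build is on 64-bit Windows exactly when it is itself WOW64.
        BOOL self = FALSE;
        bool os64 = IsWow64Process(GetCurrentProcess(), &self) && self;
#endif
        BOOL wow64 = FALSE;
        if (IsWow64Process(h, &wow64))
            result = BitnessFromWow64Flag(os64, wow64 != FALSE);
    }
    CloseHandle(h);   // the original helper leaked this handle
    return result;
}
#endif
```

On an ARM64 host the IsWow64Process2 path also classifies emulated x64 processes correctly (processMachine is reported as AMD64), which the legacy flag cannot express; the fallback path is only taken where IsWow64Process2 does not exist.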

Fyyre 10-29-2022 15:05

Perhaps try this; it might prove more accurate:

Code:

// Needs ntdll.lib (or a dynamic lookup of NtQueryInformationProcess). The extended
// structure is not in the public SDK; the layout below is the one from the ntdll/phnt headers.
#include <windows.h>
#include <winternl.h>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION {
    SIZE_T Size;   // caller sets this to sizeof(PROCESS_EXTENDED_BASIC_INFORMATION)
    PROCESS_BASIC_INFORMATION BasicInfo;
    union {
        ULONG Flags;
        struct {
            ULONG IsProtectedProcess : 1;
            ULONG IsWow64Process : 1;
            ULONG IsProcessDeleting : 1;
            ULONG IsCrossSessionCreate : 1;
            ULONG IsFrozen : 1;
            ULONG IsBackground : 1;
            ULONG IsStronglyNamedProcess : 1;
            ULONG IsSecureProcess : 1;
            ULONG IsSubsystemProcess : 1;
            ULONG SpareBits : 23;
        };
    };
} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;

/*
* PsIsProcess32bit
*
* Purpose:
*
* Return TRUE if process is wow64.
*
*/
BOOL PsIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS Status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi{};

    if (hProcess == NULL) {
        return FALSE;
    }

    // Querying ProcessBasicInformation with a buffer of the extended size (and Size
    // filled in) makes ntdll return the extended structure including the Flags.
    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(Status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

Quote:

Originally Posted by Teerayoot (Post 126369)
I suspect detection is wrong.



