Thread: Process type detaction
View Single Post
  #3  
Old 10-29-2022, 15:05
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
  
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 260
Rept. Given: 77
Rept. Rcvd 85 Times in 38 Posts
Thanks Given: 147
Thanks Rcvd at 336 Times in 114 Posts
Fyyre Reputation: 85
Perhaps try this.. might prove more accurate:

Code:
/*
* PsIsProcess32bit
*
* Purpose:
*
* Return TRUE if process is wow64.
*
*/
BOOL PsIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS Status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi{};

    if (hProcess == NULL) {
        return FALSE;
    }

    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(Status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}
Quote:
Originally Posted by Teerayoot View Post
https://ibb.co/y5sjcsW
Code:
bool is64BitProcess(DWORD pid)
		{
			BOOL f64 = FALSE;

			//fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "IsWow64Process");


			HANDLE  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

			if (hProcess == 0)
				return -1;
			IsWow64Process(hProcess, &f64) ;
			 return f64;

		}
I suspect detection is wrong.

Here whole Sorce code

https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file

compile with VS2019 x64bit.
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following User Gave Reputation+1 to Fyyre For This Useful Post:
user1 (10-30-2022)
The Following 3 Users Say Thank You to Fyyre For This Useful Post:
MarcElBichon (10-29-2022), tonyweb (10-29-2022), user1 (10-30-2022)