Perhaps try this; it might prove more accurate:
Code:
/*
* PsIsProcess32bit
*
* Purpose:
*
* Return TRUE if process is wow64.
*
*/
BOOL PsIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    //
    // Reports whether the process behind hProcess is flagged as WOW64.
    //
    // hProcess - handle to the process to inspect. NOTE(review): the handle
    //            needs query rights for the call below to succeed
    //            (PROCESS_QUERY_LIMITED_INFORMATION is normally sufficient) -
    //            confirm against the caller.
    //
    // Returns TRUE only when the query succeeds and the IsWow64Process bit is
    // set. FALSE is returned for a NULL handle, for a failed query and for a
    // process that is not WOW64, so a caller cannot tell "native process"
    // apart from "could not determine" with this routine alone.
    //
    // NOTE(review): despite the name, a 32-bit process on a 32-bit OS is
    // presumably not flagged as WOW64 and would yield FALSE here - confirm if
    // 32-bit hosts matter.
    //
    if (hProcess == NULL)
        return FALSE;

    PROCESS_EXTENDED_BASIC_INFORMATION info{};

    // Clear the whole structure, then announce its size so the extended
    // layout (which carries the IsWow64Process flag) is the one filled in.
    RtlSecureZeroMemory(&info, sizeof(info));
    info.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);

    const NTSTATUS queryStatus = NtQueryInformationProcess(
        hProcess,
        ProcessBasicInformation,
        &info,
        sizeof(info),
        NULL);

    // A failed query is reported the same way as "not WOW64".
    if (!NT_SUCCESS(queryStatus))
        return FALSE;

    return (info.IsWow64Process == 1) ? TRUE : FALSE;
}
Quote:
Originally Posted by Teerayoot
https://ibb.co/y5sjcsW
Code:
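bool is64BitProcess(DWORD pid)
{
    // Reports whether the process identified by pid is a native 64-bit
    // process.
    //
    // pid - identifier of the process to inspect.
    //
    // Returns true only when the OS is 64-bit, the process could be opened
    // and queried, and it is NOT running under WOW64. Returns false for a
    // 32-bit (WOW64) process and also whenever the answer cannot be
    // determined (process gone, access denied, query failed).
    //
    // Fixes over the previous version:
    //  - IsWow64Process reports TRUE for a 32-bit process on 64-bit Windows,
    //    so returning that flag directly gave the inverted answer.
    //  - "return -1" from a bool function converts to true, so any process
    //    that could not be opened was reported as 64-bit.
    //  - PROCESS_ALL_ACCESS was requested although only a query is made; that
    //    makes OpenProcess fail for processes the caller may query but not
    //    fully control. Request the least privilege that works.
    //  - The process handle was never closed.
    //  - The result of IsWow64Process was ignored.

    // On a 32-bit OS nothing is WOW64 and nothing is 64-bit, so the WOW64
    // flag alone cannot answer the question; check the native architecture.
    SYSTEM_INFO nativeInfo{};
    GetNativeSystemInfo(&nativeInfo);
    const bool osIs64Bit =
        nativeInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 ||
        nativeInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_ARM64 ||
        nativeInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_IA64;
    if (!osIs64Bit)
        return false;

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (hProcess == NULL)
        return false;

    BOOL isWow64 = FALSE;
    const BOOL queried = IsWow64Process(hProcess, &isWow64);

    // Release the handle on every path once the query has been made.
    CloseHandle(hProcess);

    if (!queried)
        return false;

    return isWow64 == FALSE;
}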
I suspect the detection is wrong.
Here is the whole source code:
https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file
Compile with VS2019 (x64).