Process type detaction

Teerayoot · #1 10-28-2022, 00:22

https://ibb.co/y5sjcsW

Code:

bool is64BitProcess(DWORD pid)
		{
			BOOL f64 = FALSE;

			//fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "IsWow64Process");


			HANDLE  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

			if (hProcess == 0)
				return -1;
			IsWow64Process(hProcess, &f64) ;
			 return f64;

		}

I suspect detection is wrong.

Here whole Sorce code

https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file

compile with VS2019 x64bit.

sendersu · #2 10-28-2022, 03:01

Some recommendations:
1) instead of calling GetProcAddress() on each call, better do it once (eg add this checkup:
if (fnIsWow64Process != nullptr)
fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernel32"), "IsWow64Process");

2) the recommendation is to use the PROCESS_QUERY_LIMITED_INFORMATION for desired access, not PROCESS_ALL_ACCESS
3) I guess you need to check the result of winapi call, eg:
if (!IsWow64Process(hProcess, &f64))
{
//error here
}
4) instead of "kernelbase.dll" use "kernel32" string

Fyyre · #3 10-29-2022, 15:05

Perhaps try this.. might prove more accurate:

Code:

/*
* PsIsProcess32bit
*
* Purpose:
*
* Return TRUE if process is wow64.
*
*/
BOOL PsIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS Status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi{};

    if (hProcess == NULL) {
        return FALSE;
    }

    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(Status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

Quote:

Originally Posted by Teerayoot

https://ibb.co/y5sjcsW

Code:

bool is64BitProcess(DWORD pid)
		{
			BOOL f64 = FALSE;

			//fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "IsWow64Process");


			HANDLE  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

			if (hProcess == 0)
				return -1;
			IsWow64Process(hProcess, &f64) ;
			 return f64;

		}

I suspect detection is wrong.

Here whole Sorce code

https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file

compile with VS2019 x64bit.

The Following User Says Thank You to sendersu For This Useful Post:
tonyweb (10-28-2022)

The Following User Gave Reputation+1 to Fyyre For This Useful Post:
user1 (10-30-2022)

The Following 4 Users Say Thank You to Fyyre For This Useful Post:
MarcElBichon (10-29-2022), Teerayoot (02-15-2025), tonyweb (10-29-2022), user1 (10-30-2022)