wow64ext v1.0.0.5

A new version of the wow64ext library is available for download:


  • Added VirtualProtectEx64
  • Bugfix for ReadProcessMemory64 / WriteProcessMemory64: lpNumberOfBytesRead / lpNumberOfBytesWritten is declared as a SIZE_T pointer. SIZE_T is a 64-bit value on x64 platforms, but the wow64ext library is 32-bit, so there SIZE_T is 32 bits wide. Passing this pointer directly to the x64 version of NtReadVirtualMemory / NtWriteVirtualMemory would lead to a buffer overflow, because the x64 function writes a 64-bit value through a pointer to a 32-bit variable. To keep backward compatibility, I’ve introduced an intermediate DWORD64 value that is used internally by ReadProcessMemory64 / WriteProcessMemory64; the result is cropped to a 32-bit value, but that shouldn’t be a problem in most cases.
    Link to described fix:
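
The size mismatch and the intermediate-value fix from the changelog entry above, as an added example (not wow64ext's code and not the linked fix). `native64_store_count`, `caller_frame`, `read_unfixed` and `read_fixed` are hypothetical names, the stub only models the 8-byte store made by the x64 side, and little-endian x86 layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the x64 NtReadVirtualMemory: the 64-bit side
   always stores the byte count as a full 8-byte value at the given address. */
static void native64_store_count(void *out_count, uint64_t n)
{
    memcpy(out_count, &n, sizeof n);              /* 8-byte write */
}

/* What a 32-bit caller has in memory: a 4-byte SIZE_T followed by
   unrelated data. Constructed layout for illustration. */
struct caller_frame {
    uint32_t bytes_read;   /* SIZE_T as seen by 32-bit code */
    uint32_t neighbour;    /* adjacent variable */
};

/* Pre-fix behaviour: the 4-byte slot is handed straight to the 64-bit side. */
static struct caller_frame read_unfixed(uint64_t n)
{
    struct caller_frame f = { 0, 0xAAAAAAAAu };
    native64_store_count(&f, n);   /* &f == &f.bytes_read; spills into neighbour */
    return f;
}

/* Fixed behaviour: 8-byte intermediate, then crop the result to 32 bits. */
static struct caller_frame read_fixed(uint64_t n)
{
    struct caller_frame f = { 0, 0xAAAAAAAAu };
    uint64_t tmp = 0;              /* the intermediate DWORD64 */
    native64_store_count(&tmp, n);
    f.bytes_read = (uint32_t)tmp;  /* upper 32 bits are dropped */
    return f;
}

int main(void)
{
    struct caller_frame a = read_unfixed(0x1000), b = read_fixed(0x1000);
    printf("unfixed: count=%#x neighbour=%#x\n",
           (unsigned)a.bytes_read, (unsigned)a.neighbour);
    printf("fixed:   count=%#x neighbour=%#x\n",
           (unsigned)b.bytes_read, (unsigned)b.neighbour);
    return 0;
}
```

In the unfixed path the adjacent variable is overwritten with the upper half of the count. In the fixed path it is untouched, and a count above 4 GiB comes back cropped to its low 32 bits.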


  1. I’ve discovered some strange issue – when I enabled GlobalFlag=2 for my application, in order to see ldr debug output, calling GetProcAddress64 gives me a fault while calling LdrGetProcedureAddress (unhandled exception 0x80000002: datatype misaligned). WinDbg shows that the exception occurred in ntdll.dll, while executing SSE code with a non-16-byte-aligned argument.


  2. I’ve found a problem in X64Call. You are incorrectly aligning the stack. The stack must be aligned to 16 (not 8) bytes. rsp before “call func” in X64Call must be (rsp%16)==0.


  3. Stack should be aligned by 16 minus 8.
    The 8 is reserved for return address when CALL is executed.

