wow64ext v1.0.0.5

New version of wow64ext library is available for download:


  • Added VirtualProtectEx64
  • Bugfix for ReadProcessMemory64 / WriteProcessMemory64: lpNumberOfBytesRead / lpNumberOfBytesWritten is declared as a SIZE_T pointer. SIZE_T is a 64-bit value on x64 platforms, but the wow64ext library is 32-bit, so its SIZE_T is 32 bits wide. Passing this pointer directly to the x64 version of NtReadVirtualMemory / NtWriteVirtualMemory would lead to a buffer overflow. To keep backward compatibility, I’ve introduced an intermediate DWORD64 value that is used internally by ReadProcessMemory64 / WriteProcessMemory64; the result is cropped to a 32-bit value, but that shouldn’t be a problem in most cases.
    Link to described fix:
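
The overflow described in the bugfix note, modeled portably as an added example (this is not wow64ext's code). `frame32`, `native64_store_count`, `read_unpatched` and `read_patched` are hypothetical names, and the struct is a constructed stand-in for a 32-bit caller's locals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0xDEADBEEFu

/* Constructed model of a 32-bit caller's locals: a 4-byte SIZE_T
   (the lpNumberOfBytesRead target) followed by unrelated data. */
struct frame32 {
    uint32_t bytes_read;
    uint32_t neighbour;
};

/* Stand-in for the x64 NtReadVirtualMemory: it stores the byte count
   as a full 64-bit value at whatever address it receives. */
static void native64_store_count(void *out, uint64_t count) {
    memcpy(out, &count, sizeof count);          /* always writes 8 bytes */
}

/* Before the fix: the 32-bit variable's address goes straight to the
   64-bit routine, so 4 extra bytes land on the neighbour. */
static struct frame32 read_unpatched(uint64_t count) {
    struct frame32 f = { 0, CANARY };
    native64_store_count(&f, count);            /* &f == &f.bytes_read */
    return f;
}

/* After the fix: a 64-bit intermediate receives the count, and only
   the low 32 bits are copied back to the caller's variable. */
static struct frame32 read_patched(uint64_t count) {
    struct frame32 f = { 0, CANARY };
    uint64_t tmp = 0;                           /* the intermediate DWORD64 */
    native64_store_count(&tmp, count);
    f.bytes_read = (uint32_t)tmp;               /* cropped to 32 bits */
    return f;
}

int main(void) {
    struct frame32 a = read_unpatched(0x1000), b = read_patched(0x1000);
    printf("unpatched: neighbour=%08x\n", (unsigned)a.neighbour);
    printf("patched:   neighbour=%08x bytes_read=%08x\n",
           (unsigned)b.neighbour, (unsigned)b.bytes_read);
    return 0;
}
```

The unpatched path destroys the adjacent value; the patched path leaves it intact and shows the cropping the note mentions when the count exceeds 32 bits.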

Comments (6)

  1. 09:08, July 3, 2014 vlad

    I’ve discovered a strange issue – when I enabled GlobalFlag=2 for my application, in order to see ldr debug output, calling GetProcAddress64 gives me a fault while calling LdrGetProcedureAddress (unhandled exception 0x80000002: datatype misaligned). WinDbg shows that the exception occurred in ntdll.dll, while executing SSE code with a not 16-byte aligned argument.

    • 09:24, July 3, 2014 ReWolf

      I’ll check it and let you know what could possibly go wrong.

  2. 10:38, July 3, 2014 vlad

    I’ve found a problem in X64Call. You are incorrectly aligning the stack. The stack must be aligned to 16 (not 8 bytes). rsp before “call func” in X64Call must be (rsp%16)==0.

    • 19:23, July 3, 2014 ReWolf

      Thanks for the info! I’ll fix & release it asap.

  3. 01:54, August 3, 2014 just saying

    Stack should be aligned by 16 minus 8.
    The 8 is reserved for return address when CALL is executed.

    • 21:08, August 3, 2014 ReWolf

      Thanks, this was fixed in v1.0.0.6
