wow64ext v1.0.0.5

New version of wow64ext library is available for download:
http://rewolf.pl/stuff/rewolf.wow64ext.v1.0.0.5.zip

Changelog

  • Added VirtualProtectEx64
  • Bugfix for ReadProcessMemory64 / WriteProcessMemory64: lpNumberOfBytesRead / lpNumberOfBytesWritten is declared as a SIZE_T pointer. SIZE_T is a 64-bit value on x64, but wow64ext is a 32-bit library, so its SIZE_T is only 32 bits wide. The x64 versions of NtReadVirtualMemory / NtWriteVirtualMemory store a full 8-byte count through that pointer, so passing it directly would overwrite the 4 bytes following the caller's variable (a buffer overflow on the caller's side). To keep backward compatibility, I've introduced an intermediate DWORD64 value that is used internally by ReadProcessMemory64 / WriteProcessMemory64; the result is then truncated to a 32-bit value, which only matters for transfers of 4 GiB or more and shouldn't be a problem in most cases.
    Link to the described fix:
    https://code.google.com/p/rewolf-wow64ext/source/detail?r=474542f2eb4fc29fd1dde4cd852c419bd6ad1ea0#
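
The pointer-width mismatch above, as an added example (not wow64ext's own code): a stand-in for the x64 NtReadVirtualMemory that, like the real one, always stores an 8-byte count through the address it is given, a wrapper in the pre-1.0.0.5 shape that hands it a 4-byte SIZE_T pointer, and one in the 1.0.0.5 shape with a DWORD64 intermediate. The types SIZE_T32 and DWORD64, the function names, the simulated callee and the sample buffer are all assumptions made for the example; no process handle or WoW64 transition is involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wow64ext code. Models the bug described in the
 * changelog: a 32-bit build's SIZE_T is 4 bytes, but the x64 callee
 * writes an 8-byte byte count through the pointer it receives. */

typedef uint32_t SIZE_T32; /* assumption: SIZE_T as seen by a 32-bit build */
typedef uint64_t DWORD64;

/* Stand-in for the x64 NtReadVirtualMemory. Every argument travels as a
 * 64-bit integer (as it would through an X64Call-style thunk) and the
 * callee always stores a full 8-byte count at number_of_bytes_read_addr.
 * "Reading" just copies from a local buffer; no real process is touched. */
static void sim_nt_read_virtual_memory64(DWORD64 base_address, DWORD64 buffer,
                                         DWORD64 size, DWORD64 number_of_bytes_read_addr)
{
    memcpy((void *)(uintptr_t)buffer, (const void *)(uintptr_t)base_address, (size_t)size);
    DWORD64 written = size;
    /* 8 bytes are stored regardless of how wide the caller's variable is. */
    memcpy((void *)(uintptr_t)number_of_bytes_read_addr, &written, sizeof written);
}

/* Pre-1.0.0.5 shape: the 4-byte SIZE_T pointer is passed straight through,
 * so the 4 bytes after *lpNumberOfBytesRead get overwritten too. */
void ReadProcessMemory64_buggy(const void *src, void *dst, SIZE_T32 size,
                               SIZE_T32 *lpNumberOfBytesRead)
{
    sim_nt_read_virtual_memory64((DWORD64)(uintptr_t)src, (DWORD64)(uintptr_t)dst,
                                 size, (DWORD64)(uintptr_t)lpNumberOfBytesRead);
}

/* 1.0.0.5 shape: an 8-byte intermediate receives the count and only its
 * low 32 bits are copied back into the caller's SIZE_T. */
void ReadProcessMemory64_fixed(const void *src, void *dst, SIZE_T32 size,
                               SIZE_T32 *lpNumberOfBytesRead)
{
    DWORD64 numberOfBytesRead = 0;
    sim_nt_read_virtual_memory64((DWORD64)(uintptr_t)src, (DWORD64)(uintptr_t)dst,
                                 size, (DWORD64)(uintptr_t)&numberOfBytesRead);
    if (lpNumberOfBytesRead)
        *lpNumberOfBytesRead = (SIZE_T32)numberOfBytesRead; /* truncation the changelog accepts */
}

/* Caller's frame: the count sits directly before another 4-byte value,
 * as a SIZE_T local would sit next to another local or a saved register. */
struct caller_frame {
    SIZE_T32 bytes_read;
    SIZE_T32 canary;
};

/* Returns 1 if the count is right and the canary survived, 0 otherwise. */
int canary_survives(void (*rpm)(const void *, void *, SIZE_T32, SIZE_T32 *))
{
    static const char src[16] = "wow64ext-sample"; /* constructed sample input */
    char dst[16] = {0};
    struct caller_frame f = { 0, 0xDEADBEEFu };
    rpm(src, dst, (SIZE_T32)sizeof src, &f.bytes_read);
    return f.bytes_read == sizeof src && f.canary == 0xDEADBEEFu;
}

int main(void)
{
    printf("buggy: canary %s\n", canary_survives(ReadProcessMemory64_buggy) ? "intact" : "clobbered");
    printf("fixed: canary %s\n", canary_survives(ReadProcessMemory64_fixed) ? "intact" : "clobbered");
    return 0;
}
```

With the buggy wrapper the canary is clobbered (on a little-endian host it becomes the high dword of the 8-byte count, i.e. zero); with the fixed wrapper it is intact and the count is correct. The same intermediate-variable pattern applies to WriteProcessMemory64 and lpNumberOfBytesWritten.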

6 Comments

  1. I've discovered a strange issue: when I enabled GlobalFlag=2 for my application, in order to see ldr debug output, calling GetProcAddress64 gives me a fault while calling LdrGetProcedureAddress (unhandled exception 0x80000002: datatype misaligned). WinDbg shows that the exception occurred in ntdll.dll while executing SSE code with a non-16-byte-aligned argument.

  2. I've found a problem in X64Call. You are incorrectly aligning the stack. The stack must be aligned to 16 (not 8) bytes. rsp before "call func" in X64Call must satisfy (rsp%16)==0.

  3. The stack should be aligned to 16 minus 8.
     The 8 is reserved for the return address when CALL is executed.
