Reading memory of x64 process from x86 process

Some of you probably know that there is no easy way to read, write or enumerate memory regions of native x64 processes from an x86 process that is running under the WOW64 layer. Probably the only way it can be done is to use the hack that I described a few months ago (Mixing x86 with x64 code). In that case there is a need to get the address of the x64 version of NtReadVirtualMemory / NtWriteVirtualMemory / NtQueryVirtualMemory and call it through X64Call(). Including all those hacky lines of code into even a very small project doesn’t sound good, even to me :) So I’ve decided to wrap it into a glossy, shiny library called WOW64Ext.dll.
The library is very small and can be downloaded from http://code.google.com/p/rewolf-wow64ext/. For now it includes only 6 functions:

  • X64Call
  • GetModuleHandle64
  • GetProcAddress64
  • VirtualQueryEx64
  • ReadProcessMemory64
  • WriteProcessMemory64

Descriptions of all functions can be found on the wiki page http://code.google.com/p/rewolf-wow64ext/wiki/ExportedFunctions. There is also a sample application that uses the described library to enumerate and dump all allocated memory regions from both x86 and x64 processes: http://code.google.com/p/rewolf-wow64ext/source/browse/sample/main.cpp. I’m planning to extend this library over time with some more functions, but it will probably depend on my needs and on requests from users (if there are any users, of course :))
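An added example (not code from the post or from the WOW64Ext project) of the region walk the sample application performs, showing the 64-bit cursor that makes it work from a WOW64 process. The portable core runs anywhere; the `_WIN32` part assumes the project's wow64ext.h header and a VirtualQueryEx64 with the signature (HANDLE, DWORD64, MEMORY_BASIC_INFORMATION64*, SIZE_T), mirroring the ReadProcessMemory64 declaration quoted in the comments.

```cpp
#include <cstdint>
#include <functional>
#include <vector>

// Subset of MEMORY_BASIC_INFORMATION64 that the walk needs; every address is 64-bit.
struct Mbi64 { uint64_t BaseAddress; uint64_t RegionSize; uint32_t State; uint32_t Protect; };
struct Region { uint64_t base; uint64_t size; uint32_t protect; };

constexpr uint32_t kMemCommit = 0x1000;                      // MEM_COMMIT
constexpr uint64_t kHighestUserAddr = 0x00007FFFFFFFFFFFull; // top of x64 user space

// Query callback: fills mbi for the region containing addr; returns false once
// the target reports nothing for that address (end of its address space).
using QueryFn = std::function<bool(uint64_t addr, Mbi64& mbi)>;

// Walk the target's address space and collect the regions in wantedState.
// The cursor is deliberately uint64_t: a SIZE_T or DWORD cursor in a WOW64
// (32-bit) process wraps at 4 GiB, so everything the x64 target mapped above
// that line would be skipped, or the loop would never terminate.
std::vector<Region> enumerateRegions(const QueryFn& query, uint64_t highestUserAddr, uint32_t wantedState) {
    std::vector<Region> out;
    uint64_t cursor = 0;
    while (cursor < highestUserAddr) {
        Mbi64 mbi{};
        if (!query(cursor, mbi) || mbi.RegionSize == 0) break; // end of space, or a degenerate answer
        if (mbi.State == wantedState) out.push_back({mbi.BaseAddress, mbi.RegionSize, mbi.Protect});
        uint64_t next = mbi.BaseAddress + mbi.RegionSize;
        if (next <= cursor) break;                             // must advance; also guards wrap-around
        cursor = next;
    }
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include "wow64ext.h"   // assumption: the header shipped with rewolf-wow64ext

// Binds the walk to a live x64 target through WOW64Ext's VirtualQueryEx64
// (assumed signature: HANDLE, DWORD64, MEMORY_BASIC_INFORMATION64*, SIZE_T).
std::vector<Region> enumerateCommitted(HANDLE hProcess) {
    QueryFn query = [hProcess](uint64_t addr, Mbi64& mbi) {
        MEMORY_BASIC_INFORMATION64 w{};
        if (VirtualQueryEx64(hProcess, addr, &w, sizeof(w)) == 0) return false;
        mbi = Mbi64{w.BaseAddress, w.RegionSize, w.State, w.Protect};
        return true;
    };
    return enumerateRegions(query, kHighestUserAddr, kMemCommit);
}
#endif
```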

The library is licensed under the LGPL, so you may use it even in commercial projects.

Comments (13)

  1. 00:46, January 13, 2012, Ange

    awesome!

  2. 18:57, January 13, 2012, Mario Vilas

    Cool :)

    How about exporting VirtualAllocEx too? That’s useful for code injection and API hooking tricks.

    • 23:32, January 13, 2012, ReWolf

      Sure, I can add this function.

  3. 20:51, January 15, 2012, znakes

    Is there any real-world example where this is needed, except for trying to get existing tools to explode?
    Just curious because you obviously put a good amount of time into it, so there must be a good reason ;)

    • 21:12, January 15, 2012, ReWolf

      Well, I can imagine that someone has x86 software that was developed for years, and now, for example, he can’t read memory from x64 processes. So he needs to port the whole project to x64, and it might not be an easy task. With this library it is possible with only a small amount of additional code.

      Speaking about the “amount of time”: I was researching it over one year ago, I was just curious about WOW64 internals, and this project is just a side effect of the mentioned research.

  4. 00:23, April 6, 2014, T#0M4$

    Hi ReWolf
    May I kindly ask for your help? I’m trying to use your fantastic (!) dll (ReadProcessMemory64) for a VB.NET project.
    The correct number of bytes is read at the correct location and the values in the buffer are also correct. But then the program stops with a PInvokeStackImbalance error. Sounds like I have something wrong in the declaration of my VB function:

        Public Declare Function ReadProcessMemory64 Lib "wow64ext.dll" ( _
            ByVal hProcess As Int32, _
            ByVal lpBaseAddress As Long, _
            ByVal lpBuffer() As Byte, _
            ByVal nSize As Int32, _
            ByRef lpNumberOfBytesRead As Int32) _
            As Int32

    compared to the original C++ declaration:

        BOOL ReadProcessMemory64(
            HANDLE hProcess,
            DWORD64 lpBaseAddress,
            LPVOID lpBuffer,
            SIZE_T nSize,
            SIZE_T *lpNumberOfBytesRead)

    I don’t see the reason for the error. Can you help me?
    Kind regards
    Thomas

    • 09:17, April 6, 2014, ReWolf

      I have no idea what might be wrong, as I don’t know VB.NET, but ‘stack imbalance’ sounds like a wrong declaration, so one of the arguments is probably wrongly declared, or the calling convention is missing (I don’t know how VB.NET treats your declaration by default).

    • 13:03, July 24, 2014, distenz

      @T#0M4$
      Hi!
      May I ask a silly question?
      I want to reference this dll in my VB.NET project too, but every time I do that I get this message:
      http://kepfeltoltes.hu/140724/dll_www.kepfeltoltes.hu_.png

  5. 23:00, April 6, 2014, T#0M4$

    Thank you ReWolf for your thoughts. For the moment I resolved it with an error trap – very dirty though, LOL

    • 23:06, April 6, 2014, ReWolf

      Maybe you can try asking on Stack Overflow; they will probably spot the problem easily.

  6. 22:01, April 10, 2014, T#0M4$

    http://www.xsimulator.net/community/marketplace/nolimits-rollercoaster-simulation-plugin.31/updates
    Thank you, ReWolf for your dll! You will make many dads and children happy while riding a rollercoaster at home :)

  7. 23:33, March 24, 2016, Wiliam

    Hello
    There are a lot of errors:
    Error 3 error C3861: ‘offsetof’: identifier not found C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    Error 2 error C2065: ‘InLoadOrderModuleList’ : undeclared identifier C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    Error 1 error C2275: ‘PEB_LDR_DATA64’ : illegal use of this type as an expression C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    How can I solve this?

  8. 07:03, March 25, 2016, Wiliam

    Never mind, I solved the errors. I don’t have words to say how much you have helped me with this library!!! You are the greatest!!! God bless you and your family!!!
