Reading memory of x64 process from x86 process

Some of you probably know that there is no easy way to read, write or enumerate memory regions of native x64 processes from an x86 process that is running under the WOW64 layer. Probably the only way it can be done is to use the hack that I described a few months ago (Mixing x86 with x64 code). In that case you need to get the address of the x64 version of NtReadVirtualMemory / NtWriteVirtualMemory / NtQueryVirtualMemory and call it through X64Call(). Including all those hacky lines of code in even a very small project doesn’t sound good even to me :) So I’ve decided to wrap it into a glossy, shiny library called WOW64Ext.dll.
The library is very small and can be downloaded from http://code.google.com/p/rewolf-wow64ext/. For now it includes only 6 functions:

  • X64Call
  • GetModuleHandle64
  • GetProcAddress64
  • VirtualQueryEx64
  • ReadProcessMemory64
  • WriteProcessMemory64

A description of all functions can be found on the wiki page http://code.google.com/p/rewolf-wow64ext/wiki/ExportedFunctions. There is also a sample application that uses the described library to enumerate and dump all allocated memory regions from both x86 and x64 processes: http://code.google.com/p/rewolf-wow64ext/source/browse/sample/main.cpp. I’m planning to extend this library over time with some more functions, but it will probably depend on my needs and requests from users (if there are any users, of course :)).

The library is licensed under the LGPL, so you may use it even in commercial projects.

13 Comments

  1. Is there any real-world example where this is needed, except for trying to get existing tools to explode?
    Just curious because you obviously put a good amount of time into it, so there must be a good reason ;)

    1. Well, I can imagine that someone has x86 software that was developed for years, and now, for example, he can’t read memory from x64 processes. So he needs to port the whole project to x64, and it might not be an easy task. With this library it is possible with only a small amount of additional code.

      Speaking about “amount of time”, I was researching it over one year ago. I was just curious about WOW64 internals; this project is just a side effect of the mentioned research.

  2. Hi ReWolf
    May I ask kindly for your help. I’m trying to use your fantastic (!) dll (ReadProcessMemory64) for a VB.NET project.
    The correct amount of bytes are read at the correct location and the values in the buffer are also correct. But then the program stops with a PInvokeStackImbalance error. Sounds like I have something wrong in the declaration of my VB function:

        Public Declare Function ReadProcessMemory64 Lib "wow64ext.dll" ( _
            ByVal hProcess As Int32, _
            ByVal lpBaseAddress As Long, _
            ByVal lpBuffer() As Byte, _
            ByVal nSize As Int32, _
            ByRef lpNumberOfBytesRead As Int32) _
            As Int32

    compared to the original C++ declaration:

        BOOL ReadProcessMemory64(
            HANDLE hProcess,
            DWORD64 lpBaseAddress,
            LPVOID lpBuffer,
            SIZE_T nSize,
            SIZE_T *lpNumberOfBytesRead)

    I don’t see the reason for the error. Can you help me?
    Kind regards
    Thomas

    1. I have no idea what might be wrong, as I don’t know VB.NET, but ‘stack imbalance’ sounds like a wrong declaration, so one of the arguments is probably wrongly declared, or the calling convention is missing (I don’t know how VB.NET treats your declaration by default).

  3. Thank you ReWolf for your thoughts. For the moment I resolved it with an error trap – very dirty though, LOL
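
The stack imbalance discussed in the VB.NET question above, shown as an added example that is not part of the original post, the comments, or the library's own code. It assumes the wow64ext.dll exports use the cdecl calling convention (the page does not state this), whereas a VB.NET `Declare` defaults to StdCall. The module name and the `ReadRemote` helper are hypothetical, and the calling program must be built for x86.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Module Wow64ExtInterop   ' hypothetical module name
    Private Const PROCESS_QUERY_INFORMATION As UInteger = &H400UI
    Private Const PROCESS_VM_READ As UInteger = &H10UI

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function OpenProcess(access As UInteger, inherit As Boolean, pid As UInteger) As IntPtr
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(handle As IntPtr) As Boolean
    End Function

    ' Assumption: the export is cdecl, so the caller (not the callee) cleans the
    ' stack. HANDLE and SIZE_T are pointer-sized, hence IntPtr / UIntPtr rather
    ' than Int32; DWORD64 maps to ULong.
    <DllImport("wow64ext.dll", CallingConvention:=CallingConvention.Cdecl)>
    Private Function ReadProcessMemory64(
        hProcess As IntPtr,
        lpBaseAddress As ULong,
        <Out()> lpBuffer As Byte(),
        nSize As UIntPtr,
        ByRef lpNumberOfBytesRead As UIntPtr) As Boolean
    End Function

    ' Reads up to count bytes at a 64-bit address in process pid and returns
    ' only the bytes that were actually read.
    Public Function ReadRemote(pid As UInteger, address As ULong, count As Integer) As Byte()
        If IntPtr.Size <> 4 Then
            Throw New PlatformNotSupportedException("wow64ext.dll is a 32-bit DLL; build for x86")
        End If
        Dim h As IntPtr = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, False, pid)
        If h = IntPtr.Zero Then Throw New Win32Exception(Marshal.GetLastWin32Error())
        Try
            Dim buffer(count - 1) As Byte
            Dim bytesRead As UIntPtr = UIntPtr.Zero
            If Not ReadProcessMemory64(h, address, buffer, New UIntPtr(CUInt(count)), bytesRead) Then
                Throw New InvalidOperationException("ReadProcessMemory64 failed")
            End If
            Array.Resize(buffer, CInt(bytesRead.ToUInt32()))
            Return buffer
        Finally
            CloseHandle(h)   ' always release the process handle
        End Try
    End Function
End Module
```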

  4. Hello
    There are a lot of errors:
    Error 3 error C3861: ‘offsetof’: identifier not found C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    Error 2 error C2065: ‘InLoadOrderModuleList’ : undeclared identifier C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    Error 1 error C2275: ‘PEB_LDR_DATA64’ : illegal use of this type as an expression C:\Users\home\Desktop\rewolf-wow64ext-master\rewolf-wow64ext-master\src\wow64ext.cpp 300 1 wow64ext
    How can I solve this?

  5. Never mind, I solved the errors. I don’t have words to say how much you have helped me with this library!!! You are the greatest!!! God bless you and your family!!!
