{"id":319,"date":"2012-01-12T22:54:36","date_gmt":"2012-01-12T21:54:36","guid":{"rendered":"http:\/\/blog.rewolf.pl\/blog\/?p=319"},"modified":"2013-06-28T16:55:47","modified_gmt":"2013-06-28T14:55:47","slug":"reading-memory-of-x64-process-from-x86-process","status":"publish","type":"post","link":"http:\/\/blog.rewolf.pl\/blog\/?p=319","title":{"rendered":"Reading memory of x64 process from x86 process"},"content":{"rendered":"<p style=\"text-align: justify;\">Some of you probably know that there is no easy way to read, write or enumerate memory regions of native <strong>x64<\/strong> processes from an <strong>x86<\/strong> process that is running under the <strong>WOW64<\/strong> layer. Probably the only way it can be done is to use the <span style=\"font-style: italic;\">hack<\/span> that I&#8217;ve described a few months ago (<a href=\"http:\/\/blog.rewolf.pl\/blog\/?p=102\" title=\"Mixing x86 with x64 code\" target=\"_blank\">Mixing x86 with x64 code<\/a>). In that case there will be a need to get the address of the <strong>x64<\/strong> version of <span style=\"color: #0066FF\">NtReadVirtualMemory<\/span> \/ <span style=\"color: #0066FF\">NtWriteVirtualMemory<\/span> \/ <span style=\"color: #0066FF\">NtQueryVirtualMemory<\/span> and call it through <span style=\"color: #ff00ff;\"><strong>X64Call()<\/strong><\/span>. Including all those <span style=\"font-style: italic;\">hacky<\/span> lines of code into even a very small project doesn&#8217;t sound good even to me :) So I&#8217;ve decided to wrap it into a glossy, shiny library called <strong>WOW64Ext.dll<\/strong>.<!--more--><br \/>\nThe library is very small and can be downloaded from <a href=\"http:\/\/code.google.com\/p\/rewolf-wow64ext\/\" target=\"_blank\">http:\/\/code.google.com\/p\/rewolf-wow64ext\/<\/a>. 
For now it includes only 6 functions:<\/p>\n<ul>\n<li><strong>X64Call<\/strong><\/li>\n<li><strong>GetModuleHandle64<\/strong><\/li>\n<li><strong>GetProcAddress64<\/strong><\/li>\n<li><strong>VirtualQueryEx64<\/strong><\/li>\n<li><strong>ReadProcessMemory64<\/strong><\/li>\n<li><strong>WriteProcessMemory64<\/strong><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">\nA description of all functions can be found on the wiki page <a href=\"http:\/\/code.google.com\/p\/rewolf-wow64ext\/wiki\/ExportedFunctions\" target=\"_blank\">http:\/\/code.google.com\/p\/rewolf-wow64ext\/wiki\/ExportedFunctions<\/a>. There is also a sample application that uses the described library to enumerate and dump all allocated memory regions from both x86 and x64 processes: <a href=\"http:\/\/code.google.com\/p\/rewolf-wow64ext\/source\/browse\/sample\/main.cpp\" target=\"_blank\">http:\/\/code.google.com\/p\/rewolf-wow64ext\/source\/browse\/sample\/main.cpp<\/a>. I&#8217;m planning to extend this library over time with some more functions, but it will probably depend on my needs and requests from users (if there are any users, of course :))<\/p>\n<p>The library is licensed under the LGPL, so you may use it even in commercial projects.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some of you probably know that there is no easy way to read, write or enumerate memory regions of native x64 processes from an x86 process that is running under the WOW64 layer. Probably the only way it can be done is to use the hack that I&#8217;ve described a few months ago (Mixing x86 with x64 code). 
In [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10,5,16,11],"tags":[],"_links":{"self":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/319"}],"collection":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=319"}],"version-history":[{"count":24,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/319\/revisions"}],"predecessor-version":[{"id":670,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/319\/revisions\/670"}],"wp:attachment":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=319"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}