/**
 *
 * WOW64Ext Library
 *
 * Copyright (c) 2014 ReWolf
 * http://blog.rewolf.pl/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published
 * by the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
#pragma once
#include <windows.h>
// Fallback definition for translation units that have not already defined
// STATUS_SUCCESS through another header.
#if !defined(STATUS_SUCCESS)
#define STATUS_SUCCESS 0
#endif

// Save the current packing and switch to byte packing for the layout
// structures declared below, so the compiler inserts no padding between
// their fields. Every offset in those structures therefore depends on the
// exact field order and on the explicit "dummy" filler members.
// The matching #pragma pack(pop) appears later in this header.
#pragma pack(push, 1)
/**
 * Doubly linked list node whose two links are stored as integers of
 * width T instead of native pointers.
 *
 * This header instantiates the layout templates with DWORD and DWORD64,
 * so the same definition describes a 32-bit and a 64-bit list entry.
 *
 * NOTE(review): the links are plain numbers, presumably copied from
 * another address space. Code that walks such a list should bound its
 * iteration count and stop on a repeated address, because the list can
 * change or be malformed while it is being read.
 */
template <typename T>
struct _LIST_ENTRY_T
{
    T Flink;    // address of the next entry
    T Blink;    // address of the previous entry
};
/**
 * Counted UTF-16 string descriptor with a pointer-width parameter T.
 *
 * The Length/MaximumLength pair shares storage with a T-sized filler, so
 * the header occupies sizeof(T) bytes and Buffer follows immediately even
 * though the enclosing region is byte-packed.
 *
 * Caveats for callers (Windows UNICODE_STRING semantics):
 *  - Length and MaximumLength count bytes, not characters.
 *  - The text is not guaranteed to be NUL-terminated.
 *
 * NOTE(review): when the descriptor is copied from another address space,
 * treat all three fields as untrusted. Check Length <= MaximumLength,
 * check that Length is even, and clamp it to the destination size before
 * reading Buffer.
 */
template <typename T>
struct _UNICODE_STRING_T
{
    union
    {
        struct
        {
            WORD Length;            // bytes currently used in Buffer
            WORD MaximumLength;     // bytes allocated for Buffer
        };
        T dummy;                    // widens the header to sizeof(T)
    };
    T Buffer;                       // address of the UTF-16 data
};
/**
 * Thread information block header: seven consecutive T-wide slots.
 *
 * T selects the slot width, so one definition serves both the 32-bit and
 * the 64-bit form of the block. All members are raw addresses or values
 * stored as integers; none of them is a native pointer in this header.
 */
template <typename T>
struct _NT_TIB_T
{
    T ExceptionList;
    T StackBase;
    T StackLimit;
    T SubSystemTib;
    T FiberData;
    T ArbitraryUserPointer;
    T Self;                 // NOTE(review): presumably the block's own address; confirm
};
/**
 * Process/thread identifier pair stored in two T-wide slots.
 *
 * Used by _TEB_T_ in this header for its ClientId member.
 */
template <typename T>
struct _WOW64_CLIENT_ID
{
    T UniqueProcess;    // process identifier slot
    T UniqueThread;     // thread identifier slot
};
/**
 * Leading part of the thread environment block, parameterised on the
 * pointer width T.
 *
 * Only the fields up to User32Reserved are declared; the structure is
 * deliberately truncated, so sizeof(_TEB_T_<T>) is NOT the size of the
 * real block and must not be used to size a full copy of it.
 *
 * NOTE(review): this mirrors an operating-system structure whose layout
 * is not a stable contract. Verify the offsets against the Windows
 * builds that the consuming code targets.
 */
template <typename T>
struct _TEB_T_
{
    _NT_TIB_T<T>        NtTib;
    T                   EnvironmentPointer;
    _WOW64_CLIENT_ID<T> ClientId;
    T                   ActiveRpcHandle;
    T                   ThreadLocalStoragePointer;
    T                   ProcessEnvironmentBlock;    // address of the owning process's PEB
    DWORD               LastErrorValue;
    DWORD               CountOfOwnedCriticalSections;
    T                   CsrClientThread;
    T                   Win32ThreadInfo;
    DWORD               User32Reserved[26];
    // The remainder of the structure is intentionally left undefined
    // because nothing here needs it.
};
/**
 * Loader record for one loaded module, parameterised on the pointer
 * width T.
 *
 * The three leading list entries chain this record into the module lists
 * whose heads are declared in _PEB_LDR_DATA_T. Several members are
 * wrapped in unions with a T-sized filler or with an alternative view;
 * because the region is byte-packed, those unions are what keep the
 * following members at their intended offsets.
 *
 * NOTE(review): this mirrors an operating-system structure that changes
 * between Windows releases; the members after TlsIndex in particular
 * should be verified against the target build before being trusted.
 *
 * NOTE(review): when a record is copied from another address space,
 * DllBase, SizeOfImage and both name strings are untrusted input. Do not
 * use them for access decisions without independent validation, and bound
 * any name copy by the validated string length.
 */
template <typename T>
struct _LDR_DATA_TABLE_ENTRY_T
{
    _LIST_ENTRY_T<T> InLoadOrderLinks;
    _LIST_ENTRY_T<T> InMemoryOrderLinks;
    _LIST_ENTRY_T<T> InInitializationOrderLinks;
    T DllBase;                          // base address of the mapped image
    T EntryPoint;
    union
    {
        DWORD SizeOfImage;
        T dummy01;                      // widens the slot to sizeof(T)
    };
    _UNICODE_STRING_T<T> FullDllName;
    _UNICODE_STRING_T<T> BaseDllName;
    DWORD Flags;
    WORD LoadCount;
    WORD TlsIndex;
    union
    {
        _LIST_ENTRY_T<T> HashLinks;
        struct
        {
            T SectionPointer;
            T CheckSum;
        };
    };
    union
    {
        T LoadedImports;
        DWORD TimeDateStamp;
    };
    T EntryPointActivationContext;
    T PatchInformation;
    _LIST_ENTRY_T<T> ForwarderLinks;
    _LIST_ENTRY_T<T> ServiceTagLinks;
    _LIST_ENTRY_T<T> StaticLinks;
    T ContextInformation;
    T OriginalBase;
    _LARGE_INTEGER LoadTime;
};
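/**
 * Loader bookkeeping block referenced by the Ldr member of _PEB_T,
 * parameterised on the pointer width T.
 *
 * It holds the heads of the three module lists that chain
 * _LDR_DATA_TABLE_ENTRY_T records.
 *
 * Layout fix: ShutdownInProgress is now wrapped in a union with a T-sized
 * filler, the same idiom this header uses for SizeOfImage. The region is
 * byte-packed, so a bare DWORD placed ShutdownThreadId four bytes too
 * early when T is 64 bits wide; the native 64-bit structure pads that
 * slot to pointer width. The 32-bit instantiation is unchanged.
 *
 * NOTE(review): this mirrors an operating-system structure; verify the
 * offsets against the Windows builds that the consuming code targets.
 */
template <class T>
struct _PEB_LDR_DATA_T
{
    DWORD Length;
    DWORD Initialized;
    T SsHandle;
    _LIST_ENTRY_T<T> InLoadOrderModuleList;
    _LIST_ENTRY_T<T> InMemoryOrderModuleList;
    _LIST_ENTRY_T<T> InInitializationOrderModuleList;
    T EntryInProgress;
    union
    {
        DWORD ShutdownInProgress;
        T dummy01;                      // widens the slot to sizeof(T)
    };
    T ShutdownThreadId;
};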
/**
 * Process environment block layout.
 *
 * Template parameters:
 *   T   - integer type used for every pointer-width slot.
 *   NGF - type of the filler that shares storage with NtGlobalFlag; it
 *         fixes how many bytes that slot occupies.
 *   A   - element count of GdiHandleBuffer.
 *
 * The region is byte-packed, so the anonymous unions with "dummy" members
 * and the T-typed ImageSubsystemMinorVersion are what position the later
 * fields; presumably they reproduce the alignment padding of the native
 * layout (confirm against the target build). Do not reorder, retype or
 * remove any member.
 *
 * NOTE(review): this mirrors an operating-system structure that grows and
 * changes between Windows releases. Fields towards the end may be absent
 * or different on a given build; verify offsets before relying on them.
 *
 * NOTE(review): when populated from another process, every field is
 * untrusted input. In particular BeingDebugged, NtGlobalFlag and the
 * OS version members are writable by the process that owns the block and
 * should not be used as an authoritative signal on their own.
 */
template <typename T, typename NGF, int A>
struct _PEB_T
{
    union
    {
        struct
        {
            BYTE InheritedAddressSpace;
            BYTE ReadImageFileExecOptions;
            BYTE BeingDebugged;
            BYTE BitField;
        };
        T dummy01;                      // widens the flag bytes to sizeof(T)
    };
    T Mutant;
    T ImageBaseAddress;
    T Ldr;                              // address of a _PEB_LDR_DATA_T<T>
    T ProcessParameters;
    T SubSystemData;
    T ProcessHeap;
    T FastPebLock;
    T AtlThunkSListPtr;
    T IFEOKey;
    T CrossProcessFlags;
    T UserSharedInfoPtr;
    DWORD SystemReserved;
    DWORD AtlThunkSListPtr32;
    T ApiSetMap;
    T TlsExpansionCounter;
    T TlsBitmap;
    DWORD TlsBitmapBits[2];
    T ReadOnlySharedMemoryBase;
    T HotpatchInformation;
    T ReadOnlyStaticServerData;
    T AnsiCodePageData;
    T OemCodePageData;
    T UnicodeCaseTableData;
    DWORD NumberOfProcessors;
    union
    {
        DWORD NtGlobalFlag;
        NGF dummy02;                    // sets the width of this slot
    };
    LARGE_INTEGER CriticalSectionTimeout;
    T HeapSegmentReserve;
    T HeapSegmentCommit;
    T HeapDeCommitTotalFreeThreshold;
    T HeapDeCommitFreeBlockThreshold;
    DWORD NumberOfHeaps;
    DWORD MaximumNumberOfHeaps;
    T ProcessHeaps;
    T GdiSharedHandleTable;
    T ProcessStarterHelper;
    T GdiDCAttributeList;
    T LoaderLock;
    DWORD OSMajorVersion;
    DWORD OSMinorVersion;
    WORD OSBuildNumber;
    WORD OSCSDVersion;
    DWORD OSPlatformId;
    DWORD ImageSubsystem;
    DWORD ImageSubsystemMajorVersion;
    T ImageSubsystemMinorVersion;       // declared T-wide, not DWORD; see header note
    T ActiveProcessAffinityMask;
    T GdiHandleBuffer[A];
    T PostProcessInitRoutine;
    T TlsExpansionBitmap;
    DWORD TlsExpansionBitmapBits[32];
    T SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    T pShimData;
    T AppCompatInfo;
    _UNICODE_STRING_T<T> CSDVersion;
    T ActivationContextData;
    T ProcessAssemblyStorageMap;
    T SystemDefaultActivationContextData;
    T SystemAssemblyStorageMap;
    T MinimumStackCommit;
    T FlsCallback;
    _LIST_ENTRY_T<T> FlsListHead;
    T FlsBitmap;
    DWORD FlsBitmapBits[4];
    T FlsHighIndex;
    T WerRegistrationData;
    T WerShipAssertPtr;
    T pContextData;
    T pImageHeaderHash;
    T TracingFlags;
};
// Concrete 32-bit and 64-bit instantiations of the layout templates.
// The *32 aliases use DWORD for pointer-width slots, the *64 aliases use
// DWORD64.

typedef _LDR_DATA_TABLE_ENTRY_T<DWORD>   LDR_DATA_TABLE_ENTRY32;
typedef _LDR_DATA_TABLE_ENTRY_T<DWORD64> LDR_DATA_TABLE_ENTRY64;

typedef _TEB_T_<DWORD>   TEB32;
typedef _TEB_T_<DWORD64> TEB64;

typedef _PEB_LDR_DATA_T<DWORD>   PEB_LDR_DATA32;
typedef _PEB_LDR_DATA_T<DWORD64> PEB_LDR_DATA64;

// For _PEB_T the second argument is the width of the NtGlobalFlag slot and
// the third is the GdiHandleBuffer element count. Note that the 32-bit
// alias takes the wider DWORD64 filler and the 64-bit alias the narrower
// DWORD one; the arguments are not interchangeable.
typedef _PEB_T<DWORD, DWORD64, 34> PEB32;
typedef _PEB_T<DWORD64, DWORD, 30> PEB64;
/**
 * Legacy floating-point / SSE save area embedded in _CONTEXT64 as FltSave.
 *
 * The declared members add up to 512 bytes when _M128A is 16 bytes wide:
 * a 32-byte header, 8 x87 register slots, 16 XMM register slots and a
 * 96-byte reserved tail.
 */
struct _XSAVE_FORMAT64
{
    // 32-byte header
    WORD  ControlWord;
    WORD  StatusWord;
    BYTE  TagWord;
    BYTE  Reserved1;
    WORD  ErrorOpcode;
    DWORD ErrorOffset;
    WORD  ErrorSelector;
    WORD  Reserved2;
    DWORD DataOffset;
    WORD  DataSelector;
    WORD  Reserved3;
    DWORD MxCsr;
    DWORD MxCsr_Mask;

    // register file
    _M128A FloatRegisters[8];
    _M128A XmmRegisters[16];

    // reserved tail
    BYTE Reserved4[96];
};
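/**
 * AMD64 thread context as exchanged with GetThreadContext64 and
 * SetThreadContext64.
 *
 * Layout fix: FltSave and the Header / Legacy / Xmm0..Xmm15 members are
 * two views of the same 512-byte save area and are declared in WinNT.h as
 * members of one union. Declaring them one after the other placed
 * VectorRegister and every later field 416 bytes past its native offset,
 * and left Xmm0..Xmm15 pointing at storage the system never fills. They
 * are overlaid here, which gives VectorRegister offset 0x300 and a total
 * size of 0x4D0 bytes under byte packing. All member names are unchanged.
 *
 * Caller obligations:
 *  - Set ContextFlags to the CONTEXT64_* groups that should be read or
 *    written before passing the structure to either function.
 *  - NOTE(review): the native CONTEXT is declared with 16-byte alignment
 *    in WinNT.h, while this structure carries no alignment attribute.
 *    Callers probably need to align the buffer themselves; confirm
 *    against the implementation.
 *  - Treat a context obtained from another thread as untrusted data: Rip,
 *    Rsp and the debug registers are whatever that thread last held.
 */
struct _CONTEXT64
{
    // Parameter home slots.
    DWORD64 P1Home;
    DWORD64 P2Home;
    DWORD64 P3Home;
    DWORD64 P4Home;
    DWORD64 P5Home;
    DWORD64 P6Home;

    // Control flags.
    DWORD ContextFlags;
    DWORD MxCsr;

    // Segment registers and processor flags.
    WORD SegCs;
    WORD SegDs;
    WORD SegEs;
    WORD SegFs;
    WORD SegGs;
    WORD SegSs;
    DWORD EFlags;

    // Debug registers.
    DWORD64 Dr0;
    DWORD64 Dr1;
    DWORD64 Dr2;
    DWORD64 Dr3;
    DWORD64 Dr6;
    DWORD64 Dr7;

    // Integer registers.
    DWORD64 Rax;
    DWORD64 Rcx;
    DWORD64 Rdx;
    DWORD64 Rbx;
    DWORD64 Rsp;
    DWORD64 Rbp;
    DWORD64 Rsi;
    DWORD64 Rdi;
    DWORD64 R8;
    DWORD64 R9;
    DWORD64 R10;
    DWORD64 R11;
    DWORD64 R12;
    DWORD64 R13;
    DWORD64 R14;
    DWORD64 R15;

    // Program counter.
    DWORD64 Rip;

    // Floating-point state: one 512-byte area with two views.
    union
    {
        _XSAVE_FORMAT64 FltSave;
        struct
        {
            _M128A Header[2];
            _M128A Legacy[8];
            _M128A Xmm0;
            _M128A Xmm1;
            _M128A Xmm2;
            _M128A Xmm3;
            _M128A Xmm4;
            _M128A Xmm5;
            _M128A Xmm6;
            _M128A Xmm7;
            _M128A Xmm8;
            _M128A Xmm9;
            _M128A Xmm10;
            _M128A Xmm11;
            _M128A Xmm12;
            _M128A Xmm13;
            _M128A Xmm14;
            _M128A Xmm15;
        };
    };

    // Vector registers.
    _M128A VectorRegister[26];
    DWORD64 VectorControl;

    // Special debug control registers.
    DWORD64 DebugControl;
    DWORD64 LastBranchToRip;
    DWORD64 LastBranchFromRip;
    DWORD64 LastExceptionToRip;
    DWORD64 LastExceptionFromRip;
};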
// Values for the ContextFlags member of _CONTEXT64, taken from WinNT.h.
// Each CONTEXT64_* constant combines the architecture tag CONTEXT_AMD64
// with one bit that selects a register group.
#if !defined(CONTEXT_AMD64)
#define CONTEXT_AMD64 0x100000
#endif

#define CONTEXT64_CONTROL           (CONTEXT_AMD64 | 0x1L)
#define CONTEXT64_INTEGER           (CONTEXT_AMD64 | 0x2L)
#define CONTEXT64_SEGMENTS          (CONTEXT_AMD64 | 0x4L)
#define CONTEXT64_FLOATING_POINT    (CONTEXT_AMD64 | 0x8L)
#define CONTEXT64_DEBUG_REGISTERS   (CONTEXT_AMD64 | 0x10L)

// CONTEXT64_FULL leaves out the segment and debug register groups;
// CONTEXT64_ALL includes them.
#define CONTEXT64_FULL              (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT)
#define CONTEXT64_ALL               (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS)

// NOTE(review): current Windows SDK headers define the AMD64 XSTATE flag
// with bit 0x40L; 0x20L appears to match an older SDK. Verify against the
// target system before requesting extended state with this value.
#define CONTEXT64_XSTATE            (CONTEXT_AMD64 | 0x20L)
#pragma pack(pop)
// Linkage decoration applied to every public function declared below.
//  - Library build (WOW64EXT_EXPORTS defined): C linkage plus
//    __declspec(dllexport).
//  - Consumer build: C linkage only. SPEC is still defined as dllimport in
//    this branch, but WOW_EXPORT does not use it, so the declarations
//    carry no __declspec(dllimport).
#if defined(WOW64EXT_EXPORTS)
#define SPEC dllexport
#define WOW_EXPORT extern "C" __declspec(SPEC)
#else
#define SPEC dllimport
#define WOW_EXPORT extern "C"
#endif
// Public API. Only the declarations are visible in this header; the
// behaviour notes below are inferred from the names and signatures and are
// marked where they need confirming against the implementation.
//
// Addresses in the 64-bit address space are passed as DWORD64 values, not
// as pointers. Buffers passed as LPVOID / typed pointers live in the
// calling process; the caller must make sure they are at least as large as
// the accompanying size argument.

// Invokes the function at address func with argC variadic arguments.
// NOTE(review): presumably every variadic argument must be passed as a
// DWORD64 and argC must equal the number supplied; confirm.
// func must come from a trusted source: control is transferred to it.
WOW_EXPORT DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...);

// Module and export lookup; presumably the 64-bit counterparts of
// GetModuleHandle / GetProcAddress. The name strings are not declared
// const, so do not assume string literals are accepted unmodified.
WOW_EXPORT DWORD64 __cdecl GetModuleHandle64(wchar_t *lpModuleName);
WOW_EXPORT DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char *funcName);

// Virtual memory operations on hProcess at a 64-bit address. Signatures
// follow the Win32 functions of the same name without the 64 suffix.
// NOTE(review): hProcess needs the access rights the corresponding Win32
// call would need; failures should be checked on every call.
WOW_EXPORT SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess,
                                           DWORD64 lpAddress,
                                           MEMORY_BASIC_INFORMATION64 *lpBuffer,
                                           SIZE_T dwLength);
WOW_EXPORT DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess,
                                            DWORD64 lpAddress,
                                            SIZE_T dwSize,
                                            DWORD flAllocationType,
                                            DWORD flProtect);
WOW_EXPORT BOOL __cdecl VirtualFreeEx64(HANDLE hProcess,
                                        DWORD64 lpAddress,
                                        SIZE_T dwSize,
                                        DWORD dwFreeType);
WOW_EXPORT BOOL __cdecl VirtualProtectEx64(HANDLE hProcess,
                                           DWORD64 lpAddress,
                                           SIZE_T dwSize,
                                           DWORD flNewProtect,
                                           DWORD *lpflOldProtect);

// Memory transfer between lpBuffer in the caller and a 64-bit address in
// hProcess. lpBuffer must hold at least nSize bytes. Data read this way is
// untrusted and must be validated before it is interpreted.
WOW_EXPORT BOOL __cdecl ReadProcessMemory64(HANDLE hProcess,
                                            DWORD64 lpBaseAddress,
                                            LPVOID lpBuffer,
                                            SIZE_T nSize,
                                            SIZE_T *lpNumberOfBytesRead);
WOW_EXPORT BOOL __cdecl WriteProcessMemory64(HANDLE hProcess,
                                             DWORD64 lpBaseAddress,
                                             LPVOID lpBuffer,
                                             SIZE_T nSize,
                                             SIZE_T *lpNumberOfBytesWritten);

// Thread context access using the _CONTEXT64 layout declared above.
// Set lpContext->ContextFlags before calling either function.
WOW_EXPORT BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64 *lpContext);
WOW_EXPORT BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64 *lpContext);

// NOTE(review): presumably translates a status value returned through
// X64Call into the calling thread's last-error value; confirm.
WOW_EXPORT VOID __cdecl SetLastErrorFromX64Call(DWORD64 status);

// NOTE(review): presumably loads a library into the 64-bit side of the
// process. The path is caller-supplied; pass a fully qualified path so
// the search order cannot pick up an unintended file.
WOW_EXPORT DWORD64 __cdecl LoadLibraryW64(LPWSTR lpLibFileName);

// One-time library initialisation.
// NOTE(review): presumably must run before any other function here; confirm.
WOW_EXPORT void __cdecl InitWow64ext(void);