--------------------------------------------------------------------------------
Name....: WOW64Ext Library
Author..: ReWolf
Rel.Date: 12.I.2012
Update..: 18.I.2017
Version.: 1.0.0.9


e.mail..: rewolf@rewolf.pl
www.....: http://blog.rewolf.pl
--------------------------------------------------------------------------------

WOW64Ext is a helper library for x86 programs that run under the WOW64 layer on
x64 versions of Microsoft Windows. It enables x86 applications to read, write and
enumerate the memory of native x64 applications. It is also possible to call any
x64 function from the 64-bit version of NTDLL through a special function called
X64Call(). As a bonus, wow64ext.h contains definitions of some structures that
might be useful for programs that want to access the PEB, TEB, TIB etc.

A sample application that uses this library, a simple memory dumper, can be found
in the \sample\ directory.

--------------------------------------------------------------------------------

Functions:

--------------------------------------------------------------------------------

DWORD64 X64Call(DWORD64 func, int argC, ...);

Low level function that can call any x64 API from NTDLL.

func - address of the x64 function, can be obtained by GetProcAddress64()
argC - number of arguments that will be passed to 'func'
...  - the remaining arguments for 'func'; every value must be cast to DWORD64

--------------------------------------------------------------------------------

DWORD64 GetModuleHandle64(wchar_t* lpModuleName);

Behaviour similar to the x86 version of GetModuleHandle(), but it looks for the
module name in the list of loaded x64 libraries. Usually x86 processes under the
WOW64 layer have four x64 libraries: ntdll.dll, wow64.dll, wow64cpu.dll and
wow64win.dll.

lpModuleName - unicode string that represents module name

--------------------------------------------------------------------------------

DWORD64 GetProcAddress64(DWORD64 hModule, char* funcName);

Behaviour  similar  to  x86 version of GetProcAddress(), internally it  uses x64
version of LdrGetProcedureAddress() from NTDLL.

hModule  - base of x64 module
funcName - function name

--------------------------------------------------------------------------------

SIZE_T VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress,
                        MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength);

Behaviour  similar to  x86 version of  VirtualQueryEx(), internally it uses  x64
version of NtQueryVirtualMemory() from NTDLL.

hProcess  - handle of the process, can  be  obtained by  standard x86 version of
            OpenProcess() function
lpAddress - base address of the region of pages to be queried
lpBuffer  - a pointer to a MEMORY_BASIC_INFORMATION64  structure, it  is defined
            in the standard SDK headers
dwLength  - size of the buffer pointed to by the lpBuffer parameter
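
The typical use of VirtualQueryEx64() is the region walk that a memory dumper
performs: start at address 0, query, step to BaseAddress + RegionSize, repeat.
The example below is an added illustration, not code from the library or from
its \sample\ dumper. The walker takes the query routine as a function pointer
with exactly the VirtualQueryEx64() signature, so on Windows it is called with
VirtualQueryEx64 and a handle from OpenProcess(); here it runs offline against a
constructed region map (labelled as such), which also lets it show why the
bookkeeping must be DWORD64: a single x64 region can be larger than 4 GiB, which
a 32-bit SIZE_T in the x86 caller would silently truncate. The user-mode ceiling
constant is an assumed, approximate value for recent x64 Windows.

```c
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>          /* real MEMORY_BASIC_INFORMATION64, DWORD64, ... */
#else
/* Minimal stand-ins so the walker also compiles and runs off Windows. */
typedef unsigned long long DWORD64;
typedef unsigned int DWORD;
typedef size_t SIZE_T;
typedef void *HANDLE;
typedef struct {
    DWORD64 BaseAddress;
    DWORD64 AllocationBase;
    DWORD   AllocationProtect;
    DWORD   __alignment1;
    DWORD64 RegionSize;
    DWORD   State;
    DWORD   Protect;
    DWORD   Type;
    DWORD   __alignment2;
} MEMORY_BASIC_INFORMATION64;
#define MEM_COMMIT     0x1000
#define MEM_FREE       0x10000
#define MEM_PRIVATE    0x20000
#define PAGE_NOACCESS  0x01
#define PAGE_READWRITE 0x04
#endif

/* Same signature as VirtualQueryEx64(); pass that function on Windows. */
typedef SIZE_T (*query_x64_fn)(HANDLE hProcess, DWORD64 lpAddress,
                               MEMORY_BASIC_INFORMATION64 *lpBuffer,
                               SIZE_T dwLength);

typedef struct {
    unsigned committed_regions;
    DWORD64  committed_bytes;   /* DWORD64, not SIZE_T: regions can exceed 4 GiB */
    DWORD64  largest_region;
} x64_walk_stats;

/* Walk the x64 address space of hProcess from 0 up to `ceiling`, counting
 * committed regions. Every address and size is kept in 64-bit arithmetic. */
x64_walk_stats walk_x64_regions(HANDLE hProcess, query_x64_fn query, DWORD64 ceiling)
{
    x64_walk_stats st = {0, 0, 0};
    MEMORY_BASIC_INFORMATION64 mbi;
    DWORD64 addr = 0;

    while (addr < ceiling) {
        if (query(hProcess, addr, &mbi, sizeof mbi) != sizeof mbi)
            break;                      /* query failed or nothing more to see */
        if (mbi.RegionSize == 0)
            break;                      /* defensive: never spin on a zero-size region */
        if (mbi.State == MEM_COMMIT) {
            st.committed_regions++;
            st.committed_bytes += mbi.RegionSize;
            if (mbi.RegionSize > st.largest_region)
                st.largest_region = mbi.RegionSize;
        }
        /* Advance past the region; a 32-bit SIZE_T would truncate this sum. */
        DWORD64 next = mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr)
            break;                      /* guard against wrap-around or bad data */
        addr = next;
    }
    return st;
}

/* Constructed sample of a target's x64 address space (not a real process):
 * a small committed block low in memory, a free gap, then a committed region
 * of 0x100001000 bytes (just over 4 GiB) near the top of user space. */
static const MEMORY_BASIC_INFORMATION64 SAMPLE_MAP[] = {
    { 0x0000000000000000ULL, 0, 0, 0, 0x0000000000010000ULL, MEM_FREE, PAGE_NOACCESS, 0, 0 },
    { 0x0000000000010000ULL, 0x10000ULL, PAGE_READWRITE, 0, 0x0000000000002000ULL, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, 0 },
    { 0x0000000000012000ULL, 0, 0, 0, 0x00007FF6FFFEE000ULL, MEM_FREE, PAGE_NOACCESS, 0, 0 },
    { 0x00007FF700000000ULL, 0x7FF700000000ULL, PAGE_READWRITE, 0, 0x0000000100001000ULL, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, 0 },
    { 0x00007FF800001000ULL, 0, 0, 0, 0x00000007FFFEF000ULL, MEM_FREE, PAGE_NOACCESS, 0, 0 },
};

/* Stand-in for VirtualQueryEx64() that answers from SAMPLE_MAP. */
static SIZE_T sample_query(HANDLE hProcess, DWORD64 addr,
                           MEMORY_BASIC_INFORMATION64 *out, SIZE_T len)
{
    size_t i;
    (void)hProcess;
    if (len < sizeof *out)
        return 0;
    for (i = 0; i < sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0]; i++) {
        DWORD64 base = SAMPLE_MAP[i].BaseAddress;
        if (addr >= base && addr - base < SAMPLE_MAP[i].RegionSize) {
            *out = SAMPLE_MAP[i];
            return sizeof *out;
        }
    }
    return 0;                           /* beyond the last mapped region */
}

/* Assumed, approximate x64 user-mode ceiling on recent Windows builds. */
#define X64_USER_CEILING 0x00007FFFFFFF0000ULL

x64_walk_stats walk_sample_map(void)
{
    return walk_x64_regions((HANDLE)0, sample_query, X64_USER_CEILING);
}

int main(void)
{
    x64_walk_stats st = walk_sample_map();
    printf("committed regions: %u, bytes: 0x%llx, largest: 0x%llx\n",
           st.committed_regions,
           (unsigned long long)st.committed_bytes,
           (unsigned long long)st.largest_region);
    return 0;
}
```

On Windows the only change is the call site: replace sample_query with
VirtualQueryEx64 and the null handle with one obtained from OpenProcess(); the
walker itself is unchanged, and a dumper would call ReadProcessMemory64() for
each region where State == MEM_COMMIT.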

--------------------------------------------------------------------------------

DWORD64 VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize,
                         DWORD flAllocationType, DWORD flProtect);

Behaviour similar to the x86 version of VirtualAllocEx(), internally it uses the
x64 version of NtAllocateVirtualMemory() from NTDLL.

hProcess         - handle  of  the  process,  can  be  obtained  by standard x86
                   version of OpenProcess() function
lpAddress        - desired base address of the region that will be allocated
dwSize           - size of the region that will be allocated
flAllocationType - type of memory allocation
flProtect        - memory protection for the region

--------------------------------------------------------------------------------

BOOL VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize,
                     DWORD dwFreeType);

Behaviour similar to the x86 version of VirtualFreeEx(), internally it uses the
x64 version of NtFreeVirtualMemory() from NTDLL.

hProcess   - handle of the process, can be  obtained by  standard x86 version of
             OpenProcess() function
lpAddress  - base address of the memory region to free
dwSize     - size (in bytes) of the memory region to free
dwFreeType - type of free operation (MEM_RELEASE, MEM_DECOMMIT)

--------------------------------------------------------------------------------

BOOL VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize,
                        DWORD flNewProtect, DWORD* lpflOldProtect);

Behaviour similar to the x86 version of VirtualProtectEx(), internally it uses
the x64 version of NtProtectVirtualMemory() from NTDLL.

hProcess       - handle  of  the  process,  can  be  obtained  by  standard  x86
                 version of OpenProcess() function
lpAddress      - base  address  of  the  memory region  that  will  have changed
                 protection
dwSize         - size (in  bytes) of  the memory  region that  will have changed
                 protection
flNewProtect   - the memory protection option (see MSDN)
lpflOldProtect - pointer to the variable that receives old protection value

--------------------------------------------------------------------------------

BOOL ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, 
                         LPVOID lpBuffer, SIZE_T nSize, 
                         SIZE_T *lpNumberOfBytesRead);

Behaviour similar to x86 version of  ReadProcessMemory(), internally it uses x64
version of NtReadVirtualMemory() from NTDLL.

hProcess            - handle of  the process,  can be  obtained by  standard x86
                      version of OpenProcess() function
lpBaseAddress       - base address of the region that will be read
lpBuffer            - output memory buffer for the read data
nSize               - number of bytes to be read
lpNumberOfBytesRead - pointer to a variable that receives number of read bytes

--------------------------------------------------------------------------------

BOOL WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, 
                          LPVOID lpBuffer, SIZE_T nSize, 
                          SIZE_T *lpNumberOfBytesWritten);

Behaviour similar to x86 version of WriteProcessMemory(), internally it uses x64
version of NtWriteVirtualMemory() from NTDLL.

hProcess            - handle of  the process,  can be  obtained by  standard x86
                      version of OpenProcess() function
lpBaseAddress       - base address of the region that will be written
lpBuffer            - input memory buffer with the data to write
nSize               - number of bytes that will be written
lpNumberOfBytesWritten - pointer to a variable that receives the number of bytes
                         written

--------------------------------------------------------------------------------

BOOL GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);

Behaviour similar to  x86 version of GetThreadContext(), internally  it uses x64
version  of  NtGetContextThread()  from NTDLL.  Definition  of _CONTEXT64 can be
found in wow64ext.h file.

hThread             - handle of the thread, can be obtained by the standard x86
                      version of OpenThread() function
lpContext           - a pointer to a _CONTEXT64 structure that will receive the
                      context data of the specified thread. The structure is
                      filled according to its ContextFlags field.

--------------------------------------------------------------------------------

BOOL SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);

Behaviour  similar to x86 version of SetThreadContext(), internally  it uses x64
version  of  NtSetContextThread()  from NTDLL.  Definition  of _CONTEXT64 can be
found in wow64ext.h file.

hThread             - handle of the thread, can be obtained by the standard x86
                      version of OpenThread() function
lpContext           - a pointer to a _CONTEXT64 structure whose contents will be
                      written into the context of the specified thread. Only
                      the fields selected by ContextFlags are used.

--------------------------------------------------------------------------------