Wow64Local.h
#pragma once
#include <windows.h>
#include <winternl.h>
#include <stdint.h>
#include <memory>
#include "Internal.h"
#include "Native.h"
namespace ds_wow64
{
    /**
     * Declaration of the helper a process uses to reach its own ("local")
     * 64-bit side: 64-bit functions, syscalls by index, the 64-bit TEB and
     * modules loaded in the 64-bit ntdll's view.
     *
     * Only declarations are visible in this header; everything said below
     * about behaviour is read off the names and the existing member comments
     * and should be confirmed against the implementation file.
     *
     * NOTE(review): every address crosses this interface as a plain DWORD64,
     * so the compiler cannot tell a module base from a function pointer or a
     * buffer address. Validation has to happen at the call sites.
     *
     * NOTE(review): X64Syscall takes a raw syscall index, which suggests these
     * calls do not go through the 32-bit API layer; monitoring that relies on
     * 32-bit user-mode instrumentation may not observe them. TODO confirm.
     */
    class Wow64Local
    {
        // WoW64dm is granted access to the cached addresses in the private section.
        friend class WoW64dm;

    public:
        Wow64Local(void);
        ~Wow64Local(void);

        /*
         * Variadic entry points: a 64-bit function address (func) or a syscall
         * index (idx), followed by argC arguments.
         * argC is the only description of the variadic list, so it must match
         * the number of arguments actually passed.
         * NOTE(review): the width expected for each variadic argument is not
         * visible here; confirm before passing 32-bit values.
         */
        DWORD64 X64Call(DWORD64 func, int argC, ...);
        DWORD64 X64Syscall(int idx, int argC, ...);

        /*
         * va_list counterparts of X64Call / X64Syscall.
         */
        DWORD64 X64CallV(DWORD64 func, int argC, va_list args);
        DWORD64 X64SyscallV(int idx, int argC, va_list args);

        /*
         * Copy between two addresses given as 64-bit values.
         * The signature carries nothing but a byte count: the caller is
         * responsible for both ranges being valid for `size` bytes.
         */
        void memcpy64(DWORD64 /*dst*/, DWORD64 /*src*/, DWORD /*size*/);

        /*
         * Fills `out` with a TEB64. The meaning of the returned DWORD64 is not
         * visible here (presumably the TEB address; verify).
         */
        DWORD64 getTEB64(TEB64& out);

        /*
         * Look up a 64-bit module by name; pSize is an optional out-parameter
         * (defaults to nullptr) that presumably receives the image size.
         * NOTE(review): lpModuleName is a non-const wchar_t*; whether the
         * implementation writes through it cannot be told from here.
         */
        DWORD64 GetModuleHandle64(wchar_t* lpModuleName, DWORD* pSize = nullptr);

        /*
         * Address of the 64-bit ntdll; pSize is an optional out-parameter
         * (defaults to nullptr), presumably the image size.
         */
        DWORD64 getNTDLL64(DWORD* pSize = nullptr);

        /*
         * Address of LdrGetProcedureAddress in the 64-bit ntdll (per the
         * comment on _LdrGetProcedureAddress below).
         */
        DWORD64 getLdrGetProcedureAddress();

        /*
         * Resolve funcName inside the 64-bit module hModule.
         * NOTE(review): the failure value is not visible here; callers should
         * check the result before handing it to X64Call as an address.
         */
        DWORD64 GetProcAddress64(DWORD64 hModule, char* funcName);

        /*
         * Load the 64-bit library at `path`; the return value is presumably
         * its module base.
         * NOTE(review): whether `path` is required to be fully qualified is
         * not visible here; confirm before passing caller-controlled names.
         */
        DWORD64 LoadLibrary64(const wchar_t* path);

    private:
        // Declaration order is kept exactly as in the original so the object
        // layout seen by the implementation and by WoW64dm does not change.

        fnNtWow64QIP _NtWow64QIP;           // NtWow64QueryInformationProcess64

        fnNtWow64VmOp _NtRPM;               // NtWow64ReadVirtualMemory64 (per the RPM naming)
        fnNtWow64VmOp _NtWPM;               // NtWow64WriteVirtualMemory64 (per the WPM naming)

        DWORD64 _ntdll64;                   // 64bit ntdll address
        DWORD64 _LdrGetProcedureAddress;    // LdrGetProcedureAddress address in 64bit ntdll
        DWORD   _ntdll64Size;               // size of ntdll64 image

        // 64bit memory functions (Nt*VirtualMemory). The individual names
        // presumably stand for Query/Allocate/Free/Read/Write/Protect; verify.
        DWORD64 ntqvm;
        DWORD64 ntavm;
        DWORD64 ntfvm;
        DWORD64 ntrvm;
        DWORD64 ntwvm;
        DWORD64 ntpvm;

        // Get(Set)ThreadContext
        DWORD64 gtc;
        DWORD64 stc;
    };
}