@0xbadfca11
Created June 10, 2018 12:19
Detecting WowA64 without using IsWow64Process2()

TL;DR: use IsWow64Process2().

On WowA64, IsWow64Process() and GetNativeSystemInfo() are made to report the system as x86 Windows. This appears to be a deliberate design decision rather than a bug. (Discussion of the reasons is omitted.)

Even so, some behaviour differs from x86 Windows, both in the values those APIs return and in APIs other than IsWow64Process2():

| API / value (32-bit x86 process) | AMD64 host | x86 host | Arm64 host |
|---|---|---|---|
| IsWow64Process() *Wow64Process | TRUE | 0 | 0 |
| GetSystemInfo() wProcessorArchitecture | PROCESSOR_ARCHITECTURE_INTEL | PROCESSOR_ARCHITECTURE_INTEL | PROCESSOR_ARCHITECTURE_INTEL |
| GetSystemInfo() lpMaximumApplicationAddress, /LARGEADDRESSAWARE:NO | 0x7FFEFFFF | 0x7FFEFFFF | 0x7FFEFFFF |
| GetSystemInfo() lpMaximumApplicationAddress, /LARGEADDRESSAWARE | 0xFFFEFFFF | 0xBFFEFFFF | 0xFFFEFFFF |
| GetNativeSystemInfo() wProcessorArchitecture | PROCESSOR_ARCHITECTURE_AMD64 | PROCESSOR_ARCHITECTURE_INTEL | PROCESSOR_ARCHITECTURE_INTEL |
| GetNativeSystemInfo() lpMaximumApplicationAddress, /LARGEADDRESSAWARE:NO | 0xFFFEFFFF | 0x7FFEFFFF | 0x7FFEFFFF |
| GetNativeSystemInfo() lpMaximumApplicationAddress, /LARGEADDRESSAWARE | 0xFFFEFFFF | 0xBFFEFFFF | 0xFFFEFFFF |
| IsOS(OS_WOW6432) | TRUE | 0 | TRUE |
| IsWow64Process2() *pNativeMachine | IMAGE_FILE_MACHINE_AMD64 | IMAGE_FILE_MACHINE_I386 | IMAGE_FILE_MACHINE_ARM64 |

Therefore, if either of the following holds:

  • wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL && lpMaximumApplicationAddress >= 0xC0000000 && /LARGEADDRESSAWARE
  • wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL && IsOS(OS_WOW6432)

then, at least on current builds, the process is running under WoW64 on ARM64.
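The two conditions above as an added example (not the gist's own code): the decision is a plain C function fed the four observations the table lists, so it can be checked offline against every column, and a Windows-only collector below it gathers those observations with the APIs the gist names. It assumes wProcessorArchitecture and lpMaximumApplicationAddress come from GetNativeSystemInfo() (the table shows GetSystemInfo() cannot separate AMD64 from Arm64) and that /LARGEADDRESSAWARE is read from the image's own PE header as IMAGE_FILE_LARGE_ADDRESS_AWARE.

```c
#include <stdbool.h>
#include <stdint.h>

/* SYSTEM_INFO.wProcessorArchitecture values from winnt.h, redefined here so
 * the decision logic compiles and can be tested without the Windows SDK. */
#define ARCH_INTEL 0
#define ARCH_AMD64 9

enum host_kind { HOST_X86_NATIVE, HOST_WOW64_ON_AMD64, HOST_WOW64_ON_ARM64, HOST_UNKNOWN };

/* Inputs are the observations the table lists for a 32-bit x86 process:
 *   native_arch      - GetNativeSystemInfo().wProcessorArchitecture
 *   max_app_addr     - GetNativeSystemInfo().lpMaximumApplicationAddress
 *   large_addr_aware - whether this image was linked with /LARGEADDRESSAWARE
 *   is_wow6432       - IsOS(OS_WOW6432)
 * The ARM64 branch is a heuristic that matches current builds only. */
enum host_kind classify_host(unsigned native_arch, uint64_t max_app_addr,
                             bool large_addr_aware, bool is_wow6432)
{
    if (native_arch == ARCH_AMD64)
        return HOST_WOW64_ON_AMD64;      /* AMD64 hosts are reported honestly */
    if (native_arch != ARCH_INTEL)
        return HOST_UNKNOWN;
    /* Native x86 caps a /LARGEADDRESSAWARE image at 0xBFFEFFFF; WoW64 gives 0xFFFEFFFF. */
    if (large_addr_aware && max_app_addr >= 0xC0000000u)
        return HOST_WOW64_ON_ARM64;
    if (is_wow6432)                      /* still TRUE under WoW64 even though the arch is hidden */
        return HOST_WOW64_ON_ARM64;
    return HOST_X86_NATIVE;
}

#ifdef _WIN32
#include <windows.h>
#include <shlwapi.h>   /* IsOS(); link with shlwapi.lib */

/* Collects the four inputs from the running 32-bit process and classifies the host. */
enum host_kind detect_host(void)
{
    SYSTEM_INFO si;
    GetNativeSystemInfo(&si);
    /* /LARGEADDRESSAWARE is an image flag: read it from this module's own PE header (assumption). */
    BYTE *base = (BYTE *)GetModuleHandleW(NULL);
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + ((IMAGE_DOS_HEADER *)base)->e_lfanew);
    bool laa = (nt->FileHeader.Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE) != 0;
    return classify_host(si.wProcessorArchitecture,
                         (uint64_t)(uintptr_t)si.lpMaximumApplicationAddress,
                         laa, IsOS(OS_WOW6432) != 0);
}
#endif
```

Note that with /LARGEADDRESSAWARE:NO the address heuristic cannot tell Arm64 from native x86 (both report 0x7FFEFFFF), so only the IsOS(OS_WOW6432) condition fires there.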
