Is it possible to get driver base address in WOW64 process?

#25657 by fsdhook
Thu Apr 16, 2015 2:23 pm

Hi, we all know that we can use EnumDeviceDrivers or ZwQuerySystemInformation to get driver base address.
But is it possible to get driver base address in WIN64 system by a 32-bit process? NOT USE DRIVER.

Username

fsdhook

Posts

45

Joined

Wed May 14, 2014 8:27 am

Re: Is it possible to get driver base address in WOW64 proce

#25663 by EP_X0FF
Fri Apr 17, 2015 3:47 am

https://github.com/rwfpl/rewolf-wow64ext

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Is it possible to get driver base address in WOW64 proce

#25668 by cziter15
Fri Apr 17, 2015 1:43 pm

EP_X0FF wrote:https://github.com/rwfpl/rewolf-wow64ext

I've had few problems on few machines. It was crashing at X64Call on few Win8 machines.
Anyway, another solution is to call NtWow64GetNativeSystemInformation.

Code: Select all

NTSTATUS NTAPI
NtWow64GetNativeSystemInformation(
     SYSTEM_INFORMATION_CLASS SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength
);

Code: Select all

typedef NTSTATUS (NTAPI *tNtWow64GetNativeSystemInformation)
(
     SYSTEM_INFORMATION_CLASS SystemInformationClass,
     PVOID SystemInformation,
     ULONG SystemInformationLength,
     PULONG ReturnLength
);

tNtWow64GetNativeSystemInformation NtWow64GetNativeSystemInformation = (tNtWow64GetNativeSystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWow64GetNativeSystemInformation");

if (NtWow64GetNativeSystemInformation != NULL)
{
      NtWow64GetNativeSystemInformation(.....); //call it like NtQuerySystemInformation
}
else
{
      OutputDebugStringW(L"We are not on WOW64 !!");
}

This function is exported by wow64 ntdll.dll, get it's pointer using GetProcAddress.

You have to use X64 variable to get driver base address (use ULONGLONG instead of PVOID, which has 4 byte in 32bit process)

Username

cziter15

Posts

18

Joined

Tue Apr 07, 2015 9:37 am

Re: Is it possible to get driver base address in WOW64 proce

#25672 by Brock
Fri Apr 17, 2015 3:53 pm

@cziter15,

NtWow64GetNativeSystemInformation() doesn't work with SystemModuleInformation (enum ordinal value 11) from a 32-bit (WOW64) process on any 64-bit OS I've ever tried. You'll get STATUS_INVALID_INFO_CLASS (0xC0000003) since it's not implemented through the WOW layer. Do I appear to be missing an important detail if you're somehow succeeding? Only a few select classes are actually implemented through WOW and unfortunately SystemModuleInformation doesn't seem to be one of them

Best Regards,
Brock

Accept nothing less than STATUS_SUCCESS

Username

Brock

Posts

222

Joined

Wed Apr 28, 2010 3:13 am

Location

Valparaiso, Florida USA

Contact