pe-sieve/process__util_8cpp_source.html

#include "process_util.h"

#include <iostream>


namespace pesieve {

    namespace util {

        HMODULE g_kernel32Hndl = nullptr;


        BOOL(WINAPI *g_IsWow64Process)(IN HANDLE, OUT PBOOL) = nullptr;

        BOOL(WINAPI *g_Wow64DisableWow64FsRedirection) (OUT PVOID* OldValue) = nullptr;

        BOOL(WINAPI *g_Wow64RevertWow64FsRedirection) (IN PVOID OldValue) = nullptr;

        BOOL(WINAPI *g_Wow64GetThreadContext)(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext) = nullptr;


        HMODULE get_kernel32_hndl()

        {

            const char kernel32_dll[] = "kernel32.dll";

            if (!g_kernel32Hndl) {

                g_kernel32Hndl = GetModuleHandleA(kernel32_dll);

            }

            if (!g_kernel32Hndl) {

                g_kernel32Hndl = LoadLibraryA(kernel32_dll);

            }

            return g_kernel32Hndl;

        }


    };

};


BOOL pesieve::util::is_process_wow64(IN HANDLE processHandle, OUT BOOL* isProcWow64)

{

    if (isProcWow64) {

        (*isProcWow64) = FALSE; //set default output value: FALSE

    }

    if (!g_IsWow64Process) {

        HMODULE kernelLib = get_kernel32_hndl();

        if (!kernelLib) return FALSE;


        FARPROC procPtr = GetProcAddress(kernelLib, "IsWow64Process");

        if (!procPtr) return FALSE;


        g_IsWow64Process = (BOOL(WINAPI *)(IN HANDLE, OUT PBOOL))procPtr;

    }

    if (!g_IsWow64Process) {

        return FALSE;

    }

    return g_IsWow64Process(processHandle, isProcWow64);

}


bool pesieve::util::is_process_64bit(IN HANDLE process)

{

    BOOL isScanner32bit = TRUE;

#ifdef _WIN64 //is the scanner 64 bit?

    isScanner32bit = FALSE;

#endif

    BOOL isScannerWow64 = FALSE;

    pesieve::util::is_process_wow64(GetCurrentProcess(), &isScannerWow64);


    const BOOL isSystem64bit = !isScanner32bit || isScannerWow64;

    if (!isSystem64bit) {

        //the system is not 64 bit, so for sure the app is 32 bit

        return false;

    }


    BOOL isProcessWow = FALSE;

    pesieve::util::is_process_wow64(process, &isProcessWow);


    if (isProcessWow) {

        // the system is 64 bit, and the process runs as Wow64, so it is 32 bit

        return false;

    }

    // the system is 64 bit, and the process runs NOT as Wow64, so it is 64 bit

    return true;

}


bool pesieve::util::is_current_wow64()

{

#ifdef _WIN64

    return false;

#else

    BOOL isWow64 = FALSE;

    if (is_process_wow64(GetCurrentProcess(), &isWow64)) {

        return false;

    }

    return (bool)isWow64;

#endif

}


BOOL pesieve::util::wow64_get_thread_context(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)

{

#ifdef _WIN64

    if (!g_Wow64GetThreadContext) {

        HMODULE kernelLib = get_kernel32_hndl();

        if (!kernelLib) return FALSE;


        FARPROC procPtr = GetProcAddress(get_kernel32_hndl(), "Wow64GetThreadContext");

        if (!procPtr) return FALSE;


        g_Wow64GetThreadContext = (BOOL(WINAPI*)(IN HANDLE, IN OUT PWOW64_CONTEXT))procPtr;

    }

    return g_Wow64GetThreadContext(hThread, lpContext);

#else

    return FALSE;

#endif

}


BOOL pesieve::util::wow64_disable_fs_redirection(OUT PVOID* OldValue)

{

    if (!g_Wow64DisableWow64FsRedirection) {

        HMODULE kernelLib = get_kernel32_hndl();

        if (!kernelLib) return FALSE;


        FARPROC procPtr = GetProcAddress(kernelLib, "Wow64DisableWow64FsRedirection");

        if (!procPtr) return FALSE;


        g_Wow64DisableWow64FsRedirection = (BOOL(WINAPI *) (OUT PVOID*))procPtr;

    }

    if (!g_Wow64DisableWow64FsRedirection) {

        return FALSE;

    }

    return g_Wow64DisableWow64FsRedirection(OldValue);

}


BOOL pesieve::util::wow64_revert_fs_redirection(IN PVOID OldValue)

{

    if (!g_Wow64RevertWow64FsRedirection) {

        HMODULE kernelLib = get_kernel32_hndl();

        if (!kernelLib) return FALSE;


        FARPROC procPtr = GetProcAddress(kernelLib, "Wow64RevertWow64FsRedirection");

        if (!procPtr) return FALSE;


        g_Wow64RevertWow64FsRedirection = (BOOL(WINAPI *) (IN PVOID))procPtr;

    }

    if (!g_Wow64RevertWow64FsRedirection) {

        return FALSE;

    }

    return g_Wow64RevertWow64FsRedirection(OldValue);

}


pesieve::util::is_process_64bit
bool is_process_64bit(IN HANDLE process)
Definition process_util.cpp:47

pesieve::util::wow64_disable_fs_redirection
BOOL wow64_disable_fs_redirection(OUT PVOID *OldValue)
Definition process_util.cpp:104

pesieve::util::is_process_wow64
BOOL is_process_wow64(IN HANDLE processHandle, OUT BOOL *isProcWow64)
Definition process_util.cpp:27

pesieve::util::lpContext
IN OUT PWOW64_CONTEXT lpContext
Definition process_util.cpp:11

pesieve::util::get_kernel32_hndl
HMODULE get_kernel32_hndl()
Definition process_util.cpp:13

pesieve::util::is_current_wow64
bool is_current_wow64()
Definition process_util.cpp:73

pesieve::util::BOOL
BOOL(CALLBACK *_MiniDumpWriteDump)(HANDLE hProcess

pesieve::util::g_kernel32Hndl
HMODULE g_kernel32Hndl
Definition process_util.cpp:6

pesieve::util::PBOOL
OUT PBOOL
Definition process_util.cpp:8

pesieve::util::wow64_get_thread_context
BOOL wow64_get_thread_context(IN HANDLE hThread, IN OUT PWOW64_CONTEXT lpContext)
Definition process_util.cpp:86

pesieve::util::wow64_revert_fs_redirection
BOOL wow64_revert_fs_redirection(IN PVOID OldValue)
Definition process_util.cpp:121

pesieve
Definition pesieve.py:1

process_util.h