Process type detaction

Fyyre · #3 10-29-2022, 15:05

Perhaps try this.. might prove more accurate:

Code:

/*
* PsIsProcess32bit
*
* Purpose:
*
* Return TRUE if process is wow64.
*
*/
BOOL PsIsProcess32bit(
    _In_ HANDLE hProcess
)
{
    NTSTATUS Status;
    PROCESS_EXTENDED_BASIC_INFORMATION pebi{};

    if (hProcess == NULL) {
        return FALSE;
    }

    RtlSecureZeroMemory(&pebi, sizeof(pebi));
    pebi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
    Status = NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pebi, sizeof(pebi), NULL);
    if (NT_SUCCESS(Status)) {
        return (pebi.IsWow64Process == 1);
    }
    return FALSE;
}

Quote:

Originally Posted by Teerayoot

https://ibb.co/y5sjcsW

Code:

bool is64BitProcess(DWORD pid)
		{
			BOOL f64 = FALSE;

			//fnIsWow64Process =(LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(L"kernelbase.dll"), "IsWow64Process");


			HANDLE  hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

			if (hProcess == 0)
				return -1;
			IsWow64Process(hProcess, &f64) ;
			 return f64;

		}

I suspect detection is wrong.

Here whole Sorce code

https://www.mediafire.com/file/z4ul73x3dra8imx/CppCLR_WinformsProject2.rar/file

compile with VS2019 x64bit.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode

The Following User Gave Reputation+1 to Fyyre For This Useful Post:
user1 (10-30-2022)

The Following 4 Users Say Thank You to Fyyre For This Useful Post:
MarcElBichon (10-29-2022), Teerayoot (02-15-2025), tonyweb (10-29-2022), user1 (10-30-2022)