switched to rewolf-wow64ext

Author: DarthTon

contrib/rewolf-wow64ext/.gitignore

@@ -0,0 +1,14 @@
+*.opensdf
+*.sdf
+*.suo
+*.obj
+*.ilk
+*.db
+*.user
+*.opendb
+*.pdb
+src/Release/*
+src/Debug/*
+sample/*.exe
+sample/*.dll
+sample/*.lib

contrib/rewolf-wow64ext/.hgignore

@@ -0,0 +1,2 @@
+# rewolf-wow64ext
+WOW64Ext is a helper library for x86 programs that runs under WOW64 layer on x64 versions of Microsoft Windows operating systems. It enables x86 applications to read, write and enumerate memory of a native x64 applications. There is also possibility to call any x64 function from 64-bits version of NTDLL through a special function called X64Call(). As a bonus, wow64ext.h contains definitions of some structures that might be useful for programs that want to access PEB, TEB, TIB etc. 

contrib/rewolf-wow64ext/README.md

@@ -0,0 +1,180 @@
+--------------------------------------------------------------------------------
+Name....: WOW64Ext Library
+Author..: ReWolf
+Rel.Date: 12.I.2012
+Update..: 18.I.2017
+Version.: 1.0.0.9
+
+
+e.mail..: [email protected]
+www.....: http://blog.rewolf.pl
+--------------------------------------------------------------------------------
+
+WOW64Ext is a helper  library for x86  programs that  runs under  WOW64 layer on
+x64 versions of Microsoft Windows operating systems. It enables x86 applications
+to read, write  and enumerate memory of a native x64 applications. There is also
+possibility  to call  any x64  function from  64-bits version  of NTDLL  through
+a special function called X64Call(). As a bonus, wow64ext.h contains definitions
+of some  structures that might  be useful for programs  that want to access PEB,
+TEB, TIB etc.
+
+Sample application that uses this library can be found in \sample\ directory, it
+is simple memory dumper.
+
+--------------------------------------------------------------------------------
+
+Functions:
+
+--------------------------------------------------------------------------------
+
+DWORD64 X64Call(DWORD64 func, int argC, ...);
+
+Low level function that can call any x64 API from NTDLL.
+
+func - address of x64 function, can be obtained by GetProcAddress64()
+argC - number of arguments that will be passed to the 'func'
+...  - rest of arguments for 'func', all values should be casted to DWORD64
+
+--------------------------------------------------------------------------------
+
+DWORD64 GetModuleHandle64(wchar_t* lpModuleName);
+
+Behaviour similar to x86 version of GetModuleHandle, but it looks for the module
+name  in the list  of loaded x64  libraries.  Usually x86  processes under WOW64
+layer   have   four  x64  libraries:  ntdll.dll,   wow64.dll,  wow64cpu.dll  and
+wow64win.dll
+
+lpModuleName - unicode string that represents module name
+
+--------------------------------------------------------------------------------
+
+DWORD64 GetProcAddress64(DWORD64 hModule, char* funcName);
+
+Behaviour  similar  to  x86 version of GetProcAddress(), internally it  uses x64
+version of LdrGetProcedureAddress() from NTDLL.
+
+hModule  - base of x64 module
+funcName - function name
+
+--------------------------------------------------------------------------------
+
+SIZE_T VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, 
+                        MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength)
+
+Behaviour  similar to  x86 version of  VirtualQueryEx(), internally it uses  x64
+version of NtQueryVirtualMemory() from NTDLL.
+
+hProcess  - handle of the process, can  be  obtained by  standard x86 version of
+            OpenProcess() function
+lpAddress - base address of the region of pages to be queried
+lpBuffer  - a pointer to a MEMORY_BASIC_INFORMATION64  structure, it  is defined
+            in the standard SDK headers
+dwLength  - size of the buffer pointed to by the lpBuffer parameter
+
+--------------------------------------------------------------------------------
+
+DWORD64 VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize,
+                         DWORD flAllocationType, DWORD flProtect)
+
+Behaviour  similar to  x86 version of VirtualAllocEx64(), internally it uses x64
+version of NtAllocateVirtualMemory() from NTDLL.
+
+hProcess         - handle  of  the  process,  can  be  obtained  by standard x86
+                   version of OpenProcess() function
+lpAddress        - desired base address of the region that will be allocated
+dwSize           - size of the region that will be allocated
+flAllocationType - type of memory allocation
+flProtect        - memory protection for the region
+
+--------------------------------------------------------------------------------
+
+BOOL VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize,
+                     DWORD dwFreeType)
+
+Behaviour  similar to  x86 version of  VirtualFreeEx64(), internally it uses x64
+version of NtFreeVirtualMemory() from NTDLL.
+
+hProcess   - handle of the process, can be  obtained by  standard x86 version of
+             OpenProcess() function
+lpAddress  - base address of the memory region to free
+dwSize     - size (in bytes) of the memory region to free
+dwFreeType - type of free operation (MEM_RELEASE, MEM_DECOMMIT)
+
+--------------------------------------------------------------------------------
+
+BOOL VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, 
+                        DWORD flNewProtect, DWORD* lpflOldProtect);
+                        
+Behaviour  similar to  x86 version of  VirtualProtectEx64(), internally  it uses
+x64 version of NtProtectVirtualMemory() from NTDLL.                     
+
+hProcess       - handle  of  the  process,  can  be  obtained  by  standard  x86
+                 version of OpenProcess() function
+lpAddress      - base  address  of  the  memory region  that  will  have changed
+                 protection
+dwSize         - size (in  bytes) of  the memory  region that  will have changed
+                 protection
+flNewProtect   - the memory protection option (see MSDN)
+lpflOldProtect - pointer to the variable that receives old protection value
+
+--------------------------------------------------------------------------------
+
+BOOL ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, 
+                         LPVOID lpBuffer, SIZE_T nSize, 
+                         SIZE_T *lpNumberOfBytesRead);
+
+Behaviour similar to x86 version of  ReadProcessMemory(), internally it uses x64
+version of NtReadVirtualMemory() from NTDLL.
+
+hProcess            - handle of  the process,  can be  obtained by  standard x86
+                      version of OpenProcess() function
+lpBaseAddress       - base address of the region that will be read
+lpBuffer            - output memory buffer for the read data
+nSize               - number of bytes to be read
+lpNumberOfBytesRead - pointer to a variable that receives number of read bytes
+
+--------------------------------------------------------------------------------
+
+BOOL WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, 
+                          LPVOID lpBuffer, SIZE_T nSize, 
+                          SIZE_T *lpNumberOfBytesWritten);
+
+Behaviour similar to x86 version of WriteProcessMemory(), internally it uses x64
+version of NtWriteVirtualMemory() from NTDLL.
+
+hProcess            - handle of  the process,  can be  obtained by  standard x86
+                      version of OpenProcess() function
+lpBaseAddress       - base address of the region that will be written
+lpBuffer            - input memory buffer with the data to write
+nSize               - number of bytes that will be written
+lpNumberOfBytesRead - pointer to variable that receives number of written bytes
+
+--------------------------------------------------------------------------------
+
+BOOL GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);
+
+Behaviour similar to  x86 version of GetThreadContext(), internally  it uses x64
+version  of  NtGetContextThread()  from NTDLL.  Definition  of _CONTEXT64 can be
+found in wow64ext.h file.
+
+hThread             - handle of  the process,  can be  obtained by  standard x86
+                      version of OpenProcess() function
+lpContext           - A pointer to  a _CONTEXT64  structure  that  will  receive
+                      context data  from  specified  thread. Structure  will  be
+                      filled according to ContextFlags field.
+
+--------------------------------------------------------------------------------
+
+BOOL SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext);
+
+Behaviour  similar to x86 version of SetThreadContext(), internally  it uses x64
+version  of  NtSetContextThread()  from NTDLL.  Definition  of _CONTEXT64 can be
+found in wow64ext.h file.
+
+hThread             - handle of  the process,  can be  obtained by  standard x86
+                      version of OpenProcess() function
+lpContext           - A pointer to  a _CONTEXT64  structure  that  will be  used
+                      to  fill context  data in specified thread. Structure will
+                      use only fields defined by ContextFlags.
+
+--------------------------------------------------------------------------------

contrib/rewolf-wow64ext/doc/wow64ext.txt

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

contrib/rewolf-wow64ext/lgpl-3.0.txt

@@ -0,0 +1 @@
+cl /Zi /D "UNICODE" ../bin/wow64ext.lib main.cpp