Missing function ZwWow64IsProcessorFeaturePresent (WOW64-only) #25

Open
mrexodia opened this issue Feb 26, 2023 · 6 comments

Comments

@mrexodia
Contributor

According to my research:

```c
NTSYSCALLAPI
BOOLEAN
NTAPI
ZwWow64IsProcessorFeaturePresent(
    _In_ ULONG ProcessorFeature
    );
```

@mrexodia
Contributor Author

mrexodia commented Feb 26, 2023

A bunch of other ZwWow64* functions also appear to be missing. I’ll try to gather a complete list. Should I contribute here or at the System Informer repo?

@dmex
Member

dmex commented Feb 26, 2023

> ZwWow64* functions also appear to be missing

There are no functions named ZwWow64 in ntdll or ntoskrnl? A quick search for wow in the export table shows only RtlWow exists:

image

@mrexodia
Contributor Author

They are only present in the 32-bit ntdll.dll on a WOW64 system. Not exactly sure what code they execute in the kernel, but they have a syscall number.

@mrexodia
Contributor Author

image

image

Windows 10 22H2 19045.2604

@dmex
Member

dmex commented Feb 27, 2023

> Not exactly sure what code they execute in the kernel, but they have a syscall number.

I don't see any syscalls for these functions in IDA. They're just calling Wow64Transition and the 64-bit ntdll?

@mrexodia
Contributor Author

I see, they are implemented directly in wow64.dll. Would still be nice to have their prototypes somewhere though.
