ntdll.dll dynamic linking

I am trying to get the image base address of a process I have just loaded into memory.
For that I have to dynamically link ntdll using LoadLibrary and use GetProcAddress to get to the function NtWow64QueryInformationProcess64 (for 64-bit) or NtQueryInformationProcess (for 32-bit). In 32-bit it is working just fine, but in 64-bit mode GetProcAddress returns NULL. Here is the code. Thanks.

  // Signature of the ntdll export that main() tries to resolve with GetProcAddress.
// Per the thread's conclusion, this export is not present on the poster's system and
// NtQueryInformationProcess was used instead. Parameter names are omitted: only the
// argument types and the WINAPI calling convention matter for the pointer type.
typedef NTSTATUS (WINAPI *pfnNtWow64QueryInformationProcess64)(
    HANDLE,    // ProcessHandle
    UINT32,    // ProcessInformationClass
    PVOID,     // ProcessInformation - caller-supplied output buffer
    UINT32,    // ProcessInformationLength - size of that buffer, in bytes
    UINT32 *   // ReturnLength
);

// Resolved at run time in main(); as a static-storage object it is NULL until
// GetProcAddress assigns it, which main() checks before use.
pfnNtWow64QueryInformationProcess64 gNtQueryInformationProcess64;

// Image launched by CreateProcessW in main(). The path has no directory component,
// so (per CreateProcessW's lpApplicationName rules) it is presumably resolved against
// the current directory at run time rather than a fixed location.
wchar_t pName[] = L"1-64bit-practiceApp.exe";

int main()
{
    //create destination process - this is the process to be hollowed out
    LPSTARTUPINFO si = new STARTUPINFO();
    LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();
    PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION();    // 32-64
    DWORD returnLength = 0;
    //wchar_t pName[] = { L"1-32bit-practiceApp.exe"};   //LPTSTR name = _tcsdup(TEXT("C:\\Windows\\Notepad.exe"));



    if (!CreateProcessW(pName, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi))
    {
        MessageBox(NULL, L"failed to create process", L"error", MB_OK | MB_TOPMOST);
        return 0;
    }
    HANDLE destProcess = pi->hProcess;


    //dynamic linking of ntdll.dll
    /*HMODULE hNtDll = LoadLibrary(L"C:\\Users\\bhara\\Desktop\\ntdll.dll");
    if (hNtDll == NULL)
    {
        MessageBox(NULL, L"failed to load ntdll.dll", L"error", MB_OK | MB_TOPMOST);
        return 0;
    }*/

    HMODULE NtdllModule = GetModuleHandle(L"ntdll.dll");
    if (NtdllModule == NULL)
    {
        MessageBox(NULL, L"failed to load ntdll.dll", L"error", MB_OK | MB_TOPMOST);
        return 0;
    }
    gNtQueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");


    /*gNtQueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(hNtDll, "NtWow64QueryInformationProcess64"); */   //for 64 bit - NtWow64QueryInformationProcess64().   32 bit-  NtQueryInformationProcess
    if (gNtQueryInformationProcess64 == NULL)
    {
        MessageBox(NULL, L"failed to get procaddress for NtQueryInformationProcess", L"error", MB_OK | MB_TOPMOST);
        return 0;
    }
> gNtQueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");
You've got L"" everywhere else, why not here?

GetProcAddress() does not take a wide string, even when Unicode is the project's character set.
NtWow64QueryInformationProcess64 does not seem to exist. It is not even documented (anymore?).

See this:

https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess


ProcessWow64Information
26

Determines whether the process is running in the WOW64 environment (WOW64 is the x86 emulator that allows Win32-based applications to run on 64-bit Windows).

Use the IsWow64Process2 function to obtain this information.
So it looks like NtQueryInformationProcess() suffices, maybe in combination with IsWow64Process2().
Yeah, I figured it out: it turns out NtWow64QueryInformationProcess64 is no longer available, and NtQueryInformationProcess() works for both the 32-bit and 64-bit architectures.
In 64-bit you have to declare a new PROCESS_BASIC_INFORMATION64 struct and pass its pointer to the NtQueryInformationProcess function, like this:

// 64-bit layout of the ProcessBasicInformation record, used below as the output
// buffer for NtQueryInformationProcess(..., ProcessBasicInformation, ...) when the
// target is a 64-bit process. The fields add up to 48 bytes (4+4+8+8+4+4+8+8).
// The system fills this buffer directly, so the length passed alongside it must
// describe this struct exactly; a mismatch is a memory-safety bug on the caller's side.
// NOTE(review): worth pinning with a static_assert on sizeof == 48 to catch layout drift.
typedef struct _PROCESS_BASIC_INFORMATION64
{
    NTSTATUS ExitStatus;
    UINT32 Reserved0;                    // presumably alignment padding ahead of the 8-byte fields
    UINT64 PebBaseAddress;               // pointer-sized as seen by the 64-bit target
    UINT64 AffinityMask;
    UINT32 BasePriority;
    UINT32 Reserved1;                    // presumably alignment padding
    UINT64 UniqueProcessId;
    UINT64 InheritdFromUniqueProcessId;  // sic - misspelled in the original; kept as-is since code may reference it
} PROCESS_BASIC_INFORMATION64;

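// Output buffer for the ProcessBasicInformation query. Value-initialized (the
// trailing "()") so the fields are zero rather than indeterminate if the call fails
// to fill them, matching how main() allocates its other structures.
PROCESS_BASIC_INFORMATION64* pbi64 = new PROCESS_BASIC_INFORMATION64();

// The length argument must describe the buffer actually passed: sizeof *pbi64, not
// sizeof(PROCESS_BASIC_INFORMATION), whose size depends on the build's pointer width.
// dwStatus must be checked with NT_SUCCESS() before any field of *pbi64 is trusted.
NTSTATUS dwStatus = gNtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi64, sizeof *pbi64, &returnLength);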


thanks coder777
You are welcome