BlackBone
Windows memory hacking library
 All Classes Functions
Wow64Subsystem.h
1 #pragma once
2 
3 #include "NativeSubsystem.h"
4 #include "Wow64Local.h"
5 
6 namespace blackbone
7 {
8 
9 class NativeWow64 : public Native
10 {
11 public:
12  BLACKBONE_API NativeWow64( HANDLE hProcess );
13  BLACKBONE_API ~NativeWow64();
14 
23  virtual NTSTATUS VirualAllocExT( ptr_t& lpAddress, size_t dwSize, DWORD flAllocationType, DWORD flProtect );
24 
32  virtual NTSTATUS VirualFreeExT( ptr_t lpAddress, size_t dwSize, DWORD dwFreeType );
33 
42  virtual NTSTATUS VirtualProtectExT( ptr_t lpAddress, DWORD64 dwSize, DWORD flProtect, DWORD* flOld );
43 
52  virtual NTSTATUS ReadProcessMemoryT( ptr_t lpBaseAddress, LPVOID lpBuffer, size_t nSize, DWORD64 *lpBytes = nullptr );
53 
62  virtual NTSTATUS WriteProcessMemoryT( ptr_t lpBaseAddress, LPCVOID lpBuffer, size_t nSize, DWORD64 *lpBytes = nullptr );
63 
70  virtual NTSTATUS VirtualQueryExT( ptr_t lpAddress, PMEMORY_BASIC_INFORMATION64 lpBuffer );
71 
78  virtual NTSTATUS VirtualQueryExT( ptr_t lpAddress, MEMORY_INFORMATION_CLASS infoClass, LPVOID lpBuffer, size_t bufSize );
79 
87  virtual NTSTATUS QueryProcessInfoT( PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize );
88 
96  virtual NTSTATUS SetProcessInfoT( PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize );
97 
106  virtual NTSTATUS CreateRemoteThreadT( HANDLE& hThread, ptr_t entry, ptr_t arg, CreateThreadFlags flags );
107 
114  virtual NTSTATUS GetThreadContextT( HANDLE hThread, _CONTEXT64& ctx );
115 
122  virtual NTSTATUS GetThreadContextT( HANDLE hThread, _CONTEXT32& ctx );
123 
130  virtual NTSTATUS SetThreadContextT( HANDLE hThread, _CONTEXT64& ctx );
131 
138  virtual NTSTATUS SetThreadContextT( HANDLE hThread, _CONTEXT32& ctx );
139 
145  virtual ptr_t getPEB( _PEB32* ppeb );
146 
152  virtual ptr_t getPEB( _PEB64* ppeb );
153 
159  virtual ptr_t getTEB( HANDLE hThread, _TEB32* pteb );
160 
166  virtual ptr_t getTEB( HANDLE hThread, _TEB64* pteb );
167 
168 private:
169  Wow64Local _local; // WOW64 helpers
170 };
171 
172 }
blackbone::NativeWow64::VirtualQueryExT
virtual NTSTATUS VirtualQueryExT(ptr_t lpAddress, PMEMORY_BASIC_INFORMATION64 lpBuffer)
Query virtual memory
Definition: Wow64Subsystem.cpp:67
blackbone::NativeWow64::ReadProcessMemoryT
virtual NTSTATUS ReadProcessMemoryT(ptr_t lpBaseAddress, LPVOID lpBuffer, size_t nSize, DWORD64 *lpBytes=nullptr)
Read virtual memory
Definition: Wow64Subsystem.cpp:112
blackbone::NativeWow64::VirtualProtectExT
virtual NTSTATUS VirtualProtectExT(ptr_t lpAddress, DWORD64 dwSize, DWORD flProtect, DWORD *flOld)
Change memory protection
Definition: Wow64Subsystem.cpp:95
blackbone::Native
Definition: NativeSubsystem.h:27
blackbone::NativeWow64::VirualAllocExT
virtual NTSTATUS VirualAllocExT(ptr_t &lpAddress, size_t dwSize, DWORD flAllocationType, DWORD flProtect)
Allocate virtual memory
Definition: Wow64Subsystem.cpp:32
blackbone::NativeWow64::getTEB
virtual ptr_t getTEB(HANDLE hThread, _TEB32 *pteb)
Get WOW64 TEB
Definition: Wow64Subsystem.cpp:325
blackbone::NativeWow64::WriteProcessMemoryT
virtual NTSTATUS WriteProcessMemoryT(ptr_t lpBaseAddress, LPCVOID lpBuffer, size_t nSize, DWORD64 *lpBytes=nullptr)
Write virtual memory
Definition: Wow64Subsystem.cpp:129
blackbone::_PEB_T
Definition: NativeStructures.h:163
blackbone::_TEB_T
Definition: NativeStructures.h:71
blackbone::NativeWow64::QueryProcessInfoT
virtual NTSTATUS QueryProcessInfoT(PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize)
Call NtQueryInformationProcess for underlying process
Definition: Wow64Subsystem.cpp:145
blackbone::NativeWow64::getPEB
virtual ptr_t getPEB(_PEB32 *ppeb)
Get WOW64 PEB
Definition: Wow64Subsystem.cpp:283
blackbone::NativeWow64::GetThreadContextT
virtual NTSTATUS GetThreadContextT(HANDLE hThread, _CONTEXT64 &ctx)
Get native thread context
Definition: Wow64Subsystem.cpp:233
blackbone::NativeWow64::CreateRemoteThreadT
virtual NTSTATUS CreateRemoteThreadT(HANDLE &hThread, ptr_t entry, ptr_t arg, CreateThreadFlags flags)
Creates new thread in the remote process
Definition: Wow64Subsystem.cpp:176
blackbone::NativeWow64::SetProcessInfoT
virtual NTSTATUS SetProcessInfoT(PROCESSINFOCLASS infoClass, LPVOID lpBuffer, uint32_t bufSize)
Call NtSetInformationProcess for underlying process
Definition: Wow64Subsystem.cpp:159
blackbone::NativeWow64::SetThreadContextT
virtual NTSTATUS SetThreadContextT(HANDLE hThread, _CONTEXT64 &ctx)
Set native thread context
Definition: Wow64Subsystem.cpp:269
blackbone::Wow64Local
WOW64-x64 interface
Definition: Wow64Local.h:17
blackbone::NativeWow64
Definition: Wow64Subsystem.h:9
blackbone::_CONTEXT_T< DWORD64 >
Definition: NativeStructures.h:442
blackbone
Definition: AsmHelper32.cpp:6
blackbone::_CONTEXT_T< DWORD >
Definition: NativeStructures.h:412
blackbone::NativeWow64::VirualFreeExT
virtual NTSTATUS VirualFreeExT(ptr_t lpAddress, size_t dwSize, DWORD dwFreeType)
Free virtual memory
Definition: Wow64Subsystem.cpp:49