
This thread explains how to get the Wow64DisableWow64FsRedirection function to work on both 32-bit and 64-bit systems: Wow64DisableWow64FsRedirection on 32-bit Windows XP

However, they do not seem to Revert after having disabled the Wow64.

Normally, the code is:

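```cpp
PVOID pOldValue = NULL;
// Disable file system redirection for this thread and save the previous state
Wow64DisableWow64FsRedirection(&pOldValue);
std::string path = "C:/Windows/system32/prog.exe";
ShellExecuteA(NULL, ("open"), LPCSTR(path.c_str()), NULL, NULL, SW_SHOWNORMAL);
// Restore the saved redirection state
Wow64RevertWow64FsRedirection(pOldValue);
```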

However, with the code shown in the other thread, there is no "Revert":

```cpp
typedef BOOL WINAPI fntype_Wow64DisableWow64FsRedirection(PVOID *OldValue);
auto pfnWow64DisableWow64FsRedirection = (fntype_Wow64DisableWow64FsRedirection*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");

if (pfnWow64DisableWow64FsRedirection) {
    // function found, call it via pointer
    PVOID arg;
    (*pfnWow64DisableWow64FsRedirection)(&arg);
    std::string path = "C:/Windows/system32/prog.exe";
    ShellExecuteA(NULL, ("open"), LPCSTR(path.c_str()), NULL, NULL, SW_SHOWNORMAL);
}
```

I think I should do the following, but I'm not sure with all the * and &:

```cpp
typedef BOOL WINAPI fntype_Wow64DisableWow64FsRedirection(PVOID *OldValue);
auto pfnWow64DisableWow64FsRedirection = (fntype_Wow64DisableWow64FsRedirection*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64DisableWow64FsRedirection");

typedef BOOL WINAPI fntype_Wow64RevertWow64FsRedirection(PVOID OldValue);
auto pfnWow64RevertWow64FsRedirection = (fntype_Wow64RevertWow64FsRedirection*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "Wow64RevertWow64FsRedirection");

if (pfnWow64DisableWow64FsRedirection)
{
    // function found, call it via pointer
    PVOID arg;
    (*pfnWow64DisableWow64FsRedirection)(&arg);
    std::string path = "C:/Windows/system32/prog.exe";
    ShellExecuteA(NULL, ("open"), LPCSTR(path.c_str()), NULL, NULL, SW_SHOWNORMAL);
    // hand the saved value back to restore redirection
    (*pfnWow64RevertWow64FsRedirection)(arg);
}
```

Thank you very much,

Alex

alecs26
  • Use `LoadLibrary`, then `GetProcAddress` to get the address of `Wow64DisableWow64FsRedirection`. This will work on Windows 10, and fail to get the address on Windows XP. You will need to remove all automatically imported calls to `Wow64DisableWow64FsRedirection` for this method to work. – Richard Critten Apr 09 '17 at 22:54

1 Answer

You must detect at run time whether the function is available or not.

This can be done by getting the function's address by calling LoadLibrary + GetProcAddress. Normally delay loading would be an alternative, but it is not supported on kernel32.dll.

```cpp
typedef BOOL (WINAPI*W64DW64FR)(PVOID *OldValue);
// Resolve the function at run time; the pointer is NULL where the export is missing
W64DW64FR w64dw64fr = (W64DW64FR) GetProcAddress(LoadLibraryA("kernel32"), "Wow64DisableWow64FsRedirection");

if (w64dw64fr)
{
    PVOID old;
    w64dw64fr(&old);
}
```
Anders
  • Thank you very much for your answer. Following suggestions from other people, I edited the question since the answer is already in another thread (I tried that one before but a mistake I made elsewhere in the code made me think it did not work). However, with your answer and their answer, there's no "Revert" after the "Disable". Shouldn't I include a "Revert"? I'm not sure how to do it right. I included more details in the question. Thanks! Alex – alecs26 Apr 10 '17 at 12:21
  • Yes you most likely should revert. – Anders Apr 10 '17 at 12:52
  • Thank you. And do you think the way I do it in the question is right? I'm not sure with all the * and & ... Thanks again! – alecs26 Apr 10 '17 at 12:59
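
An added example, not part of the thread or either poster's code: one way to guarantee the Revert discussed above is a small RAII guard that takes the two dynamically resolved function pointers, disables redirection only when both exist and the call succeeds, and passes the saved value back on scope exit. `FsRedirectionGuard`, `DisableFn` and `RevertFn` are hypothetical names, and the non-Windows typedefs are constructed stand-ins so the guard logic also compiles off Windows.

```cpp
#ifdef _WIN32
#include <windows.h>
#else  // constructed stand-ins (assumption) so the guard compiles off Windows
typedef void* PVOID;
typedef int BOOL;
#define WINAPI
#endif

typedef BOOL (WINAPI *DisableFn)(PVOID* OldValue);  // takes the ADDRESS of the slot
typedef BOOL (WINAPI *RevertFn)(PVOID OldValue);    // takes the saved VALUE itself

// Hypothetical RAII guard: disables redirection for the current thread and
// hands the saved value back to the revert function when the scope ends,
// including on early return or exception.
class FsRedirectionGuard {
    RevertFn revert_;
    PVOID old_ = nullptr;
    bool active_ = false;
public:
    FsRedirectionGuard(DisableFn disable, RevertFn revert) : revert_(revert) {
        // Both exports must have been found (GetProcAddress returns NULL where
        // they are missing) and Disable must report success; otherwise old_
        // holds nothing meaningful and must never be passed to Revert.
        if (disable && revert) active_ = disable(&old_) != 0;
    }
    ~FsRedirectionGuard() { if (active_) revert_(old_); }
    FsRedirectionGuard(const FsRedirectionGuard&) = delete;
    FsRedirectionGuard& operator=(const FsRedirectionGuard&) = delete;
    bool active() const { return active_; }
};

#ifdef _WIN32
int main() {
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    auto dis = (DisableFn)GetProcAddress(k32, "Wow64DisableWow64FsRedirection");
    auto rev = (RevertFn)GetProcAddress(k32, "Wow64RevertWow64FsRedirection");
    {
        FsRedirectionGuard guard(dis, rev);
        ShellExecuteA(NULL, "open", "C:/Windows/system32/prog.exe", NULL, NULL, SW_SHOWNORMAL);
    }   // redirection is restored here if it was disabled
    return 0;
}
#endif
```

Redirection is a per-thread setting that affects every file operation on that thread, including DLL loads, so keep the guarded scope as small as possible.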