
The MSDN page for MEMORY_BASIC_INFORMATION points out in the remarks section that MEMORY_BASIC_INFORMATION32 and MEMORY_BASIC_INFORMATION64 should be specified in situations where the target process is running on a different architecture than the querying program (when using VirtualQueryEx). I also found some SO posts which pointed this out in their answers to related questions. I discovered though that the version of MEMORY_BASIC_INFORMATION I was being passed by VirtualQueryEx was the same as the architecture of my program, despite that of the target. I want to make sure I am parsing the information from VirtualQueryEx correctly. Do I really need to specify the version of MEMORY_BASIC_INFORMATION I am using to match the architecture of the target? If so, why is VirtualQueryEx returning only the version of my program's architecture, and how can I get around that?

  • This can be used only in the case when the debugging process runs on a different computer. When both processes run on the same computer (with the same kernel), this is useless. A native process can always use `MEMORY_BASIC_INFORMATION` as is, and a WOW64 process can query only another WOW64 process. – RbMm Mar 24 '20 at 18:52
  • Ok, that makes sense. So if I want to get info about both 32-bit and 64-bit processes on my computer, will I have to compile separate programs? – kansas_bulldog382 Mar 24 '20 at 18:57
  • No, you are mistaken. To get info only from the same computer, always use only `MEMORY_BASIC_INFORMATION` as is. A native process always gets correct info about any process (both 32- and 64-bit). A WOW64 process can query only 32-bit processes anyway. – RbMm Mar 24 '20 at 19:19
  • Ok, I think I understand now. So long as my debugger is native, I can safely use the default MEMORY_BASIC_INFORMATION with either native or WOW64 targets. Is that correct? – kansas_bulldog382 Mar 24 '20 at 19:25
  • Yes. Really, a debugger always must be native (so always 64-bit on 64-bit Windows). And a 64-bit process always gets correct info inside `MEMORY_BASIC_INFORMATION` from 32- and 64-bit processes. – RbMm Mar 24 '20 at 19:27
  • Excellent! Thank you! – kansas_bulldog382 Mar 24 '20 at 19:28

1 Answer

-1

In my experience, the best solution is to use the regular macro MEMORY_BASIC_INFORMATION and to build separate executables for x86 and x64. In addition, use a macro for all addresses, offsets and pointers that resolves to the correct size depending on what architecture you build for. Then use the corresponding executable based on the target process's architecture. This will lead to the least amount of headache.

In this case, if you use MEMORY_BASIC_INFORMATION from an x64 process and target an x86 or x64 process, it should work fine. But I wouldn't assume this to work with all structures and Windows API functions, as that will only get you in trouble down the road, which is why I recommend the above method.

GuidedHacking
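The conclusion of the comment thread and the answer put into code, as an added example that is not from the asker, RbMm or GuidedHacking: the struct is declared with the querying process's own pointer width, both sides are checked with IsWow64Process so a WOW64 querier does not attempt a native 64-bit target, and the target's regions are walked with VirtualQueryEx. The Win32 API names and constants are real; `can_query_locally`, `native_mbi_size` and `walk_regions` are this example's own names, and the walk itself only runs on Windows.

```python
import ctypes

# MEMORY_BASIC_INFORMATION with the querying process's own pointer width: VirtualQueryEx
# fills the caller's native layout, so one local definition is enough (28 bytes on x86,
# 48 on x64); the *32/*64 variants are for describing a machine of another bitness.
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]

def native_mbi_size() -> int:
    # Follows the build's pointer size, which is exactly what the thread relies on.
    return ctypes.sizeof(MEMORY_BASIC_INFORMATION)

def can_query_locally(self_is_wow64: bool, target_is_wow64: bool) -> bool:
    """Rule from the comments: a native querier handles any local target; a WOW64
    (32-bit) querier only gets a meaningful map from another WOW64 process."""
    return (not self_is_wow64) or target_is_wow64

def walk_regions(pid: int):
    """Enumerate a target's regions with the native struct. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.IsWow64Process.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)  # QUERY_INFORMATION | VM_READ
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    me, tgt = ctypes.c_int(0), ctypes.c_int(0)
    k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(me))
    k32.IsWow64Process(h, ctypes.byref(tgt))
    if not can_query_locally(bool(me.value), bool(tgt.value)):
        k32.CloseHandle(h)
        raise RuntimeError("WOW64 querier cannot map a native 64-bit target; use a native build")
    mbi, addr, regions = MEMORY_BASIC_INFORMATION(), 0, []
    while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0  # c_void_p reads back as None for NULL
        regions.append((base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
        addr = base + mbi.RegionSize  # next region; the call returns 0 past user space
    k32.CloseHandle(h)
    return regions
```

`walk_regions` returns one tuple per region; the State, Protect and Type fields are the plain DWORD values documented for the struct, so existing parsing code can consume them unchanged.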