A 32-bit program running under WOW64 can do almost everything a 64-bit program can: inject from 32-bit into 64-bit processes, enumerate the modules of a 64-bit process, hook 64-bit modules, call 64-bit APIs, and so on.
The reason is that WOW64 is not real virtualization, only a thin compatibility layer. A WOW64 process is a genuine 64-bit process: it has a 64-bit address space, the 64-bit ntdll.dll mapped next to the 32-bit one, and a 64-bit PEB and TEB alongside the 32-bit copies. Its 32-bit code is merely translated at the system-call boundary by wow64.dll, wow64cpu.dll and wow64win.dll. The process just believes it is 32-bit.
As in The Matrix: once you realize this, you can go beyond what you thought was impossible.
Concretely, the 32-bit ntdll.dll under WOW64 exports the NtWow64*/ZwWow64* thunks listed below, which accept 64-bit handles, addresses and lengths and pass them straight through to the 64-bit side. Each line maps a public export name to its stdcall-decorated symbol; the @N suffix is the number of argument bytes on the stack, which is why a 5-argument function such as NtWow64ReadVirtualMemory64 ends in @28 rather than @20 (its BaseAddress and BufferSize parameters are 8-byte ULONG64 values). Two points a practitioner should keep in mind: user-mode hooks placed on the ordinary 32-bit exports (NtReadVirtualMemory, NtWriteVirtualMemory, ...) never see calls made through these thunks, and 32-bit code can also switch to 64-bit mode directly with a far jump to code segment 0x33 (the "Heaven's Gate" technique), which bypasses the 32-bit ntdll entirely.
RtlGetNativeSystemInformation = _NtWow64GetNativeSystemInformation@16
RtlQueueApcWow64Thread = _RtlQueueApcWow64Thread@20
RtlWow64CallFunction64 = _RtlWow64CallFunction64@28
RtlWow64EnableFsRedirection = _RtlWow64EnableFsRedirection@4
RtlWow64EnableFsRedirectionEx = _RtlWow64EnableFsRedirectionEx@8
RtlWow64LogMessageInEventLogger = _RtlWow64LogMessageInEventLogger@12
ZwWow64CallFunction64 = _ZwWow64CallFunction64@28
ZwWow64CsrAllocateCaptureBuffer = _NtWow64CsrAllocateCaptureBuffer@8
ZwWow64CsrAllocateMessagePointer = _ZwWow64CsrAllocateMessagePointer@12
ZwWow64CsrCaptureMessageBuffer = _ZwWow64CsrCaptureMessageBuffer@16
ZwWow64CsrCaptureMessageString = _NtWow64CsrCaptureMessageString@20
ZwWow64CsrClientCallServer = _ZwWow64CsrClientCallServer@16
ZwWow64CsrClientConnectToServer = _ZwWow64CsrClientConnectToServer@20
ZwWow64CsrFreeCaptureBuffer = _NtWow64CsrFreeCaptureBuffer@4
ZwWow64CsrGetProcessId = _NtWow64CsrGetProcessId@0
ZwWow64CsrIdentifyAlertableThread = _ZwWow64CsrIdentifyAlertableThread@0
ZwWow64CsrVerifyRegion = _NtWow64CsrVerifyRegion@8
ZwWow64DebuggerCall = _ZwWow64DebuggerCall@20
ZwWow64GetCurrentProcessorNumberEx = _NtWow64GetCurrentProcessorNumberEx@4
ZwWow64GetNativeSystemInformation = _NtWow64GetNativeSystemInformation@16
ZwWow64InterlockedPopEntrySList = _NtWow64InterlockedPopEntrySList@4
ZwWow64QueryInformationProcess64 = _NtWow64QueryInformationProcess64@20
ZwWow64QueryVirtualMemory64 = _ZwWow64QueryVirtualMemory64@32
ZwWow64ReadVirtualMemory64 = _ZwWow64ReadVirtualMemory64@28
ZwWow64WriteVirtualMemory64 = _NtWow64WriteVirtualMemory64@28
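As a worked example of what the list above enables (added here; this is not code from the original post), the following C program enumerates the modules of a 64-bit process from a 32-bit WOW64 process by resolving NtWow64QueryInformationProcess64 and NtWow64ReadVirtualMemory64 from the 32-bit ntdll.dll, reading the target's 64-bit PEB, and walking PEB_LDR_DATA64.InMemoryOrderModuleList. The list walk is written against a "read from a 64-bit address space" callback, so the same code is also exercised offline over a constructed snapshot of a fake 64-bit address space (all addresses, module names and sizes in that snapshot are made up). The PROCESS_BASIC_INFORMATION64 layout, the structure offsets and the prototypes of the two thunks are the public 64-bit definitions; the program name wow64mods is an assumption.

```c
/* Added example, not code from the original post: enumerate the modules of a 64-bit
 * process from a 32-bit WOW64 process through the ntdll exports
 * NtWow64QueryInformationProcess64 and NtWow64ReadVirtualMemory64. The list walk
 * takes its memory reader as a callback so it also runs offline over a constructed
 * snapshot (the self-test below). Assumes a little-endian host, as the raw layout does. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field offsets in the public 64-bit layouts (PEB64, PEB_LDR_DATA64, LDR_DATA_TABLE_ENTRY64). */
#define PEB64_LDR          0x18
#define LDR64_INMEMORDER   0x20  /* LIST_ENTRY64 InMemoryOrderModuleList (Flink@0, Blink@8) */
#define LDTE64_INMEMORDER  0x10  /* LIST_ENTRY64 InMemoryOrderLinks */
#define LDTE64_DLLBASE     0x30
#define LDTE64_SIZEOFIMAGE 0x40
#define LDTE64_BASEDLLNAME 0x58  /* UNICODE_STRING64: Length@0 (bytes), Buffer@8 */

typedef int (*read64_fn)(void *ctx, uint64_t addr, void *buf, uint32_t len); /* 0 = ok */
typedef struct { uint64_t base; uint32_t size; char name[32]; } module64_t;

/* Walk PEB64->Ldr->InMemoryOrderModuleList. Returns the module count, or -1 on a failed read. */
int enum_modules64(read64_fn rd, void *ctx, uint64_t peb64, module64_t *out, int max)
{
    uint64_t ldr, head, link;
    int n = 0;
    if (rd(ctx, peb64 + PEB64_LDR, &ldr, 8)) return -1;
    head = ldr + LDR64_INMEMORDER;
    if (rd(ctx, head, &link, 8)) return -1;                  /* head.Flink */
    while (link != head && n < max) {                        /* circular list; max bounds the loop */
        uint64_t e = link - LDTE64_INMEMORDER;               /* CONTAINING_RECORD */
        uint64_t nbuf; uint16_t nlen, wc[32]; int i;
        if (rd(ctx, e + LDTE64_DLLBASE, &out[n].base, 8) ||
            rd(ctx, e + LDTE64_SIZEOFIMAGE, &out[n].size, 4) ||
            rd(ctx, e + LDTE64_BASEDLLNAME, &nlen, 2) ||
            rd(ctx, e + LDTE64_BASEDLLNAME + 8, &nbuf, 8)) return -1;
        if (nlen > sizeof wc - 2) nlen = sizeof wc - 2;      /* clamp; Length is in bytes */
        if (rd(ctx, nbuf, wc, nlen)) return -1;
        for (i = 0; i < nlen / 2; i++)                       /* narrow UTF-16LE; module names are ASCII */
            out[n].name[i] = wc[i] < 0x80 ? (char)wc[i] : '?';
        out[n].name[i] = '\0';
        if (rd(ctx, link, &link, 8)) return -1;              /* entry.InMemoryOrderLinks.Flink */
        n++;
    }
    return n;
}

/* Offline self-test: a constructed (fake) snapshot of a 64-bit address space holding a PEB,
 * a PEB_LDR_DATA and two LDR_DATA_TABLE_ENTRY records at made-up addresses. */
#define SNAP_BASE 0x00007FFD12340000ULL
static uint8_t snap[0x480];
static void put(uint32_t off, uint64_t v, int n) { while (n--) { snap[off++] = (uint8_t)v; v >>= 8; } }
static void put_wstr(uint32_t off, const char *s) { while (*s) { snap[off] = (uint8_t)*s++; off += 2; } }
static int snap_read64(void *ctx, uint64_t addr, void *buf, uint32_t len)
{
    (void)ctx;
    if (addr < SNAP_BASE || addr - SNAP_BASE + len > sizeof snap) return -1;  /* outside snapshot */
    memcpy(buf, snap + (addr - SNAP_BASE), len);
    return 0;
}
int snapshot_enum(module64_t *out, int max)
{
    memset(snap, 0, sizeof snap);
    put(0x018, SNAP_BASE + 0x100, 8);                                   /* PEB64.Ldr */
    put(0x120, SNAP_BASE + 0x210, 8); put(0x128, SNAP_BASE + 0x310, 8); /* head: Flink->A, Blink->B */
    put(0x210, SNAP_BASE + 0x310, 8); put(0x218, SNAP_BASE + 0x120, 8); /* A links: ->B, ->head */
    put(0x230, 0x00007FF6A0000000ULL, 8); put(0x240, 0x1000, 4);        /* A: DllBase, SizeOfImage */
    put(0x258, 16, 2); put(0x25A, 18, 2); put(0x260, SNAP_BASE + 0x400, 8); put_wstr(0x400, "demo.exe");
    put(0x310, SNAP_BASE + 0x120, 8); put(0x318, SNAP_BASE + 0x210, 8); /* B links: ->head, ->A */
    put(0x330, 0x00007FFD00000000ULL, 8); put(0x340, 0x1F0000, 4);      /* B: DllBase, SizeOfImage */
    put(0x358, 18, 2); put(0x35A, 20, 2); put(0x360, SNAP_BASE + 0x440, 8); put_wstr(0x440, "ntdll.dll");
    return enum_modules64(snap_read64, NULL, SNAP_BASE, out, max);
}
const module64_t *snapshot_module(int i)   /* i-th module of the snapshot, NULL past the end */
{ static module64_t m[8]; int n = snapshot_enum(m, 8); return (i >= 0 && i < n) ? &m[i] : NULL; }

#ifdef _WIN32   /* the real thing: build as a 32-bit binary and run it under WOW64 */
#include <windows.h>
typedef LONG (NTAPI *QIP64_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef LONG (NTAPI *RVM64_t)(HANDLE, ULONGLONG, PVOID, ULONGLONG, PULONGLONG);
typedef struct { LONG ExitStatus; ULONG Pad0; ULONGLONG PebBaseAddress, AffinityMask;
                 LONG BasePriority; ULONG Pad1; ULONGLONG UniqueProcessId, ParentProcessId; } PBI64;
static RVM64_t g_rvm64;
static int nt_read64(void *h, uint64_t addr, void *buf, uint32_t len)
{ ULONGLONG got = 0; return (g_rvm64((HANDLE)h, addr, buf, len, &got) >= 0 && got == len) ? 0 : -1; }
int main(int argc, char **argv)   /* usage: wow64mods <pid of a 64-bit process> */
{
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    QIP64_t qip64 = (QIP64_t)GetProcAddress(nt, "NtWow64QueryInformationProcess64");
    module64_t mods[256]; PBI64 pbi; ULONG ret; HANDLE h; int i, n;
    g_rvm64 = (RVM64_t)GetProcAddress(nt, "NtWow64ReadVirtualMemory64");
    if (argc < 2 || !qip64 || !g_rvm64) { fputs("needs a pid and a 32-bit build under WOW64\n", stderr); return 1; }
    h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)atoi(argv[1]));
    if (!h || qip64(h, 0 /* ProcessBasicInformation */, &pbi, sizeof pbi, &ret) < 0) return 1;
    n = enum_modules64(nt_read64, h, pbi.PebBaseAddress, mods, 256);
    for (i = 0; i < n; i++) printf("%016llx %08x %s\n", mods[i].base, mods[i].size, mods[i].name);
    return n < 0;
}
#endif
```

The GetProcAddress lookups fail in a native 64-bit build (the 64-bit ntdll has no NtWow64* exports) and in a 32-bit build on a 32-bit Windows, which is the quick check that you really are running under WOW64. PROCESS_BASIC_INFORMATION is queried through the 64-bit variant because its fields are 8 bytes wide in the 64-bit process; using the 32-bit NtQueryInformationProcess would return the 32-bit PEB address of a WOW64 target and nothing useful for a native 64-bit one.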