hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Problem with VirtualQueryEx #120

Closed. helloobaby closed this issue 10 months ago.

helloobaby commented 10 months ago

If compiled for an x86 platform and run on a 64-bit host operating system, it seems that only the working set of a 32-bit process can be correctly enumerated. And it seems that, using VirtualQueryEx, it is not possible to completely enumerate the working set of a 64-bit process from a 32-bit process.

helloobaby commented 10 months ago

You have to use VirtualQueryEx64.

hasherezade commented 10 months ago

@helloobaby - yeah, using VirtualQueryEx64 would help, but it is not an official Windows API; it is a custom extension library, wowext64, so I decided not to use it here. I just recommend using the 64-bit version of PE-sieve on a 64-bit system.
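The limitation discussed in this thread, as an added illustration that is not PE-sieve's own code: a PowerShell script that walks a target process's address space with plain VirtualQueryEx, the same API the scanner uses, and reports how far the walk gets. Run from a 32-bit PowerShell host (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) against a 64-bit process, the walk cannot advance past 0xFFFFFFFF because the address argument is a 32-bit pointer, so every region above 4 GB (64-bit modules, heaps, injected code) is invisible; the same script run from 64-bit PowerShell reaches the top of the user address space. The script also compares the bitness of scanner and target, which is the check behind the recommendation to use the 64-bit build. The helper class `Mem` and its methods `Query`, `ToU64` and `TryFromU64` are mine, and `pe-sieve32.exe`/`pe-sieve64.exe` are assumed to be the names of the two PE-sieve builds.

```powershell
param([Parameter(Mandatory = $true)][int]$TargetPid)

# Minimal P/Invoke surface (helper class written for this example).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Mem
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsWow64Process(IntPtr h, out bool wow64);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UIntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);

    // Returns false once VirtualQueryEx reports nothing (0) for the address, i.e. past the last region.
    public static bool Query(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi)
    {
        UIntPtr len = new UIntPtr((uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        return VirtualQueryEx(h, addr, out mbi, len) != UIntPtr.Zero;
    }
    // IntPtr -> unsigned 64-bit, without the sign extension IntPtr.ToInt64() applies in a 32-bit process.
    public static ulong ToU64(IntPtr p)
    {
        long v = p.ToInt64();
        return IntPtr.Size == 4 ? ((ulong)v & 0xFFFFFFFFUL) : (ulong)v;
    }
    // False when the address does not fit a pointer of this process's width:
    // a 32-bit scanner has run out of addressable target space.
    public static bool TryFromU64(ulong v, out IntPtr p)
    {
        if (IntPtr.Size == 4) {
            if (v > 0xFFFFFFFFUL) { p = IntPtr.Zero; return false; }
            p = new IntPtr(unchecked((int)(uint)v));
        } else {
            p = new IntPtr(unchecked((long)v));
        }
        return true;
    }
}
"@

$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$MEM_COMMIT                = 0x1000

$h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, [uint32]$TargetPid)
if ($h -eq [IntPtr]::Zero) {
    throw ("OpenProcess({0}) failed, Win32 error {1}" -f $TargetPid, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}
try {
    # Bitness of the target: a 64-bit process on a 64-bit OS is the one a 32-bit scanner cannot cover.
    $wow64 = $false
    [void][Mem]::IsWow64Process($h, [ref]$wow64)
    $target64  = [Environment]::Is64BitOperatingSystem -and -not $wow64
    $scanner64 = [Environment]::Is64BitProcess

    # Walk the regions exactly as a VirtualQueryEx-based scanner would: base + RegionSize -> next query.
    $addr = [IntPtr]::Zero; $regions = 0; $committed = 0; $highest = [uint64]0
    while ($true) {
        $mbi = New-Object Mem+MEMORY_BASIC_INFORMATION
        if (-not [Mem]::Query($h, $addr, [ref]$mbi)) { break }
        $regions++
        if ($mbi.State -eq $MEM_COMMIT) { $committed++ }
        $end = [Mem]::ToU64($mbi.BaseAddress) + [Mem]::ToU64($mbi.RegionSize)
        if ($end -le [Mem]::ToU64($addr)) { break }          # no forward progress (truncated size): stop, don't spin
        $highest = $end
        $next = [IntPtr]::Zero
        if (-not [Mem]::TryFromU64($end, [ref]$next)) { break }  # 32-bit scanner: next region lies beyond 4 GB
        $addr = $next
    }
} finally {
    [void][Mem]::CloseHandle($h)
}

$scannerBits = if ($scanner64) { 64 } else { 32 }
$targetBits  = if ($target64)  { 64 } else { 32 }
"Scanner: {0}-bit   Target: {1}-bit" -f $scannerBits, $targetBits
"Regions walked: {0} ({1} committed), highest address reached: 0x{2:X}" -f $regions, $committed, $highest
if ($target64 -and -not $scanner64) {
    Write-Warning "32-bit scanner on a 64-bit target: nothing above 0xFFFFFFFF was enumerated; implants there go unseen."
}
$build = if ($target64) { 'pe-sieve64.exe' } else { 'pe-sieve32.exe' }   # assumed build names
"Matching PE-sieve build for this target: $build /pid $TargetPid"
```

Usage: `.\walk-regions.ps1 -TargetPid 1234` (assumed file name). Compare the "highest address reached" line from the two PowerShell hosts against the same 64-bit PID: the 32-bit host stops below 0x100000000, the 64-bit host reaches the 0x7FF... range, which is the gap the thread describes and the reason to match the scanner's bitness to the target rather than work around VirtualQueryEx.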