is_64_bit potentionally incorrect

srounet / Pymem

A python library for windows, providing the needed functions to start working on your own with memory editing.

MIT License

303 stars 45 forks source link

is_64_bit potentionally incorrect #113

Closed StarrFox closed 7 months ago

StarrFox commented 8 months ago

I believe the is_64_bit function which checks the wow64 status of the process might be incorrect https://github.com/srounet/Pymem/blob/4d8380c2e095461783f3f5f214843c40d2ea7684/pymem/process.py#L435-L450

based on https://learn.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process#parameters I'm thinking that returning a True here is for 32 bit processes instead of 64 bit processes as the function name suggests

is this the case?

StarrFox commented 8 months ago

this currently causes an issue with the resolve_offsets method which uses it to check the bitness of the process, looking at the iswow64process docs I don't think this is effective enough since for example if the OS is 32 bit then wow64 will be false in those cases also

so perhaps a fixed version of is_64_bit would include the bitness of the OS in it's logic

StarrFox commented 8 months ago

I think this would work

import platform

def is_wow64(handle): 
    Wow64Process = ctypes.c_long() 
    pymem.ressources.kernel32.IsWow64Process(handle, ctypes.byref(Wow64Process)) 
    return bool(Wow64Process.value)

def is_64_bit(handle):
    return platform.architecture()[0] == "64bit" and not is_wow64(handle)