winsiderss / phnt

Native API header files for the System Informer project.
https://github.com/winsiderss/systeminformer
MIT License
991 stars 166 forks

STATUS_DATATYPE_MISALIGNMENT for 64-Bit structures used by Wow64 process #21

Closed odzhan closed 1 year ago

odzhan commented 1 year ago

64-Bit system calls executed by a wow64 process require structures aligned on a 16 byte boundary. A misaligned structure will sometimes result in the system call returning STATUS_DATATYPE_MISALIGNMENT. For example fix, OBJECT_ATTRIBUTES64 in phnt_ntdef.h would be defined like:

typedef struct DECLSPEC_ALIGN(16) _OBJECT_ATTRIBUTES64
{
    ULONG Length;
    ULONG64 RootDirectory;
    ULONG64 ObjectName;
    ULONG Attributes;
    ULONG64 SecurityDescriptor;
    ULONG64 SecurityQualityOfService;
} OBJECT_ATTRIBUTES64, *POBJECT_ATTRIBUTES64;

The only change required here is using DECLSPEC_ALIGN(16) or __declspec(align(16)).

:+1:
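An added example, not part of the thread or of phnt: it compares the field layout quoted above with and without a 16-byte alignment attribute, showing that the attribute changes where an instance may be placed but not the field offsets or size. The `EX_` names and the fixed-width stand-in types are assumptions made for this sketch, and it assumes an ABI where 64-bit integers are 8-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EX_ALIGN stands in for DECLSPEC_ALIGN so the file also builds outside MSVC. */
#if defined(_MSC_VER)
#define EX_ALIGN(n) __declspec(align(n))
#else
#define EX_ALIGN(n) __attribute__((aligned(n)))
#endif

/* Fields from the comment above (ULONG -> uint32_t, ULONG64 -> uint64_t). */
#define EX_OA64_FIELDS                                   \
    uint32_t Length;             uint64_t RootDirectory; \
    uint64_t ObjectName;         uint32_t Attributes;    \
    uint64_t SecurityDescriptor; uint64_t SecurityQualityOfService;

typedef struct { EX_OA64_FIELDS } EX_OA64;                  /* natural alignment */
typedef struct EX_ALIGN(16) { EX_OA64_FIELDS } EX_OA64_A16; /* proposed form */

size_t ex_align_plain(void) { return _Alignof(EX_OA64); }
size_t ex_align_a16(void)   { return _Alignof(EX_OA64_A16); }
int ex_is_aligned16(const void *p) { return ((uintptr_t)p & 15u) == 0; }

/* 1 when both definitions agree on size and on the field offsets checked. */
int ex_same_layout(void) {
    return sizeof(EX_OA64) == sizeof(EX_OA64_A16)
        && offsetof(EX_OA64, RootDirectory) == offsetof(EX_OA64_A16, RootDirectory)
        && offsetof(EX_OA64, Attributes) == offsetof(EX_OA64_A16, Attributes)
        && offsetof(EX_OA64, SecurityQualityOfService) == offsetof(EX_OA64_A16, SecurityQualityOfService);
}

/* Constructed case: an address 8 bytes into a 16-aligned buffer is a legal
   home for EX_OA64 but is off the 16-byte boundary. Returns 1 when the plain
   placement misses the boundary and the aligned object sits on it. */
int ex_placement_differs(void) {
    EX_ALIGN(16) unsigned char raw[16 + sizeof(EX_OA64)];
    EX_OA64 src = { sizeof(EX_OA64), 0, 0, 0x40u, 0, 0 }; /* constructed values */
    EX_OA64_A16 fixed;
    memcpy(raw + 8, &src, sizeof src);  /* naturally aligned placement */
    memcpy(&fixed, &src, sizeof src);   /* same bytes, 16-byte aligned home */
    return !ex_is_aligned16(raw + 8) && ex_is_aligned16(&fixed) && fixed.Length == sizeof(EX_OA64);
}

int main(void) {
    printf("alignof plain=%zu aligned=%zu\n", ex_align_plain(), ex_align_a16());
    printf("same layout=%d placement differs=%d\n", ex_same_layout(), ex_placement_differs());
    return 0;
}
```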

dmex commented 1 year ago

> For example fix, OBJECT_ATTRIBUTES64 in phnt_ntdef.h would be defined like:

The definition we're using exactly matches what's included in the Windows SDK?

> 64-Bit system calls executed by a wow64 process

There are a number of cases where this won't work. You should be using the 32-bit versions.

odzhan commented 1 year ago

Okay, fair enough.