winsiderss / phnt

Native API header files for the System Informer project.
https://github.com/winsiderss/systeminformer
MIT License

Missing function `ZwWow64IsProcessorFeaturePresent` (WOW64-only) #25

Open mrexodia opened 1 year ago

mrexodia commented 1 year ago

According to my research:

```c
NTSYSCALLAPI
BOOLEAN
NTAPI
ZwWow64IsProcessorFeaturePresent(
    _In_ ULONG ProcessorFeature
    );
```

mrexodia commented 1 year ago

A bunch of other ZwWow64* functions also appear to be missing. I’ll try to gather a complete list. Should I contribute here or at the system informer repo?

dmex commented 1 year ago

> ZwWow64* functions also appear to be missing

There are no functions named ZwWow64 in ntdll or ntoskrnl? A quick search for wow in the export table shows only RtlWow exists:

image

mrexodia commented 1 year ago

They are only present in the 32-bit ntdll.dll on a wow64 system. Not exactly sure what code they execute in the kernel, but they have a syscall number.

mrexodia commented 1 year ago

image

image

Windows 10 22H2 19045.2604

dmex commented 1 year ago

> Not exactly sure what code they execute in the kernel, but they have a syscall number.

I don't see any syscalls for these functions in IDA. They're just calling Wow64Transition and the 64-bit ntdll?

mrexodia commented 1 year ago

I see, they are implemented directly in wow64.dll. Would still be nice to have their prototypes somewhere though.
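
The export-table search discussed in this thread can be scripted instead of done by eye. The following Python is an added example, not code from any commenter or from the phnt project: `export_names` walks a PE file's export name table and `wow64_exports` filters it, while `build_sample` and `SAMPLE` are constructed stand-ins for a real ntdll.dll.

```python
import struct

def export_names(pe: bytes) -> list[str]:
    """Names from a PE file's export name table (PE32 or PE32+)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                            # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]             # 0x10B = PE32
    exp_rva = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:                                         # no export directory
        return []
    secs = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]
    def off(rva):                                            # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")
    # Export directory +24: NumberOfNames, AddressOfFunctions, AddressOfNames
    count, _, names_rva = struct.unpack_from("<III", pe, off(exp_rva) + 24)
    names = []
    for i in range(count):
        start = off(struct.unpack_from("<I", pe, off(names_rva + 4 * i))[0])
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
    return names

def wow64_exports(pe: bytes) -> list[str]:  # case-insensitive "wow64" filter
    return [n for n in export_names(pe) if "wow64" in n.lower()]

def build_sample(names: list[str]) -> bytes:
    """Constructed minimal PE32 image: headers plus one export-only section."""
    table = 0x1000 + 40                                      # name pointer array RVA
    blob, ptrs = b"", []
    for n in names:
        ptrs.append(table + 4 * len(names) + len(blob))
        blob += n.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names), 0, table, 0)
    body += struct.pack(f"<{len(names)}I", *ptrs) + blob
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH12xH", hdr, 0x44, 0x14C, 1, 224)    # i386, 1 section
    struct.pack_into("<H", hdr, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96, 0x1000, len(body))
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".edata", len(body), 0x1000, len(body), 0x200)
    return bytes(hdr) + body

SAMPLE = build_sample(["NtClose", "ZwWow64IsProcessorFeaturePresent"])  # constructed input
```

To check a real system, pass the bytes of the 32-bit `C:\Windows\SysWOW64\ntdll.dll` and of the 64-bit `C:\Windows\System32\ntdll.dll` to `wow64_exports` and compare the two lists.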