Windows - Read x64 bits process memory from a x86 process

[AlessandroZ]

I have spent to much time to try to read x64 bit process memory from a x86 bit process without success, so maybe someone could help me.

There are some points I have noticed:

• VirtualQueryEx64 should be used instead of VirtualQueryEx used right now to iter memory address space. So this function should be uncommented.

• From a x86 process, NtWow64ReadVirtualMemory64 should be used automatically if the remote process it a x64 bits.

• When I call this function, I always have a Windows error code "2" which I suppose the offset does not exists. I think casting the address as an int is not a good idea (but even removing the cast, it does not change anything).

I already have tested all points I have noticed, without success. All functions needed to read x64 memory process from a x86 process are already defined in the project so I suppose you already work on it.

Technically it should be possible. Some projects already implement it:

• https://github.com/giampaolo/psutil/blob/master/psutil/arch/windows/process_info.c
• https://github.com/rwfpl/rewolf-wow64ext
• https://cybercoding.wordpress.com/2011/10/14/delphipeb-from-wow64-process/

[n1nj4sec]

I worked on it at some point but eventually gave up because it did not worked as expected ... A lot of products (like the sysinternals) just drop the x64 binary on disk to handle those problems because it's too much pain even for microsoft ;)