IsWow64Process can be used to detect whether the current process is running under WOW64 (WOW64 is the x86 emulator that allows Win32-based applications to run on 64-bit Windows). Some people also use it to detect the CPU's bitness, which is a misuse: it answers a question about the process, not about the processor.
MSDN also documents how to use this function, but I wrote my own anyway. Note that the first parameter of IsWow64Process is a process handle that must carry the QUERY access right.
```c
#include <windows.h>

/* IsWow64Process is resolved at run time because kernel32 on older
 * 32-bit versions of Windows does not export it. */
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS)(HANDLE, PBOOL);

BOOL IsWow64Current(void)
{
    LPFN_ISWOW64PROCESS fnIsWow64Process;
    BOOL bIsWow64 = FALSE;

    fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(
        GetModuleHandle(TEXT("kernel32.dll")), "IsWow64Process");

    /* The pseudo-handle from GetCurrentProcess() has full access, so the
     * QUERY right required for the first parameter is satisfied. */
    if (fnIsWow64Process)
        if (fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
            return bIsWow64;

    return FALSE;   /* export missing or the call failed */
}
```
Hmm, now let's look at how IsWow64Process itself is implemented.
```
KERNELBASE!IsWow64Process:
759f8c8e 8bff            mov     edi,edi
759f8c90 55              push    ebp
759f8c91 8bec            mov     ebp,esp
759f8c93 56              push    esi
759f8c94 6a00            push    0                   // ReturnLength
759f8c96 6a04            push    4                   // ProcessInformationLength
759f8c98 8d4508          lea     eax,[ebp+8]
759f8c9b 50              push    eax                 // ProcessInformation
759f8c9c 6a1a            push    1Ah                 // ProcessInformationClass::ProcessWow64Information
759f8c9e ff7508          push    dword ptr [ebp+8]   // ProcessHandle
759f8ca1 ff1528109f75    call    dword ptr [KERNELBASE!_imp__NtQueryInformationProcess (759f1028)]
759f8ca7 8bf0            mov     esi,eax
759f8ca9 85f6            test    esi,esi             ; NtQueryInformationProcess failed
759f8cab 0f8c35170200    jl      KERNELBASE!IsWow64Process+0x1f (75a1a3e6)
KERNELBASE!IsWow64Process+0x27:
759f8cb1 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
759f8cb4 33c0            xor     eax,eax
759f8cb6 394508          cmp     dword ptr [ebp+8],eax
759f8cb9 0f95c0          setne   al
759f8cbc 8901            mov     dword ptr [ecx],eax // store the result through the second parameter
KERNELBASE!IsWow64Process+0x34:
759f8cbe 33c0            xor     eax,eax
759f8cc0 85f6            test    esi,esi
759f8cc2 0f9dc0          setge   al                  // return (esi >= 0);
759f8cc5 5e              pop     esi
759f8cc6 5d              pop     ebp
759f8cc7 c20800          ret     8
KERNELBASE!IsWow64Process+0x1f:
75a1a3e6 56              push    esi
75a1a3e7 e8b9c7fdff      call    KERNELBASE!BaseSetLastNTError (759f6ba5)
75a1a3ec e9cde8fdff      jmp     KERNELBASE!IsWow64Process+0x34 (759f8cbe)
```
So that is the whole implementation of IsWow64Process, pretty simple (and I learned how the setcc instructions work along the way).
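As an added example that is not the original post's code, the C below rebuilds IsWow64Process from the disassembly above and also answers the misuse point from the opening paragraph: the disassembly queries ProcessWow64Information (class 1Ah) into the stack slot that held the ProcessHandle, reports whether that value is non-zero, and returns TRUE only when the NTSTATUS is non-negative, so the flag describes the calling process, and only in combination with the process's own pointer size does it say anything about the OS (never about the CPU). The names `wow64_result`, `os_is_64bit`, `MyIsWow64Process` and `PROCESS_WOW64_INFORMATION` are this example's own; that BaseSetLastNTError amounts to `SetLastError(RtlNtStatusToDosError(status))` is an assumption. The Win32-specific part is guarded by `_WIN32` so the decision logic can be compiled and checked on any platform.

```c
/* Added example, not code from the original post: IsWow64Process rebuilt in C
 * from the KERNELBASE disassembly, plus a helper showing what the WOW64 flag
 * does and does not say about bitness. All names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decision logic of the disassembly's tail, kept free of Win32 so it can be
 * checked anywhere. status is the NTSTATUS from NtQueryInformationProcess
 * (esi); wow64_info is what the call wrote into the ProcessInformation slot
 * ([ebp+8]), which is non-zero only for a WOW64 process.
 * Returns the BOOL the API returns and writes *is_wow64 only on success. */
int wow64_result(int32_t status, uintptr_t wow64_info, int *is_wow64)
{
    if (status < 0)                 /* jl -> BaseSetLastNTError; output untouched */
        return 0;                   /* setge al on a negative status -> FALSE */
    *is_wow64 = (wow64_info != 0);  /* cmp [ebp+8],0 ; setne al ; mov [ecx],eax */
    return 1;                       /* setge al on success -> TRUE */
}

/* What the flag tells you about the OS, not the CPU: a 32-bit process under
 * WOW64 proves the OS is 64-bit, a 64-bit process proves the same, and a
 * 32-bit process that is not under WOW64 is running on a 32-bit OS. Whether
 * the CPU itself is 64-bit capable is a separate question this cannot answer. */
int os_is_64bit(int is_wow64, size_t pointer_size)
{
    if (pointer_size == 8)
        return 1;                   /* native 64-bit process */
    return is_wow64 ? 1 : 0;        /* 32-bit process: WOW64 <=> 64-bit OS */
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS, RtlNtStatusToDosError; link with ntdll.lib */

/* Prototype written by hand so the class can be passed as the raw 1Ah
 * seen in the disassembly. */
typedef NTSTATUS (NTAPI *PFN_NtQueryInformationProcess)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define PROCESS_WOW64_INFORMATION 0x1A

BOOL MyIsWow64Process(HANDLE hProcess, PBOOL Wow64Process)
{
    PFN_NtQueryInformationProcess fn = (PFN_NtQueryInformationProcess)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    ULONG_PTR info = 0;   /* the real code reuses [ebp+8] as this buffer (4 bytes on x86) */
    int flag = 0;
    NTSTATUS status;

    if (!fn)
        return FALSE;
    status = fn(hProcess, PROCESS_WOW64_INFORMATION, &info, sizeof(info), NULL);
    if (!wow64_result((int32_t)status, (uintptr_t)info, &flag)) {
        /* assumed equivalent of BaseSetLastNTError */
        SetLastError(RtlNtStatusToDosError(status));
        return FALSE;
    }
    *Wow64Process = flag;
    return TRUE;
}
#endif

int main(void)
{
#ifdef _WIN32
    BOOL wow64 = FALSE;
    if (!MyIsWow64Process(GetCurrentProcess(), &wow64)) {
        printf("query failed, Win32 error %lu\n", GetLastError());
        return 1;
    }
    printf("WOW64 process: %d, 64-bit OS: %d\n",
           (int)wow64, os_is_64bit(wow64, sizeof(void *)));
#else
    puts("Win32-specific part is only built on Windows");
#endif
    return 0;
}
```

Two details worth keeping in mind when you use this: a failed query leaves the output BOOL untouched, so initialize it before the call as the original snippet does; and `os_is_64bit` needs the pointer size of the process that asked, which is why a 32-bit helper cannot answer the question for a 64-bit target without opening it and querying that handle instead.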