How to enum modules in a 64bit process from a 32bit WOW process


I have a requirement to retrieve all modules of a 64-bit process from a 32-bit WOW process in Windows. EnumProcessModules would fail, as described:

If this function is called from a 32-bit application running on WOW64, it can only enumerate the modules of a 32-bit process. If the process is a 64-bit process, this function fails and the last error code is ERROR_PARTIAL_COPY (299).

The same goes for EnumProcessModulesEx and CreateToolhelp32Snapshot.

Do you have any idea on how to achieve it?

Thanks.


Solution

  • Without going into undocumented APIs, you can't do this. In general, reading a 64-bit process' memory from a 32-bit process won't work due to the address space differences.

    EnumProcessModulesEx, which has LIST_MODULES_32BIT and LIST_MODULES_64BIT filter flags, has this to say:

    This function is intended primarily for 64-bit applications. If the function is called by a 32-bit application running under WOW64, the dwFilterFlag option is ignored and the function provides the same results as the EnumProcessModules function.

    You could do this by converting your program to 64-bit, using an out-of-proc 64-bit COM server (specifically using a DLL surrogate), or having a separate process that you communicate with. Alternatively, depending on when your process starts relative to your target process, you could use WMI to get module load events. See the Win32_ModuleLoadTrace event.

    Process Explorer, a single 32-bit exe, can show you modules for both 32- and 64-bit processes, but it's really smoke and mirrors: the 32-bit exe contains a 64-bit version of itself that gets written out to disk and executed on 64-bit machines.
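
One way to implement the "separate process that you communicate with" option from the answer above, shown as an added example that is not part of the original answer: a 32-bit (WOW64) PowerShell host starts the 64-bit powershell.exe through the Sysnative alias and reads the module list back as JSON. The function name `Get-ProcessModulesAnyBitness` and the output fields are assumptions made for this example, and it assumes PowerShell 3.0 or later for the JSON cmdlets.

```powershell
# Added example: the function name and output shape are illustrative.
function Get-ProcessModulesAnyBitness {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][int]$ProcessId)

    # Pipeline run by a host whose bitness matches the OS. It contains no
    # double quotes, so it survives being passed as a single native argument.
    $select = 'Get-Process -Id ' + $ProcessId + ' -ErrorAction Stop | ' +
              'Select-Object -ExpandProperty Modules | ' +
              'Select-Object ModuleName, FileName, ModuleMemorySize, ' +
              '@{n=''BaseAddress'';e={$_.BaseAddress.ToInt64()}}'

    # PROCESSOR_ARCHITEW6432 is only defined inside a WOW64 process.
    if (-not $env:PROCESSOR_ARCHITEW6432) {
        # Native host (64-bit process, or 32-bit OS): enumerate in-process.
        return & ([scriptblock]::Create($select))
    }

    # From a 32-bit process, System32 is redirected to SysWOW64. The Sysnative
    # alias bypasses that redirection and reaches the real 64-bit binaries.
    $ps64 = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path -LiteralPath $ps64)) {
        throw "64-bit PowerShell not found at $ps64"
    }

    # The 64-bit helper does the enumeration and prints JSON on stdout.
    $json = & $ps64 -NoProfile -NonInteractive -OutputFormat Text `
                    -Command ($select + ' | ConvertTo-Json -Compress')
    if ($LASTEXITCODE -ne 0) {
        throw "64-bit helper exited with code $LASTEXITCODE for PID $ProcessId"
    }
    if (-not $json) { return }   # helper produced no module records

    # Rehydrate the helper's output into objects for the 32-bit caller.
    $modules = ($json -join '') | ConvertFrom-Json
    return $modules
}

# Usage: list the modules of the first explorer.exe instance (a 64-bit process
# on 64-bit Windows), whatever the bitness of the calling shell.
# Get-ProcessModulesAnyBitness -ProcessId (Get-Process explorer)[0].Id |
#     Format-Table ModuleName, BaseAddress, FileName
```

The helper runs with the caller's token, so a target the caller cannot open for reading (for example a protected or higher-integrity process) still fails in the 64-bit helper.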