https://en.wikipedia.org/wiki/WoW64
NTSystem/Commons/ProcessAPI.pas
https://github.com/wyrover/NTSystem/find/master
delphi-code-coverage/JwaWinternl.pas at master - GitHub
freepascal/jwanative.pas at master - GitHub
Process API pas jedi NtQueryInformationProcess
NTSystem/NTLauncher 3.0/
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getprocessid
https://docs.microsoft.com/en-us/dotnet/api/system.management?redirectedfrom=MSDN&view=dotnet-plat-ext-6.0
https://docs.microsoft.com/en-us/windows/win32/api/wow64apiset/nf-wow64apiset-iswow64process
https://docs.microsoft.com/en-us/windows/win32/winprog64/file-system-redirector
https://stackoverflow.com/questions/3540930/getting-syswow64-directory-using-32-bit-application
https://blog.30cm.tw/2021/06/32-wow64.html
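An added example (not code from the original post or from the linked projects) tying the IsWow64Process, GetSystemWow64Directory and file-system-redirector links above together: it detects WoW64 and then opens %windir%\System32\ntdll.dll twice from a 32-bit process, once with redirection on (which silently yields the SysWOW64 copy) and once with it off, and reads the PE machine field of each to prove which file it really got. It assumes an x86 build running on x64 Windows 7 or later.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not code from the original post. Assumption: compiled as x86
// and run on x64 Windows 7+ (Wow64DisableWow64FsRedirection needs Vista+).
static class Wow64Probe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool IsWow64Process(IntPtr hProcess,
        [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetSystemWow64Directory(StringBuilder lpBuffer, uint uSize);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);

    // True only for a 32-bit process on 64-bit Windows. A native 64-bit
    // process, or a 32-bit process on 32-bit Windows, gets false.
    public static bool RunningUnderWow64()
    {
        bool wow64;
        if (!IsWow64Process(GetCurrentProcess(), out wow64))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return wow64;
    }

    // The 32-bit system directory (C:\Windows\SysWOW64 on x64). The call fails
    // with ERROR_CALL_NOT_IMPLEMENTED on 32-bit Windows, so check the result.
    public static string SystemWow64Directory()
    {
        var sb = new StringBuilder(260);
        if (GetSystemWow64Directory(sb, (uint)sb.Capacity) == 0)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return sb.ToString();
    }

    // Runs `action` with redirection off, so that "System32" really is the
    // 64-bit directory. Redirection is per thread and is reverted in `finally`
    // because a later LoadLibrary on this thread would otherwise resolve to
    // 64-bit DLLs and fail with ERROR_BAD_EXE_FORMAT.
    public static T WithoutFsRedirection<T>(Func<T> action)
    {
        if (!RunningUnderWow64()) return action();
        IntPtr old;
        if (!Wow64DisableWow64FsRedirection(out old))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try { return action(); }
        finally { Wow64RevertWow64FsRedirection(old); }
    }

    // IMAGE_FILE_HEADER.Machine of a PE file: 0x014C = i386, 0x8664 = x64.
    public static ushort PeMachine(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
        using (var br = new BinaryReader(fs))
        {
            fs.Seek(0x3C, SeekOrigin.Begin);          // IMAGE_DOS_HEADER.e_lfanew
            int peOffset = br.ReadInt32();
            fs.Seek(peOffset + 4, SeekOrigin.Begin);  // skip the "PE\0\0" signature
            return br.ReadUInt16();
        }
    }

    static void Main()
    {
        string ntdll = Path.Combine(Environment.GetEnvironmentVariable("windir"), @"System32\ntdll.dll");
        Console.WriteLine("WoW64 process:   " + RunningUnderWow64());
        Console.WriteLine("SysWOW64 dir:    " + SystemWow64Directory());
        // Redirected: a 32-bit process asking for System32\ntdll.dll is handed SysWOW64\ntdll.dll.
        Console.WriteLine("redirected:      0x{0:X4}", PeMachine(ntdll));
        // Redirection off: the same path now opens the 64-bit ntdll.
        Console.WriteLine("redirection off: 0x{0:X4}", WithoutFsRedirection(() => PeMachine(ntdll)));
    }
}
```

On x64 the two machine values differ (0x014C then 0x8664); a 64-bit build of the same program prints 0x8664 twice and reports WoW64 as false. Windows 10 1511+ also offers IsWow64Process2, which additionally reports the native machine (needed to tell x86-on-ARM64 apart); the older IsWow64Process is kept here because it is the one the links above discuss.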
System call path of a WoW64 process (Windows 10): the 32-bit ntdll stub transfers into wow64cpu.dll, which switches the CPU to 64-bit mode and lands in CpupReturnFromSimulatedCode; TurboThunkDispatch (the thunk table between TurboDispatchJumpAddressStart and TurboDispatchJumpAddressEnd in wow64cpu.dll) either completes simple calls in a turbo thunk or hands the call to wow64.dll!Wow64SystemServiceEx, which converts the 32-bit arguments and calls the 64-bit ntdll, so the real system call is always issued from the 64-bit ntdll.
dumpbin /exports "%windir%\SysWOW64\ntdll.dll"   (excerpt around the NtWow64* exports; columns: ordinal hint RVA name)
663 288 0006A8C0 NtWorkerFactoryWorkerReady
664 289 0006C690 NtWow64AllocateVirtualMemory64
665 28A 0006C6C0 NtWow64CallFunction64
666 28B 0006C5E0 NtWow64CsrAllocateCaptureBuffer
667 28C 0006C600 NtWow64CsrAllocateMessagePointer
668 28D 0006C610 NtWow64CsrCaptureMessageBuffer
669 28E 0006C620 NtWow64CsrCaptureMessageString
670 28F 0006C5D0 NtWow64CsrClientCallServer
671 290 0006C5B0 NtWow64CsrClientConnectToServer
672 291 0006C5F0 NtWow64CsrFreeCaptureBuffer
673 292 0006C630 NtWow64CsrGetProcessId
674 293 0006C5C0 NtWow64CsrIdentifyAlertableThread
675 294 0006C640 NtWow64CsrVerifyRegion
676 295 0006C650 NtWow64DebuggerCall
677 296 0006C660 NtWow64GetCurrentProcessorNumberEx
678 297 0006C670 NtWow64GetNativeSystemInformation
679 298 0006C6D0 NtWow64IsProcessorFeaturePresent
680 299 0006C680 NtWow64QueryInformationProcess64
681 29A 0006C6A0 NtWow64ReadVirtualMemory64
682 29B 0006C6B0 NtWow64WriteVirtualMemory64
683 29C 0006A930 NtWriteFile
// P/Invoke for the export above; only the 32-bit (WoW64) ntdll exports it. It returns an NTSTATUS, so SetLastError/CharSet do not apply.
// BaseAddress and Size are 64-bit, so a 32-bit caller can address the whole 64-bit target, which ReadProcessMemory (32-bit SIZE_T/pointer) cannot.
[DllImport("ntdll.dll")]
public static extern int NtWow64ReadVirtualMemory64(IntPtr Process, UInt64 BaseAddress, IntPtr Buffer, UInt64 Size, out UInt64 NumberOfBytesRead);
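An added example (not code from the original post) that uses two of the exports in the dumpbin listing together: from a 32-bit process it calls NtWow64QueryInformationProcess64 to get the 64-bit PEB address of a target process, then NtWow64ReadVirtualMemory64 to read the PEB and the 64-bit RTL_USER_PROCESS_PARAMETERS, printing the image base, BeingDebugged flag, image path and command line. It assumes an x86 build on x64 Windows, a target PID on the command line, and the x64 structure offsets noted in the comments (PEB64: BeingDebugged 0x02, ImageBaseAddress 0x10, ProcessParameters 0x20; RTL_USER_PROCESS_PARAMETERS64: ImagePathName 0x60, CommandLine 0x70).

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not code from the original post. Assumptions: compiled as
// x86, run on x64 Windows, target PID given as the first argument.
static class Wow64Peb
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const int ProcessBasicInformation = 0;

    // PROCESS_BASIC_INFORMATION as the 64-bit kernel returns it (48 bytes);
    // Sequential layout pads ExitStatus and BasePriority to 8-byte boundaries.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION64
    {
        public int ExitStatus;
        public ulong PebBaseAddress;   // offset 8
        public ulong AffinityMask;
        public int BasePriority;
        public ulong UniqueProcessId;
        public ulong InheritedFromUniqueProcessId;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    // Both exist only in the SysWOW64 ntdll (see the dumpbin output above).
    [DllImport("ntdll.dll")]
    static extern int NtWow64QueryInformationProcess64(IntPtr process, int infoClass,
        ref PROCESS_BASIC_INFORMATION64 info, uint length, out uint returnLength);

    [DllImport("ntdll.dll")]
    static extern int NtWow64ReadVirtualMemory64(IntPtr process, ulong baseAddress,
        byte[] buffer, ulong size, out ulong bytesRead);

    static byte[] Read64(IntPtr h, ulong addr, int size)
    {
        var buf = new byte[size];
        ulong got;
        int status = NtWow64ReadVirtualMemory64(h, addr, buf, (ulong)size, out got);
        if (status != 0 || got != (ulong)size)   // e.g. STATUS_PARTIAL_COPY on an unmapped page
            throw new InvalidOperationException(string.Format(
                "NtWow64ReadVirtualMemory64(0x{0:X}, {1}) failed: NTSTATUS 0x{2:X8}", addr, size, status));
        return buf;
    }

    // UNICODE_STRING64 = { USHORT Length; USHORT MaximumLength; ULONG pad; ULONG64 Buffer; }
    static string ReadUnicodeString64(IntPtr h, ulong addr)
    {
        byte[] us = Read64(h, addr, 16);
        ushort len = BitConverter.ToUInt16(us, 0);
        ulong ptr = BitConverter.ToUInt64(us, 8);
        if (len == 0 || ptr == 0) return string.Empty;
        return Encoding.Unicode.GetString(Read64(h, ptr, len));
    }

    public static void Dump(int pid)
    {
        if (IntPtr.Size != 4)
            throw new InvalidOperationException("build as x86: the NtWow64* exports exist only in the WoW64 ntdll");
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            var pbi = new PROCESS_BASIC_INFORMATION64();
            uint retLen;
            int status = NtWow64QueryInformationProcess64(h, ProcessBasicInformation, ref pbi,
                (uint)Marshal.SizeOf(pbi), out retLen);
            if (status != 0)
                throw new InvalidOperationException("NtWow64QueryInformationProcess64: NTSTATUS 0x" + status.ToString("X8"));

            // This is the native (64-bit) PEB even when the target itself is a
            // WoW64 process; its 32-bit PEB is a separate structure.
            byte[] peb = Read64(h, pbi.PebBaseAddress, 0x28);
            bool beingDebugged = peb[0x02] != 0;
            ulong imageBase = BitConverter.ToUInt64(peb, 0x10);
            ulong procParams = BitConverter.ToUInt64(peb, 0x20);

            // Sanity check: the image base must start with an "MZ" DOS header.
            byte[] mz = Read64(h, imageBase, 2);
            if (mz[0] != (byte)'M' || mz[1] != (byte)'Z')
                throw new InvalidOperationException("no MZ header at ImageBaseAddress; PEB offsets are wrong for this OS");

            Console.WriteLine("PEB64:          0x{0:X16}", pbi.PebBaseAddress);
            Console.WriteLine("BeingDebugged:  {0}", beingDebugged);
            Console.WriteLine("ImageBase:      0x{0:X16}", imageBase);
            Console.WriteLine("ImagePathName:  {0}", ReadUnicodeString64(h, procParams + 0x60));
            Console.WriteLine("CommandLine:    {0}", ReadUnicodeString64(h, procParams + 0x70));
        }
        finally { CloseHandle(h); }
    }

    static void Main(string[] args) { Dump(int.Parse(args[0])); }
}
```

Run as `Wow64Peb.exe <pid>` from an x86 build. The point of the NtWow64* pair is that a 32-bit caller cannot express a 64-bit address or size through ReadProcessMemory/NtQueryInformationProcess, whose pointer-sized parameters are 32 bits here; the same fields could be read with NtWow64QueryInformationProcess64/ProcessWow64Information for a WoW64 target's 32-bit PEB instead. OpenProcess fails with ERROR_ACCESS_DENIED for protected processes and for processes of a higher integrity level.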
https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s/42789684
The unexpected threads run ntdll!TppWorkerThread: on Windows 10 the loader maps and snaps DLL dependencies in parallel on thread-pool workers. The worker count comes from Peb->ProcessParameters->LoaderThreads (a field of _RTL_USER_PROCESS_PARAMETERS), which CreateProcess / ZwCreateUserProcess fills from the Image File Execution Options value MaxLoaderThreads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<app name>
MaxLoaderThreads=dword:xxxx
Loader symbols involved: LdrpWorkQueue (the queue the workers drain), LdrpEnableParallelLoading (the switch that turns parallel loading on)
ntdll LdrpMapAndSnapDependency
ntdll LdrpWorkCallback
ntdll LdrpProcessWork
ntdll LdrpDrainWorkQueue
ntdll!LdrpWorkQueue (LIST_ENTRY)
ntdll!LdrpWorkQueueTail (LIST_ENTRY)
ntdll!LdrpWorkQueueLock (CRITICAL_SECTION)
ntdll!LdrpRetryQueue (LIST_ENTRY)
ntdll!LdrpRetryQueueTail (LIST_ENTRY)
ntdll!LdrpLoadCompleteEvent (HANDLE)
ntdll!LdrpWorkCompleteEvent (HANDLE)
NtTerminateThread LdrShutdownThread LdrpDrainWorkQueue LdrpLoadCompleteEvent msvcrt!CrtLock_Exit DLL_PROCESS_ATTACH
https://stackoverflow.com/questions/42789199/why-there-are-three-unexpected-worker-threads-when-a-win32-console-application-s
https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Bing%20Sun%20and%20Chong%20Xu%20-%20Bypassing%20Memory%20Mitigation%20Using%20Data-Only%20Exploitation%20Techniques.pdf
Memory allocation APIs (32-bit ntdll/kernel32 under SysWOW64): VirtualAlloc, HeapAlloc, GlobalAlloc, LocalAlloc, _malloca, CoTaskMemAlloc; comparison:
https://docs.microsoft.com/zh-tw/windows/win32/memory/comparing-memory-allocation-methods
https://blogs.blackberry.com/en/2018/03/windows-maps-64-bit-ntdll-to-wow64-process