面临API-Ntdll.dll中的NtWow64QueryVirtualMemory64问题 [英] Facing issue with API - NtWow64QueryVirtualMemory64 in ntdll.dll

问题描述

Hello Developers，

Hello Developers,

我面临API问题 -
NtWow64QueryVirtualMemory64 ，
ntdll.dll 在Windows 10（C＃应用程序）中。相同的API在Windows 7中工作。我在下面的文章中读到了类似的问题。但没有答案。如果存在，请帮我解决问题或建议替代API。

I am facing issue with API - NtWow64QueryVirtualMemory64 in ntdll.dll in windows 10 (C# application). Same API is working in windows 7. I read below article which refers to similar issue. But there is no answer. Please help me to resolve the issue or suggest me alternative API if exist.

类似
问题：https：//social.technet。 microsoft.com/forums/en-us/0eb630e5-ecf8-47b3-ac2b-3ad267d5164a/ntwow64queryvirtualmemory64-not-exposed-in-ntdll-on-windows-10-x64

错误讯息："无法在DLL'ntdll.dll'中找到名为'NtWow64QueryVirtualMemory64'的入口点。" 

Error message: "Unable to find an entry point named 'NtWow64QueryVirtualMemory64' in DLL 'ntdll.dll'." 

谢谢，

Thanks,

Kishor

推荐答案

我很确定该API仍然在32位版本的ntdll.dll中公开。 （即：Windows \ SysWOW64文件夹中的版本）

I'm pretty sure that the API is still exposed in 32-bit version of ntdll.dll . (i.e.: the version in Windows\SysWOW64folder)

以下是"dumpbin / exports％windir％\ SysWOW64 \ antdll.dll"的输出：

The following is the output for "dumpbin /exports %windir%\SysWOW64\ntdll.dll":

Microsoft (R) COFF/PE Dumper Version 14.00.24215.1
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file ntdll.dll

File Type: DLL

  Section contains the following exports for ntdll.dll

    00000000 characteristics
    319E0A75 time date stamp
        0.00 version
           8 ordinal base
        2381 number of functions
        2381 number of names

    ordinal hint RVA      name

         15    0 00020EF0 A_SHAFinal
         16    1 0007F470 A_SHAInit
         17    2 00020FB0 A_SHAUpdate
.
.
.
        663  288 0006A8C0 NtWorkerFactoryWorkerReady
        664  289 0006C690 NtWow64AllocateVirtualMemory64
        665  28A 0006C6C0 NtWow64CallFunction64
        666  28B 0006C5E0 NtWow64CsrAllocateCaptureBuffer
        667  28C 0006C600 NtWow64CsrAllocateMessagePointer
        668  28D 0006C610 NtWow64CsrCaptureMessageBuffer
        669  28E 0006C620 NtWow64CsrCaptureMessageString
        670  28F 0006C5D0 NtWow64CsrClientCallServer
        671  290 0006C5B0 NtWow64CsrClientConnectToServer
        672  291 0006C5F0 NtWow64CsrFreeCaptureBuffer
        673  292 0006C630 NtWow64CsrGetProcessId
        674  293 0006C5C0 NtWow64CsrIdentifyAlertableThread
        675  294 0006C640 NtWow64CsrVerifyRegion
        676  295 0006C650 NtWow64DebuggerCall
        677  296 0006C660 NtWow64GetCurrentProcessorNumberEx
        678  297 0006C670 NtWow64GetNativeSystemInformation
        679  298 0006C6D0 NtWow64IsProcessorFeaturePresent
        680  299 0006C680 NtWow64QueryInformationProcess64
        681  29A 0006C6A0 NtWow64ReadVirtualMemory64
        682  29B 0006C6B0 NtWow64WriteVirtualMemory64
        683  29C 0006A930 NtWriteFile
.
.
.
       2386  94A 00072B00 wcstol
       2387  94B 00072B80 wcstombs
       2388  94C 00072B50 wcstoul

  Summary

        1000 .00cfg
        6000 .data
        3000 .mrdata
        5000 .reloc
       6C000 .rsrc
      113000 .text
        1000 RT

确保你的程序如果需要使用它，则编译为以32位进程运行。如果您需要访问64位进程的内存信息，只需使用NtQueryVirtualMemory（）

Make sure your program is compiled to run as 32-bit process if you need to use this. If you need to access memory information on 64-bit process, just use NtQueryVirtualMemory()

这篇关于面临API-Ntdll.dll中的NtWow64QueryVirtualMemory64问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！