Missing function `ZwWow64IsProcessorFeaturePresent` (WOW64-only)

Question

Missing function `ZwWow64IsProcessorFeaturePresent` (WOW64-only)

mrexodia opened this issue a year ago · comments

According to my research:

NTSYSCALLAPI
BOOLEAN
NTAPI
ZwWow64IsProcessorFeaturePresent(
    _In_ ULONG ProcessorFeature
    );

Duncan Ogilvie · Answer 1 · Sun Feb 26 2023 23:44:20 GMT+0800 (China Standard Time)

A bunch of other ZwWow64* functions also appear to be missing. I’ll try to gather a complete list. Should I contribute here or at the system informer repo?

dmex · Answer 2 · Mon Feb 27 2023 03:12:29 GMT+0800 (China Standard Time)

ZwWow64* functions also appear to be missing

There's no functions named ZwWow64 in ntdll or ntoskrnl? A quick search for wow in the export table shows only RtlWow exists:

Duncan Ogilvie · Answer 3 · Mon Feb 27 2023 06:30:19 GMT+0800 (China Standard Time)

They are only present in the 32-bit ntdll.dll on a wow64 system. Not exactly sure what code they execute in the kernel, but they have a syscall number.

Duncan Ogilvie · Answer 4 · Mon Feb 27 2023 06:32:44 GMT+0800 (China Standard Time)

Windows 10 22H2 19045.2604

dmex · Answer 5 · Mon Feb 27 2023 13:03:49 GMT+0800 (China Standard Time)

Not exactly sure what code they execute in the kernel, but they have a syscall number.

I don't see any syscalls for these functions in IDA. They're just calling Wow64Transition and the 64bit ntdll?

Duncan Ogilvie · Answer 6 · Mon Feb 27 2023 18:49:42 GMT+0800 (China Standard Time)

I see, they are implemented directly in wow64.dll. Would still be nice to have their prototypes somewhere though.