A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #12040  by _Lynn
 Thu Mar 08, 2012 11:23 pm
Excuse my English, so bear with me:

What is the proper method most people use to detect the thunk layer in Windows x64 that the thread is currently using? Suppose we check the instruction pointer, but I can't seem to find a "proper" way.
 #12041  by everdox
 Thu Mar 08, 2012 11:35 pm
hello,

To answer your question: the kernel itself checks the CS selector and then determines the exception code. But so you are aware, if the thread is executing in the WOW64 thunk layer, special exception codes will be raised that you need to look out for.

For example STATUS_WX86_SINGLE_STEP or STATUS_WX86_BREAKPOINT, but you must use these:

http://msdn.microsoft.com/en-us/library ... 85%29.aspx

Because under the hood, the x86 context is stored in user mode :D
 #12090  by Brock
 Tue Mar 13, 2012 9:22 am
Not hard to gather the thread context and check whether a thread is in WoW64 or not. Anyhow, a 32-bit *process* running under a 64-bit OS environment can be seen through ZwQueryInformationProcess -> ProcessWow64Information, or through the IsWow64Process() API (documented), which already does this. If it is a WOW64 process, get the context through Wow64GetThreadContext; thunking is handled for you.
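As an added example (not code posted in this thread), a debugger-side helper in Python/ctypes that puts both answers together: it maps the WX86 exception codes everdox mentions onto their native equivalents, and follows Brock's route of IsWow64Process followed by Wow64GetThreadContext to read the 32-bit Eip of a thread. The WOW64_CONTEXT layout, ContextFlags value and access masks are assumed from the Windows SDK headers; the Windows-only function is meant to run from a 64-bit Python with rights to query the target.

```python
import ctypes

# Exception codes from ntstatus.h (assumed from the SDK header). The WX86_* variants
# are what the kernel raises when the faulting thread was running 32-bit code under WOW64.
STATUS_BREAKPOINT       = 0x80000003
STATUS_SINGLE_STEP      = 0x80000004
STATUS_WX86_BREAKPOINT  = 0x4000001F
STATUS_WX86_SINGLE_STEP = 0x4000001E

# WOW64_CONTEXT is the 32-bit CONTEXT: 716 bytes, ContextFlags at 0, Eip at 0xB8 (assumed layout).
WOW64_CONTEXT_SIZE    = 716
WOW64_CONTEXT_EIP_OFF = 0xB8
WOW64_CONTEXT_CONTROL = 0x00010001   # WOW64_CONTEXT_i386 | CONTEXT_CONTROL

def classify_exception(code):
    """Map a debug-event code to (native code, True if raised from the WOW64 thunk layer)."""
    wx86 = {STATUS_WX86_BREAKPOINT: STATUS_BREAKPOINT,
            STATUS_WX86_SINGLE_STEP: STATUS_SINGLE_STEP}
    return (wx86[code], True) if code in wx86 else (code, False)

def context_eip(raw):
    """Extract the 32-bit Eip from a raw WOW64_CONTEXT buffer."""
    return int.from_bytes(raw[WOW64_CONTEXT_EIP_OFF:WOW64_CONTEXT_EIP_OFF + 4], "little")

def wow64_thread_eip(pid, tid):
    """Return the 32-bit Eip of thread `tid` in WOW64 process `pid`, or None if the
    process is native 64-bit (then GetThreadContext applies). Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = k32.OpenThread.restype = ctypes.c_void_p  # keep 64-bit handles intact
    hproc = ctypes.c_void_p(k32.OpenProcess(0x0400, False, pid))        # PROCESS_QUERY_INFORMATION
    if not hproc.value:
        raise ctypes.WinError(ctypes.get_last_error())
    is_wow64 = ctypes.c_int(0)
    k32.IsWow64Process(hproc, ctypes.byref(is_wow64))
    if not is_wow64.value:
        k32.CloseHandle(hproc)
        return None
    # THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME
    hthread = ctypes.c_void_p(k32.OpenThread(0x0008 | 0x0002, False, tid))
    ctx = ctypes.create_string_buffer(WOW64_CONTEXT_SIZE)
    flags = ctypes.c_uint32(WOW64_CONTEXT_CONTROL)
    ctypes.memmove(ctx, ctypes.byref(flags), 4)   # ContextFlags selects which registers to fetch
    k32.Wow64SuspendThread(hthread)               # freeze the 32-bit side before reading its context
    ok = k32.Wow64GetThreadContext(hthread, ctx)
    k32.ResumeThread(hthread)
    k32.CloseHandle(hthread)
    k32.CloseHandle(hproc)
    return context_eip(ctx.raw) if ok else None
```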
 #12091  by Brock
 Tue Mar 13, 2012 9:28 am
By the way, you can avoid the WOW64 layer altogether, since a native 64-bit image of NTDLL.DLL is loaded even by a 32-bit process, but I will not elaborate on this at present. Layers of abstraction are what blind most people.