strange thing about wow64 process call GetThreadContext

#27280 by vs2099
Sat Nov 21, 2015 8:52 pm

Hi,
Everyone knows that if a process call kernel32!GetThreadContext, it will through nt!NtGetContextThread.
But I found that if wow64 process call kernel32!GetThreadContext, it will not through nt!NtGetContextThread.
I use BP(WINDBG) even KERNEL INLINE HOOK and try to catch something, but I failed.
It only can catch the call of native (64-bit) process.
Who can tell me the reason.

Best regards,
VS2099.

Username

vs2099

Posts

Joined

Wed Jul 17, 2013 2:45 am

Re: strange thing about wow64 process call GetThreadContext

#27284 by Brock
Sun Nov 22, 2015 6:19 am

If you disasm kernel32!GetThreadContext it does call ntdll!NtGetContextThread which in turn will call into fs:[0xC0] (wow64cpu!X86SwitchTo64BitMode). It's handled by the WOW layer before the native system call is issued

Accept nothing less than STATUS_SUCCESS

Username

Brock

Posts

222

Joined

Wed Apr 28, 2010 3:13 am

Location

Valparaiso, Florida USA

Contact

Re: strange thing about wow64 process call GetThreadContext

#27293 by myid
Tue Nov 24, 2015 1:57 am

bp PspGetContextThreadInternal
Maybe this is the answer. :D

Username

myid

Posts

157

Joined

Sat Jun 09, 2012 2:54 am

Page 1 of 1
3 posts