Reading/Writing Memory in x64

[wraithdu]

I recently upgraded my home PC to x64, my dev laptop is still 32 bit, but it got me thinking about how AutoIt interacts with x64 and the whole WOW64 subsystem. Here's the scenario I'm thinking about. In a UDF like my API hooking script, virtual memory is directly read and modified. Some of this memory is pointers. So in a native x64 to x64 interaction, the pointers would all be 64 bit numbers (reading and writing), no mystery there. But how does this work in the other scenarios - what does the process see when it reads the memory, and what does it have to write back to function properly? Consider process A is the AutoIt script, and process B is the target process running on x64.

A is 32 bit and B is 32 bit - both run under WOW64, do we treat all pointers as 32 bit numbers when reading and writing?

A is 32 bit and B is 64 bit - target is x64, does WOW64 do some kind of translation for us during read and write?

A is 64 bit and B is 32 bit - target is 32 bit, does WOW64 do some reverse traslation as above?

The problem I can see here is when using Read/WriteProcessMemory we provide a byte structure, so the function has no idea what kind of data is contained (bytes, chars, pointers, etc). As a first guess, I'd say that to properly accomplish a Read/Write, the script would have to know how it is compiled (32 or 64) and check the target process as well.

Anyone have better information? Maybe a good online resource for x64 programming best practices?

Edited November 5, 2009 by wraithdu

[Richard Robertson]

The best way to do it is to compile for the target. When using a 64 bit OS, compile to 64 bit.

As for 64 to 32 bit interaction, I would assume there is some kind of translation that already happened at the WOW level.