Detect x86_64 process in Windows 10 ARM64 OS

[Biswa96]

How to detect x86_64 process in Windows ARM64 OS? Extending discussion from msys2/msys2-runtime#47

[Biswa96]

@jeremyd2019 Here is the sample code.

typedef enum _MACHINE_ATTRIBUTES
{
    UserEnabled = 1,
    KernelEnabled = 2,
    Wow64Container = 4,
} MACHINE_ATTRIBUTES, * PMACHINE_ATTRIBUTES;

typedef struct _PROCESS_MACHINE_INFORMATION
{
    /* 0x0000 */ USHORT ProcessMachine;
    /* 0x0002 */ USHORT Res0;
    /* 0x0004 */ MACHINE_ATTRIBUTES MachineAttributes;
} PROCESS_MACHINE_INFORMATION, * PPROCESS_MACHINE_INFORMATION; /* size: 0x0008 */

int main()
{
#define ProcessMachineTypeInfo 9
    PROCESS_MACHINE_INFORMATION buf;
    memset(&buf, 0, sizeof buf);
    BOOL ret = GetProcessInformation(-1, ProcessMachineTypeInfo, &buf, sizeof buf);
    printf("ret: %d\n", ret);
    printf("ProcessMachine: 0x%x\n", buf.ProcessMachine);
    printf("Res0: 0x%x\n", buf.Res0);
    printf("MachineAttributes: %d\n", buf.MachineAttributes);

    return 0;
}

Here is the output in Windows 10 ARM64 machine (tiny Rpi4)

• ARM: IMAGE_FILE_MACHINE_ARMNT (0x01c4)
• ARM64: IMAGE_FILE_MACHINE_ARM64 (0xaa64)
• X86: IMAGE_FILE_MACHINE_I386 (0x014c)
• X86_64: IMAGE_FILE_MACHINE_AMD64 (0x8664)

Please reply on different line. GitHub seems to hide many nested discussion.

[Biswa96]

The aforementioned structures and enum are in WinSDK version 10.0.22000.0. I shall add those symbols in mingw-w64. In future, if mingw-w64/w32api cygwin package were updated there will be some redeclaration error.

[jeremyd2019]

Sweet, that's exactly what I want to know. Do you happen to know the minimum Windows version of that call (or I guess ProcessMachineTypeInfo as GetProcessInformation says Windows 8 on MSDN.

If you put that on my Q&A question I can give you the answer points (if you are on there and care about such things)

[jeremyd2019]

It's apparently very new, 20H2 and 21H1 return FALSE from that GetProcessInformation call on x86_64, i686, and aarch64.

[Biswa96]

You could check the return value to get if that process info class supported. I don't know about the supported Win versions.

About the MS Q&A, I don't have MS account.

[jeremyd2019]

All I had to use was the MS account I had to create to get insider previews. I gave you props there anyway: https://docs.microsoft.com/answers/answers/452530/view.html

[jeremyd2019]

So it looks like the way to go is, if IsWow64Process2 exists and returns IMAGE_FILE_MACHINE_UNKNOWN for *pProcessMachine, try calling GetProcessInformation with that class, and if that returns TRUE use the ProcessMachine it gave, otherwise use *pNativeMachine.

[Biswa96]

Do those 20H2 and 21H1 support x86_64 on arm64?

[jeremyd2019]

no, which is why the logic I proposed should work

[Biswa96]

Wait! There is a thing can be done with NtQuerySystemInformationEx, if it is allowed in cygwin.

[jeremyd2019]

If it's 0xb5, it lies 😛

[Biswa96]

No, it does not 😎

[Biswa96]

There is another way to detect with NtQuerySystemInformationEx(SystemSupportedProcessorArchitectures, ...) but that code will be overwhelming for this little goal. It returns an array of SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION structure. The first one is native and rest is the supported architecture. I will contribute the code to ProcessHacker and let you know the details.

[jeremyd2019]

I couldn't get it to return x86_64. Will be curious to see, but GetProcessInformation seems to work fine for this

[Biswa96]

Here is the structure winsiderss/systeminformer#922

[Biswa96]

Is it possible to use autoload in cygwin to get those APIs instead of GetProcAddress? Just asking.

[jeremyd2019]

From msys2/msys2-runtime#47:

While cygwin already 'knows' how to autoload IsWow64Process2, and will make it return FALSE/ERROR_PROC_NOT_FOUND if it isn't present, this magic does not seem to be present in kill.exe so go back to manual GetModuleHandle/GetProcAddress. ☹️

Specifically, this code is in a header, that is included by both exceptions.cc inside cygwin DLL (where autoload would work), but also from winsup/utils/kill.cc (which didn't seem to have the autoload stuff when I tried with IsWow64Process2)