$source = @"
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;
/// <summary>
/// P/Invoke surface for the WOW64 machine-architecture queries exported by kernel32.dll,
/// together with the IMAGE_FILE_MACHINE_* identifiers those calls take and return.
/// Compiled at runtime via Add-Type, so only classic (pre-C# 6) syntax is used here.
/// </summary>
public static class WinApi
{
    // PE machine identifiers (winnt.h IMAGE_FILE_MACHINE_*). Values are the
    // documented header constants; the trailing comments name the architecture.
    public const ushort IMAGE_FILE_MACHINE_UNKNOWN = 0;
    public const ushort IMAGE_FILE_MACHINE_TARGET_HOST = 0x0001; // Ask about the host itself rather than a WoW guest.
    public const ushort IMAGE_FILE_MACHINE_I386 = 0x014c; // Intel 386.
    public const ushort IMAGE_FILE_MACHINE_R3000 = 0x0162; // MIPS little-endian, = 0x160 big-endian
    public const ushort IMAGE_FILE_MACHINE_R4000 = 0x0166; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_R10000 = 0x0168; // MIPS little-endian
    public const ushort IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x0169; // MIPS little-endian WCE v2
    public const ushort IMAGE_FILE_MACHINE_ALPHA = 0x0184; // Alpha_AXP
    public const ushort IMAGE_FILE_MACHINE_SH3 = 0x01a2; // SH3 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH3DSP = 0x01a3;
    public const ushort IMAGE_FILE_MACHINE_SH3E = 0x01a4; // SH3E little-endian
    public const ushort IMAGE_FILE_MACHINE_SH4 = 0x01a6; // SH4 little-endian
    public const ushort IMAGE_FILE_MACHINE_SH5 = 0x01a8; // SH5
    public const ushort IMAGE_FILE_MACHINE_ARM = 0x01c0; // ARM Little-Endian
    public const ushort IMAGE_FILE_MACHINE_THUMB = 0x01c2; // ARM Thumb/Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_ARMNT = 0x01c4; // ARM Thumb-2 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_AM33 = 0x01d3;
    public const ushort IMAGE_FILE_MACHINE_POWERPC = 0x01F0; // IBM PowerPC Little-Endian
    public const ushort IMAGE_FILE_MACHINE_POWERPCFP = 0x01f1;
    public const ushort IMAGE_FILE_MACHINE_IA64 = 0x0200; // Intel 64
    public const ushort IMAGE_FILE_MACHINE_MIPS16 = 0x0266; // MIPS
    public const ushort IMAGE_FILE_MACHINE_ALPHA64 = 0x0284; // ALPHA64
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU = 0x0366; // MIPS
    public const ushort IMAGE_FILE_MACHINE_MIPSFPU16 = 0x0466; // MIPS
    public const ushort IMAGE_FILE_MACHINE_AXP64 = IMAGE_FILE_MACHINE_ALPHA64; // Alias; shares ALPHA64's value and name.
    public const ushort IMAGE_FILE_MACHINE_TRICORE = 0x0520; // Infineon
    public const ushort IMAGE_FILE_MACHINE_CEF = 0x0CEF;
    public const ushort IMAGE_FILE_MACHINE_EBC = 0x0EBC; // EFI Byte Code
    public const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664; // AMD64 (K8)
    public const ushort IMAGE_FILE_MACHINE_M32R = 0x9041; // M32R little-endian
    public const ushort IMAGE_FILE_MACHINE_ARM64 = 0xAA64; // ARM64 Little-Endian
    public const ushort IMAGE_FILE_MACHINE_CEE = 0xC0EE;

    /// <summary>HRESULT success code returned by <see cref="IsWow64GuestMachineSupported"/>.</summary>
    public const UInt32 S_OK = 0;

    /// <summary>
    /// Asks kernel32 whether WOW64 guests of machine type <paramref name="WowGuestMachine"/> can run on this host.
    /// Returns an HRESULT (<see cref="S_OK"/> on success); the answer itself is written to <paramref name="MachineIsSupported"/>.
    /// </summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern UInt32 IsWow64GuestMachineSupported(ushort WowGuestMachine, out bool MachineIsSupported);

    /// <summary>
    /// Reports the machine type of the process image (<paramref name="pProcessMachine"/>) and of the host
    /// (<paramref name="pNativeMachine"/>) for <paramref name="hProcess"/>. Returns false on failure;
    /// SetLastError is set so the Win32 error can be read by the caller.
    /// </summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool IsWow64Process2(IntPtr hProcess, out ushort pProcessMachine, out ushort pNativeMachine);

    /// <summary>Returns the pseudo-handle for the calling process.</summary>
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetCurrentProcess();

    // Lookup table behind MachineTypeToStr. AXP64 is deliberately absent: it has the
    // same value as ALPHA64, and a second entry would throw at type initialization.
    private static readonly System.Collections.Generic.Dictionary<ushort, string> s_machineNames =
        new System.Collections.Generic.Dictionary<ushort, string>
        {
            { IMAGE_FILE_MACHINE_UNKNOWN, "IMAGE_FILE_MACHINE_UNKNOWN" },
            { IMAGE_FILE_MACHINE_TARGET_HOST, "IMAGE_FILE_MACHINE_TARGET_HOST" },
            { IMAGE_FILE_MACHINE_I386, "IMAGE_FILE_MACHINE_I386" },
            { IMAGE_FILE_MACHINE_R3000, "IMAGE_FILE_MACHINE_R3000" },
            { IMAGE_FILE_MACHINE_R4000, "IMAGE_FILE_MACHINE_R4000" },
            { IMAGE_FILE_MACHINE_R10000, "IMAGE_FILE_MACHINE_R10000" },
            { IMAGE_FILE_MACHINE_WCEMIPSV2, "IMAGE_FILE_MACHINE_WCEMIPSV2" },
            { IMAGE_FILE_MACHINE_ALPHA, "IMAGE_FILE_MACHINE_ALPHA" },
            { IMAGE_FILE_MACHINE_SH3, "IMAGE_FILE_MACHINE_SH3" },
            { IMAGE_FILE_MACHINE_SH3DSP, "IMAGE_FILE_MACHINE_SH3DSP" },
            { IMAGE_FILE_MACHINE_SH3E, "IMAGE_FILE_MACHINE_SH3E" },
            { IMAGE_FILE_MACHINE_SH4, "IMAGE_FILE_MACHINE_SH4" },
            { IMAGE_FILE_MACHINE_SH5, "IMAGE_FILE_MACHINE_SH5" },
            { IMAGE_FILE_MACHINE_ARM, "IMAGE_FILE_MACHINE_ARM" },
            { IMAGE_FILE_MACHINE_THUMB, "IMAGE_FILE_MACHINE_THUMB" },
            { IMAGE_FILE_MACHINE_ARMNT, "IMAGE_FILE_MACHINE_ARMNT" },
            { IMAGE_FILE_MACHINE_AM33, "IMAGE_FILE_MACHINE_AM33" },
            { IMAGE_FILE_MACHINE_POWERPC, "IMAGE_FILE_MACHINE_POWERPC" },
            { IMAGE_FILE_MACHINE_POWERPCFP, "IMAGE_FILE_MACHINE_POWERPCFP" },
            { IMAGE_FILE_MACHINE_IA64, "IMAGE_FILE_MACHINE_IA64" },
            { IMAGE_FILE_MACHINE_MIPS16, "IMAGE_FILE_MACHINE_MIPS16" },
            { IMAGE_FILE_MACHINE_ALPHA64, "IMAGE_FILE_MACHINE_ALPHA64" },
            { IMAGE_FILE_MACHINE_MIPSFPU, "IMAGE_FILE_MACHINE_MIPSFPU" },
            { IMAGE_FILE_MACHINE_MIPSFPU16, "IMAGE_FILE_MACHINE_MIPSFPU16" },
            { IMAGE_FILE_MACHINE_TRICORE, "IMAGE_FILE_MACHINE_TRICORE" },
            { IMAGE_FILE_MACHINE_CEF, "IMAGE_FILE_MACHINE_CEF" },
            { IMAGE_FILE_MACHINE_EBC, "IMAGE_FILE_MACHINE_EBC" },
            { IMAGE_FILE_MACHINE_AMD64, "IMAGE_FILE_MACHINE_AMD64" },
            { IMAGE_FILE_MACHINE_M32R, "IMAGE_FILE_MACHINE_M32R" },
            { IMAGE_FILE_MACHINE_ARM64, "IMAGE_FILE_MACHINE_ARM64" },
            { IMAGE_FILE_MACHINE_CEE, "IMAGE_FILE_MACHINE_CEE" },
        };

    /// <summary>
    /// Maps an IMAGE_FILE_MACHINE_* value to its symbolic name.
    /// </summary>
    /// <param name="MachineType">Machine identifier as returned by <see cref="IsWow64Process2"/>.</param>
    /// <returns>The constant's name, or "Unknown Machine Type" for a value not in the table.</returns>
    public static string MachineTypeToStr(ushort MachineType)
    {
        string symbolicName;
        if (s_machineNames.TryGetValue(MachineType, out symbolicName))
        {
            return symbolicName;
        }
        return "Unknown Machine Type";
    }
}
"@
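# Compile the literal C# above into the session. Add-Type throws if the type was
# already loaded (e.g. the script is dot-sourced twice), so skip it in that case.
if (-not ('WinApi' -as [Type]))
{
    Add-Type $source
}

# Both kernel32 exports used below are Windows 10-era additions. A missing export
# surfaces as EntryPointNotFoundException at call time, not at Add-Type time, so
# each call is guarded on its own and a failure is reported rather than swallowed.

# 1. Can this host run 32-bit x86 WOW64 guests? The answer arrives via the out
#    parameter; the return value is an HRESULT that must be S_OK for it to be valid.
[bool]$MachineIsSupported = $false
try
{
    $hr = [WinApi]::IsWow64GuestMachineSupported([WinApi]::IMAGE_FILE_MACHINE_I386, [ref]$MachineIsSupported)
    if ($hr -eq [WinApi]::S_OK)
    {
        "IsWow64GuestMachineSupported IMAGE_FILE_MACHINE_I386: $MachineIsSupported"
    }
    else
    {
        Write-Warning ("IsWow64GuestMachineSupported failed with HRESULT 0x{0:X8}" -f $hr)
    }
}
catch [System.EntryPointNotFoundException]
{
    Write-Warning "IsWow64GuestMachineSupported is not exported by this kernel32.dll (requires Windows 10 or later)."
}

# 2. Machine type of this process image and of the host. ProcessMachine is
#    IMAGE_FILE_MACHINE_UNKNOWN when the process is not a WOW64 guest.
[UInt16]$processMachine = 0
[UInt16]$nativeMachine = 0
try
{
    $bResult = [WinApi]::IsWow64Process2([WinApi]::GetCurrentProcess(), [ref]$processMachine, [ref]$nativeMachine)
    if ($bResult)
    {
        "ProcessMachine: $([WinApi]::MachineTypeToStr($processMachine))"
        "NativeMachine: $([WinApi]::MachineTypeToStr($nativeMachine))"
    }
    else
    {
        # The DllImport sets SetLastError = true, so the marshaller has captured the
        # Win32 error for this thread; read it before doing anything else.
        $win32Error = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $message = (New-Object System.ComponentModel.Win32Exception($win32Error)).Message
        Write-Warning ("IsWow64Process2 failed (error {0}): {1}" -f $win32Error, $message)
    }
}
catch [System.EntryPointNotFoundException]
{
    Write-Warning "IsWow64Process2 is not exported by this kernel32.dll (requires Windows 10 or later)."
}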