Determines whether the specified process is running under WOW64. In other words, it reports whether the process is a 32-bit process running on a 64-bit system.
BOOL WINAPI IsWow64Process( _In_ HANDLE hProcess, _Out_ PBOOL Wow64Process );
- hProcess [in]
  - A handle to the process. The handle must have the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right.
  - Windows Server 2003 and Windows XP: The handle must have the PROCESS_QUERY_INFORMATION access right.
- Wow64Process [out]
  - A pointer to a value that is set to TRUE if the process is running under WOW64. If the process is running under 32-bit Windows, the value is set to FALSE. If the process is a 64-bit application running under 64-bit Windows, the value is also set to FALSE.
If the function succeeds, the return value is a nonzero value.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
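One way to interpret the result for the current process, as an added example that is not code from the original page: because FALSE covers both a 32-bit process on 32-bit Windows and a 64-bit process on 64-bit Windows, the out value is combined with the caller's pointer size, and a failed call is kept separate from FALSE. The names proc_env, classify_env and env_name are hypothetical; the Windows call is compiled only under _WIN32, and the other branch uses constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* proc_env, classify_env and env_name are hypothetical names for this example. */
typedef enum {
    ENV_UNKNOWN,   /* the call failed, so Wow64Process carries no information */
    ENV_WOW64,     /* 32-bit process on 64-bit Windows */
    ENV_NATIVE_64, /* 64-bit process on 64-bit Windows */
    ENV_NATIVE_32  /* 32-bit process on 32-bit Windows */
} proc_env;

/* api_ok:   return value of IsWow64Process (zero means failure)
 * wow64:    value written through the Wow64Process pointer
 * ptr_size: sizeof(void *) in the queried process; needed because FALSE
 *           alone does not separate the two native cases */
proc_env classify_env(int api_ok, int wow64, size_t ptr_size)
{
    if (!api_ok) return ENV_UNKNOWN;
    if (wow64)   return ENV_WOW64;
    return ptr_size == 8 ? ENV_NATIVE_64 : ENV_NATIVE_32;
}

const char *env_name(proc_env e)
{
    static const char *const names[] = {
        "unknown (call failed)", "WOW64 (32-bit on 64-bit Windows)",
        "native 64-bit", "native 32-bit" };
    return names[e];
}

int main(void)
{
#ifdef _WIN32
    BOOL wow64 = FALSE;
    BOOL ok = IsWow64Process(GetCurrentProcess(), &wow64);
    if (!ok) fprintf(stderr, "IsWow64Process failed: %lu\n", GetLastError());
    puts(env_name(classify_env(ok, wow64, sizeof(void *))));
#else
    /* Constructed inputs so the decision table can be checked off Windows. */
    puts(env_name(classify_env(1, 1, 4)));
    puts(env_name(classify_env(1, 0, 8)));
    puts(env_name(classify_env(1, 0, 4)));
    puts(env_name(classify_env(0, 0, 4)));
#endif
    return 0;
}
```

The pointer-size argument is only valid when the queried handle is the calling process itself, as it is here with GetCurrentProcess.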
Below is a malware extract using IsWow64Process to determine its environment: