Analysis of WOW64 Exploitation Techniques

Recently, hackers have drawn the attention of many security researchers by using an “old” technology from over a decade ago – “Heaven’s Gate” – to evade detection. In response, FireEye published an article titled “WoW64 Subsystem Internals and Hooking Techniques” [1] (hereinafter referred to as “FireEye article”), which provides a detailed introduction to “Heaven’s Gate” and other WOW64 exploitation techniques. Related public accounts in China have also translated and reposted this article [2]. Since WOW64 is a system-level emulator, understanding and mastering WOW64 exploitation techniques requires a lot of knowledge about the system’s underlying architecture. Here, we will provide a basic analysis of “Heaven’s Gate” and another WOW64 exploitation technique – the wow64log.dll hijacking technique, to help everyone understand the related technologies. 1 Background

WOW64 is a set of 32-bit system emulators introduced by Microsoft to maintain backward compatibility on 64-bit Windows systems, making it possible for 32-bit applications to run on 64-bit systems.

Since the release of WOW64, research into its security has been ongoing, uncovering several exploitation techniques, among which the most representative are “Heaven’s Gate” and the wow64log.dll hijacking.

“Heaven’s Gate” is the most famous WOW64 exploitation technique. As early as 2006, this technique appeared on a hacker technology exchange website in Ukraine called VxHeaven (Vx stands for Virus eXechange) (Note: This website was shut down by the Ukrainian police in 2012, and the original material cannot be found). As its name suggests, the exploitation point of “Heaven’s Gate” occurs at the boundary between 32-bit and 64-bit modes – at the call gate. To this day, “Heaven’s Gate” is still considered an effective technique for evading security defenses, utilized by many hacker organizations, and it occasionally comes into the view of security researchers.

The wow64log.dll hijacking is another WOW64 exploitation technique discovered in recent years. It is achieved by writing and hijacking wow64log.dll to inject into WOW64 processes.

2 WoW64 Subsystem

2.1 Operating System in Protected Mode

We know that after the CPU developed to the 80386, the concept of protected mode was introduced. In protected mode, the execution states of program code can have four privilege levels from ring0 to ring3. Accordingly, the Windows system also divides the execution states of program code into two privilege levels: ring0 and ring3. The operating system kernel operates in ring0 (kernel mode); user programs and other parts of the operating system operate in ring3 (user mode). A typical Windows system has the following structure:

Analysis of WOW64 Exploitation Techniques

In the division of privilege levels, user programs can only call kernel mode code through the operating system’s interface (ntdll.dll), using syscall or int 2e via the gate (call gate or interrupt gate), thus achieving protection of the operating system kernel.

For example, the code for a 64-bit process on a 64-bit system to enter kernel mode is as follows:

Analysis of WOW64 Exploitation Techniques

However, due to the differences between 32-bit and 64-bit code, a 32-bit program and the corresponding 32-bit Ntdll.dll cannot directly call 64-bit kernel mode code using syscall or int 2e. To allow 32-bit programs to run normally under a 64-bit kernel, the WOW64 subsystem was created.

2.2 WOW64

The WOW64 subsystem, officially referred to as the WOW64 emulator, is described by Microsoft on its official website [3] as: “The WOW64 emulator runs in user mode, providing an interface between the 32-bit version of Ntdll.dll and the processor kernel, and intercepting kernel calls.”

WOW64 supports both X64 and ARM64 architectures, mainly including the following modules:

  • Wow64.dll provides core emulation architecture and thunks for the Ntoskrnl.exe entry function
  • Wow64win.dll provides thunks for the win32k.sys entry function
  • (X64 only) Wow64cpu.dll provides support for running X86 programs on X64
  • (Itanium only) IA32Exec.bin contains the X86 software emulator
  • (Itanium only) Wowia32x.dll provides an interface between IA32Exec.bin and WOW64
  • (ARM64 only) xtajit.dll contains the X86 software emulator
  • (ARM64 only) Wowarmw.dll provides support for running ARM32 programs on ARM64

With the addition of WOW64, the architecture of a 64-bit Windows system becomes as follows:

Analysis of WOW64 Exploitation Techniques

From this diagram, it can be seen that for a 32-bit process to transition to 64-bit kernel mode, it must first be converted from the 32-bit Ntdll.dll API calls to 64-bit Ntdll.dll API calls by the WOW64 subsystem, and then the 64-bit Ntdll.dll API calls will enter kernel mode using syscall or int 2e.

Regarding the implementation details of WOW64, Microsoft’s description is brief and obscure:

  • “At startup, Wow64.dll loads the X86 version of Ntdll.dll and runs its initialization code, which will load all necessary 32-bit dlls”
  • “The 32-bit code executing system calls does not use the X86 system service call sequence but is modified to use a specific call sequence. This call sequence will be intercepted by WOW64 and converted to a 64-bit call by WOW64CPU.”
  • “Thunks extract parameters from the 32-bit stack, extend the parameters to 64 bits, and then execute the 64-bit system call.”

3 WOW64 Exploitation Techniques The existing WOW64 exploitation techniques mainly revolve around Microsoft’s above description.

3.1 “Heaven’s Gate”

The main issue surrounding “Heaven’s Gate” is: what exactly is the specific call sequence when 32-bit code calls system services, and how is the transition to 64-bit systems achieved.

This is detailed in the FireEye article and other articles; simply put (using NtResumeThread as an example), it is:

  • (Specific call sequence) NtResumeThread calls Wow64SystemService

Analysis of WOW64 Exploitation Techniques

  • (Function to convert to 64-bit mode Thunk) Wow64SystemService calls Wow64Transition

Analysis of WOW64 Exploitation Techniques

  • (Transition from 32-bit mode to 64-bit mode) Wow64Transition points to wow64cpu!KiFastSystemCall, which achieves the transition from X86 to X64 through a far jump.

Analysis of WOW64 Exploitation Techniques

From this, it can be seen that the key to achieving the X86 to X64 conversion is the far jump, which is a jump of the form jmp cs:eip. Here, CS is the segment selector:

  • When cs=0x33, it corresponds to 64-bit mode
  • When cs=0x23, it corresponds to 32-bit mode

“Heaven’s Gate” exploits the far jump, or equivalent constructs like Call and retf, to directly call 64-bit system services without going through the 32-bit ntdll.dll. Due to the implementation technology, many protective software monitor program behavior by injecting the 32-bit ntdll.dll; since “Heaven’s Gate” does not call the API functions in the 32-bit ntdll.dll, it achieves the goal of evading monitoring.

The following is a PoC from (ReWolf) [4] A PoC heaven’s gate implementation:

#define EM(a) __asm __emit (a)
#define X64_Start_with_CS(_cs) {   EM(0x6A) EM(_cs)                      /*  push   _cs                   */   EM(0xE8) EM(0) EM(0) EM(0) EM(0)       /*  call   $+5                   */   EM(0x83) EM(4) EM(0x24) EM(5)          /*  add    dword [esp], 5        */   EM(0xCB)                              /*  retf                         */ }
#define X64_End_with_CS(_cs) { 
 EM(0xE8) EM(0) EM(0) EM(0) EM(0)       /*  call   $+5                   */   EM(0xC7) EM(0x44) EM(0x24) EM(4)       /*                               */   EM(_cs) EM(0) EM(0) EM(0)              /*  mov    dword [rsp + 4], _cs  */   EM(0x83) EM(4) EM(0x24) EM(0xD)       /*  add    dword [rsp], 0xD      */   EM(0xCB)                               /*  retf                         */ }
#define X64_Start() X64_Start_with_CS(0x33)
#define X64_End() X64_End_with_CS(0x23)

3.2 WOW64log.dll Hijacking

Wow64log.dll centers around another issue: what operations are performed during the initialization process of WOW64, and are there any exploitable points during that time.

The most detailed answer to this question can be found in another link provided by FireEye (wbenny) [5]: An extremely detailed view of WOW64 internals on ARM.

Through Wbenny’s article, it can be understood that during the WOW64 initialization process, wow64log.dll will be loaded, and this dll will be loaded by every WOW64 process. However, in the released Windows systems, this dll does not exist (suspected to be used during development).

Thus, by writing this dll and placing it in the appropriate location, it is possible to achieve injection into all WOW64 processes.

4 References

[1]https://www.fireeye.com/blog/threat-research/2020/11/wow64-subsystem-internals-and-hooking-techniques.html

[2]https://www.anquanke.com/post/id/222243

[3]https://docs.microsoft.com/en-us/windows/win32/winprog64/wow64-implementation-details

[4]http://blog.rewolf.pl/blog/?p=102

[5]https://wbenny.github.io/2018/11/04/wow64-internals.htmlAnalysis of WOW64 Exploitation TechniquesAnalysis of WOW64 Exploitation Techniques

Analysis of WOW64 Exploitation Techniques

Leave a Comment