WoW Hell: Rebuilding Heavens Gate

Microsoft embeds a translation design named WoW64 (Windows 32 on Windows 64) used for running 32 bit PE (Portable Executable format) on 64 bit Windows. The design basically hosts every 32 bit PE file inside as a native standalone 64-bit process and translates every 32-bit system interrupt into a 64-bit syscall. In this talk, we’re going to talk about deep reversing engineering on WoW64 architecture how it does translations, and some uncovered issues about crossing-architecture could be abused in the wild. This talk will cover:

  • Direct Call to 64 bit NtDLL (Heaven’s Gate) on Lastest Win10
  • FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking by MDSec 2021
  • Abusing WoW64 Layer Hook Trap (by FireEye)
  • Rebuilding the Whole Translation Engine
  • wow64Jit – Call 32bit NtDLL API directly from WoW64 Layer
  • Inject WoW64 Thread Context to Bypass HIPS & EDR Rules

Location: Track 2 Date: May 27, 2021 Time: 1:00 pm - 1:30 pm ShengHao Ma