COMMSEC: Deep Hooks: Monitoring Native Execution in WoW64 Applications

PRESENTATION SLIDES (PDF)

WoW64 processes have a complete 32-bit subsystem inside of them, in charge of supplying the 32-bit application with everything it needs to execute on a 64-bit OS. But eventually, the communication with the 64-bit environment itself is done by the 64-bit portion of the process, which security products often neglect. In most cases, monitoring only the 32-bit subsystem is enough, but bypass techniques such as the notorious “Heaven’s Gate” prove that this approach is far from perfect.

In this talk, we wish to present the possibility of injecting 64-bit DLLs into WoW64 processes and using them to hook 64-bit APIs. This task introduces some unique challenges, which we will discuss in detail. We will present several injection methods, including a couple of novel modifications to existing ones, that enable injecting a 64-bit DLL into a WoW64 process. We will then demonstrate the adjustments we made to an out-of-the-box hooking engine to make it able to hook 64-bit APIs in the process. Some changes in new Windows versions, such as the introduction of CFG (Control Flow Guard) and changes to some API functions, made this task more challenging; we will show how we researched and solved these issues, making this hooking technique useful on all currently available Windows versions.

We have published a series of three blog posts about this research:

https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-1/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-2/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-3/


Track: COMMSEC
Location: BALLROOM 2
Date: August 31, 2018
Time: 10:30 am - 11:30 am
Speakers: Assaf Carlsbad, Yarden Shafir