wow64ext library update 2

A new update of the wow64ext library is available; I’ve added two new functions:

  • SetThreadContext64()
  • GetThreadContext64()

There is also a definition of the _CONTEXT64 structure that is used by those functions. Sample usage:

        #include <stdio.h>
        #include <windows.h>
        #include "wow64ext.h"   // _CONTEXT64, CONTEXT64_ALL, GetThreadContext64()

        _CONTEXT64 ctx = { 0 };
        ctx.ContextFlags = CONTEXT64_ALL;               // request the full 64-bit register set
        GetThreadContext64(GetCurrentThread(), &ctx);   // read the x64 context of this WOW64 thread

        printf("rsp: %016I64X\n", ctx.Rsp);
        printf("rip: %016I64X\n", ctx.Rip);
        printf("r8 : %016I64X\n", ctx.R8);
        printf("r9 : %016I64X\n", ctx.R9);
        printf("r12: %016I64X\n", ctx.R12);

Link to library hosted on google code: http://code.google.com/p/rewolf-wow64ext/
Direct link to zip package: https://rewolf-wow64ext.googlecode.com/files/rewolf.wow64ext.v1.0.2.zip

16 Comments

  1. I haven’t checked it against Win8 as my old laptop doesn’t have virtualization support, so I can’t run x64 Win8 in a virtual machine. As the code is open, you can check for yourself why it is broken and fix it, because I can’t tell you when I’ll have resources to check & fix it.

  2. Great job! But I found a bug in wow64ext.h

    struct _LDR_DATA_TABLE_ENTRY_T
    {
        _LIST_ENTRY_T InLoadOrderLinks;
        _LIST_ENTRY_T InMemoryOrderLinks;
        _LIST_ENTRY_T InInitializationOrderLinks;
        T DllBase;
        T EntryPoint;
        union
        {
            DWORD SizeOfImage;
            T dummy01;
        };
        _UNICODE_STRING_T FullDllName;
        _UNICODE_STRING_T BaseDllName;
        DWORD Flags;
        WORD LoadCount;
        WORD TlsIndex;
        union
        {
            _LIST_ENTRY_T HashLinks;
            struct 
            {
                T SectionPointer;
                T CheckSum;
            };
        };
        union
        {
            T LoadedImports;
            DWORD TimeDateStamp;
        };
        T EntryPointActivationContext;
        T PatchInformation;
        _LIST_ENTRY_T ForwarderLinks;
        _LIST_ENTRY_T ServiceTagLinks;
        _LIST_ENTRY_T StaticLinks;
        T ContextInformation;
        T OriginalBase;
        _LARGE_INTEGER LoadTime;
    };

    It is true, but only for Windows 7

    For Vista

    struct _LDR_DATA_TABLE_ENTRY
    {
        struct _LIST_ENTRY InLoadOrderLinks;
        struct _LIST_ENTRY InMemoryOrderLinks;
        struct _LIST_ENTRY InInitializationOrderLinks;
        void * DllBase;
        void * EntryPoint;
        unsigned long SizeOfImage;
        struct _UNICODE_STRING FullDllName;
        struct _UNICODE_STRING BaseDllName;
        unsigned long Flags;
        unsigned short LoadCount;
        unsigned short TlsIndex;
        union
        {
            struct _LIST_ENTRY HashLinks;
            struct
            {
                void * SectionPointer;
                unsigned long CheckSum;
            };
        };
        union
        {
            unsigned long TimeDateStamp;
            void * LoadedImports;
        };
        struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
        void * PatchInformation;
        struct _LIST_ENTRY ForwarderLinks;
        struct _LIST_ENTRY ServiceTagLinks;
        struct _LIST_ENTRY StaticLinks;
    };

    For Windows 8

    struct _LDR_DATA_TABLE_ENTRY
    {
        struct _LIST_ENTRY InLoadOrderLinks;
        struct _LIST_ENTRY InMemoryOrderLinks;
        union
        {
            struct _LIST_ENTRY InInitializationOrderLinks;
            struct _LIST_ENTRY InProgressLinks;
        };
        void * DllBase;
        void * EntryPoint;
        unsigned long SizeOfImage;
        struct _UNICODE_STRING FullDllName;
        struct _UNICODE_STRING BaseDllName;
        union
        {
            unsigned char FlagGroup[4];
            unsigned long Flags;
            struct
            {
                unsigned long PackagedBinary: 1;
                unsigned long MarkedForRemoval: 1;
                unsigned long ImageDll: 1;
                unsigned long LoadNotificationsSent: 1;
                unsigned long TelemetryEntryProcessed: 1;
                unsigned long ProcessStaticImport: 1;
                unsigned long InLegacyLists: 1;
                unsigned long InIndexes: 1;
                unsigned long ShimDll: 1;
                unsigned long InExceptionTable: 1;
                unsigned long ReservedFlags1: 2;
                unsigned long LoadInProgress: 1;
                unsigned long ReservedFlags2: 1;
                unsigned long EntryProcessed: 1;
                unsigned long ReservedFlags3: 3;
                unsigned long DontCallForThreads: 1;
                unsigned long ProcessAttachCalled: 1;
                unsigned long ProcessAttachFailed: 1;
                unsigned long CorDeferredValidate: 1;
                unsigned long CorImage: 1;
                unsigned long DontRelocate: 1;
                unsigned long CorILOnly: 1;
                unsigned long ReservedFlags5: 3;
                unsigned long Redirected: 1;
                unsigned long ReservedFlags6: 2;
                unsigned long CompatDatabaseProcessed: 1;
            };
        };
        unsigned short ObsoleteLoadCount;
        unsigned short TlsIndex;
        struct _LIST_ENTRY HashLinks;
        unsigned long TimeDateStamp;
        struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
        void * PatchInformation;
        struct _LDR_DDAG_NODE * DdagNode;
        struct _LIST_ENTRY NodeModuleLink;
        struct _LDRP_DLL_SNAP_CONTEXT * SnapContext;
        void * ParentDllBase;
        void * SwitchBackContext;
        struct _RTL_BALANCED_NODE BaseAddressIndexNode;
        struct _RTL_BALANCED_NODE MappingInfoIndexNode;
        unsigned long OriginalBase;
        union _LARGE_INTEGER LoadTime;
        unsigned long BaseNameHashValue;
        enum _LDR_DLL_LOAD_REASON LoadReason;
    };
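
    The three definitions above differ only after the fields that module-enumeration code usually reads. The following C program is an added example, not code from the post or from the wow64ext library: it re-types the three layouts posted in the comment for a 64-bit target with fixed-width integers (Windows' `unsigned long` is 32 bits; `_RTL_BALANCED_NODE` is not defined in the comment and is assumed to be three pointer-sized slots; the Windows 8 bit-field group is collapsed into the 32-bit `Flags` word), checks with `offsetof` that DllBase, SizeOfImage, BaseDllName, TlsIndex and TimeDateStamp sit at the same offsets in all three, and then decodes a constructed Windows 8 entry with the Windows 7 layout to show that the shared fields still come out right while OriginalBase comes back as garbage. All offsets and sizes are what the compiler derives from the posted definitions, not values verified against live Windows builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t PTR64;    /* any pointer inside the x64 target process */
typedef uint32_t ULONG32;  /* Windows "unsigned long" stays 32 bits on x64 */
typedef struct { PTR64 Flink, Blink; } LIST_ENTRY64;
typedef struct { uint16_t Length, MaximumLength; PTR64 Buffer; } UNICODE_STRING64;
typedef struct { PTR64 Children[2], ParentValue; } RTL_BALANCED_NODE64; /* assumed shape, not in the comment */

/* Vista layout, as posted */
typedef struct {
    LIST_ENTRY64 InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    PTR64 DllBase, EntryPoint;
    ULONG32 SizeOfImage;
    UNICODE_STRING64 FullDllName, BaseDllName;
    ULONG32 Flags;
    uint16_t LoadCount, TlsIndex;
    union { LIST_ENTRY64 HashLinks; struct { PTR64 SectionPointer; ULONG32 CheckSum; }; };
    union { ULONG32 TimeDateStamp; PTR64 LoadedImports; };
    PTR64 EntryPointActivationContext, PatchInformation;
    LIST_ENTRY64 ForwarderLinks, ServiceTagLinks, StaticLinks;
} LDR_ENTRY_VISTA;

/* Windows 7 layout: the wow64ext template with T = 64-bit pointer */
typedef struct {
    LIST_ENTRY64 InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    PTR64 DllBase, EntryPoint;
    union { ULONG32 SizeOfImage; PTR64 dummy01; };
    UNICODE_STRING64 FullDllName, BaseDllName;
    ULONG32 Flags;
    uint16_t LoadCount, TlsIndex;
    union { LIST_ENTRY64 HashLinks; struct { PTR64 SectionPointer, CheckSum; }; };
    union { PTR64 LoadedImports; ULONG32 TimeDateStamp; };
    PTR64 EntryPointActivationContext, PatchInformation;
    LIST_ENTRY64 ForwarderLinks, ServiceTagLinks, StaticLinks;
    PTR64 ContextInformation, OriginalBase;
    int64_t LoadTime;
} LDR_ENTRY_WIN7;

/* Windows 8 layout, as posted (the Flags bit-fields collapsed into the 32-bit word) */
typedef struct {
    LIST_ENTRY64 InLoadOrderLinks, InMemoryOrderLinks;
    union { LIST_ENTRY64 InInitializationOrderLinks, InProgressLinks; };
    PTR64 DllBase, EntryPoint;
    ULONG32 SizeOfImage;
    UNICODE_STRING64 FullDllName, BaseDllName;
    ULONG32 Flags;
    uint16_t ObsoleteLoadCount, TlsIndex;
    LIST_ENTRY64 HashLinks;
    ULONG32 TimeDateStamp;
    PTR64 EntryPointActivationContext, PatchInformation, DdagNode;
    LIST_ENTRY64 NodeModuleLink;
    PTR64 SnapContext, ParentDllBase, SwitchBackContext;
    RTL_BALANCED_NODE64 BaseAddressIndexNode, MappingInfoIndexNode;
    ULONG32 OriginalBase; int64_t LoadTime; ULONG32 BaseNameHashValue; int32_t LoadReason;
} LDR_ENTRY_WIN8;

/* Offsets of the fields a module-enumeration tool typically reads. */
struct field_offsets { size_t dll_base, size_of_image, base_dll_name, tls_index, time_date_stamp; };
#define OFFSETS_OF(T) { offsetof(T, DllBase), offsetof(T, SizeOfImage), \
                        offsetof(T, BaseDllName), offsetof(T, TlsIndex), offsetof(T, TimeDateStamp) }

/* 1 when all three layouts agree on where those fields live. */
int common_fields_stable(void) {
    struct field_offsets v = OFFSETS_OF(LDR_ENTRY_VISTA), w7 = OFFSETS_OF(LDR_ENTRY_WIN7), w8 = OFFSETS_OF(LDR_ENTRY_WIN8);
    return memcmp(&v, &w7, sizeof v) == 0 && memcmp(&w7, &w8, sizeof w7) == 0;
}

struct module_info { PTR64 dll_base, original_base; ULONG32 size_of_image, time_date_stamp; };
enum os_version { OS_WIN7, OS_WIN8 };
#define DECODE_AS(T) do { T e; if (len < sizeof e) return 0; memcpy(&e, raw, sizeof e); \
    out->dll_base = e.DllBase; out->size_of_image = e.SizeOfImage; \
    out->time_date_stamp = e.TimeDateStamp; out->original_base = e.OriginalBase; return 1; } while (0)

/* Decode one raw entry copied out of the x64 process with the layout for `ver`; 0 on unknown version or short buffer. */
int decode_entry(enum os_version ver, const void *raw, size_t len, struct module_info *out) {
    memset(out, 0, sizeof *out);
    if (ver == OS_WIN7) DECODE_AS(LDR_ENTRY_WIN7);
    if (ver == OS_WIN8) DECODE_AS(LDR_ENTRY_WIN8);
    return 0;
}

/* Constructed Windows 8 entry decoded with the right (Win8) and the wrong (Win7) layout. Returns 1 when the
   shared fields agree but OriginalBase, which Win7 places at offset 208 (inside Win8's BaseAddressIndexNode),
   comes back as the 0x41 marker instead of the real value. */
int win7_layout_misreads_win8(void) {
    LDR_ENTRY_WIN8 e; struct module_info good, bad;
    memset(&e, 0, sizeof e);
    e.DllBase = 0x00007FF612340000ULL; e.SizeOfImage = 0x25000; e.TimeDateStamp = 0x5EED0000;
    e.OriginalBase = 0x12340000; e.BaseAddressIndexNode.Children[1] = 0x4141414141414141ULL;
    if (!decode_entry(OS_WIN8, &e, sizeof e, &good) || !decode_entry(OS_WIN7, &e, sizeof e, &bad)) return 0;
    return good.dll_base == bad.dll_base && good.size_of_image == bad.size_of_image
        && good.time_date_stamp == bad.time_date_stamp
        && good.original_base == 0x12340000 && bad.original_base == 0x4141414141414141ULL;
}

int main(void) {
    printf("sizes: vista=%zu win7=%zu win8=%zu\n", sizeof(LDR_ENTRY_VISTA), sizeof(LDR_ENTRY_WIN7), sizeof(LDR_ENTRY_WIN8));
    printf("common fields stable: %d, win7 layout misreads win8: %d\n", common_fields_stable(), win7_layout_misreads_win8());
    return 0;
}
```

    The program only models the layouts, so it compiles and runs on any 64-bit host. The practical consequence for anyone walking the x64 loader list from a WOW64 process is that the fields up to PatchInformation can be read with one layout, whereas everything after it (ForwarderLinks on Windows 7 versus DdagNode on Windows 8, OriginalBase and LoadTime in different places) must be selected by detected OS version and sanity-checked rather than trusted.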

  3. Hi,

    ReWolf, good job on this blog, I am a fan of it. Can you please add CreateRemoteThread() to your awesome library? It would be useful for code injection and API hooking. Thanks in advance.

    1. Probably I could add it, but since I don’t have much time I can’t promise that it will be added anytime soon. You can add it on your own; it should be pretty simple. I believe that a wrapper for the x64 version of NtCreateThread/NtCreateThreadEx should do the trick. Just look at how other functions inside the wow64ext library are implemented and use the X64Call() function to call the mentioned functions.

      1. @ReWolf
        Hi,

        Thanks! I will study your code properly and will implement my own version. I will post the code here as well.

        Also, after performing Heaven’s Gate, do I need to use only ntdll native functions?

        1. @Swaggy

          Also, after performing Heaven’s Gate, do I need to use only ntdll native functions?

          Yes, because there is only x64 version of ntdll available in this mode.

            1. XP x64 – I don’t know.
              Vista x64 – should work
              Win7 x64 – works perfectly.
              Win8 x64 – I had some reports that it doesn’t work, but haven’t checked it.

  4. Would WoW64ext enable GetSystemFileCacheSize to return a 64-bit pointer? Currently with WOW64 it only returns the low 32 bits and returns error 534 if the cache is over the 32-bit limit.

  5. Hi,

    I know others have said this, but can you create a post about creating a code injection using this library into x64 processes? This would help a lot of us, especially programmers and reverse engineers. Thanks

    1. I’m not sure who would benefit from it most, but I’m not willing to write such a post. Anyway, it should be really easy with this library, so I’m pretty sure that people who want to do it will figure it out.
