wow64ext finally compatible with Windows 8

I’ve some good news for everyone who was complaining that wow64ext library doesn’t work on Windows 8. I’ve researched this topic a bit, and I’ve released fixed version of the library. Problem was very simple, but it couldn’t be fixed with just one line of code. On Windows 8/8.1 x64 version of NTDLL is loaded at address above 4GB, it wasn’t the case on previous versions of Windows, as x64 NTDLL was always loaded below 4GB. Also some of the system structures are mapped above 4GB (PEB_LDR_DATA64). To fix all the issues I had to introduce new memcpy-like function that can copy data from addresses above 4GB to addresses that are accessible by the standard x86 code. I’ve also fixed problem with case-sensitive GetModuleHandle64 that popped up recently. Below you can find direct link to the updated library:

Link to library hosted on google code: http://code.google.com/p/rewolf-wow64ext/
Direct link to zip package: http://rewolf-wow64ext.googlecode.com/files/rewolf.wow64ext.v1.0.0.3.zip

13 Comments

  1. Can you add NtCreateThreadEx\NtCreateThread please, it would be helpful. Anyway Just to say you are awesome at debugging.

    Reply

    1. I don’t plan to add those functions, as it would be to easy to abuse this library. Anyway, it is rather easy to use X64Call() for this purpose.

      Reply

  2. Hi,

    Quick Report of Bug, I have come across – I have successfully place hook however when I call a function, the entire program crashes with:
    “Unhandled exception at 0x00DF9C01 in wow64ext.exe: 0xC0000005: Access violation writing location 0x00270FF8.


    #include
    #include "internal.h"
    #include "wow64ext.h"
    #include "CMemPtr.h"
    #include
    using namespace std;
    __declspec(naked) void Callback()
    {
    X64_End();
    __asm mov eax, 0
    //whNtCreateFile
    X64_Start();
    }
    int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevhInstance, LPSTR lpCmdLine, int CmdShow)
    {
    DWORD64 s = GetProcAddress64(GetModuleHandle64(L"wow64.dll"),"Wow64SystemServiceEx");
    cout<<s;
    LPVOID sz = (LPVOID) s;
    LPVOID cake = Callback;
    HANDLE Handle = OpenProcess(PROCESS_ALL_ACCESS,false,GetCurrentProcessId());
    DWORD dwOldProtect = {0};
    VirtualProtectEx(Handle,(PVOID*)s,5,PAGE_EXECUTE_READWRITE,&dwOldProtect);
    *(BYTE*)(s) = 0xE9;
    *(DWORD*)(s+1) = ((DWORD)cake - ((DWORD)sz + 5));
    cin.get();
    }

    Reply

    1. I’ve checked this code and hook is set properly, and debugger breaks inside Callback(), so I have no idea why you’re getting errors (except the fact, that Callback() is just dummy test code, so it must fail after X64_Start()). Get WinDbg and check why it fails, if it is really problem with wow64ext then I’ll be more than happy to fix it ;)

      Reply

  3. In Addition I also discovered the GetProcAddress64 does not work properly on Windows 7 as this code: DWORD64 s = GetProcAddress64(GetModuleHandle64(L"wow64cpu.dll"),"TurboDispatchJumpAddressStart");

    Gives us NULL, which it should not be.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *