wow64ext finally compatible with Windows 8

I have some good news for everyone who was complaining that the wow64ext library doesn’t work on Windows 8. I’ve researched the topic a bit and released a fixed version of the library. The problem was very simple, but it couldn’t be fixed with just one line of code. On Windows 8/8.1, the x64 version of NTDLL is loaded at an address above 4GB; this wasn’t the case on previous versions of Windows, where x64 NTDLL was always loaded below 4GB. Some of the system structures are also mapped above 4GB (PEB_LDR_DATA64). To fix all the issues I had to introduce a new memcpy-like function that can copy data from addresses above 4GB to addresses that are accessible by standard x86 code. I’ve also fixed the problem with the case-sensitive GetModuleHandle64 that popped up recently. Below you can find direct links to the updated library:

Link to library hosted on google code: http://code.google.com/p/rewolf-wow64ext/
Direct link to zip package: http://rewolf-wow64ext.googlecode.com/files/rewolf.wow64ext.v1.0.0.3.zip
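To make the mechanism behind the fix concrete, here is an added example (not the library’s own code) that models the situation in portable C: a loader list that exists only above 4GB, a memcpy-like accessor that is the only way x86 code can read it, and a case-insensitive lookup like the corrected GetModuleHandle64. FAKE_BASE, FakeLdrEntry, fake_ldr and every address and name in it are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for memory that exists only above 4GB, the situation the post
   describes for x64 NTDLL and PEB_LDR_DATA64 on Windows 8. Layout and values are invented. */
#define FAKE_BASE 0x00007FF812340000ull
typedef struct { uint64_t next; uint64_t dll_base; char name[16]; } FakeLdrEntry;
static FakeLdrEntry fake_ldr[3] = {
    { FAKE_BASE + 1 * sizeof(FakeLdrEntry), 0x00007FF800010000ull, "wow64ext.exe" },
    { FAKE_BASE + 2 * sizeof(FakeLdrEntry), 0x00007FF8A0000000ull, "NTDLL.DLL"    },
    { 0,                                    0x00007FF8B0000000ull, "wow64.dll"    },
};

/* Role of the library's memcpy-like helper: the only way x86 code can read an address
   above 4GB. Simulated here; the real one switches to x64 mode before copying. */
static bool copy_from_64(void *dst, uint64_t src, size_t n) {
    uint64_t end = FAKE_BASE + sizeof fake_ldr;
    if (src < FAKE_BASE || src > end || n > end - src) return false;
    memcpy(dst, (const uint8_t *)fake_ldr + (src - FAKE_BASE), n);
    return true;
}

/* What a plain pointer cast does in a 32-bit process: the upper 32 bits are dropped,
   so the dereference hits an unrelated (or unmapped) x86 address instead of the target. */
static uint32_t truncate_to_x86(uint64_t addr) { return (uint32_t)addr; }

static bool name_eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Walk the list through copy_from_64 only, matching names case-insensitively as the
   fixed GetModuleHandle64 does. Returns the module base, or 0 if not found. */
static uint64_t find_module_64(const char *wanted) {
    uint64_t cur = FAKE_BASE;
    FakeLdrEntry e;
    while (cur != 0 && copy_from_64(&e, cur, sizeof e)) {
        if (name_eq_nocase(e.name, wanted)) return e.dll_base;
        cur = e.next;
    }
    return 0;
}
```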

Comments (13)

  1. 22:08, October 19, 2013 bw

    Pig up for this :P

  2. 07:06, October 21, 2013 kenny

    Good Job!!

  3. 21:18, October 23, 2013 Chris

    Good news ;)

  4. 20:29, October 26, 2013 Awk

    WOW. Good Work

  5. 20:30, October 26, 2013 Awk

    Can you add NtCreateThreadEx\NtCreateThread please? It would be helpful. Anyway, just to say you are awesome at debugging.

    • 20:45, October 26, 2013 ReWolf

      I don’t plan to add those functions, as it would be too easy to abuse this library. Anyway, it is rather easy to use X64Call() for this purpose.

      • 21:22, October 26, 2013 Awk

        @ReWolf
        Fair Enough, anyway I am going to go that way then via X64Call.

  6. 19:09, November 4, 2013 Awk

    Hi,

    Quick report of a bug I have come across – I have successfully placed a hook, however when I call a function the entire program crashes with:
    “Unhandled exception at 0x00DF9C01 in wow64ext.exe: 0xC0000005: Access violation writing location 0x00270FF8.”


    #include <windows.h>
    #include "internal.h"
    #include "wow64ext.h"
    #include "CMemPtr.h"
    #include <iostream>
    using namespace std;

    // Dummy hook target: leaves x64 mode, does nothing useful, re-enters x64 mode.
    // Test code only; it never returns to the caller.
    __declspec(naked) void Callback()
    {
        X64_End();
        __asm mov eax, 0
        //whNtCreateFile
        X64_Start();
    }

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevhInstance, LPSTR lpCmdLine, int CmdShow)
    {
        // 64-bit address of the function to hook
        DWORD64 s = GetProcAddress64(GetModuleHandle64(L"wow64.dll"), "Wow64SystemServiceEx");
        cout << s;
        LPVOID sz = (LPVOID)s;
        LPVOID cake = Callback;
        HANDLE Handle = OpenProcess(PROCESS_ALL_ACCESS, false, GetCurrentProcessId());
        DWORD dwOldProtect = 0;
        // Make the first 5 bytes writable, then patch in a relative jmp to Callback.
        // Note: the pointer casts below truncate s to 32 bits, so they only work
        // while the target lies below 4GB.
        VirtualProtectEx(Handle, (LPVOID)s, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
        *(BYTE*)(s) = 0xE9;                                   // jmp rel32 opcode
        *(DWORD*)(s + 1) = ((DWORD)cake - ((DWORD)sz + 5));   // displacement from end of jmp
        cin.get();
        CloseHandle(Handle);
        return 0;
    }

    • 22:48, November 4, 2013 ReWolf

      I’ll check it later.

    • 18:36, November 5, 2013 ReWolf

      I’ve checked this code and the hook is set properly, and the debugger breaks inside Callback(), so I have no idea why you’re getting errors (except for the fact that Callback() is just dummy test code, so it must fail after X64_Start()). Get WinDbg and check why it fails; if it is really a problem with wow64ext then I’ll be more than happy to fix it ;)

  7. 20:18, November 4, 2013 Awk

    In addition, I also discovered that GetProcAddress64 does not work properly on Windows 7, as this code: DWORD64 s = GetProcAddress64(GetModuleHandle64(L"wow64cpu.dll"),"TurboDispatchJumpAddressStart");

    gives us NULL, which it should not.

    • 22:47, November 4, 2013 ReWolf

      You’re right, there is (was :)) a bug, I’ve just fixed it in v1.0.0.4.

  8. 21:10, January 31, 2014 Awk

    Hi,

    I would suggest you add VirtualProtectEx (x64) functions to the library.
