Thread: Call Gates

  1. #1
    Hitokiri~ (Premium Member)
    User title: The only ones who need to be killed are those who are prepared to be killed.
    Join Date: Oct 2012 | Gender: female | Location: Cancer. | Posts: 1,201 | Reputation: 24 | Thanks: 937 | My Mood: Bitchy

    Call Gates

    Any of you ever attempted to "emulate" (Please note the quotes before you get your "nerd on". Oh look, another quote.) the WoW64 callgates?
    In particular I'm talking about wow64cpu!x86SwitchTo64Bit.
    I'm just wondering if it's worth wasting my time to emulate it on a 32 bit process.

    Some points to state before you assume things:
    - Yes, I know I'm doing it from userland and what restrictions I'll have.
    - Yes, I know someone can simply intercept KiFastSystemCall() in ring0 via SSDT or what have you..
    - Yes, one of the reasons I'm doing it is to make my own version of sysenter etc. but I need to pass through WoW64 gate first.
    - No, this is only because I'm bored and a bit more curious about ring3 based communication with the kernel.

    So, anyone of you ever tried or had the same idea?

  2. #2
    Hitokiri~ (Threadstarter)
    Thanks MPGH...
    I could always count on you when I'm in need.

  3. #3
    master131
    Join Date: Apr 2010 | Gender: male | Location: Melbourne, Australia | Posts: 8,858 | Reputation: 3438 | Thanks: 101,669 | My Mood: Breezy
    WoW64 processes transition from x86 mode to x64 mode with the help of a tiny stub containing a FAR jump which changes the CS segment from 0x23 to 0x33 (commonly referred to as Heaven's Gate). The stub is wow64cpu!x86SwitchTo64Bit as you've already mentioned. You can find the tiny stub by identifying the Wow32Reserved field of the TEB (Thread Environment Block). From there it goes to wow64cpu!CpupReturnFromSimulatedCode and initialises the environment before calling sysenter.

    Not exactly sure what you're referring to when you say you want to "emulate" it though. You *could* just copy the code from the wow64cpu.dll module but I don't see the point.

    PS - If you wish to discuss Windows internals & undocumented stuff, your best option would be to actually go to a forum which specialises in it; I doubt many here actually do.

    Some reading here:
    https://rce.co/knockin-on-heavens-gat...ode-switching/
    Last edited by master131; 10-15-2014 at 11:20 PM.

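    The far-jump stub master131 describes (a 32-bit `jmp ptr16:32` whose selector operand is 0x33) has a fixed encoding, so anyone auditing a 32-bit process can look for it in executable memory instead of relying on the TEB pointer alone. The C program below is an added example, not code from the thread, from wow64cpu.dll, or from Windows; it is a portable byte scanner run over a constructed buffer. It assumes the stub is the 7-byte form `EA <imm32 offset> <imm16 selector>` and, going slightly beyond the post, also flags the reverse transition to selector 0x23, which is assumed here to use the same encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Selectors used by WoW64 as described in the thread: 0x23 = 32-bit code
 * segment, 0x33 = 64-bit code segment. The gate is a 32-bit "jmp ptr16:32"
 * (opcode 0xEA) followed by a 4-byte target offset and a 2-byte selector,
 * both little-endian: EA xx xx xx xx 33 00. */
#define SEL_CODE32 0x23u
#define SEL_CODE64 0x33u
#define FARJMP_LEN 7

typedef struct {
    size_t   offset;   /* position of the 0xEA opcode in the scanned buffer */
    uint32_t target;   /* 32-bit offset operand of the far jump */
    uint16_t selector; /* selector operand (0x33 = into 64-bit, 0x23 = back) */
} FarJump;

/* Scan a code buffer for far jumps whose selector is one of the two WoW64
 * code selectors. Returns the total number of hits; at most max_out are
 * written to out. Checking the selector avoids flagging a stray 0xEA byte
 * that merely happens to appear in data or inside another instruction. */
size_t scan_heavens_gate(const uint8_t *buf, size_t len, FarJump *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i + FARJMP_LEN <= len; i++) {
        if (buf[i] != 0xEA)
            continue;
        uint32_t target = (uint32_t)buf[i + 1]
                        | ((uint32_t)buf[i + 2] << 8)
                        | ((uint32_t)buf[i + 3] << 16)
                        | ((uint32_t)buf[i + 4] << 24);
        uint16_t sel = (uint16_t)(buf[i + 5] | ((uint16_t)buf[i + 6] << 8));
        if (sel != SEL_CODE64 && sel != SEL_CODE32)
            continue;
        if (hits < max_out) {
            out[hits].offset = i;
            out[hits].target = target;
            out[hits].selector = sel;
        }
        hits++;
    }
    return hits;
}

/* Constructed sample (not a dump of wow64cpu.dll): filler, a gate-style far
 * jump to 0x33:0x00401000, more filler, a far jump to an unrelated selector
 * (0x1B) that must be ignored, and a ret. */
static const uint8_t sample_code[] = {
    0x8B, 0xFF,                                     /* mov edi, edi */
    0xEA, 0x00, 0x10, 0x40, 0x00, 0x33, 0x00,       /* jmp far 0x33:0x00401000 */
    0x90, 0x90,                                     /* nop; nop */
    0xEA, 0x78, 0x56, 0x34, 0x12, 0x1B, 0x00,       /* jmp far 0x1B:0x12345678 */
    0xC3                                            /* ret */
};

/* Run the scanner over the constructed sample; used by main() and the test. */
size_t demo_scan(FarJump *out, size_t max_out)
{
    return scan_heavens_gate(sample_code, sizeof sample_code, out, max_out);
}

int main(void)
{
    FarJump hits[8];
    size_t n = demo_scan(hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("far jmp at +0x%zx -> 0x%x:0x%08x (%s)\n", hits[i].offset,
               (unsigned)hits[i].selector, (unsigned)hits[i].target,
               hits[i].selector == SEL_CODE64 ? "32->64 bit" : "64->32 bit");
    return 0;
}
```

    On the constructed sample the scanner reports exactly one hit, the jump to 0x33:0x00401000 at offset 2, and ignores the jump to selector 0x1B. A scanner run against a live process would additionally restrict itself to executable pages and compare each hit's location with the legitimate gate that Wow32Reserved points into, since a far jump to 0x33 living outside wow64cpu.dll is the thing worth investigating.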

  5. #4
    Hitokiri~ (Threadstarter)
    Quote Originally Posted by master131:
    WoW64 processes transition from x86 mode to x64 mode with the help of a tiny stub containing a FAR jump which changes the CS segment from 0x23 to 0x33 (commonly referred to as Heaven's Gate). The stub is wow64cpu!x86SwitchTo64Bit as you've already mentioned. You can find the tiny stub by identifying the Wow32Reserved field of the TEB (Thread Environment Block). From there it goes to wow64cpu!CpupReturnFromSimulatedCode and initialises the environment before calling sysenter.

    Not exactly sure what you're referring to when you say you want to "emulate" it though. You *could* just copy the code from the wow64cpu.dll module but I don't see the point.

    PS - If you wish to discuss Windows internals & undocumented stuff, your best option would be to actually go to a forum which specialises in it; I doubt many here actually do.

    Some reading here:
    https://rce.co/knockin-on-heavens-gat...ode-switching/
    Just saw this and already knew all of it, though thanks for the help. I was actually looking into CpupReturnFromSimulatedCode before I posted this.

    Anyways, the main reason I wanted to "emulate" all this is to prevent any ring3 applications from detecting my API calls and stopping them. At the lowest levels, before I lose control of the system (sysenter), if I "emulate" it, or by your normalized wording C&P it, I can essentially avoid even touching ntdll, kernel32, etc.
    Well, that was the theory anyways.

    But I'll definitely check out that site. Looks promising. Thanks Tommy.

    So ... this can be closed, mods.
