Heaven's Gate — Calling 64-bit Code from a 32-bit Process
Introduction to WOW64
┌──────────────────────────────────────────────────────────────────────┐
│ WOW64 Architecture — Internal View                                   │
│                                                                      │
│ 32-bit process:                                                      │
│ ┌─────────────────────────────────────────────────────────────┐      │
│ │ x86 code (32-bit)                                           │      │
│ │ ntdll32.dll (32-bit) — 32-bit native API                    │      │
│ │ wow64.dll — call thunking and translation                   │      │
│ │ wow64win.dll — GUI call thunking                            │      │
│ │ wow64cpu.dll — transition to 64-bit mode                    │      │
│ └─────────────────────────────────────────────────────────────┘      │
│                                │                                     │
│                     wow64cpu!BTCpuSimulate                           │
│                                │                                     │
│             ┌──────────────────▼─────────────────┐                   │
│             │ Far jump to CS:0x33                │                   │
│             │ (switches CPU to 64-bit Long Mode) │                   │
│             └────────────────────────────────────┘                   │
│                                │                                     │
│ ┌──────────────────────────────▼──────────────────────────────┐      │
│ │ 64-bit kernel (NT Executive)                                │      │
│ │ ntoskrnl.exe executes the syscall in native 64-bit mode     │      │
│ └─────────────────────────────────────────────────────────────┘      │
└──────────────────────────────────────────────────────────────────────┘
Why This Is Useful for Evasion
The Mechanism: Far Jump with CS:0x33
x86 Assembly Implementation (32-bit)
C Implementation with Inline Assembly (MSVC)
Runtime-Generated Stub Approach
Practical Use Cases
Limitations
Detection
References