
Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland

adr
May 27, 2021


Microsoft embeds a translation layer named WoW64 (Windows 32-bit on Windows 64-bit) for running 32-bit PE (Portable Executable) files on 64-bit Windows. The design hosts each 32-bit PE inside a native 64-bit process and translates every 32-bit system call into a 64-bit syscall. In this talk we go deep into reverse engineering the WoW64 architecture, how it performs those translations, and some cross-architecture issues we uncovered that can be abused in the wild.

https://conference.hitb.org/hitbsecconf2021ams/sessions/wow-hell-rebuilding-heavens-gate/


Transcript

  1. Rebuild The Heaven's Gate: from 32-bit Hell back to 64-bit Wonderland aaaddress1@chroot.org
  2. Sheng-Hao Ma (aaaddress1), Threat Researcher at TXOne Networks
    • Intern at CyCraft • Core member of CHROOT Security Group • Spoke at S&P, BlackHat, DEFCON, HITCON • Instructor for the Ministry of National Defense, Ministry of Education, HITCON, etc. • Publication: Windows APT Warfare #Windows #Reversing #Pwn #Exploit
  3. aaaddress1@chroot.org /?outline
    • 32-bit Hell & Userland HIPS Design • Understanding WOW64 Design by Reverse Engineering: 1. WOW64 Process Initialization 2. Path to The Heaven 3. The Paradise Translator • The 32-bit Hell v.s. 64-bit Heaven • wowGrail: Rebuild the Heaven's Gate • wowInjector: One Gadget to Take Over The Hell
  4. aaaddress1@chroot.org 〉〉〉What "The Hell": Host-based Intrusion Prevention System (HIPS)

  5-6. aaaddress1@chroot.org /?theHell [FireEye] WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques (two figure slides)

  7. #theGate [diagram: a.exe with its x86 modules (wow64 ntdll.dll, kernel32.dll ...) on one side, the x64 modules (wow64.dll, wow64cpu.dll, wow64win.dll, and ntdll.dll beyond the 4G boundary) on the other, Ring0 below; ntdll64!NtAPI (ZwOpenProcess) → KiFastCall]
    Heaven's Gate:
    A. switch to 64-bit CPU mode by setting the CS selector
    B. get PEB64 via (GS:0x30)->PEB
    C. enumerate the loaded 64-bit modules via PEB->Ldr
    D. locate the image base of NtDll64
    E. get the exported API ntdll!LdrGetProcedureAddress
    F. BOOM! we got the key of Heaven's Gate!
  8. aaaddress1@chroot.org #theGate Reference
    • 2011 - Mixing x86 with x64 code, by ReWolf
    • 2012 - Knockin' on Heaven's Gate, by george_nicolaou
    • 2012 - KERNEL: Creation of Thread Environment Block (TEB), by waleedassar
    • 2015 - WoW64 and So Can You: Bypassing EMET, by Duo Labs
    • 2018 - WoW64 internals, by wbenny
    • 2020 - WOW64 Subsystem Internals and Hooking Techniques, by FireEye
    → too difficult to use & not stable enough ಥ_ಥ
    • 2021 - wowGrail: Abusing the Translator to Simulate 32-bit Interrupts
  9. aaaddress1@chroot.org 〉〉〉The WOW64 layer: Understanding WOW64 Design by Reverse Engineering

  10. aaaddress1@chroot.org 〉〉〉WoW64 Process Init: a 32-bit program managed inside a 64-bit process

  11. aaaddress1@chroot.org #BTCpuSimulate wow64cpu!BtCpuSimulate

  12-13. aaaddress1@chroot.org #RunSimulatedCode wow64cpu!RunSimulatedCode
    r12 points to the TEB64 struct, r15 points to the TurboThunk table, r13 points to the WoW64 thread context
  14. aaaddress1@chroot.org 〉〉〉NtAPI Trampoline

  15. aaaddress1@chroot.org #Trampoline [FireEye] WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques wow64cpu!CpupReturnFromSimulatedCode
  16. aaaddress1@chroot.org #Simulate [FireEye] WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques wow64cpu!CpupReturnFromSimulatedCode
    1. save the current 32-bit context: register state, stack, and the caller's return address
    2. simulate the 32-bit system call as a 64-bit KiFastCall via wow64!Wow64SystemServiceEx
    3. save the returned NTSTATUS into the WoW64 thread CONTEXT.eax
  17. aaaddress1@chroot.org #Simulate [FireEye] WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques wow64cpu!CpupReturnFromSimulatedCode
  18. aaaddress1@chroot.org 〉〉〉Heaven's Translator Convert x86 Calling Convention into x64 Mode

  19-21. aaaddress1@chroot.org #Translation [FireEye] WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques wow64!Wow64SystemServiceEx (three figure slides)
  22. aaaddress1@chroot.org 〉〉〉Overview

  23-29. aaaddress1@chroot.org #WoW64 [diagram built up step by step: a.exe with wow64 ntdll.dll, kernel32.dll ... on the x86 side and wow64.dll, wow64cpu.dll, wow64win.dll on the x64 side, Ring0 below]
    a. NtAPI
    b. wow64cpu!X86SwitchTo64BitMode: switch x86 → x64 architecture
    c. wow64cpu!CpupReturnFromSimulatedCode: save context status
    d. wow64!Wow64SystemServiceEx: look up the turbo function
    e. wow64!turbo_func: translate the x86 arguments & invoke ntdll64!NtAPI
    f. Ring0: syscall
    g. wow64cpu!restoreStatus: back to the caller
  30. aaaddress1@chroot.org #Recap
    • Switching the CS segment selector between 23h (32-bit compatibility mode) and 33h (64-bit long mode) is what tells the CPU which instruction set to decode; that selector change is the whole "gate".
    • Register r13 points to the 32-bit thread context used as a snapshot: it is saved when the thread jumps from 32-bit to 64-bit and restored when it returns from 64-bit to 32-bit.
    • wow64!Wow64SystemServiceEx is the translator that lets us simulate any 32-bit system call against the 64-bit kernel.
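The recap pins the gate to one hardware fact, the CS selector value 33h, and that is also what a defender can key a static check on. The following C program is an added example written for this page; it is not code from the slides or from the wowGrail/wowInjector repositories. It scans a buffer of 32-bit code for the x86 encodings that can load CS with 0x33: `jmp`/`call far 0x33:imm32`, the `push 0x33 ... retf` idiom, and far `jmp`/`call` through a memory operand, whose selector is not visible statically. The instruction encodings are standard x86 (not taken from the slides) and the sample buffer is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One finding: where in the buffer, and which encoding matched. */
typedef struct { size_t offset; const char *kind; } GateHit;

/* Scan 32-bit code for control transfers that can switch CS to the 64-bit
 * selector 0x33. Returns the number of hits stored in `hits`. */
size_t scan_heavens_gate(const uint8_t *code, size_t len, GateHit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        uint8_t op = code[i];

        /* EA / 9A = jmp / call ptr16:32: imm32 offset followed by imm16 selector.
         * The selector is part of the instruction, so 0x0033 is visible statically. */
        if ((op == 0xEA || op == 0x9A) && i + 7 <= len && code[i + 5] == 0x33 && code[i + 6] == 0x00) {
            hits[n++] = (GateHit){ i, op == 0xEA ? "jmp far 0x33:imm32" : "call far 0x33:imm32" };
            continue;
        }
        /* 6A 33 = push 0x33; a retf (CB) a few bytes later pops the pushed EIP and
         * then the selector (the classic push 0x33 / push target / retf stub). */
        if (op == 0x6A && i + 1 < len && code[i + 1] == 0x33) {
            for (size_t j = i + 2; j < len && j < i + 18; j++) {
                if (code[j] == 0xCB) { hits[n++] = (GateHit){ i, "push 0x33 ... retf" }; break; }
            }
            continue;
        }
        /* FF /5 and FF /3 with mod=00 rm=101 = jmp / call far m16:32 [disp32].
         * The selector lives in memory, so the scan can only flag the shape. */
        if (op == 0xFF && i + 6 <= len && (code[i + 1] == 0x2D || code[i + 1] == 0x1D)) {
            hits[n++] = (GateHit){ i, code[i + 1] == 0x2D ? "jmp far [m16:32]" : "call far [m16:32]" };
        }
    }
    return n;
}

/* Constructed sample (not real malware bytes): a classic gate stub, a far jmp
 * with the selector inline, and a far jmp through memory, separated by NOPs. */
static const uint8_t sample_code[] = {
    0x6A, 0x33,                               /* push 0x33                    (offset 0)  */
    0x68, 0x78, 0x56, 0x34, 0x12,             /* push 0x12345678                          */
    0xCB,                                     /* retf -> CS=0x33, EIP=0x12345678          */
    0x90, 0x90,                               /* nop; nop                                 */
    0xEA, 0x00, 0x10, 0x40, 0x00, 0x33, 0x00, /* jmp far 0x33:0x00401000      (offset 10) */
    0xFF, 0x2D, 0x00, 0x20, 0x40, 0x00,       /* jmp far fword ptr [0x402000] (offset 17) */
    0xC3                                      /* ret                                      */
};

size_t sample_hit_count(void)
{
    GateHit h[8];
    return scan_heavens_gate(sample_code, sizeof sample_code, h, 8);
}

/* Offset of the idx-th hit in the sample, or (size_t)-1 when there is none. */
size_t sample_hit_offset(size_t idx)
{
    GateHit h[8];
    size_t n = scan_heavens_gate(sample_code, sizeof sample_code, h, 8);
    return idx < n ? h[idx].offset : (size_t)-1;
}

int main(void)
{
    GateHit h[8];
    size_t n = scan_heavens_gate(sample_code, sizeof sample_code, h, 8);
    for (size_t i = 0; i < n; i++) printf("+%zu: %s\n", h[i].offset, h[i].kind);
    return 0;
}
```

Two caveats before wiring this into a HIPS: wow64cpu.dll itself performs exactly such a far transfer (wow64cpu!X86SwitchTo64BitMode), so hits inside that module are expected and the signal is a far transfer from heap, stack or private memory; and the `push`/`retf` variant with a computed selector and the `m16:32` variant never expose 0x33 in the bytes, so a static scan has to be paired with a runtime check of CS on the 64-bit side.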
  31. aaaddress1@chroot.org 〉〉〉A New Path to the Heaven's Gate

  32. [diagram: a.exe with x86 modules (wow64 ntdll.dll, kernel32.dll ...) and x64 modules (wow64.dll, wow64cpu.dll, wow64win.dll, ntdll.dll beyond the 4G boundary), Ring0 below] Normal KiFastCall path through the WoW64 Layer: ntdll32!NtAPI (ZwOpenProcess) → wow64cpu!X86SwitchTo64BitMode → wow64cpu!CpupReturnFromSimulatedCode → wow64!Wow64SystemServiceEx → wow64!turbo_func → ntdll64!NtAPI (ZwOpenProcess) → Ring0
  33. [same diagram] Abusing The Heaven's Translator
  34. #wowGrail [same diagram, with wow64!Wow64SystemServiceEx as the target instead of ntdll64]
    wowGrail:
    A. switch to 64-bit CPU mode by setting the CS selector
    B. get PEB64 via (GS:0x30)->PEB
    C. enumerate the loaded 64-bit modules via PEB->Ldr
    D. locate the image base of wow64.dll
    E. get the exported API wow64!Wow64SystemServiceEx
    F. pass it the 32-bit argument list (va_start) and execute it, so our 32-bit call is simulated as a 64-bit interrupt ;)
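Steps D and E, in both the classic gate (slide 7) and wowGrail (slide 34), come down to resolving an export of a 64-bit module from code that has just switched to CS 0x33 and can call neither a 32-bit helper nor a 64-bit GetProcAddress it has not found yet. The following C program is an added example for this page, not code from the slides or from the wowGrail repository: it walks the PE export directory by hand over a constructed PE32+ image laid out in memory the way a mapped module is (RVA equals offset). `Wow64SystemServiceEx` is the real export name from the slides; the other export names, the module layout and every RVA are made up for the example. It also handles the two things that bite in practice: a forwarded export, whose "address" is a string inside the export directory rather than code, and a truncated or hostile image, which it rejects instead of reading out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked little-endian readers: a truncated or hostile image must not
 * push the walker past the end of the buffer. */
static int rd16(const uint8_t *img, size_t len, size_t off, uint16_t *v) {
    if (len < 2 || off > len - 2) return 0;
    *v = (uint16_t)(img[off] | (img[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *img, size_t len, size_t off, uint32_t *v) {
    if (len < 4 || off > len - 4) return 0;
    *v = (uint32_t)img[off] | ((uint32_t)img[off + 1] << 8) |
         ((uint32_t)img[off + 2] << 16) | ((uint32_t)img[off + 3] << 24);
    return 1;
}
/* Compare the NUL-terminated string at `off` with `want` without overrunning the image. */
static int name_eq(const uint8_t *img, size_t len, size_t off, const char *want) {
    size_t n = strlen(want);
    if (off > len || n + 1 > len - off) return 0;
    return memcmp(img + off, want, n) == 0 && img[off + n] == 0;
}

/* Resolve `name` in the mapped PE image `img`. Returns the export's RVA, or 0
 * when it is absent, the headers are malformed, or the entry is a forwarder
 * (an RVA pointing back into the export directory at a "DLL.Symbol" string,
 * which the loader resolves and this walker deliberately does not). */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name) {
    uint16_t mz, magic;
    uint32_t pe, sig, exp_rva, exp_size, nnames, funcs, names, ords;
    if (!rd16(img, len, 0, &mz) || mz != 0x5A4D) return 0;              /* "MZ" */
    if (!rd32(img, len, 0x3C, &pe)) return 0;                           /* e_lfanew */
    if (!rd32(img, len, pe, &sig) || sig != 0x00004550) return 0;       /* "PE\0\0" */
    size_t opt = (size_t)pe + 24;                   /* optional header follows the 4-byte signature + 20-byte file header */
    if (!rd16(img, len, opt, &magic)) return 0;
    size_t dir = opt + (magic == 0x20B ? 0x70 : 0x60);                  /* DataDirectory[0] = export (PE32+ vs PE32) */
    if (!rd32(img, len, dir, &exp_rva) || !rd32(img, len, dir + 4, &exp_size) || !exp_rva) return 0;
    if (!rd32(img, len, (size_t)exp_rva + 24, &nnames) || !rd32(img, len, (size_t)exp_rva + 28, &funcs) ||
        !rd32(img, len, (size_t)exp_rva + 32, &names)  || !rd32(img, len, (size_t)exp_rva + 36, &ords)) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva, fn_rva; uint16_t ord;
        if (!rd32(img, len, (size_t)names + 4 * (size_t)i, &name_rva)) return 0;
        if (!name_eq(img, len, name_rva, name)) continue;
        if (!rd16(img, len, (size_t)ords + 2 * (size_t)i, &ord)) return 0;     /* unbiased index into AddressOfFunctions */
        if (!rd32(img, len, (size_t)funcs + 4 * (size_t)ord, &fn_rva)) return 0;
        if (fn_rva >= exp_rva && fn_rva < exp_rva + exp_size) return 0;        /* forwarder string, not code */
        return fn_rva;
    }
    return 0;
}

static void wr16(uint8_t *p, size_t off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t off, uint32_t v) { for (int i = 0; i < 4; i++) p[off + i] = (uint8_t)(v >> (8 * i)); }

/* Constructed PE32+ image: only the fields the walker reads are filled in. Returns its size. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    const size_t len = 0x400;
    if (cap < len) return 0;
    memset(buf, 0, len);
    wr16(buf, 0x00, 0x5A4D); wr32(buf, 0x3C, 0x80);                     /* MZ, e_lfanew */
    wr32(buf, 0x80, 0x4550); wr16(buf, 0x84, 0x8664);                   /* PE\0\0, Machine = AMD64 */
    wr16(buf, 0x94, 0xF0);   wr16(buf, 0x98, 0x20B);                    /* SizeOfOptionalHeader, PE32+ magic */
    wr32(buf, 0x98 + 0x70, 0x200); wr32(buf, 0x98 + 0x74, 0x200);       /* export directory RVA / size */
    wr32(buf, 0x200 + 12, 0x300); wr32(buf, 0x200 + 16, 1);             /* Name, Base */
    wr32(buf, 0x200 + 20, 3);     wr32(buf, 0x200 + 24, 3);             /* NumberOfFunctions, NumberOfNames */
    wr32(buf, 0x200 + 28, 0x240); wr32(buf, 0x200 + 32, 0x250); wr32(buf, 0x200 + 36, 0x260);
    wr32(buf, 0x240, 0x1230); wr32(buf, 0x244, 0x380); wr32(buf, 0x248, 0x5F00); /* AddressOfFunctions */
    wr32(buf, 0x250, 0x310);  wr32(buf, 0x254, 0x330); wr32(buf, 0x258, 0x350);  /* AddressOfNames (sorted) */
    wr16(buf, 0x260, 2);      wr16(buf, 0x262, 1);     wr16(buf, 0x264, 0);      /* AddressOfNameOrdinals */
    strcpy((char *)buf + 0x300, "wow64.dll");
    strcpy((char *)buf + 0x310, "SampleExportA");              /* -> functions[2] = 0x5F00 (made up) */
    strcpy((char *)buf + 0x330, "SampleForwarder");            /* -> functions[1] = forwarder string  */
    strcpy((char *)buf + 0x350, "Wow64SystemServiceEx");       /* -> functions[0] = 0x1230 (made up) */
    strcpy((char *)buf + 0x380, "NTDLL.SampleForwardTarget");  /* lives inside the export directory   */
    return len;
}

/* Look `name` up in the sample image; a non-zero `visible_len` simulates a truncated mapping. */
uint32_t sample_lookup(const char *name, size_t visible_len) {
    static uint8_t img[0x400];
    size_t len = build_sample_image(img, sizeof img);
    if (visible_len && visible_len < len) len = visible_len;
    return find_export_rva(img, len, name);
}

int main(void) {
    printf("Wow64SystemServiceEx RVA: 0x%x\n", sample_lookup("Wow64SystemServiceEx", 0));
    printf("SampleForwarder (forwarder, skipped): 0x%x\n", sample_lookup("SampleForwarder", 0));
    return 0;
}
```

Inside the real gate, `img` is the DllBase of wow64.dll (or ntdll.dll for the classic path) taken from the PEB64's loader list: in 64-bit mode gs:[0x30] is the TEB64 and TEB64->ProcessEnvironmentBlock is the PEB64, which matches step B as written on the slides. The walker works on raw bytes on purpose: at that point the thread can touch no 32-bit import and has resolved no 64-bit one yet, so everything has to be derived from the mapped headers. The linear name scan is enough for an example; the loader itself binary-searches the sorted name table.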
  35. aaaddress1@chroot.org DEMO: wowGrail, a new path back to The Heaven github.com/aaaddress1/wowGrail
    Process hollowing & bypassing the HIPS of an AV
  36. aaaddress1@chroot.org 〉〉〉WOW64 Thread Snapshot: One Gadget to Take Over the 32-bit Hell
  37-39. [diagram, as on slides 23-29: a.exe, wow64 ntdll.dll, kernel32.dll ... wow64.dll, wow64cpu.dll, wow64win.dll, Ring0] a. NtAPI b. wow64cpu!X86SwitchTo64BitMode: switch x86 → x64 architecture c. wow64cpu!CpupReturnFromSimulatedCode: save context status d. wow64!Wow64SystemServiceEx: look up the turbo function e. wow64!turbo_func: translate the x86 arguments & invoke ntdll64!NtAPI f. Ring0: syscall g. wow64cpu!restoreStatus: back to the caller (slides 38-39 repeat the diagram, cropped at step e)
  40. aaaddress1@chroot.org Recap
    • Register r13 points to the 32-bit thread context used as a snapshot: it is saved when the thread jumps from 32-bit to 64-bit and restored when it returns from 64-bit to 32-bit.
    • When $RIP enters wow64cpu!X86SwitchTo64BitMode, the current register state is saved into the 32-bit thread context dereferenced from r13.
    • When $RIP jumps from 64-bit back to 32-bit, the thread state is restored from that saved 32-bit context.
    → Whoever can write that saved context chooses the next 32-bit $EIP: one gadget to take over the 32-bit side ;)
  41. nt!MiCreatePebOrTeb
    • 0x2000 or 0x3000 (it's up to WoW64)
    • TEB64 + TEB32 + PEB64 + PEB32
    • fixup TEB64: .self, .peb, .stack etc.
    • TEB64.ExceptionList always null
    • fixup TEB32 based on TEB64
    • TEB32.ExceptionList[0] = ffffffff (0x3000)
    → Leak any one of the 4 blocks, and we can get the other 3 blocks.
  42. aaaddress1@chroot.org DEMO: wowInjector, one-gadget injection to take over the 32-bit Hell github.com/aaaddress1/wowInjector
    Process injection & bypassing the HIPS of another AV
  43. Thanks! aaaddress1@chroot.org Slides: GitHub @aaaddress1, Facebook