Slide 1

Rebuild The Heaven's Gate: from 32-bit Hell back to 64-bit Wonderland
[email protected]

Slide 2

Sheng-Hao Ma (aaaddress1), Threat Researcher at TXOne Networks
• Intern at CyCraft
• Core member of CHROOT Security Group
• Spoke at S&P, BlackHat, DEFCON, HITCON
• Instructor for the Ministry of National Defense, Ministry of Education, HITCON, etc.
• Publication: Windows APT Warfare
#Windows #Reversing #Pwn #Exploit

Slide 3

Outline
• 32-bit Hell & Userland HIPS Design
• Understanding WOW64 Design by Reverse Engineering
  1. WOW64 Process Initiation
  2. Path to The Heaven
  3. The Paradise Translator
• The 32-bit Hell vs. 64-bit Heaven
• wowGrail: Rebuild the Heaven's Gate
• wowInjector: One Gadget to Take Over The Hell

Slide 4

〉〉〉 What "The Hell" is: the Host-based Intrusion Prevention System (HIPS)

Slide 5

#theHell (figure from the FireEye post "WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques")

Slide 7

Diagram: a.exe and the x86 modules (ntdll.dll, kernel32.dll, ...) sit in the low 4 GB; the x64 modules (wow64.dll, wow64cpu.dll, wow64win.dll and the 64-bit ntdll.dll) sit above; ntdll64!NtAPI (ZwOpenProcess) enters Ring0 through KiFastCall.

Heaven's Gate:
A. switch to 64-bit CPU mode by changing the CS selector
B. get PEB64: the TEB64 is at gs:[0x30], then TEB64->ProcessEnvironmentBlock
C. enumerate the loaded 64-bit modules via PEB->Ldr
D. locate the image base of the 64-bit ntdll.dll
E. get the exported API ntdll!LdrGetProcedureAddress
F. BOOM! we have the key to Heaven's Gate
#theGate

Slide 8

Reference
• 2011 - Mixing x86 with x64 code, by ReWolf
• 2012 - Knockin' on Heaven's Gate, by george_nicolaou
• 2012 - KERNEL: Creation of Thread Environment Block (TEB), by waleedassar
• 2015 - WoW64 and So Can You: Bypassing EMET, by Duo Labs
• 2018 - WoW64 internals, by wbenny
• 2020 - WOW64 Subsystem Internals and Hooking Techniques, by FireEye
#theGate: too difficult to use & not stable enough ಥ_ಥ
• 2021 - wowGrail: Abusing the Translator to Simulate 32-bit Interrupts

Slide 9

〉〉〉 The WOW64 Layer: Understanding WOW64 Design by Reverse Engineering

Slide 10

〉〉〉 WoW64 Process Init: a 32-bit program managed inside a 64-bit process

Slide 11

#BTCpuSimulate wow64cpu!BtCpuSimulate

Slide 12

#RunSimulatedCode wow64cpu!RunSimulatedCode
• r12 points to the TEB64
• r15 points to the TurboThunk table
• r13 points to the WoW64 thread context (the 32-bit CONTEXT snapshot)

Slide 14

〉〉〉 NtAPI Trampoline

Slide 15

#Trampoline wow64cpu!CpupReturnFromSimulatedCode (figure from the FireEye post "WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques")

Slide 16

#Simulate wow64cpu!CpupReturnFromSimulatedCode
1. save the current 32-bit context: registers, stack pointer and the caller's return address
2. do what the 32-bit KiFastSystemCall would have done natively, by handing the call to wow64!Wow64SystemServiceEx for the 64-bit kernel
3. write the resulting NTSTATUS into the WoW64 thread CONTEXT.Eax

Slide 18

〉〉〉 Heaven's Translator: converting the x86 calling convention into x64

Slide 19

#Translation wow64!Wow64SystemServiceEx (figures from the FireEye post "WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques")

Slide 22

〉〉〉 Overview

Slides 23 to 29 (progressive build of one diagram)

#WoW64: a.exe with its 32-bit modules (ntdll.dll, kernel32.dll, ...) and the WoW64 layer (wow64.dll, wow64cpu.dll, wow64win.dll). One NtAPI call travels:
a. NtAPI stub in the 32-bit ntdll.dll
b. wow64cpu!X86SwitchTo64BitMode: switch from x86 to x64 mode
c. wow64cpu!CpupReturnFromSimulatedCode: save the 32-bit context
d. wow64!Wow64SystemServiceEx: look up the turbo function
e. wow64!turbo_func: translate the x86 arguments and invoke ntdll64!NtAPI
f. Ring0: syscall
g. wow64cpu!restoreStatus: back to the 32-bit caller

Slide 30

#Recap
• Switching the CS selector between 23h and 33h is what makes the CPU execute the following instructions as 32-bit or as 64-bit code.
• r13 points to the 32-bit thread context used as a snapshot: it is saved when the thread goes from 32-bit to 64-bit and restored when it comes back from 64-bit to 32-bit.
• wow64!Wow64SystemServiceEx is the translator, and it can be used to deliver any 32-bit system call to the 64-bit kernel.

Slide 31

〉〉〉 A New Path to Heaven's Gate

Slides 32 and 33

Diagram: the normal path runs ntdll32!NtAPI (ZwOpenProcess) → wow64cpu!X86SwitchTo64BitMode → wow64cpu!CpupReturnFromSimulatedCode → wow64!Wow64SystemServiceEx → wow64!turbo_func (the WoW64 layer) → ntdll64!NtAPI (ZwOpenProcess) → KiFastCall into Ring0.
Abusing The Heaven's Translator

Slide 34

Diagram: the same process layout as slide 7, but the 32-bit code now targets wow64!Wow64SystemServiceEx in the WoW64 layer rather than ntdll64!NtAPI (ZwOpenProcess) → KiFastCall itself.

wowGrail:
A. switch to 64-bit CPU mode by changing the CS selector
B. get PEB64: the TEB64 is at gs:[0x30], then TEB64->ProcessEnvironmentBlock
C. enumerate the loaded 64-bit modules via PEB->Ldr
D. locate the image base of wow64.dll
E. get the exported API wow64!Wow64SystemServiceEx
F. call it with the 32-bit service number and a pointer to the 32-bit argument list (va_start), so the translator carries out our 32-bit call as a 64-bit system call ;)
#wowGrail
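Steps B to E of the gate walk above (shared with slide 7) in working C, as an added example: this is the editor's own code, not code from the talk or from the wowGrail repository. The 64-bit TEB, PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY offsets and the PE32+ export-directory layout are the documented ones; the process memory is replaced by a constructed fixture (a fake wow64.dll image exporting one symbol, behind a fake ntdll.dll entry in a two-entry loader list), so it builds and runs on any host. Step A (the far jump to cs=0x33) and step F (the actual call into Wow64SystemServiceEx) need real 32-bit code inside a WoW64 process and are not shown; the fake base 0x7FF900000000 and the export RVA 0x1234 are fixture values with no meaning on a real system.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* x64 layouts as seen from 32-bit code after the far jump to cs=0x33. Pointers are
 * stored as uint64_t so the structs keep the x64 shape however this file is compiled;
 * fields the walk does not need are collapsed into padding at the documented offsets. */
typedef struct { uint64_t Flink, Blink; } LIST_ENTRY64;
typedef struct { uint16_t Length, MaximumLength; uint32_t pad; uint64_t Buffer; } UNICODE_STRING64;
typedef struct { uint8_t pad[0x60]; uint64_t ProcessEnvironmentBlock; } TEB64;  /* TEB64 itself is at gs:[0x30] */
typedef struct { uint8_t pad[0x18]; uint64_t Ldr; } PEB64;
typedef struct { uint8_t pad[0x10]; LIST_ENTRY64 InLoadOrderModuleList; } PEB_LDR_DATA64;
typedef struct {
    LIST_ENTRY64     InLoadOrderLinks;   /* +0x00: the list node is the entry itself */
    uint8_t          pad0[0x20];
    uint64_t         DllBase;            /* +0x30 */
    uint8_t          pad1[0x20];
    UNICODE_STRING64 BaseDllName;        /* +0x58, e.g. L"wow64.dll" */
} LDR_DATA_TABLE_ENTRY64;

#define P(x) ((void *)(uintptr_t)(x))   /* stored 64-bit pointer -> host pointer */
static uint32_t rd32(uint64_t base, uint32_t off) { uint32_t v; memcpy(&v, P(base + off), 4); return v; }

/* BaseDllName is UTF-16 and its case varies (KERNEL32.DLL vs kernel32.dll): fold case. */
static int name_eq(const UNICODE_STRING64 *u, const char *ascii)
{
    const uint16_t *w = P(u->Buffer);
    if (u->Length / 2 != strlen(ascii)) return 0;
    for (size_t i = 0; ascii[i]; i++)
        if (w[i] > 0x7F || tolower(w[i]) != tolower((unsigned char)ascii[i])) return 0;
    return 1;
}

/* Steps B to D: TEB64 -> PEB64 -> Ldr -> InLoadOrderModuleList; returns the DllBase
 * of the module whose BaseDllName matches, or 0 if it is not loaded. */
uint64_t find_module64(const TEB64 *teb, const char *name)
{
    const PEB64 *peb = P(teb->ProcessEnvironmentBlock);
    uint64_t head = peb->Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList);
    for (uint64_t p = ((PEB_LDR_DATA64 *)P(peb->Ldr))->InLoadOrderModuleList.Flink;
         p != head; p = ((LDR_DATA_TABLE_ENTRY64 *)P(p))->InLoadOrderLinks.Flink) {
        const LDR_DATA_TABLE_ENTRY64 *e = P(p);
        if (name_eq(&e->BaseDllName, name)) return e->DllBase;
    }
    return 0;
}

/* Step E: resolve an export by name from the PE32+ export directory, the lookup that
 * ntdll!LdrGetProcedureAddress performs. Returns the VA, or 0 if the name is absent. */
uint64_t find_export64(uint64_t base, const char *name)
{
    uint32_t opt = rd32(base, 0x3C) + 4 + 20;   /* e_lfanew -> IMAGE_OPTIONAL_HEADER64 */
    uint32_t exp = rd32(base, opt + 0x70);      /* DataDirectory[EXPORT].VirtualAddress */
    if (!exp) return 0;
    uint32_t nnames = rd32(base, exp + 0x18), funcs = rd32(base, exp + 0x1C);
    uint32_t names  = rd32(base, exp + 0x20), ords  = rd32(base, exp + 0x24);
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp(P(base + rd32(base, names + 4 * i)), name) != 0) continue;
        uint16_t ord; memcpy(&ord, P(base + ords + 2 * i), 2);
        return base + rd32(base, funcs + 4 * ord);
    }
    return 0;
}

/* Constructed fixture standing in for process memory: a fake 0x400-byte PE32+ image
 * registered as "WOW64.DLL" exporting one symbol, behind a fake ntdll.dll entry. */
static uint8_t g_image[0x400];
static TEB64 g_teb; static PEB64 g_peb; static PEB_LDR_DATA64 g_ldr;
static LDR_DATA_TABLE_ENTRY64 g_mod[2]; static uint16_t g_wname[2][16];
static void put32(uint32_t off, uint32_t v) { memcpy(g_image + off, &v, 4); }
static void set_name(LDR_DATA_TABLE_ENTRY64 *e, uint16_t *buf, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)s[i];
    e->BaseDllName.Length = (uint16_t)(2 * n); e->BaseDllName.MaximumLength = (uint16_t)(2 * n + 2);
    e->BaseDllName.Buffer = (uint64_t)(uintptr_t)buf;
}

TEB64 *build_fixture(void)
{
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image, "MZ", 2); put32(0x3C, 0x80); memcpy(g_image + 0x80, "PE\0\0", 4);
    put32(0x80 + 0x18 + 0x70, 0x200);                 /* export directory at RVA 0x200    */
    put32(0x200 + 0x14, 1); put32(0x200 + 0x18, 1);   /* NumberOfFunctions, NumberOfNames */
    put32(0x200 + 0x1C, 0x240); put32(0x200 + 0x20, 0x250); put32(0x200 + 0x24, 0x260);
    put32(0x240, 0x1234);                             /* AddressOfFunctions[0]            */
    put32(0x250, 0x270);                              /* AddressOfNames[0]; ordinal[0]=0  */
    strcpy((char *)g_image + 0x270, "Wow64SystemServiceEx");
    uint64_t head = (uint64_t)(uintptr_t)&g_ldr.InLoadOrderModuleList;
    g_ldr.InLoadOrderModuleList.Flink = (uint64_t)(uintptr_t)&g_mod[0];
    g_mod[0].InLoadOrderLinks.Flink = (uint64_t)(uintptr_t)&g_mod[1];
    g_mod[1].InLoadOrderLinks.Flink = head;
    g_mod[0].DllBase = 0x7FF900000000ull;             set_name(&g_mod[0], g_wname[0], "ntdll.dll");
    g_mod[1].DllBase = (uint64_t)(uintptr_t)g_image;  set_name(&g_mod[1], g_wname[1], "WOW64.DLL");
    g_peb.Ldr = (uint64_t)(uintptr_t)&g_ldr;
    g_teb.ProcessEnvironmentBlock = (uint64_t)(uintptr_t)&g_peb;
    return &g_teb;
}

/* Step F in miniature: the 64-bit address a 32-bit stub then calls with the service
 * number and the pointer to its 32-bit argument list. 0 means the walk failed. */
uint64_t locate_wow64_service_ex(void)
{
    uint64_t base = find_module64(build_fixture(), "wow64.dll");
    return base ? find_export64(base, "Wow64SystemServiceEx") : 0;
}
```

Calling `locate_wow64_service_ex()` walks the fixture and returns the fake image base plus 0x1234. Two details matter on a real system as much as here: the name compare must be case-insensitive, and the export table has to be parsed by hand, which is exactly why the classic gate first fetches ntdll!LdrGetProcedureAddress and why wowGrail gets away with a single export from wow64.dll.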

Slide 35

DEMO: wowGrail, a new path back to the Heaven
Process hollowing that bypasses the HIPS of an AV
github.com/aaaddress1/wowGrail

Slide 36

〉〉〉 WOW64 Thread Snapshot: one gadget to take over the 32-bit Hell

Slides 37 to 39

The overview diagram again (steps a to g), then zooming in on the 64-bit half of the path:
d. wow64!Wow64SystemServiceEx: look up the turbo function
e. wow64!turbo_func: translate the x86 arguments and invoke ntdll64!NtAPI
f. Ring0: syscall

Slide 40

Recap
• r13 points to the 32-bit thread context used as a snapshot: it is saved when the thread goes from 32-bit to 64-bit and restored when it comes back from 64-bit to 32-bit.
• When $RIP goes through wow64cpu!X86SwitchTo64BitMode into 64-bit mode, the current thread state is saved into the 32-bit thread context that r13 points to.
• When $RIP goes from 64-bit back to 32-bit, the thread state is restored from that same 32-bit thread context.
→ Overwriting that snapshot is one gadget that decides the next 32-bit $RIP ;)
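The snapshot round trip described in this recap and on slide 16, as an added example: the editor's own C, not code from the talk or from wowInjector. The WOW64_CONTEXT layout is the real 32-bit CONTEXT layout (0x2CC bytes, Eax at +0xB0, Eip at +0xB8, Esp at +0xC4) and is pinned with compile-time assertions; the round trip itself is a simulation over a three-register CPU model with constructed values (service number 0x26, stack pointer 0x0019FF00, return address 0x00401234), so the block shows which bytes the one gadget has to hit and what happens on the way back down, not how another process reaches that memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* WOW64_CONTEXT: the 32-bit CONTEXT kept for a WOW64 thread, 0x2CC bytes. This is the
 * block r13 addresses in wow64cpu!RunSimulatedCode: the 32-bit state is written into
 * it on the way up to 64-bit and the CPU is reloaded from it on the way back down. */
typedef struct {
    uint32_t ControlWord, StatusWord, TagWord, ErrorOffset, ErrorSelector, DataOffset, DataSelector;
    uint8_t  RegisterArea[80];
    uint32_t Cr0NpxState;
} WOW64_FLOATING_SAVE_AREA;                        /* 0x70 bytes */

typedef struct {
    uint32_t ContextFlags;                         /* +0x00 */
    uint32_t Dr0, Dr1, Dr2, Dr3, Dr6, Dr7;         /* +0x04 */
    WOW64_FLOATING_SAVE_AREA FloatSave;            /* +0x1C */
    uint32_t SegGs, SegFs, SegEs, SegDs;           /* +0x8C */
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax;         /* +0x9C, Eax at +0xB0 */
    uint32_t Ebp, Eip, SegCs, EFlags, Esp, SegSs;  /* +0xB4, Eip at +0xB8, Esp at +0xC4 */
    uint8_t  ExtendedRegisters[512];               /* +0xCC */
} WOW64_CONTEXT;

/* The offsets an injector patches, pinned at compile time. */
_Static_assert(offsetof(WOW64_CONTEXT, Eax) == 0xB0, "Eax offset");
_Static_assert(offsetof(WOW64_CONTEXT, Eip) == 0xB8, "Eip offset");
_Static_assert(offsetof(WOW64_CONTEXT, Esp) == 0xC4, "Esp offset");
_Static_assert(sizeof(WOW64_CONTEXT) == 0x2CC, "WOW64_CONTEXT size");

/* Toy CPU model: only the 32-bit registers the gadget cares about. */
typedef struct { uint32_t eax, esp, eip; } CPU32;

/* Step c (wow64cpu!CpupReturnFromSimulatedCode): snapshot the 32-bit state into the
 * r13 block before any 64-bit code runs. Eip is the 32-bit return address the stub
 * left on its stack, i.e. where execution resumes afterwards. */
void save_snapshot(WOW64_CONTEXT *r13, const CPU32 *cpu, uint32_t ret_addr32)
{
    r13->Eax = cpu->eax;          /* service number on entry */
    r13->Esp = cpu->esp;
    r13->Eip = ret_addr32;
}

/* Slide 16 step 3: the NTSTATUS from wow64!Wow64SystemServiceEx lands in Eax. */
void store_status(WOW64_CONTEXT *r13, int32_t ntstatus) { r13->Eax = (uint32_t)ntstatus; }

/* Step g (back to caller): reload the CPU from the snapshot. Whatever Eip holds at
 * this moment is the next 32-bit instruction executed. */
void restore_snapshot(const WOW64_CONTEXT *r13, CPU32 *cpu)
{
    cpu->eax = r13->Eax; cpu->esp = r13->Esp; cpu->eip = r13->Eip;
}

/* The one gadget: a single 4-byte write at snapshot+0xB8 while the thread is on the
 * 64-bit side. Returns the Eip that was overwritten, so a payload can resume it. */
uint32_t hijack_next_eip(WOW64_CONTEXT *r13, uint32_t new_eip)
{
    uint32_t old = r13->Eip;
    r13->Eip = new_eip;
    return old;
}

/* One full round trip with constructed values; hijack_eip == 0 leaves the snapshot
 * untouched (the normal path), anything else is applied "while in 64-bit". */
uint32_t round_trip(uint32_t hijack_eip)
{
    WOW64_CONTEXT snap = {0};
    CPU32 cpu = { .eax = 0x26, .esp = 0x0019FF00u, .eip = 0x77012345u };  /* constructed */
    save_snapshot(&snap, &cpu, 0x00401234u);   /* constructed 32-bit return address */
    store_status(&snap, 0);                     /* STATUS_SUCCESS */
    if (hijack_eip) hijack_next_eip(&snap, hijack_eip);
    restore_snapshot(&snap, &cpu);
    return cpu.eip;
}

int main(void)
{
    printf("normal resume  : %#x\n", (unsigned)round_trip(0));
    printf("hijacked resume: %#x\n", (unsigned)round_trip(0x41414141u));
    return 0;
}
```

In the model, one write between `save_snapshot` and `restore_snapshot` is all it takes: the hijacked Eip is what step g executes. On a live system the block r13 addresses is the CONTEXT inside the WOW64_CPURESERVED area referenced from TEB64.TlsSlots[1] (per wbenny's WoW64 internals writeup cited on slide 8), which is why slide 41 is about locating the TEB64 of the target thread.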

Slide 41

nt!MiCreatePebOrTeb
• 0x2000 or 0x3000 bytes (it's up to WoW64)
• TEB64 + TEB32 + PEB64 + PEB32
• fixup TEB64: .self, .peb, .stack, etc.
• TEB64.ExceptionList is always null
• fixup TEB32 based on TEB64
• TEB32.ExceptionList[0] = 0xffffffff
0x3000 → leak any one of the 4 blocks and we can get the other 3.

Slide 42

DEMO: wowInjector, one-gadget injection to take over the 32-bit Hell
Process injection that bypasses the HIPS of another AV
github.com/aaaddress1/wowInjector

Slide 43

Thanks!
Slides: GitHub @aaaddress1, Facebook