
Most people would say that 64-bit under 32-bit on Windows is impossible. However, as far as I'm aware, Wow64 works by loading a 64-bit ntdll, then a 32-bit ntdll, calling the 64-bit DLL to issue syscalls.

As shown in Wow64SystemServiceCall, which is a jump to _Wow64Transition.

Shouldn't it be theoretically possible to therefore load a 64bit dll, and do some sort of similar transition call between the two layers?

Just asking here if this would be theoretically possible, or if I'm wasting my time here. Thank you in advance!

  • After you have loaded the .dll, what is the goal? The process will be marked as wow64 so some APIs might break. The 64-bit TEB might not even be set up correctly. – Anders Jul 02 '22 at 22:35
  • @Anders the goal is equal parts curiosity, equal parts writing tools that may be useful someday. I rewrote the Windows loader and a whole Heaven's Gate implementation. Figured if this was possible some way, it might be useful. Especially for cyber-sec work. – Zachary Washburn Jul 03 '22 at 00:17
  • If you already have a Heaven's Gate, what happens if you call the 64-bit ntdll Ldr? – Anders Jul 03 '22 at 10:38
  • @Anders the whole program crashes, it seems to be related to Control Flow Guard – Zachary Washburn Jul 03 '22 at 18:20

1 Answer


Yes and no. You can't "load" a 64-bit library into a 32-bit process. But the operating system can run interference for you: it can load the library into another process, and supply an IPC interface to utilize it.

I worked on a project like that in 1995. Visual Basic in those days was 16-bit, and Windows NT 3.51 was 32-bit. We ported the computation engine from VAX VMS, a 32-bit operating system, and re-created the GUI with VB. To move data across, Windows provided a "thunking layer". VB called an OS function, passing a function name and parameter description. NT called the 32-bit function on VB's behalf, and returned the data in VB's address space. Worked like a charm.

James K. Lowden
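The answer's point that a 64-bit image cannot simply be loaded into a 32-bit process is enforced by the image loader itself: the COFF file header carries a Machine field (and the optional header a PE32/PE32+ Magic), and LoadLibrary in a WoW64 process fails with ERROR_BAD_EXE_FORMAT (193) when that machine type does not match the process. The following Python is an added example, not code from the question, the answer or any project: it parses those two fields from constructed sample headers (hypothetical test data built in the block, not real DLLs) and reports whether an image of that bitness would be accepted by a 32-bit WoW64 process or a native x64 process, rejecting truncated or inconsistent headers along the way.

```python
"""Classify a PE image by its COFF Machine field before trying to load it.

Added example: runs over constructed header bytes, not real DLLs, so it
works offline on any platform. The constants are the documented PE values.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B  # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x020B  # PE32+
IMAGE_FILE_DLL = 0x2000

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)  # 20 bytes

EXPECTED_MAGIC = {
    IMAGE_FILE_MACHINE_I386: IMAGE_NT_OPTIONAL_HDR32_MAGIC,
    IMAGE_FILE_MACHINE_AMD64: IMAGE_NT_OPTIONAL_HDR64_MAGIC,
}


def build_sample_image(machine, magic, e_lfanew=0x80):
    """Constructed test data: DOS header, PE signature, file header and the
    first word (Magic) of the optional header. Headers only, not loadable."""
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> PE signature
    file_header = struct.pack(FILE_HEADER_FMT, machine, 1, 0, 0, 0,
                              2, IMAGE_FILE_DLL)  # SizeOfOptionalHeader = 2
    return (bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE)
            + file_header + struct.pack("<H", magic))


def pe_bitness(image):
    """Return 32 or 64 from the Machine field, cross-checked against the
    optional-header Magic. Raises ValueError on anything malformed."""
    if len(image) < 0x40:
        raise ValueError("shorter than IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nt_end = e_lfanew + 4 + FILE_HEADER_SIZE
    if nt_end > len(image):
        raise ValueError("e_lfanew points past the end of the image")
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(
        FILE_HEADER_FMT, image, e_lfanew + 4)
    expected_magic = EXPECTED_MAGIC.get(machine)
    if expected_magic is None:
        raise ValueError("unsupported Machine 0x%04x" % machine)
    if opt_size >= 2:
        if nt_end + 2 > len(image):
            raise ValueError("optional header truncated")
        magic = struct.unpack_from("<H", image, nt_end)[0]
        if magic != expected_magic:
            raise ValueError("Machine 0x%04x does not match Magic 0x%04x"
                             % (machine, magic))
    return 32 if machine == IMAGE_FILE_MACHINE_I386 else 64


def loadable_in_process(image, process_bits):
    """True if the loader would accept this image in a process of the given
    bitness: 32 for a WoW64 process, 64 for a native x64 process."""
    return pe_bitness(image) == process_bits


if __name__ == "__main__":
    x86 = build_sample_image(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    x64 = build_sample_image(IMAGE_FILE_MACHINE_AMD64, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    for name, img in (("x86 sample", x86), ("x64 sample", x64)):
        print(name, "bitness:", pe_bitness(img),
              "loadable in WoW64 process:", loadable_in_process(img, 32))
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `pe_bitness`; the same Machine/Magic mismatch that makes the parser raise is what the kernel's image validation rejects, so a 64-bit DLL never gets as far as the 32-bit loader's mapping step, which is why the only in-process route is the kind of mode switch the question describes rather than a LoadLibrary call.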