Riremito

wow64

May 17th, 2024
  1. #include<Windows.h>
  2. #pragma comment(linker,"/SECTION:.magic,ERW")
  3. #pragma code_seg(".magic")
void __declspec(naked) EnterSystemCall() {
    // Seven bytes of INT3 (0xCC) that Install() overwrites at run time with
    // the original contents of the WoW64 gate read from fs:[0xC0]; after that
    // patch this stub carries the saved 32-bit -> 64-bit switch code.
    // It is placed in the .magic section, which the /SECTION:.magic,ERW
    // linker pragma above makes writable, so memcpy_s can write into it.
    // `naked` means the compiler emits no prologue/epilogue around the bytes.
    // Until Install() has run, executing this stub traps on the first INT3.
    // NOTE(review): assumes the gate's first 7 bytes are one complete control
    // transfer with no fall-through; nothing valid follows the 7 bytes here.
    __asm {
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
        __emit(0xCC);
    }
}
  15. #pragma code_seg()
// which native API is being called can be told from the eax value at this point
void __declspec(naked) HookSystemCall() {
    // Target of the `jmp` that Install() writes into the fs:[0xC0] gate, so
    // system calls going through that gate arrive here after the patch.
    // The seven nops are a placeholder (the comment above notes that eax can
    // be inspected here); they modify no register. Control then continues
    // into EnterSystemCall, i.e. the saved original gate bytes, so the call
    // proceeds as it would have without the hook. No prologue/epilogue is
    // emitted (`naked`), which keeps the register state untouched.
    __asm {
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        jmp EnterSystemCall
    }
}
  29.  
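// Redirects this process's WoW64 system-call gate (the target read from
// fs:[0xC0]) through HookSystemCall.
//
// Sequence: save the gate's original 7 bytes into EnterSystemCall (its
// section is writable thanks to the /SECTION:.magic,ERW pragma above), make
// the gate page writable, park any concurrent caller on a `jmp $` while the
// hook jmp is written, then replace the spin with a `jmp +0` so execution
// falls through into the new `jmp HookSystemCall`.
//
// Returns true on success; false when no gate is present (fs:[0xC0] reads 0,
// e.g. the process is not running under WoW64), when the copy fails, or when
// either VirtualProtect call fails. A failure of the final VirtualProtect
// leaves the hook in place yet reports false.
//
// From a defender's view, the bytes at the fs:[0xC0] target are a natural
// integrity-check point: this function changes them in place.
bool Install() {
    ULONG_PTR uFsC0 = __readfsdword(0xC0);
    if (uFsC0 == 0) {
        // No gate to copy from; the memcpy_s below would otherwise read from
        // a null source.
        return false;
    }
    // copy original x86 to x64 switch code
    // NOTE(review): assumes the gate is exactly 7 bytes long — confirm for the
    // OS build in use
    if (memcpy_s((void *)EnterSystemCall, 0x07, (void *)uFsC0, 0x07) != 0) {
        return false;
    }
    DWORD old;
    if (!VirtualProtect((void *)uFsC0, 0x07, PAGE_EXECUTE_READWRITE, &old)) {
        return false;
    }

    // lock: EB FE = `jmp $`, so a thread entering the gate mid-patch spins
    // rather than executing a half-written instruction (assumes the 16-bit
    // store is observed atomically, which holds for a naturally aligned WORD)
    *(WORD *)uFsC0 = 0xFEEB;
    // write hook jmp: E9 rel32 at offset 2; rel32 is measured from the end of
    // that 5-byte instruction, i.e. uFsC0 + 0x02 + 0x05
    *(BYTE *)(uFsC0 + 0x02) = 0xE9;
    *(DWORD *)(uFsC0 + 0x03) = (ULONG_PTR)HookSystemCall - (uFsC0 + 0x02) - 0x05;
    // unlock: EB 00 = `jmp +0`, which falls through into the E9 written above
    *(WORD *)uFsC0 = 0x00EB;

    if (!VirtualProtect((void *)uFsC0, 0x07, old, &old)) {
        return false;
    }

    return true;
}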
  53.  
// DLL entry point. On process attach it disables per-thread attach/detach
// notifications for this module and runs Install(). Install()'s result is not
// checked, so the DLL reports a successful load even when the hook was not
// installed. Every other reason code is a no-op.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)lpvReserved;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hinstDLL);
        Install();
        break;
    default:
        // thread attach/detach and process detach need no work here
        break;
    }
    return TRUE;
}