Injecting 64Bit Dll Into 32Bit Process

Jan 25th, 2013
Disassembling the "Wow64!ProcessInit" function, you can see that it is possible to inject a 64-bit DLL into a 32-bit process (Wow64 process).

All you have to do is drop a DLL named Wow64Log.dll into the "System32" directory. The library must export the following symbols/functions:

1) Wow64LogInitialize, called immediately by the "ProcessInit" function.
2) Wow64LogSystemService, called by the "Wow64SystemServiceEx" function, i.e. upon every system call, e.g. ZwQueryInformationProcess.
3) Wow64LogMessageArgList, called by the "Wow64LogPrint" function upon issuing various system calls.
4) Wow64LogTerminate, called by the "whNtTerminateProcess" function upon process termination.
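Because wow64.dll loads this library by name, the defender's check is simply whether a Wow64Log.dll exists in System32 and which of the four exports above it carries. The following added example (not part of the original post, standard-library Python only, with the export-table parser written here rather than taken from a PE library) does that check; the file is absent on a default install, so its presence alone is worth an alert.

```python
import struct
from pathlib import Path

# The four exports wow64.dll looks for in Wow64Log.dll (names from the post above).
HOOK_EXPORTS = {"Wow64LogInitialize", "Wow64LogSystemService",
                "Wow64LogMessageArgList", "Wow64LogTerminate"}

def _rva_to_offset(rva, sections):
    # Map an RVA to a file offset using the section table.
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def pe_export_names(data: bytes) -> set:
    """Return the names in the export table of a PE image (raw file bytes)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start 0x70 bytes into a PE32+ optional header, 0x60 into PE32.
    exp_rva = struct.unpack_from("<I", data, opt + (0x70 if magic == 0x20B else 0x60))[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return set()
    exp = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames at +24, AddressOfNames at +32.
    num_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)
    names_off = _rva_to_offset(names_rva, sections)
    names = set()
    for i in range(num_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
        names.add(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return names

def assess(exports: set) -> dict:
    """Classify a file by how many of the wow64 hook exports it provides."""
    found = exports & HOOK_EXPORTS
    return {"hook_exports": sorted(found), "complete_hook": found == HOOK_EXPORTS}

def check_host(path=r"C:\Windows\System32\Wow64Log.dll"):
    """Live check: returns None when the file is absent (the expected state).
    Run from a 64-bit interpreter; a 32-bit one is redirected to SysWOW64 for this path."""
    p = Path(path)
    return None if not p.exists() else assess(pe_export_names(p.read_bytes()))
```

A result with `complete_hook` set means every WoW64 process on the host will load that DLL at start-up, so the file should be hashed, signature-checked and preserved before removal.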
