Injecting 64Bit Dll Into 32Bit Process

Jan 25th, 2013
//http://waleedassr.blogspot.com/
//http://www.twitter.com/waleedassar

Disassembling the "Wow64!ProcessInit" function, you can see that it is possible to inject a 64-bit DLL into a 32-bit process (Wow64 process).

All you have to do is drop a DLL named Wow64Log.dll into the "System32" directory. The library must export the following symbols/functions:
1) Wow64LogInitialize, called immediately by the "ProcessInit" function.
2) Wow64LogSystemService, called by the "Wow64SystemServiceEx" function, i.e. upon every system call, e.g. ZwQueryInformationProcess.
3) Wow64LogMessageArgList, called by the "Wow64LogPrint" function upon issuing various system calls.
4) Wow64LogTerminate, called by the "whNtTerminateProcess" function upon process termination.

Best Regards
Waliedassar
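
Since the note identifies the DLL by its file name and four export names, a file found under that name can be triaged by reading its PE export table. The following is an added example, not part of the original paste: `check_wow64log` and `build_sample` are hypothetical names, and `build_sample` only fabricates a header-only test image (constructed input, not a loadable DLL).

```python
import struct

# Export names the note says Wow64Log.dll must provide.
REQUIRED = {"Wow64LogInitialize", "Wow64LogSystemService",
            "Wow64LogMessageArgList", "Wow64LogTerminate"}

def check_wow64log(data):
    """Return (is_64bit, missing_exports) for a PE image given as bytes."""
    u16 = lambda o: struct.unpack_from("<H", data, o)[0]
    u32 = lambda o: struct.unpack_from("<I", data, o)[0]
    if data[:2] != b"MZ" or data[u32(0x3C):u32(0x3C) + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = u32(0x3C) + 24                 # optional header follows PE sig + COFF header
    is_64bit = u16(opt) == 0x20B         # PE32+ magic
    sect = opt + u16(opt - 4)            # SizeOfOptionalHeader -> section table
    sections = [struct.unpack_from("<IIII", data, sect + 40 * i + 8)
                for i in range(u16(opt - 18))]  # (vsize, vaddr, rawsize, rawptr)
    def off(rva):                        # RVA -> file offset
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + rva - vaddr
        raise ValueError("RVA outside any section")
    names, export_rva = set(), u32(opt + (112 if is_64bit else 96))  # directory 0
    if export_rva:
        exp = off(export_rva)
        table = off(u32(exp + 32))       # AddressOfNames
        for i in range(u32(exp + 24)):   # NumberOfNames
            s = off(u32(table + 4 * i))
            names.add(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    return is_64bit, REQUIRED - names

def build_sample(names, magic=0x20B):
    """Constructed input: minimal PE whose only section holds an export name table."""
    opt_size = 240 if magic == 0x20B else 224
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<H", img, 0x46, 1)                    # NumberOfSections
    struct.pack_into("<H", img, 0x54, opt_size)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, magic)                # optional header magic
    struct.pack_into("<I", img, 0x58 + opt_size - 128, 0x1000)  # export directory RVA
    struct.pack_into("<IIII", img, 0x58 + opt_size + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<III", img, 0x218, len(names), 0, 0x1028)  # NumberOfNames, -, AddressOfNames
    pos = 0x228 + 4 * len(names)
    for i, name in enumerate(sorted(names)):
        struct.pack_into("<I", img, 0x228 + 4 * i, 0x1000 + pos - 0x200)
        img[pos:pos + len(name)] = name.encode()
        pos += len(name) + 1
    return bytes(img)
```

On a live system, read the candidate file from a 64-bit process, because WOW64 file system redirection shows a 32-bit process SysWOW64 when it asks for System32.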