Injecting 64Bit Dll Into 32Bit Process
- Disassembling the "Wow64!ProcessInit" function, you can see that it is possible to inject a 64-bit DLL into a 32-bit process (Wow64 process).
- All you have to do is drop a DLL named Wow64Log.dll into the "System32" directoy. The library must export the following symbols/functions:
- 1) Wow64LogInitialize, called immediately by the "ProcessInit" function.
- 2) Wow64LogSystemService, called by the " Wow64SystemServiceEx" function i.e. upon
- every system call e.g. ZwQueryInformationProcess.
- 3) Wow64LogMessageArgList, called by the "Wow64LogPrint" function upon issuing various system calls.
- 4) Wow64LogTerminate, called by the "whNtTerminateProcess" function upon process termination
- Best Regards
RAW Paste Data