A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #14888  by dash
 Fri Jul 27, 2012 7:28 pm
Hi.
I am working on an x86 DLL injector and I want to inject x86 code into an x64 process thread and execute it. First I was failing with calling CreateRemoteThread on an x64 process, which led to error code 5. Then I found this trick https://dev.metasploit.com/redmine/proj ... e_inject.c and I was able to create a remote thread with it. But when I try to ResumeThread and execute that x86 code inside the x64 process, the whole process crashes.

Injecting x86 to x86 works well, problem is only with x86 to x64.

So, my question is: is it somehow possible to emulate and run x86 code copied inside an x64 process? I know one way to do this would be to have two versions of the same code and choose one depending on the architecture of the remote process, but I don't find this to be the best way to do it.

Thanks.
 #14894  by Brock
 Fri Jul 27, 2012 11:20 pm
Under WOW64 a 32-bit process can run both 32-bit and 64-bit code. In order to run 64-bit code you must perform a far jmp to segment selector 0x33, which asks wow64cpu.dll to make the native 64-bit instruction transition. The proper way would be to create a 64-bit injector, which will allow CreateRemoteThread to succeed on 64-bit and 32-bit processes instead of messing with such callgate hacks.