WoW64 internals …re-discovering Heaven’s Gate on ARM

( Original text by PetrBenes )

WoW64 — aka Windows (32-bit) on Windows (64-bit) — is a subsystem that enables 32-bit Windows applications to run on 64-bit Windows. Most people today are familiar with WoW64 on Windows x64, where they can run x86 applications. WoW64 has been with us since Windows XP, and x64 wasn’t the only architecture where WoW64 has been available — it was available on IA-64architecture as well, where WoW64 has been responsible for emulating x86. Newly, WoW64 is also available on ARM64, enabling emulation of both x86 and ARM32 appllications.

MSDN offers brief article on WoW64 implementation details. We can find that WoW64 consists of (ignoring IA-64):

• Translation support DLLs:
  • wow64.dll

    : translation of 

    Nt*

     system calls (

    ntoskrnl.exe

     / 

    ntdll.dll

    )

  • wow64win.dll

    : translation of 

    NtGdi*

    , 

    NtUser*

     and other GUI-related system calls (

    win32k.sys

     / 

    win32u.dll

    )

• Emulation support DLLs:
  • wow64cpu.dll

    : support for running x86 programs on x64

  • wowarmhw.dll

    : support for running ARM32 programs on ARM64

  • xtajit.dll

    : support for running x86 programs on ARM64

Besides 

 system call translation, the 

 provides the core emulation infrastructure.

If you have previous experience with reversing WoW64 on x64, you can notice that it shares plenty of common code with WoW64 subsystem on ARM64. Especially if you peeked into WoW64 of recent x64 Windows, you may have noticed that it actually contains strings such as 

 and that some functions check against 

 machine type:

WoW on x64 systems cannot emulate ARM32 though — it just apparently shares common code. But 

 and 

 sound particularly interesting!

Those similarities can help anyone who is fluent in x86/x64, but not that much in ARM. Also, HexRays decompiler produce much better output for x86/x64 than for ARM32/ARM64.

Initially, my purpose with this blogpost was to get you familiar with how WoW64 works for ARM32 programs on ARM64. But because WoW64 itself changed a lot with Windows 10, and because WoW64 shares some similarities between x64 and ARM64, I decided to briefly get you through how WoW64 works in general.

Everything presented in this article is based on Windows 10 — insider preview, build 18247.

Terms

Througout this article I’ll be using some terms I’d like to explain beforehand:

• ntdll

   or 

  ntdll.dll

   — these will be always refering to the native 

  ntdll.dll

   (x64 on Windows x64, ARM64 on Windows ARM64, …), until said otherwise or until the context wouldn’t indicate otherwise.

• ntdll32

   or 

  ntdll32.dll

   — to make an easy distinction between native and WoW64 

  ntdll.dll

  , any WoW64 

  ntdll.dll

   will be refered with the 

  *32

   suffix.

• emu

   or 

  emu.dll

   — these will represent any of the emulation support DLLs (one of 

  wow64cpu.dll

  ,

  wowarmhw.dll

  , 

  xtajit.dll

  )

• module!FunctionName

   — refers to a symbol 

  FunctionName

   within the 

  module

  . If you’re familiar with WinDbg, you’re already familiar with this notation.

• CHPE

   — “compiled-hybrid-PE”, a new type of PE file, which looks as if it was x86 PE file, but has ARM64 code within them. 

  CHPE

   will be tackled in more detail in the x86 on ARM64 section.

• The terms emulation and binary-translation refer to the WoW64 workings and they may be used interchangeably.

Kernel

This section shows some points of interest in the 

 regarding to the WoW64 initialization. If you’re interested only in the user-mode part of the WoW64, you can skip this part to the Initialization of the WoW64 process.

Kernel (initialization)

Initalization of WoW64 begins with the initialization of the kernel:

• nt!KiSystemStartup
• nt!KiInitializeKernel
• nt!InitBootProcessor
• nt!PspInitPhase0
• nt!Phase1Initialization
  • nt!IoInitSystem
    • nt!IoInitSystemPreDrivers
    • nt!PsLocateSystemDlls

 routine takes a pointer named 

, and then calls 

 in a loop. Let’s figure out what’s going on here:

 appears to be array of pointers to some structure, which holds some NTDLL-related data. The order of these NTDLLs corresponds with this 

 (included in the PDB):

Remember this 

, we’ll be needing it again in a while.

Now, let’s look how such structure looks like:

The 

 function intializes fields of this structure. The layout of this structure isn’t unfortunatelly in the PDB, but you can find a reconstructed version in the appendix.

Now let’s get back to the 

 — there’s more:

• ...
• nt!Phase1Initialization
  • nt!Phase1InitializationIoReady
    • nt!PspInitPhase2
    • nt!PspInitializeSystemDlls

 routine takes a pointer named 

. Let’s look at it:

It looks like it’s some sort of array, again, ordered by the 

 mentioned earlier. Let’s examine 

:

Nothing unexpected — just tuples of function name and function pointer. Did you notice the difference in the number after the 

 field? On x64 there is 19 meanwhile on ARM64 there is 14. This number represents number of items in 

 — and indeed, there is slightly different set of them:

x64	ARM64
(0)  LdrInitializeThunk	(0)  LdrInitializeThunk
(1)  RtlUserThreadStart	(1)  RtlUserThreadStart
(2)  KiUserExceptionDispatcher	(2)  KiUserExceptionDispatcher
(3)  KiUserApcDispatcher	(3)  KiUserApcDispatcher
(4)  KiUserCallbackDispatcher	(4)  KiUserCallbackDispatcher
—	(5)  KiUserCallbackDispatcherReturn
(5)  KiRaiseUserExceptionDispatcher	(6)  KiRaiseUserExceptionDispatcher
(6)  RtlpExecuteUmsThread	—
(7)  RtlpUmsThreadYield	—
(8)  RtlpUmsExecuteYieldThreadEnd	—
(9)  ExpInterlockedPopEntrySListEnd	(7)  ExpInterlockedPopEntrySListEnd
(10)  ExpInterlockedPopEntrySListFault	(8)  ExpInterlockedPopEntrySListFault
(11)  ExpInterlockedPopEntrySListResume	(9)  ExpInterlockedPopEntrySListResume
(12)  LdrSystemDllInitBlock	(10)  LdrSystemDllInitBlock
(13)  RtlpFreezeTimeBias	(11)  RtlpFreezeTimeBias
(14)  KiUserInvertedFunctionTable	(12)  KiUserInvertedFunctionTable
(15)  WerReportExceptionWorker	(13)  WerReportExceptionWorker
(16)  RtlCallEnclaveReturn	—
(17)  RtlEnclaveCallDispatch	—
(18)  RtlEnclaveCallDispatchReturn	—

We can see that ARM64 is missing 

 (User-Mode Scheduling) and 

Enclave

 functions. Also, we can see that ARM64 has one extra function: 

.

On the other hand, all 

 contain the same set of function names:

Notice names of second fields of these “structures”: 

,

, … If we look at the address of those fields, we can see that they’re part of another array:

Those addresses are actually targets of the pointers in the 

 structure. Also, those functions combined with 

 might give you hint that they’re related to this 

 (included in the PDB):

Notice how the order of the 

 corellates with the empty field in the previous screenshot (highlighted). The set of WoW64 NTDLL functions is same on both x64 and ARM64.

(The C representation of this data can be found in the appendix.)

Now we can tell what the 

 function does — it gets image base of each NTDLL (

), resolves all 

 for them (

). Also, only for all WoW64 NTDLLs (

) it assigns the image base to the 

 field of the 

 array (

).

Kernel (create process)

Let’s talk briefly about process creation. As you probably already know, the native 

 is mapped as a first DLL into each created process. This applies for all architectures — x86, x64 and also for ARM64. The WoW64 processes aren’t exception to this rule — the WoW64 processes share the same initialization code path as native processes.

• nt!NtCreateUserProcess
• nt!PspAllocateProcess
  • nt!PspSetupUserProcessAddressSpace
    • nt!PspPrepareSystemDllInitBlock
    • nt!PspWow64SetupUserProcessAddressSpace
• nt!PspAllocateThread
  • nt!PspWow64InitThread
  • nt!KeInitThread // Entry-point: nt!PspUserThreadStartup
• nt!PspUserThreadStartup
• nt!PspInitializeThunkContext
  • nt!KiDispatchException

If you ever wondered how is the first user-mode instruction of the newly created process executed, now you know the answer — a “synthetic” user-mode exception is dispatched, with 

, where 

points to the 

. This is the first function that is executed in every process — including WoW64 processes.

Initialization of the WoW64 process

The fun part begins!

NOTE: Initialization of the 

wow64.dll

 is same on both x64 and ARM64. Eventual differences will be mentioned.

• ntdll!LdrInitializeThunk
• ntdll!LdrpInitialize
• ntdll!_LdrpInitialize
• ntdll!LdrpInitializeProcess
• ntdll!LdrpLoadWow64

The 

 function is called when the 

 global variable is 

, which is set when 

.

It constructs the full path to the 

, loads it, and then resolves following functions:

• Wow64LdrpInitialize
• Wow64PrepareForException
• Wow64ApcRoutine
• Wow64PrepareForDebuggerAttach
• Wow64SuspendLocalThread

NOTE: The resolution of these pointers is wrapped between pair of 

ntdll!LdrProtectMrdata

 calls, responsible for protecting (1) and unprotecting (0) the 

.mrdata

 section — in which these pointers reside. 

MRDATA

 (Mutable Read Only Data) are part of the CFG (Control-Flow Guard) functionality. You can look at Alex’s slides for more information.

When these functions are successfully located, the 

 finally transfers control to the 

 by calling 

. Let’s go through the sequence of calls that eventually bring us to the entry-point of the “emulated” application.

• wow64!Wow64LdrpInitialize
  • wow64!Wow64InfoPtr = (NtCurrentPeb32() + 1)
  • NtCurrentTeb()->TlsSlots[/* 10 */ WOW64_TLS_WOW64INFO] = wow64!Wow64InfoPtr
  • ntdll!RtlWow64GetCpuAreaInfo
  • wow64!ProcessInit
  • wow64!CpuNotifyMapViewOfSection // Process image
  • wow64!Wow64DetectMachineTypeInternal
  • wow64!Wow64SelectSystem32PathInternal
  • wow64!CpuNotifyMapViewOfSection // 32-bit NTDLL image
  • wow64!ThreadInit
  • wow64!ThunkStartupContext64TO32
  • wow64!Wow64SetupInitialCall
  • wow64!RunCpuSimulation
    • emu!BTCpuSimulate

 is the first initialized variable in the 

. It contains data shared between 32-bit and 64-bit execution mode and its structure is not documented, although you can find this structure partialy restored in the appendix.

 is an internal 

 function which is called a lot during emulation. It is mainly used for fetching the machine type and architecture-specific CPU context (the 

structure) of the emulated process. This information is fetched into an undocumented structure, which we’ll be calling 

. Pointer to this structure is then given to the 

 function.

 determines the machine type of the executed process and returns it. 

 selects the “emulated” 

 directory based on that machine type, e.g. 

 for x86 processes or 

 for ARM32 processes.

You can also notice calls to 

 function. As the name suggests, it is also called on each “emulated” call of 

. This function:

• Checks if the mapped image is executable
• Checks if following conditions are true:
  • NtHeaders->OptionalHeader.MajorSubsystemVersion == USER_SHARED_DATA.NtMajorVersion
  • NtHeaders->OptionalHeader.MinorSubsystemVersion == USER_SHARED_DATA.NtMinorVersion

If these checks pass, 

 function is called. This function checks if the mapped image exports the 

 symbol and if so, it assigns there a 32-bit pointer value returned by 

.

The 

 is mostly known to be exported by 

, but there are actually multiple of Windows’ WoW DLLs which exports this symbol (will be mentioned later). You might be already familiar with the term “Heaven’s Gate” — this is where the 

 will point to on Windows x64 — a simple far jump instruction which switches into long-mode (64-bit) enabled code segment. On ARM64, the 

 points to a “nop” function.

NOTE: Because there are no checks on the 

ImageName

, the 

Wow64Transition

 symbol is resolved for all executable images that passes the checks mentioned earlier. If you’re wondering whether 

Wow64Transition

 would be resolved for your custom executable or DLL — it indeed would!

The initialization then continues with thread-specific initialization by calling 

. This is followed by pair of calls 

 and 

 — these functions perform the necessary setup of the architecture-specific WoW64 

 structure to prepare start of the execution in the emulated environment. This is done in the exact same way as if 

 would actually executed the emulated application — i.e.:

• setting the instruction pointer to the address of 
  ntdll32!LdrInitializeThunk
• setting the stack pointer below the WoW64 
  CONTEXT

   structure

• setting the 1st parameter to point to that 
  CONTEXT

   structure

• setting the 2nd parameter to point to the base address of the 
  ntdll32

Finally, the 

 function is called. This function just calls 

 from the binary-translator DLL, which contains the actual emulation loop that never returns.

wow64!ProcessInit

• wow64!Wow64ProtectMrdata // 0
• wow64!Wow64pLoadLogDll
  • ntdll!LdrLoadDll // "%SystemRoot%\system32\wow64log.dll"

 has also it’s own 

 section and 

 begins with unprotecting it. It then tries to load the 

 from the constructed system directory. Note that this DLL is never present in any released Windows installation (it’s probably used internally by Microsoft for debugging of the WoW64 subsystem). Therefore, load of this DLL will normally fail. This isn’t problem, though, because no critical functionality of the WoW64 subsystem depends on it. If the load would actually succeed, the 

 would try to find following exported functions there:

• Wow64LogInitialize
• Wow64LogSystemService
• Wow64LogMessageArgList
• Wow64LogTerminate

If any of these functions wouldn’t be exported, the DLL would be immediately unloaded.

If we’d drop custom 

 (which would export functions mentioned above) into the 

 directory, it would actually get loaded into every WoW64 process. This way we could drop a custom logging DLL, or even inject every WoW64 process with native DLL!

For more details, you can check my injdrv project which implements injection of native DLLs into WoW64 processes, or check this post by Walied Assar.

Then, certain important values are fetched from the 

 array. These contains base address of the 

, pointer to functions like 

, 

, …, control flow guard information and others.

Finally, the 

 is called, which — as the name suggests — initializes WoW64 path redirection. The path redirection is completely implemented in the 

 and the mechanism is basically based on string replacement. The path redirection can be disabled and enabled by calling 

 & 

 function pairs. Both of these functions internally call 

, which directly operates on 

 field.

wow64!ServiceTables

Next, a 

 array is initialized. You might be already familiar with the 

 from the 

, which contains — among other things — a pointer to an array of system functions callable from the user-mode. 

 contains 2 of these tables: one for 

 itself and one for the 

, aka the Windows (GUI) subsystem. 

 has 4 of them!

The 

 has the exact same structure as the 

, except that it is extended:

(More detailed definition of this structure is in the appendix.)

 array is populated as follows:

• ServiceTables[/* 0 */ WOW64_NTDLL_SERVICE_INDEX] = sdwhnt32
• ServiceTables[/* 1 */ WOW64_WIN32U_SERVICE_INDEX] = wow64win!sdwhwin32
• ServiceTables[/* 2 */ WOW64_KERNEL32_SERVICE_INDEX = wow64win!sdwhcon
• ServiceTables[/* 3 */ WOW64_USER32_SERVICE_INDEX] = sdwhbase

NOTE: 

wow64.dll

 directly depends (by import table) on two DLLs: the native 

ntdll.dll

 and 

wow64win.dll

. This means that 

wow64win.dll

 is loaded even into “non-Windows-subsystem” processes, that wouldn’t normally load 

user32.dll

.

These two symbols mentioned above are the only symbols that 

wow64.dll

 requires 

wow64win.dll

 to export.

Let’s have a look at 

 service table:

There is nothing surprising for those who already dealt with service tables in 

.

 contains array of the system call functions, which are traditionaly prefixed. WoW64 “system calls” are prefixed with 

, which honestly I don’t have any idea what it stands for — although it might be the case as with 

 prefix — it stands for nothing and is simply used as an unique distinguisher.

The job of these 

 functions is to correctly convert any arguments and return values from the 32-bit version to the native, 64-bit version. Keep in mind that that it not only includes conversion of integers and pointers, but also content of the structures. Interesting note might be that each of the 

 functions has only one argument, which is pointer to an array of 32-bit values. This array contains the parameters passed to the 32-bit system call.

As you could notice, in those 4 service tables there are “system calls” that are not present in the 

. Also, I mentioned earlier that the 

 is resolved in multiple DLLs. Currently, these DLLs export this symbol:

• ntdll.dll
• win32u.dll
• kernel32.dll

   and 

  kernelbase.dll
• user32.dll

The 

 and 

 are obvious and they represent the same thing as their native counterparts. The service tables used by 

 and 

 contain functions for transformation of particular 

 calls into their 64-bit version.

It’s also worth noting that at the end of the 

 system table, there are several functions with 

 calls, such as 

, 

 and others. These are special functions which are provided only to WoW64 processes.

One of these special functions is also 

. It has it’s own small dispatch table and callers can select which function should be called based on its index:

NOTE: I’ll be talking about one of these functions — namely 

Wow64CallFunctionTurboThunkControl

 — later in the Disabling Turbo thunks section.

wow64!Wow64SystemServiceEx

This function is similar to the kernel’s 

 — it does the dispatching of the system call. This function is exported by the 

 and imported by the emulation DLLs. 

 accepts 2 arguments:

• The system call number
• Pointer to an array of 32-bit arguments passed to the system call (as mentioned earlier)

The system call number isn’t just an index, but also contains index of a system table which needs to be selected (this is also true for 

):

This function then selects 

 and calls the appropriate 

function based on the 

.

NOTE: In case the 

wow64log.dll

 has been successfully loaded, the 

Wow64SystemServiceEx

 function calls 

Wow64LogSystemServiceWrapper

 (wrapper around 

wow64log!Wow64LogSystemService

 function): once before the actual system call and one immediately after. This can be used for instrumentation of each WoW64 system call! The structure passed to 

Wow64LogSystemService

 contains every important information about the system call — it’s table index, system call number, the argument list and on the second call, even the resulting 

NTSTATUS

! You can find layout of this structure in the appendix(

WOW64_LOG_SERVICE

).

Finally, as have been mentioned, the 

 structure differs from 

 in that it contains 

 table. The code mentioned above is actually wrapped in a SEH 

/

 block. If 

 raise an exception, the 

block calls 

 function. The function looks if the corresponding service table which raised the exception has non-

 

 and if it does, it selects the appropriate 

 for the system call. If the 

 is 

, the values from 

 are used. The 

 of the exception is then transformed according to an algorithm which can be found in the appendix.

wow64!ProcessInit

 (cont.)

• ...
• wow64!CpuLoadBinaryTranslator // MachineType
  • wow64!CpuGetBinaryTranslatorPath // MachineType
    • ntdll!NtOpenKey // "\Registry\Machine\Software\Microsoft\Wow64"
    • ntdll!NtQueryValueKey // "arm" / "x86"
    • ntdll!RtlGetNtSystemRoot // "arm" / "x86"
    • ntdll!RtlUnicodeStringPrintf // "%ws\system32\%ws"

As you’ve probably guessed, this function constructs path to the binary-translator DLL, which is — on x64 — known as 

. This DLL will be responsible for the actual low-level emulation.

We can see that there is no 

 on ARM64. Instead, there is 

 used for x86 emulation and 

 used for ARM32 emulation.

NOTE: The 

CpuGetBinaryTranslatorPath

 function is same on both x64 and ARM64 except for one peculiar difference: on Windows x64, if the 

\Registry\Machine\Software\Microsoft\Wow64\x86

 key cannot be opened (is missing/was deleted), the function contains a fallback to load 

wow64cpu.dll

. On Windows ARM64, though, it doesn’t have such fallback and if the registry key is missing, the function fails and the WoW64 process is terminated.

 then loads one of the selected DLL and tries to find there following exported functions:

BTCpuProcessInit  (!)	BTCpuProcessTerm
BTCpuThreadInit	BTCpuThreadTerm
BTCpuSimulate  (!)	BTCpuResetFloatingPoint
BTCpuResetToConsistentState	BTCpuNotifyDllLoad
BTCpuNotifyDllUnload	BTCpuPrepareForDebuggerAttach
BTCpuNotifyBeforeFork	BTCpuNotifyAfterFork
BTCpuNotifyAffinityChange	BTCpuSuspendLocalThread
BTCpuIsProcessorFeaturePresent	BTCpuGetBopCode  (!)
BTCpuGetContext	BTCpuSetContext
BTCpuTurboThunkControl	BTCpuNotifyMemoryAlloc
BTCpuNotifyMemoryFree	BTCpuNotifyMemoryProtect
BTCpuFlushInstructionCache2	BTCpuNotifyMapViewOfSection
BTCpuNotifyUnmapViewOfSection	BTCpuUpdateProcessorInformation
BTCpuNotifyReadFile	BTCpuCfgDispatchControl
BTCpuUseChpeFile	BTCpuOptimizeChpeImportThunks
BTCpuNotifyProcessExecuteFlagsChange	BTCpuProcessDebugEvent
BTCpuFlushInstructionCacheHeavy

Interestingly, not all functions need to be found — only those marked with the “(!)”, the rest is optional. As a next step, the resolved 

 function is called, which performs binary-translator-specific process initialization. We’ll cover that in later section.

At the end of the 

 function, 

 is called, making 

non-writable again.

wow64!ThreadInit

• wow64!ThreadInit
  • wow64!CpuThreadInit
    • NtCurrentTeb32()->WOW32Reserved = BTCpuGetBopCode()
    • emu!BTCpuThreadInit

 does some little thread-specific initialization, such as:

• Copying 
  CurrentLocale

   and 

  IdealProcessor

   values from 64-bit 

  TEB

   into 32-bit 

  TEB

  .

• For non-
  WOW64_CPUFLAGS_SOFTWARE

   emulators, it calls 

  CpuThreadInit

  , which:

  • Performs 
    NtCurrentTeb32()->WOW32Reserved = BTCpuGetBopCode()

    .

  • Calls 
    emu!BTCpuThreadInit()

    .

• For 
  WOW64_CPUFLAGS_SOFTWARE

   emulators, it creates an event, which added into

  AlertByThreadIdEventHashTable

   and set to 

  NtCurrentTeb()->TlsSlots[18]

  . This event is used for special emulation of 

  NtAlertThreadByThreadId

   and 

  NtWaitForAlertByThreadId

  .

NOTE: The 

WOW64_CPUFLAGS_MSFT64 (1)

 or the 

WOW64_CPUFLAGS_SOFTWARE (2)

 flag is stored in the 

NtCurrentTeb()->TlsSlots[/* 10 */ WOW64_TLS_WOW64INFO]

, in the 

WOW64INFO.CpuFlags

 field. One of these flags is always set in the emulator’s 

BTCpuProcessInit

 function (mentioned in the section above):

• wow64cpu.dll

   sets 

  WOW64_CPUFLAGS_MSFT64 (1)
• wowarmhw.dll

   sets 

  WOW64_CPUFLAGS_MSFT64 (1)
• xtajit.dll

   sets 

  WOW64_CPUFLAGS_SOFTWARE (2)

x86 on x64

Entering 32-bit mode

• ...
• wow64!RunCpuSimulation
  • wow64cpu!BTCpuSimulate
    • wow64cpu!RunSimulatedCode

 runs in a loop and performs transitions into 32-bit mode either via:

• jmp fword ptr[reg]

   — a “far jump” that not only changes instruction pointer (

  RIP

  ), but also the code segment register (

  CS

  ). This segment usually being set to 

  0x23

  , while 64-bit code segment is 

  0x33
• synthetic “machine frame” and 
  iret

   — called on every “state reset”

NOTE: Explanation of segmentation and “why does it work just by changing a segment register” is beyond scope of this article. If you’d like to know more about “long mode” and segmentation, you can start here.

Far jump is used most of the time for the transition, mainly because it’s faster. 

 on the other hand is more powerful, as it can change 

, 

, 

, 

 and 

 all at once. The “state reset” occurs when 

 has 

 bit set. This happens during exception (see 

 and 

). Also, this flag is cleared on every emulation loop (using 

 — bit-test-and-reset).

You can see the simplest form of switching into the 32-bit mode. Also, at the beginning you can see that 

 address is moved into the 

 register. This register stays untouched during the whole 

 function. Turbo thunks will be explained in more detail later.

Leaving 32-bit mode

The switch back to the 64-bit mode is very similar — it also uses far jumps. The usual situation when code wants to switch back to the 64-bit mode is upon system call:

The 

 is just a simple jump to the 

:

If you remember, the 

 value is resolved by the 

function:

It selects either 

 or 

 based on the 

 value.

The 

 looks like this (used when 

):

• [x86] jmp 33h:$+9

   (jumps to the instruction below)

• [x64] jmp qword ptr [r15+offset]

   (which points to 

  CpupReturnFromSimulatedCode

  )

The 

 looks like this (used when 

):

• [x86] push 0x33
• [x86] push eax
• [x86] call $+5
• [x86] pop eax
• [x86] add eax, 12
• [x86] xchg eax, dword ptr [esp]
• [x86] jmp fword ptr [esp]

   (jumps to the instruction below)

• [x64] add rsp, 8
• [x64] jmp wow64cpu!CpupReturnFromSimulatedCode

Clearly, the 

 is faster, so why it’s not used used every time?

It turns out, 

 is set to 1 in the 

 function if the process is not executed with the 

ProhibitDynamicCode

 mitigation policy and if 

 succeeds.

This is because 

 is in a non-executable read-only section (

) while

 is in read-executable section (

).

But the actual reason why is 

 in non-executable section by default and needs to be set as executable manually is, honestly, unknown to me. My guess would be that it has something to do with relocations, because the address in the 

 instruction must be somehow resolved by the loader. But maybe I’m wrong. Let me know if you know the answer!

Turbo thunks

I hope you didn’t forget about the 

 address hanging in the 

 register. This value is used as a jump-table:

There are 32 items in the jump-table.

 is the first code that is always executed in the 64-bit mode when 32-bit to 64-bit transition occurs. Let’s recapitulate the code:

• Stack is swapped,
• Non-volatile registers are saved
• eax

   — which contains the encoded service table index and system call number — is moved into the 

  ecx
• it’s high-word is acquired via 
  ecx >> 16

  .

• the result is used as an index into the 
  TurboThunkDispatch

   jump-table

You might be confused now, because few sections above we’ve defined the service number like this:

…therefore, after right-shifting this value by 16 bits we should get always 0, right?

It turns out, on x64, the 

 might be defined like this:

Let’s examine few WoW64 system calls:

Based on our new definition of 

, we can conclude that:

• NtMapViewOfSection

   uses turbo thunk with index 0 (

  TurboDispatchJumpAddressEnd

  )

• NtWaitForSingleObject

   uses turbo thunk with index 13 (

  Thunk3ArgSpNSpNSpReloadState

  )

• NtDeviceIoControlFile

   uses turbo thunk with index 27 (

  DeviceIoctlFile

  )

Let’s finally explain “turbo thunks” in proper way.

Turbo thunks are an optimalization of WoW64 subsystem — specifically on Windows x64 — that enables for particular system calls to never leave the 

 — the conversion of parameters and return value, and the 

 instruction itself is fully performed there. The set of functions that use these turbo thunks reveals, that they are usually very simple in terms of parameter conversion — they receive numerical values or handles.

The notation of 

 labels is as follows:

• The number specifies how many arguments the function receives
• Sp

   converts parameter with sign-extension

• NSp

   converts parameter without sign-extension

• ReloadState

   will return to the 32-bit mode using 

  iret

   instead of far jump, if 

  WOW64_CPURESERVED_FLAG_RESET_STATE

   is set

• QuerySystemTime

  , 

  ReadWriteFile

  , 

  DeviceIoctlFile

  , … are special cases

Let’s take the 

 and its turbo thunk 

 as an example:

• it receives 3 parameters
• 1st parameter is sign-extended
• 2nd parameter isn’t sign-extended
• 3rd parameter isn’t sign-extended
• it can switch to 32-bit mode using 
  iret

   if 

  WOW64_CPURESERVED_FLAG_RESET_STATE

   is set

When we cross-check this information with its function prototype, it makes sense:

The sign-extension of 

 makes sense, because if we pass there an 

, which happens to be 

 on 32-bits, we don’t want to convert this value to 

, but 

.

On the other hand, if the 

 is 0, the call will end up in the

 which in turn calls 

. You can consider this case as the “slow path”.

Disabling Turbo thunks

On Windows x64, the Turbo thunk optimization can be actually disabled!

In one of the previous sections I’ve been talking about 

 and

 functions. As with any other 

 function, 

 is only available in the WoW64 

. This function can be called with an index to WoW64 function in the 

 table (you could see earlier).

The function prototype might look like this:

NOTE: This function prototype has been reconstructed with the help of the

wow64!Wow64CallFunction64Nop

 function code, which just logs the parameters.

We can see that 

 can be called with an index of 2. This function performs some sanity checks and then passes calls

.

 then checks the input parameter.

• If it’s 0, it patches every target of the jump table to point to 
  TurboDispatchJumpAddressEnd

  (remember, this is the target that is called when 

  WOW64_SYSTEM_SERVICE.TurboThunkNumber

   is 0).

• If it’s non-0, it returns 
  STATUS_NOT_SUPPORTED

  .

This means 2 things:

• Calling 
  wow64cpu!BTCpuTurboThunkControl(0)

   disables the Turbo thunks, and every system call ends up taking the “slow path”.

• It is not possible to enable them back.

With all this in mind, we can achieve disabling Turbo thunks by this call:

What it might be good for? I can think of 3 possible use-cases:

• If we deploy custom 
  wow64log.dll

   (explained earlier), disabling Turbo thunks guarantees that we will see every WoW64 system call in our 

  wow64log!Wow64LogSystemService

   callback. We wouldn’t see such calls if the Turbo thunks were enabled, because they would take the “fast path” inside of the 

  wow64cpu.dll

   where the 

  syscall

   would be executed.

• If we decide to hook 
  Nt*

   functions in the native 

  ntdll.dll

  , disabling Turbo thunks guarantees that for each 

  Nt*

   function called in the 

  ntdll32.dll

  , the correspondint 

  Nt*

   function will be called in the native 

  ntdll.dll

  . (This is basically the same point as the previous one.)

  NOTE: Keep in mind that this only applies on system calls, i.e. on 

  Nt*

   or 

  Zw*

   functions. Other functions are not called from the 32-bit 

  ntdll.dll

   to the 64-bit 

  ntdll.dll

  . For example, if we hooked 

  RtlDecompressBuffer

   in the native 

  ntdll.dll

   of the WoW64 process, it wouldn’t be called on 

  ntdll32!RtlDecompressBuffer

   call. This is because the full implementaion of the 

  Rtl*

  functions is already in the 

  ntdll32.dll

  .

• We can “harmlessly” patch high-word moved to the 
  eax

   in every WoW64 system call stub to 0. For example we could see in 

  NtWaitForSingleObject

   there is 

  mov eax, 0D0004h

  . If we patched appropriate 2 bytes in that instruction so that the instruction would become 

  mov eax, 4h

  , the system call would still work.This approach can be used as an anti-hooking technique — if there’s a jump at the start of the function, the patch will break it. If there’s not a jump, we just disable the Turbo thunk for this function.

x86 on ARM64

Emulation of x86 applications on ARM64 is handled by an actual binary translation. Instead of 

, the 

 (probably shortcut for “x86 to ARM64 JIT”) is used for its emulation. As with other emulation DLLs, this DLL is native (ARM64).

The x86 emulation on Windows ARM64 consists also of other “XTA” components:

• xtac.exe

   — XTA Compiler

• XtaCache.exe

   — XTA Cache Service

Execution of x86 programs on ARM64 appears to go way behind just emulation. It is also capable of caching already binary-translated code, so that next execution of the same application should be faster. This cache is located in the 

 directory which contains files in format 

. These files are then mapped to the user-mode address space of the application. If you’re asking whether you can find an actual ARM64 code in these files — indeed, you can.

The whole “XTA” and its internals are not in the focus of this article, but they would definitely deserve a separate article.

Unfortunatelly, Microsoft doesn’t provide symbols to any of these 

 DLLs or executables. But if you’re feeling adventurous, you can find some interesting artifacts, like this array of structures inside of the 

, which contains name of the function and its pointer. There are thousands of items in this array:

With a simple Python script, we can mass-rename all functions referenced in this array:

I’d like to thank Milan Boháček for providing me this script.

Windows\SyCHPE32

 & 

Windows\SysWOW64

One thing you can observe on ARM64 is that it contains two folders used for x86 emulation. The difference between them is that 

 contains small subset of DLLs that are frequently used by applications, while contents of the 

 folder is quite identical with the content of this folder on Windows x64.

The 

 DLLs are not pure-x86 DLLs and not even pure-ARM64 DLLs. They are “compiled-hybrid-PE”s. What does it mean? Let’s see:

After opening 

, IDA will first tell us — unsurprisingly — that it cannot download PDB for this DLL. After looking at randomly chosen 

 function, we can see that it doesn’t differ from what we would see in the 

. Let’s look at some non-

 function:

We can see it contains regular x86 function prologue, immediately followed by x86 function epilogue and then jump somewhere, where it looks like that there’s just garbage.

My guess is that the reason for this prologue is probably compatibility with applications that check whether some particular functions are hooked or not — by checking if the first bytes of the function contain real prologue.

NOTE: Again, if you’re feeling adventurous, you can patch 

FileHeader.Machine

 field in the PE header to 

IMAGE_FILE_MACHINE_ARM64 (0xAA64)

 and open this file in IDA. You will see a whole lot of correctly resolved ARM64 functions. Again, I’d like to thank to Milan Boháček for this tip.

If your question is “how are these images generated?”, I would answer that I don’t know, but my bet would be on some internal version of Microsoft’s C++ compiler toolchain. This idea appears to be supported by various occurences of the 

CHPE

 keyword in the ChakraCore codebase.

ARM32 on ARM64

The loop inside of the 

 is fairly simple compared to 

 loop:

 does nothing else than saving the whole 

, performing 

instruction and then restoring the 

.

nt!KiEnter32BitMode

 / 

SVC 0xFFFF

I won’t be explaining here how system call dispatching works in the 

 — Bruce Dang already did an excellent job doing it. This section is a follow up on his article, though.

 instruction is sort-of equivalent of 

 instruction on ARM64 — it basically enters the kernel mode. But there is a small difference between 

 and 

: while on Windows x64 the system call number is moved into the 

 register, on ARM64 the system call number can be encoded directly into the 

 instruction.

Let’s peek for a moment into the kernel to see how is this 

 instruction handled:

• nt!KiUserExceptionHandler
  • nt!KiEnter32BitMode

We can see that:

• MRS X30, ELR_EL1

   — current interrupt-return address (stored in 

  ELR_EL1

   system register) will be moved to the register 

  X30

   (link register — 

  LR

  ).

• MSR ELR_EL1, X15

   — the interrupt-return address will be replaced by value in the register 

  X15

  (which is aliased to the instruction pointer register — 

  PC

   — in the 32-bit mode).

• ORR X16, X16, #0b10000

   — bit [4] is being set in 

  X16

   which is later moved to the 

  SPSR_EL1

  register. Setting this bit switches the execution mode to 32-bits.

Simply said, in the 

 register, there is an address that will be executed once we leave the kernel-mode and enter the user-mode — which happens with the 

 instruction at the end.

nt!KiExit32BitMode

 / 

UND #0xF8

Alright, we’re in the 32-bit ARM mode now, how exactly do we leave? Windows solves this transition via 

 instruction — which is similar to the 

 instruction on the Intel CPUs. If you’re not familiar with it, you just need to know that it is instruction that basically guarantees that it’ll throw “invalid instruction” exception which can OS kernel handle. It is defined-“undefined instruction”. Again there is the same difference between the 

 and 

 instruction in that the ARM can have any 1-byte immediate value encoded directly in the instruction.

Let’s look at the 

 system call in the 

:

Let’s peek into the kernel again:

• nt!KiUser32ExceptionHandler
  • nt!KiFetchOpcodeAndEmulate
    • nt!KiExit32BitMode

Keep in mind that meanwhile the 32-bit code is running, it cannot modify the value of the previously stored 

 register — it is not visible in 32-bit mode. It stays there the whole time. Upon 

 execution, following happens:

• the 
  KiFetchOpcodeAndEmulate

   function moves value of 

  X30

   into 

  X24

   register (not shown on the screenshot).

• AND X19, X16, #0xFFFFFFFFFFFFFFC0

   — bit [4] (among others) is being cleared in the 

  X19

  register, which is later moved to the 

  SPSR_EL1

   register. Clearing this bit switches the execution mode back to 64-bits.

• KiExit32BitMode

   then moves the value of 

  X24

   register into the 

  ELR_EL1

   register. That means when this function finishes its execution, the 

  ERET

   brings us back to the 64bit code, right after the 

  SVC 0xFFFF

   instruction.

NOTE: It can be noticed that Windows uses 

UND

 instruction for several purposes. Common example might also be 

UND #0xFE

 which is used as a breakpoint instruction (equivalent of 

__debugbreak()

 / 

int3

)

As you could spot, 3 kernel transitions are required for emulation of the system call (

, system call itself, 

). This is because on ARM there doesn’t exist a way how to switch between 32-bit and 64-bit mode only in user-mode.

If you’re looking for “ARM Heaven’s Gate” — this is it. Put whatever function address you like into the 

 register and execute 

. Next instruction will be executed in the 32-bit ARM mode, starting with that address. When you feel you’d like to come back into 64-bit mode, simply execute 

 and your execution will continue with the next instruction after the 

.

Appendix

References

How does one retrieve the 32-bit context of a Wow64 program from a 64-bit process on Windows Server 2003 x64?
http://www.nynaeve.net/?p=191

Mixing x86 with x64 code
http://blog.rewolf.pl/blog/?p=102

Windows 10 on ARM
https://channel9.msdn.com/Events/Build/2017/P4171

Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching
http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/

Closing “Heaven’s Gate”
http://www.alex-ionescu.com/?p=300