Saturday, 30 November 2013

Detouring x64 System Call Stub: X86SwitchTo64BitMode

Hi,

It's been a while since I posted anything; anyway, now that I am here I am going to give a detour for X86SwitchTo64BitMode.

X86SwitchTo64BitMode is the deepest call before execution switches into 64-bit mode and into other DLLs that are inaccessible from 32-bit code. It can also be detoured fairly easily, unlike KiFastSystemCall: an ordinary JMP does the job, especially since we don't care about overwriting the instructions, because we never jump back to the original instruction.

The code is more or less straightforward for any Windows-savvy user.

Link: X86SwitchTo64BitMode.cpp

As said before, this code can easily be incorporated into a global detour; you may also find it suitable for your own projects, with credit to Code Empire.

Regards,
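The plain-JMP overwrite of X86SwitchTo64BitMode described above is also what a defender can look for. The following added example (not the post's linked code) classifies the first bytes of the switch stub and resolves where a detour lands; it assumes the Windows 7-era stub begins with a far jump to selector 0x33 and that TEB+0xC0 (WOW32Reserved) points at it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not the post's code.  Assumption: on the Windows 7-era
 * WoW64 the post targets, X86SwitchTo64BitMode starts with a direct far
 * jump "EA imm32 33 00" (jmp 0033:xxxxxxxx) into the 64-bit code segment.
 * Any other opcode at that address means the stub has been rewritten. */
enum stub_state {
    STUB_INTACT,        /* EA ... 33 00 : far jmp, selector 0x33            */
    STUB_NEAR_JMP,      /* E9 rel32     : the plain JMP detour in the post  */
    STUB_INDIRECT_JMP,  /* FF 25 abs32  : jmp dword ptr [addr]              */
    STUB_PUSH_RET,      /* 68 imm32 C3  : push addr / ret                   */
    STUB_UNKNOWN        /* anything else, or too few bytes                  */
};
enum stub_state classify_switch_stub(const uint8_t *code, size_t len)
{
    if (len >= 7 && code[0] == 0xEA && code[5] == 0x33 && code[6] == 0x00)
        return STUB_INTACT;
    if (len >= 5 && code[0] == 0xE9)
        return STUB_NEAR_JMP;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return STUB_INDIRECT_JMP;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return STUB_PUSH_RET;
    return STUB_UNKNOWN;
}
/* For a STUB_NEAR_JMP found at address `stub`, compute where the detour
 * lands so a monitor can report which module now owns the transition. */
uint32_t near_jmp_target(uint32_t stub, const uint8_t *code)
{
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);   /* little-endian rel32 operand      */
    return stub + 5 + (uint32_t)rel;      /* relative to the next instruction */
}
/* Constructed sample bytes, not captured from a real machine. */
const uint8_t sample_intact[7]   = { 0xEA, 0x00, 0x10, 0x00, 0x00, 0x33, 0x00 };
const uint8_t sample_detoured[5] = { 0xE9, 0x00, 0xFF, 0xFF, 0xFF }; /* rel32 = -0x100 */
const uint8_t sample_pushret[6]  = { 0x68, 0x00, 0x00, 0x40, 0x00, 0xC3 };
#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
/* Live check from inside a 32-bit process on x64 Windows: TEB+0xC0
 * (WOW32Reserved) holds the switch stub address (assumption, see above). */
enum stub_state check_live_switch_stub(void)
{
    const uint8_t *stub = (const uint8_t *)__readfsdword(0xC0);
    return classify_switch_stub(stub, 7);
}
#endif
```

A STUB_NEAR_JMP, STUB_INDIRECT_JMP or STUB_PUSH_RET result in a process you did not instrument yourself is worth logging together with the module that owns the resolved target.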

3 comments:

  1. Good one. But will this code work on a 64-bit operating system and also Windows 8?
    As we cannot build asm code for 64-bit, we need the native API to build the code.

    1. Hi Rajendra,

      You are correct, this will only work on 64-bit Windows OS; however, this is designed to detour x86 processes on x64 Windows, as x86 processes can be run on all x64 Windows PCs.

      That is the only reason I used x86 process detouring for x64 PCs.

      Anyway, as for not being able to build ASM code for x64, you could use opcodes and store them in an array, then do it; besides, x64 is a pretty different method of hooking. I am writing an article on x64-based hooking.

      Thanks!
