Skip to content

PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

License

Notifications You must be signed in to change notification settings

aaaddress1/wowInjector

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 

Repository files navigation

wowInjector

Inject payload to WOW64(Windows 32 on Windows 64) process via exploit 32-bit thread snapshot. This trick makes us possible to do malicious attacks and bypass Antivirus agents at the same time, e.g. Injection, Hollowing, Dropper, etc.

It's a proof-of-concept of the talk of HITB 2021. There are more details about reversing the whole WOW64 layer by Microsoft and abuse, see Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland.

Demo

About

PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published