drakvuf icon indicating copy to clipboard operation
drakvuf copied to clipboard

Published 20 hours ago verified publisher icon tklengyel

apimon for WoW64 turbo thunk

Open skvl opened this issue 4 years ago • 3 comments

With dll-hooks-list.txt like this:

SysWOW64\ntdll.dll,NtGetContextThread,log,handle,pcontext
SysWOW64\ntdll.dll,NtSetContextThread,log,handle,pcontext
SysWOW64\kernel32.dll,GetThreadContext,log,handle,pcontext
SysWOW64\kernel32.dll,SetThreadContext,log,handle,pcontext

, I get the trace like this:

apimon Time=1591272472.445971,PID=196,PPID=1252,TID=2652,ProcessName="\Device\HarddiskVolume2\Users\John\Desktop\share\myapp.exe",Method=GetThreadContext,CalledFrom=0x1391FF8,ReturnValue=0x1,Arg0=0x40,Arg1=0x2bf8a0
...
apimon Time=1591272472.447604,PID=196,PPID=1252,TID=2652,ProcessName="\Device\HarddiskVolume2\Users\John\Desktop\share\myapp.exe",Method=SetThreadContext,CalledFrom=0x139213B,ReturnValue=0x1,Arg0=0x40,Arg1=0x2bf8a0

In the article WoW64 Internals one could read:

Turbo thunks are an optimalization of WoW64 subsystem - specifically on Windows x64 -
that enables for particular system calls to never leave the wow64cpu.dll - the conversion
of parameters and return value, and the syscall instruction itself is fully performed there.
The set of functions that use these turbo thunks reveals, that they are usually very simple
in terms of parameter conversion - they receive numerical values or handles.

Late in examples:

* NtMapViewOfSection uses turbo thunk with index 0 (TurboDispatchJumpAddressEnd)
* NtWaitForSingleObject uses turbo thunk with index 13 (Thunk3ArgSpNSpNSpReloadState)
* NtDeviceIoControlFile uses turbo thunk with index 27 (DeviceIoctlFile)

So apimon fails to catch such functions.

@tklengyel @icedevml what you think?

skvl avatar Jul 14 '20 13:07 skvl

Theoretically it is possible to disable turbo thunks.

E.g. one could catch SysWOW64\ntdll.dll!NtWow64CallFunction64 and zero bits with turbo thunk index. Or it is possible to inject something like this:

#define WOW64_TURBO_THUNK_DISABLE 0
#define WOW64_TURBO_THUNK_ENABLE  1   // STATUS_NOT_SUPPORTED :(

    ThunkInput = WOW64_TURBO_THUNK_DISABLE;
    Status = NtWow64CallFunction64(Wow64FunctionTurboThunkControl,
                                   0,
                                   sizeof(ThunkInput),
                                   &ThunkInput,
                                   0,
                                   NULL,
                                   NULL);

skvl avatar Jul 14 '20 13:07 skvl

tbh I was completely not aware of that, I will try to investigate within next few days

icedevml avatar Jul 19 '20 23:07 icedevml

@icedevml thank you very much!

skvl avatar Jul 20 '20 12:07 skvl