Redirection for 32-bit programs running on 64-bit systems

0x00 Preface

I recently read the MWR Labs article "Persistence Architecture Matters". It happened to explain a problem I had run into before, and it clarified the details that need attention when file and registry redirection are involved.

We will inevitably encounter this in the course of learning, so let's share it here.

Link to "Persistence Architecture Matters":
https://labs.mwrinfosecurity.com/blog/persistence-architecture-matters/

0x01 The registry value that disappears

OS: win8x64
Development Environment: vs2008

1. Write a program that writes to the registry

The Code is as follows:

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        /* In a Win32 (32-bit) build on x64 this path is redirected by WOW64 */
        LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
        HKEY hKey;
        DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
        LONG lRet = ::RegCreateKeyExA(HKEY_LOCAL_MACHINE, lpSubKey, 0, NULL,
                                      REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS,
                                      NULL, &hKey, &dwDisposition);
        if (ERROR_SUCCESS != lRet)
        {
            printf("RegCreateKeyEx error!\n");
            return 0;
        }

        /* The full path of this executable becomes the value data */
        char szModuleName[MAX_PATH] = { 0 };
        ::GetModuleFileNameA(NULL, szModuleName, MAX_PATH);

        lRet = ::RegSetValueExA(hKey, "test", 0, REG_SZ, (const BYTE*)szModuleName,
                                (DWORD)(strlen(szModuleName) + 1));
        if (ERROR_SUCCESS != lRet)
            printf("RegSetValueEx error!\n");
        else
            printf("[+] RegSetValueEx Success!\n");

        ::RegCloseKey(hKey);
        return 0;
    }

The compilation platform is set to Win32.

After running it as administrator, the program writes the value test under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

2. Retrieve the written value

Write a batch file to check the result of the write.

The batch processing content is as follows:

    REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test" >>result.txt

Run the batch file directly on the local machine (right-click it and run it).

However, after the batch file has run, the value that was written does not appear in the output.

0x02 The file that disappears

1. Write a program that writes a file

The Code is as follows:

    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        const char *temp = "test";
        FILE *fp;
        /* In a Win32 build on x64 this path is redirected to c:\windows\SysWOW64\ */
        fp = fopen("c:\\windows\\system32\\test.txt", "a+");
        if (fp == NULL)
            return 1;
        fwrite(temp, strlen(temp), 1, fp);
        printf("[+] Write Success!\n");
        fclose(fp);
        return 0;
    }

The compilation platform is set to Win32.

After running it as administrator, the program writes the file test.txt to c:\windows\system32\.

2. Retrieve the written file

The batch processing content is as follows:

    dir c:\windows\system32\test.txt >>result.txt

Run the batch file directly on the local machine (right-click it and run it).

Likewise, the batch file cannot find the file that was written.

0x03 Cause Analysis

1. Redirection

Since Windows XP, 64-bit Windows has included two mechanisms, file system redirection and registry redirection, which separate 32-bit programs from 64-bit programs on a 64-bit system. The emulation layer that runs 32-bit programs on a 64-bit platform is called WOW64, short for "Windows 32 on Windows 64".

2. Registry redirection

On x64 systems, certain registry keys are split into two independent parts.

(1) Some registry operations of 32-bit programs are redirected.

For example, access to HKLM\Software is redirected by WOW64 to HKLM\Software\Wow6432Node.

For details of which registry locations are redirected, refer to the following link:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa384253(v=vs.85).aspx

(2) Registry operations of 64-bit programs are not redirected.

(3) Supplement

The registry information of 32-bit programs is stored under HKLM\Software\Wow6432Node.

If a startup item under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run loads a DLL through rundll32, the system runs the 32-bit rundll32.exe (path: C:\WINDOWS\syswow64\rundll32.exe) to load it, so the DLL must be 32-bit (a 64-bit DLL will fail to load).

Conversely, a startup item under HKLM\Software\Microsoft\Windows\CurrentVersion\Run is run by the 64-bit rundll32.exe, which loads a 64-bit DLL.

3. File redirection

Similarly, the file system is split into two separate parts.

(1) Operations of 32-bit programs on %systemroot%\system32 are redirected.

Such accesses by 32-bit programs are redirected to %systemroot%\SysWOW64.

(2) File operations of 64-bit programs are not redirected.

(3) Supplement

%SystemRoot%\SysWOW64 contains the 32-bit programs, including the 32-bit cmd.exe and calc.exe.

Based on the above analysis, the following methods for handling the registry value and the file can be worked out:

0x04 Retrieving the registry value

Analysis:

The registry write of the 32-bit program is redirected to HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.

By default, a batch file run locally is executed by the 64-bit cmd.exe, which is not redirected, so it queries HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Solution:

1. Change the API parameters to skip redirection, so that the 32-bit program accesses the 64-bit registry

When calling RegCreateKeyEx to create the registry key, add the KEY_WOW64_64KEY flag to the sixth parameter, REGSAM samDesired.

That is, change KEY_ALL_ACCESS to KEY_ALL_ACCESS | KEY_WOW64_64KEY.

In this way the redirection is skipped and the final write location is HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

The modified code is as follows:

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
        HKEY hKey;
        DWORD dwDisposition = REG_OPENED_EXISTING_KEY;
        /* KEY_WOW64_64KEY asks for the 64-bit view explicitly, so WOW64 does not
           redirect this 32-bit process to Wow6432Node */
        LONG lRet = ::RegCreateKeyExA(HKEY_LOCAL_MACHINE, lpSubKey, 0, NULL,
                                      REG_OPTION_NON_VOLATILE,
                                      KEY_ALL_ACCESS | KEY_WOW64_64KEY,
                                      NULL, &hKey, &dwDisposition);
        if (ERROR_SUCCESS != lRet)
        {
            printf("RegCreateKeyEx error!\n");
            return 0;
        }

        char szModuleName[MAX_PATH] = { 0 };
        ::GetModuleFileNameA(NULL, szModuleName, MAX_PATH);

        lRet = ::RegSetValueExA(hKey, "test", 0, REG_SZ, (const BYTE*)szModuleName,
                                (DWORD)(strlen(szModuleName) + 1));
        if (ERROR_SUCCESS != lRet)
            printf("RegSetValueEx error!\n");
        else
            printf("[+] RegSetValueEx Success!\n");

        ::RegCloseKey(hKey);
        return 0;
    }

Run the batch file again:

    REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test" >>result.txt

The value is obtained successfully.

Note:
Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection can also be used in combination to disable and re-enable redirection around an operation, so that it lands in the 64-bit location. (These two APIs act on file system redirection; for the registry, the view is selected with the KEY_WOW64_64KEY flag.)
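The same idea of choosing the registry view explicitly, instead of letting WOW64 choose it, is available from PowerShell through .NET's RegistryView, which is what you need when checking a Run key from whichever PowerShell bitness you happen to be in. The script below is an added example and is not code from the original article or from the MWR Labs post; the function name Get-RunValueBothViews is my own, and the default value name test matches the value written by the test program above.

```powershell
# Added example (not from the original article). Reads one value of the Run
# key through both registry views, regardless of the bitness of the calling
# PowerShell process. RegistryView.Registry64 / Registry32 are the .NET
# counterparts of KEY_WOW64_64KEY / KEY_WOW64_32KEY.
function Get-RunValueBothViews {
    param(
        [string]$ValueName = 'test',   # value name used by the article's test program
        [string]$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($viewName in 'Registry64', 'Registry32') {
        $view = [Microsoft.Win32.RegistryView]$viewName
        # Physical location of this view as it appears in the 64-bit registry
        $physical = if ($viewName -eq 'Registry32') {
            'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        } else {
            'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
        }
        $base = $null
        $key  = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
            $key  = $base.OpenSubKey($SubKey)          # read-only handle is enough
            $data = $null
            if ($key) { $data = $key.GetValue($ValueName) }
            [pscustomobject]@{
                View     = $viewName
                Physical = $physical
                Present  = ($null -ne $data)
                Data     = $data
            }
        }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

# Show which process is asking, then both views side by side.
"64-bit process: $([Environment]::Is64BitProcess)  PSHOME: $PSHOME"
Get-RunValueBothViews | Format-Table -AutoSize
```

Run it from the 32-bit PowerShell (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) and from the 64-bit one: the two rows come out the same either way, because the view is chosen by the caller rather than by WOW64. A value that the 32-bit test program wrote without KEY_WOW64_64KEY shows up only in the Registry32 row.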

2. Change the batch file to query the redirected registry key (to verify the conclusion)

If the original program is left unmodified, it writes by default to HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.

Change the batch file to query the key after redirection:

    REG query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "test"

Run it locally (right-click it) and the value is obtained.

Note:
In practice you rarely get to run a batch file locally by right-clicking it, so this method is only useful for verification.
Usually the batch file is launched by the 32-bit program, and then it has the same redirection problem.

0x05 Retrieving the file

Analysis:

Similarly, a write by a 32-bit program to c:\windows\system32\ is redirected to c:\windows\SysWOW64\.

For a 32-bit program, the real c:\windows\system32\ is reachable through the alias c:\windows\Sysnative\.

1. Change the batch file

The file actually created by the 32-bit program is c:\windows\syswow64\test.txt.

Therefore the batch file becomes:

    dir C:\Windows\SysWOW64\test.txt >>result.txt

2. Supplement

(1) A problem encountered earlier:

This problem came up while testing the Security Support Provider technique:
http://drops.wooyun.org/tips/12518

A 32-bit program was used to upload mimikatz.dll to c:\windows\system32\ on the domain controller (Server 2008 x64).

Because of redirection, mimikatz.dll actually landed in c:\windows\syswow64\, so the test failed.

Solution:

  1. Change the copy destination to c:\windows\sysnative.
  2. Do the copy from a batch file instead, so that it is not redirected.

(2) A simple way to test the difference between 32-bit and 64-bit programs:

32-bit cmd:

    C:\Windows\SysWOW64\cmd.exe

64-bit cmd:

    c:\windows\system32\cmd.exe

Write to the registry and to the file system from each of them; the redirection behaviour is then obvious.

Write to the registry:

    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test"

Query the registry:

    REG query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "test"
    REG query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "test"

Write a file:

    copy test.txt c:\windows\system32\test.txt

Look for the file:

    dir c:\windows\system32\test.txt
    dir C:\Windows\SysWOW64\test.txt
    dir C:\Windows\Sysnative\test.txt

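The file-side counterpart of the two-cmd.exe test above, as an added example that is not the article's code: the function Resolve-SystemFile (my own name) reports where a file named relative to System32 really is, taking the bitness of the current PowerShell process into account and adding the Sysnative alias only when running as a 32-bit process on 64-bit Windows, since that alias does not exist for 64-bit processes.

```powershell
# Added example (not from the original article). Locates a System32-relative
# file across the locations WOW64 can map it to, from either PowerShell bitness.
function Resolve-SystemFile {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'test.txt'

    $win   = $env:SystemRoot
    # True only for a 32-bit process on 64-bit Windows, i.e. running under WOW64
    $wow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess

    # Candidate locations. From a 32-bit process, "System32" is silently mapped
    # to SysWOW64, and only the Sysnative alias reaches the real System32.
    $candidates = @(
        @{ Label = 'System32 as this process sees it'; Path = Join-Path "$win\System32" $Name }
        @{ Label = 'SysWOW64 (32-bit files)';          Path = Join-Path "$win\SysWOW64" $Name }
    )
    if ($wow64) {
        $candidates += @{ Label = 'Real System32 via Sysnative'; Path = Join-Path "$win\Sysnative" $Name }
    }

    foreach ($c in $candidates) {
        [pscustomobject]@{
            Location = $c.Label
            Path     = $c.Path
            Exists   = Test-Path -LiteralPath $c.Path -PathType Leaf
        }
    }
}

"64-bit OS: $([Environment]::Is64BitOperatingSystem)  64-bit process: $([Environment]::Is64BitProcess)  PSHOME: $PSHOME"
Resolve-SystemFile -Name 'test.txt' | Format-Table -AutoSize
```

Run it once from %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe and once from %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. The "System32 as this process sees it" row resolves to a different physical directory in each case, and the Sysnative row appears only in the 32-bit run, which is the same observation the article makes with the two copies of cmd.exe.
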
0x06 Summary

When a 32-bit program runs on a 64-bit system, any registry or file operations it performs must take the redirection details into account.

Registry operations:

Accessing HKLM\Software\ actually reaches HKLM\Software\Wow6432Node\.

File operations:

Accessing c:\windows\Sysnative\ actually reaches c:\windows\system32\.
Accessing c:\windows\system32\ actually reaches c:\windows\SysWOW64\.

The two diagrams in the MWR Labs article help to understand these details.

Thanks to MWR Labs for sharing; the article solved my problem and gave me a clearer understanding.

Further reading:

  • https://msdn.microsoft.com/en-us/library/windows/desktop/aa384232(v=vs.85).aspx
  • https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

This article is original and was first published on WooYun Drops.

http://drops.wooyun.org/tips/14831

