
I find Heaven's Gate very interesting. Though I can manually enter 64-bit mode by switching the value of CS to 0x33, it's hard to do any IO -- I can only do simple arithmetic operations.

I know I can access the 64-bit PEB structure by R12 and then obtain a pointer to the module of 64-bit ntdll.dll and thus invoke its functions, such as LdrGetProcedureAddress and LdrLoadDll. But my program crashes on loading the 64-bit kernel32.dll, and it creates an extra console.

Does that mean I can only do normal IO operations back in the WOW64 mode?

Harry马

  • What are you actually trying to do here? – David Heffernan Apr 25 '22 at 08:53
  • Actually, I want to integrate the 32-bit and 64-bit versions of the same application in one process, so that it can take full advantage of the CPU. Is it possible? – Harry马 Apr 25 '22 at 10:38
  • However, I can't call any win api other than those in *ntdll.dll* after entering 64-bit mode. – Harry马 Apr 25 '22 at 10:39
  • "Is it possible?" No. – David Heffernan Apr 25 '22 at 11:05
  • You are already in undocumented land, why not just use IO functions in ntdll? – Anders Apr 25 '22 at 17:45
  • Yeah, it may be the right way, but I'm unwilling to write my own CreateWindow, WriteFile... I mean, since the 64-bit dlls are always there, do we have any way to make use of them? Or must we write our own winapis (maybe just copying the source code of ReactOS), which seems to be a great waste? – Harry马 Apr 25 '22 at 23:28
  • Why don't you target a 64-bit platform if you wish to take advantage of the 64-bit platform? If all you really need is to deploy a single binary, then link your 64-bit executable as a binary resource into your 32-bit program, and have the startup code determine whether it should unpack and launch the 64-bit version instead. See [this Q&A](https://stackoverflow.com/q/38759982) for more information. – IInspectable Apr 26 '22 at 09:15
  • Yeah, this is a more feasible solution. Thank you all – Harry马 Apr 26 '22 at 10:31
  • Packing extra binaries into a 32-bit binary isn't ideal though. Antivirus software finds that suspicious. An install program would usually be better. – David Heffernan Apr 26 '22 at 13:16

0 Answers