{"id":3333,"date":"2015-10-26T14:30:09","date_gmt":"2015-10-26T14:30:09","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3333"},"modified":"2025-02-15T00:34:12","modified_gmt":"2025-02-15T00:34:12","slug":"heavens-gate-and-a-chameleon-code-x8664","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/10\/26\/heavens-gate-and-a-chameleon-code-x8664\/","title":{"rendered":"Heaven&#8217;s gate and a chameleon code (x86\/64)"},"content":{"rendered":"<p>A so-called <a href=\"http:\/\/changeprotocoltoh_t_t_p:\/\/spth.virii.lu\/v1\/articles\/HEAVEN.TXT\">heaven&#8217;s gate<\/a> is not only a built-in feature of 64-bit Windows, but also a neat reversing trick. It can be used (and is) by malware authors to temporarily switch code execution between 32-bit (WOW64) and 64-bit long mode. While operating in 64-bit long mode the CPU executes 64-bit instructions, and this can be used to do some funny stuff before returning to 32-bit code (f.ex. it can be used to detect a debugger).<\/p>\n<p>The trick is very old; many blogs describe how to mix 32- and 64-bit code execution while using it, and that is why it is only a part of the topic I am going to talk about today.<\/p>\n<p>A few years back I was looking at a sample that used the heaven&#8217;s gate trick, but apart from this, it also contained another trick &#8211; a chameleon code &#8211; a stream of bytes that could be executed as both 32- and 64-bit code, depending on the context. 
I found it to be quite cool and took a mental note of that malware family.<\/p>\n<p>I recently came across a different sample from the same malware family and since its analysis reminded me about that supercool trick, I thought it would be nice to write a post about it.<\/p>\n<p>The sample hash is E4AB5596CB8FBE932670A6A5420E7AB9 (note it is old, from 2013).<\/p>\n<p style=\"padding-left: 30px;\">Note: Mind you that before it reaches the heaven&#8217;s gate\/chameleon code it will try to stop you by using a couple of known and lesser-known anti-reversing tricks (there are a number of them, and they are quite creative; I won&#8217;t describe them in detail, so as not to spoil the fun in case you want to take a stab at the sample yourself).<\/p>\n<p>The 32-bit code right before jumping far to 64-bit code:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3334\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate1-300x185.png\" alt=\"heavensgate1\" width=\"300\" height=\"185\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate1-300x185.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate1-80x50.png 80w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate1.png 661w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>Immediately after the far jump we land in 64-bit code.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3335\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate2-300x208.png\" alt=\"heavensgate2\" width=\"300\" height=\"208\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate2-300x208.png 300w, 
https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate2.png 587w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>Note the offsets of the instructions on both screenshots.<\/p>\n<p>Btw. while I am not the biggest fan of windbg for day-to-day work, its ability to reverse such chameleon code &#8216;on the fly&#8217; comes in really handy.<\/p>\n<p>After some more jumps and calls the code eventually ends up in these 2 places (left 32-bit, right 64-bit &#8211; 2 different VMs):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3336\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate3-300x116.png\" alt=\"heavensgate3\" width=\"300\" height=\"116\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate3-300x116.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate3-1024x395.png 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate3.png 1054w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>We can compare the opcodes and their meanings side by side:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3337\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4-300x184.png\" alt=\"heavensgate4\" width=\"300\" height=\"184\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4-300x184.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4-1024x629.png 1024w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4-80x50.png 80w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/10\/heavensgate4.png 1137w\" sizes=\"(max-width: 300px) 100vw, 
300px\" \/><\/a>They both execute in their respective modes (32- and 64-bit).<\/p>\n<p>The inability to distinguish between code and data is a well-known fact. The ability to write a program that is identical at the binary level and executes flawlessly on two different architectures is a completely different animal.<\/p>\n<p>For what it&#8217;s worth &#8211; it was written in fasm.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A so-called heaven&#8217;s gate is not only a built-in feature of 64-bit Windows, but also a neat reversing trick. It can be used (and is) by malware authors to temporarily switch code execution between 32-bit (WOW64) and 64-bit &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/10\/26\/heavens-gate-and-a-chameleon-code-x8664\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,10,9,44],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3333"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3333"}],"version-history":[{"count":12,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3333\/revisions"}],"predecessor-version":[{"id":9869,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3333\/revisions\/9869"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3333"},{"taxonomy":"post_tag","emb
eddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}