Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
;-----------------------------------------------------------------------------;
2
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
3
; Compatible: Windows 7, 2008, Vista, 2003, XP
4
; Architecture: wow64
5
; Version: 1.0 (Jan 2010)
6
; Size: 75 bytes
7
; Build: >build.py executex64
8
;-----------------------------------------------------------------------------;
9

10
; A simple function to execute native x64 code from a wow64 (x86) process. 
11
; Can be called from C using the following prototype:
12
;     typedef DWORD (WINAPI * EXECUTEX64)( X64FUNCTION pFunction, DWORD dwParameter );
13
; The native x64 function you specify must be in the following form (as well as being x64 code):
14
;     typedef BOOL (WINAPI * X64FUNCTION)( DWORD dwParameter );
15

16
; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
17
; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
18

19
[BITS 32]
20

21
WOW64_CODE_SEGMENT	EQU 0x23
22
X64_CODE_SEGMENT	EQU 0x33
23

24
start:
25
	push ebp 								; prologue, save EBP...
26
	mov ebp, esp							; and create a new stack frame
27
	push esi								; save the registers we shouldn't clobber
28
	push edi								;
29
	mov esi, [ebp+8]						; ESI = pFunction
30
	mov ecx, [ebp+12]						; ECX = dwParameter
31
	call delta								;
32
delta:
33
	pop eax									;
34
	add eax, (native_x64-delta)				; get the address of native_x64
35
	
36
	sub esp, 8								; alloc some space on stack for far jump
37
	mov edx, esp							; EDX will be pointer our far jump
38
	mov dword [edx+4], X64_CODE_SEGMENT		; set the native x64 code segment
39
	mov dword [edx], eax					; set the address we want to jump to (native_x64)
40
	
41
	call go_all_native						; perform the transition into native x64 and return here when done.
42
	
43
	mov ax, ds								; fixes an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
44
	mov ss, ax								; found and fixed by ReWolf, incorporated by RaMMicHaeL
45
	
46
	add esp, (8+4+8)						; remove the 8 bytes we allocated + the return address which was never popped off + the qword pushed from native_x64
47
	pop edi									; restore the clobbered registers
48
	pop esi									;
49
	pop ebp									; restore EBP
50
	retn (4*2)								; return to caller (cleaning up our two function params)
51
	
52
go_all_native:
53
	mov edi, [esp]							; EDI is the wow64 return address
54
	jmp dword far [edx]						; perform the far jump, which will return to the caller of go_all_native
55
	
56
native_x64:
57
[BITS 64]									; we are now executing native x64 code...
58
	xor rax, rax							; zero RAX
59
	push rdi								; save RDI (EDI being our wow64 return address)
60
	call rsi								; call our native x64 function (the param for our native x64 function is allready in RCX)
61
	pop rdi									; restore RDI (EDI being our wow64 return address)
62
	push rax								; simply push it to alloc some space
63
	mov dword [rsp+4], WOW64_CODE_SEGMENT	; set the wow64 code segment 
64
	mov dword [rsp], edi					; set the address we want to jump to (the return address from the go_all_native call)
65
	jmp dword far [rsp]						; perform the far jump back to the wow64 caller...
66

67