Programming

WoW64 (Windows 32-bit on Windows 64-bit) is a subsystem within Microsoft Windows that lets Windows run 32-bit programs on 64-bit hardware. One way to glean what processes are currently running in WoW64 mode is by querying NtQuerySystemInformation and checking whether IsWow64Process returns true or not. This returns a pointer to a value that is set to TRUE if the process is running under WOW64 on an Intel64, x64, or ARM64 processor. ...

Lately I’ve been poking around at Windows internals and writing low level code. This morning I thought I’d try to bypass Windows Defender and get a low score on Virus Total. One trick I’ve been playing with is writing shellcode to the Windows registry to keep things “fileless.” It’s not super fancy, but it’s kind of neat. I combined that with indirect syscalls and some cryptographic routines to get Windows Defender to chill out. ...