Analysing Windows Malware on Apple Mac M1/M2 ( Windows 11 ARM ) - Part II
Testing advanced x86-64 malware evasion techniques on Windows 11 ARM
In the previous post, we explored the internals of WOW64 on Windows 11 ARM version. x86/x64 emulation internals on Windows 11 ARM
However, there are many intricacies in malware; i.e., they exploit and manipulate the runtime environment in a way that sometimes normal execution would be hampered or an emulated system would not work correctly.
So, in this blog post, we will test some of the common techniques used by malware which might cause some emulation issues and see what would be the success rate of it.
The tests that we will perform are
- Invoking SYSCALL instead of system API’s
- API hooking
- Process Injection
- Heaven’s Gate transition
Invoking SYSCALL instead of system API’s
Most of the kernel32.dll
API exports eventually land in ntdll.dll
where a syscall is made (most of them happen to be the Zw*
versions...