What is Heaven's Gate and how does it enable red team trade-craft?
Learn what the Heaven's Gate technique for covertly executing syscalls is, and how it is used in red team trade-craft.
Let’s talk about spies today.
Most spies live a double life. By day, they work as a regular office employee (or maybe as some other professional), carefully monitored by security cameras and supervisors. They are restricted to using only their normal skills—typing reports, making phone calls, and attending meetings. But what if they had a means through which they could use their full espionage abilities without leaving their desk?
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
From the perspective of security, they never leave their desk; the cameras only see them perform their mundane office tasks. But in reality, they are slipping into the shadows, operating undetected, and leveraging their true capabilities without raising suspicion.
This is exactly how Heaven’s Gate technique works. A 32-bit process is like the spy at their desk, watched by security tools that only see its restricted activities. But by leveraging a hidden transition to 64-bit mode, it can execute powerful operations undetected—just like the spy carrying out secret missions while maintaining their disguise.
Modern Windows operating systems support both 32-bit and 64-bit applications. On 64-bit Windows, 32-bit processes run in a special emulation layer called WOW64 (Windows-on-Windows 64-bit). This layer allows 32-bit applications to function on a 64-bit OS, but it introduces restrictions such as limited access to 64-bit system calls, and it is where security products typically place their monitoring of a 32-bit process. Those products often overlook or struggle to track transitions into native 64-bit execution.
For red team operators, this means that security tools closely watch 32-bit processes running in WOW64 mode but may miss what happens when those processes secretly switch to executing 64-bit code. This is where Heaven’s Gate comes in.
The Heaven’s Gate technique allows a 32-bit process running under WOW64 to escape into the 64-bit execution environment, bypassing security monitoring. It works by manually switching the processor’s code execution mode from 32-bit to 64-bit. Here’s how:
1. Manipulating Segment Selectors - In the x86 architecture, the CPU uses segment selectors to determine whether code runs in 32-bit or 64-bit mode. Heaven's Gate leverages the CS (Code Segment) register, which controls the execution mode. By loading a 64-bit segment selector into CS, the process forces the CPU to switch to 64-bit execution.
2. Using Far Jumps or Calls - A far jump (jmp far) or far call (call far) instruction can change the execution mode by specifying a 64-bit code segment. This jump into a 64-bit section of memory allows the process to execute 64-bit shellcode or system calls directly.
3. Executing 64-bit System Calls - Once in 64-bit mode, the process can issue system calls (syscall) directly instead of going through WOW64's translation layer. This allows stealthy interactions with the Windows kernel, as many security tools only monitor 32-bit system call transitions via the Nt* API functions.
4. Returning to 32-bit Mode - After executing the desired 64-bit code, the process can return to 32-bit mode using another far jump. This helps it blend back into normal execution, avoiding detection.
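A defender-side heuristic, added here as an example and not code from the original post or from Nicolaou's PoC: scan the executable memory of a 32-bit process (here a constructed byte buffer) for the far jump, far call and push/retf sequences that load the 64-bit code segment selector described above. The selector value 0x33 is the well-known WOW64 64-bit CS selector and the sample bytes are constructed; both are assumptions, not taken from the post.

```python
import re
from dataclasses import dataclass

# WOW64 code segment selectors on x64 Windows: 0x23 for 32-bit code, 0x33 for 64-bit
# code. Well-known values, but assumed here rather than taken from the post.
X64_CS_SELECTOR = 0x33

# Absolute far jmp (EA) / far call (9A) with a 32-bit offset and 16-bit selector,
# i.e. the "jmp far 0x33:addr" form; the selector is little-endian after the offset.
_FAR_BRANCH = re.compile(
    rb"(?P<op>[\xEA\x9A])(?P<addr>.{4})" + bytes([X64_CS_SELECTOR, 0x00]), re.DOTALL
)
# "push 0x33 ; ... ; retf" variant: RETF pops the pushed selector into CS.
_PUSH_RETF = re.compile(rb"\x6A" + bytes([X64_CS_SELECTOR]) + rb".{0,16}?\xCB", re.DOTALL)


@dataclass
class Finding:
    offset: int
    kind: str
    detail: str


def scan_for_heavens_gate(buf: bytes) -> list[Finding]:
    """Return every candidate transition to the 64-bit code segment, ordered by offset."""
    findings = []
    for m in _FAR_BRANCH.finditer(buf):
        kind = "far-jmp" if m.group("op") == b"\xEA" else "far-call"
        addr = int.from_bytes(m.group("addr"), "little")
        findings.append(Finding(m.start(), kind, f"0x{X64_CS_SELECTOR:02X}:0x{addr:08X}"))
    for m in _PUSH_RETF.finditer(buf):
        findings.append(Finding(m.start(), "push-retf", f"retf at +{m.end() - 1 - m.start()}"))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample (not real process memory): NOP filler around one of each gate form,
# plus two look-alikes that must not alert.
SAMPLE = (
    b"\x90" * 8
    + b"\xEA\x00\x10\x40\x00\x33\x00"                      # jmp far 0x33:0x00401000
    + b"\x90" * 4
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"  # push 0x33; call $+5; add [esp],5; retf
    + b"\x90" * 4
    + b"\xEA\x00\x20\x40\x00\x23\x00"                      # jmp far 0x23:... (32-bit selector, no alert)
    + b"\x6A\x33" + b"\x90" * 20                           # push 0x33 with no retf nearby, no alert
)

if __name__ == "__main__":
    for f in scan_for_heavens_gate(SAMPLE):
        print(f"offset {f.offset:#06x}: {f.kind} {f.detail}")
```

In practice the buffer would come from the process's executable regions, and a hit in a WOW64 process that does not ship its own mode-switch stub is worth a closer look.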
While the Heaven's Gate technique offers a way for 32-bit processes to covertly execute 64-bit code, several challenges arise during its implementation:
1. Stack Alignment for 64-bit Mode - Transitioning from 32-bit to 64-bit mode requires proper stack alignment to ensure the CPU processes instructions correctly. Misaligned stacks can lead to crashes or unpredictable behavior. This can be solved by adjusting the stack pointer so that it meets the alignment requirements of the 64-bit architecture.
2. Accessing 64-bit NTDLL Functions - In 64-bit mode, the process must interact with the 64-bit version of ntdll.dll to perform system calls. Identifying the correct addresses of these functions is crucial, as incorrect references can cause failures. This can be solved by utilizing the 64-bit version of ntdll.dll already loaded in the process's memory space. By parsing its headers and locating the export table, the process can dynamically resolve the addresses of the necessary functions.
3. Loading 64-bit Libraries - Executing 64-bit code necessitates loading 64-bit libraries like kernel32.dll and user32.dll. However, the operating system imposes constraints and protections that can hinder this process, making it challenging to load and initialize these libraries within the 64-bit context of a WOW64 application. This can be solved by implementing a custom loader within the 64-bit execution context to manually map and initialize kernel32.dll and user32.dll.
If you want to dive deep into the details of how Heaven’s Gate technique works, read Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching by George Nicolaou. George has also published a PoC for this technique.
While this technique no longer works on the latest Windows 10 systems due to Control Flow Guard (CFG), Red Canary has published an article describing how they were able to adapt this technique for Linux systems.
Red Team Notes
The Heaven’s Gate technique allows a 32-bit process running under WOW64 to execute 64-bit code by switching to x64 mode using a far jump or call. This bypasses WOW64 hooks and security monitoring that focus on 32-bit execution. Once in 64-bit mode, the process can directly invoke syscalls and interact with the system stealthily.
Heaven's Gate is a really interesting technique; this was a great description. I was never really able to figure it out from previous articles.