Discovering a new relocation entry of ARM64X in recent Windows 10 on Arm

Submitted by Style Pass, 2021-07-13 19:30:04

Last December, Microsoft announced x64 emulation for Windows 10 on Arm. This is excellent news for Windows 10 on Arm users, because some applications are distributed only as 64-bit x64 binaries; with this feature they can now run those x64 apps.

This news is exciting for me because I am curious about the emulation technologies in Windows. Last year, at Black Hat EU 2020, I presented a new code injection technique for Windows 10 on Arm. During that research, I analyzed the binaries that implement x86 emulation (xtajit.dll and xtac.exe), investigated how the emulation works, and looked at some of the techniques used to speed up x86 emulation (binary translation cache files and CHPE *). So it was natural for me to examine the internals of the x64 emulation as well.

Digging into the x64 emulation, I discovered a new type of CHPE called CHPEV2 ARM64X. This CHPE has an intriguing property: it can be used by both x64-emulated processes and native Arm64 processes. Typically, the machine type recorded in a DLL's PE header must match the architecture of the process loading it; if they do not match, the DLL will not load correctly. Yet a CHPEV2 ARM64X DLL can be loaded by both x64-emulated processes and native Arm64 processes! What makes this possible?
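To make the "machine type must match the process" rule concrete, here is an added example (not code from the original post) that reads the COFF `Machine` field of a PE image the way a loader would, and decides whether a plain loader for a given process architecture would accept it. The `IMAGE_FILE_MACHINE_*` values come from the PE/COFF specification; the mapping from process architecture to accepted machine value, and the minimal image builder used as constructed sample input, are assumptions of this example.

```python
"""Read the COFF Machine field of a PE image and check it against a process architecture.

Added example for this post; constants are from the PE/COFF specification,
the rest is illustrative and not part of Windows or the original article.
"""
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "I386",
    0x01C4: "ARMNT",
    0x8664: "AMD64",
    0xAA64: "ARM64",
}

# Assumption for this example: the single COFF machine value a plain loader
# accepts for a DLL loaded into a process of each architecture (an x64-emulated
# process on Arm64 presents itself as an AMD64 process).
PROCESS_MACHINE = {
    "x86": 0x014C,
    "x64": 0x8664,
    "arm64": 0xAA64,
}


def pe_machine(image: bytes) -> int:
    """Return the COFF Machine field, validating the MZ and PE\\0\\0 signatures first."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(image):                        # signature + 20-byte COFF header
        raise ValueError("e_lfanew points past end of image")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature at e_lfanew")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return machine


def machine_name(machine: int) -> str:
    """Human-readable name for a machine value, or the raw hex if unknown."""
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def loader_accepts(image: bytes, process_arch: str) -> bool:
    """True when a plain loader for process_arch would accept this DLL's machine type."""
    return pe_machine(image) == PROCESS_MACHINE[process_arch]


def build_minimal_image(machine: int) -> bytes:
    """Constructed sample input: a DOS header with e_lfanew followed by a COFF header.

    Only the fields pe_machine() reads are meaningful; this is not a loadable image.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Usage: python pe_machine.py some.dll  (falls back to a constructed ARM64 sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_image(0xAA64)
    m = pe_machine(data)
    print(f"Machine = 0x{m:04x} ({machine_name(m)})")
    for arch in PROCESS_MACHINE:
        print(f"  loads in {arch:>5} process: {loader_accepts(data, arch)}")
```

Run against a DLL from a native Arm64 process and an x64-emulated process, the check yields opposite answers for an ordinary AMD64 or ARM64 image, which is exactly the behaviour the ARM64X case breaks.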
