Detect WOW64 stub modification

Coder666 · Coder666 · commit 0fdfe7ade94e · 2021-03-30T17:47:05.000+01:00
diff --git a/HookDump.cpp b/HookDump.cpp
@@ -596,7 +596,7 @@ namespace zp
                         //check for inter-segment branch
                         if (instruction.meta.branch_type != ZYDIS_BRANCH_TYPE_FAR)
                         {
-                            printf("\n[-] WOW64 system call stub [WOW]\n");
+                            printf("[-] WOW64 system call stub [WOW]\n");
                             DumpInstruction(instruction, (UINT_PTR)pTeb->WOW32Reserved);
                             return TRUE;
                         }
diff --git a/README.md b/README.md
@@ -23,6 +23,10 @@ Please refer to the Zeroperil blog post for more information [https://zeroperil.
 
 A jump instruction has been patched into the function to redirect execution flow
 
+### WOW
+
+Detection of the WOW64 syscall stub being hooked, which allows filtering of all system calls
+
 ### EAT 
 
 The address in the export address table does not match the address in the export address table in the copy on disc
@@ -34,3 +38,4 @@ GetProcAddress hook, an experimental feature, this is only output in verbose mod
 ## Verification
 
 The only way to truly verify the correct working of the program is to check in a debugger if hooks are present.  If you are getting a zero hooks result and are expecting to see something different, then first verify this in a debugger and please get in touch.
+

Original file line number	Diff line number	Diff line change
`@@ -596,7 +596,7 @@ namespace zp`
`596`	`596`	`//check for inter-segment branch`
`597`	`597`	`if (instruction.meta.branch_type != ZYDIS_BRANCH_TYPE_FAR)`
`598`	`598`	`{`
`599`		`- printf("\n[-] WOW64 system call stub [WOW]\n");`
	`599`	`+ printf("[-] WOW64 system call stub [WOW]\n");`
`600`	`600`	`DumpInstruction(instruction, (UINT_PTR)pTeb->WOW32Reserved);`
`601`	`601`	`return TRUE;`
`602`	`602`	`}`