Bypassing Heaven’s Gate Technique Using Black-Box Testing

Abstract

In recent years, the number and sophistication of malware attacks on computer systems have increased significantly. One technique employed by malware authors to evade detection and analysis, known as Heaven’s Gate, enables 64-bit code to run within a 32-bit process. Heaven’s Gate exploits a feature in the operating system that allows the transition from a 32-bit mode to a 64-bit mode during execution, enabling the malware to evade detection by security software designed to monitor only 32-bit processes. Heaven’s Gate poses significant challenges for existing security tools, including dynamic binary instrumentation (DBI) tools, widely used for program analysis, unpacking, and de-virtualization. In this paper, we provide a comprehensive analysis of the Heaven’s Gate technique. We also propose a novel approach to bypass the Heaven’s Gate technique using black-box testing. Our experimental results show that the proposed approach effectively bypasses and prevents the Heaven’s Gate technique and strengthens the capabilities of DBI tools in combating advanced malware threats.