Analyzing CHPEV2 ARM64EC and ARM64X

Project Chameleon

About this project

CHPE stands for Compiled Hybrid PE, a PE file that contains both x86 (or x86_64) code and Arm64 code. These special PE files are distributed to reduce the amount of JIT binary translation performed by xtajit.dll (or xtajit64.dll). More detailed explanations are available on the Cylance Research Team's blog and in "WoW64 internals ...re-discovering Heaven's Gate on ARM."

These PE files were previously located only in %SystemRoot%\SysChpe32. However, since the introduction of the x64 emulation feature, many of the DLLs in %SystemRoot%\System32 have become a new type of CHPE called CHPEV2 ARM64EC and ARM64X.

This project collects the results of reverse engineering CHPEV2.

Contents

Why "Chameleon"?

The name comes from "VsDevCmd.bat", which has the "-chameleon" compile flag for building CHPEV2 ARM64EC files.

Figure: chameleon compile flag in VsDevCmd.bat

Author

Koh M. Nakagawa. © FFRI Security, Inc. 2021

License

Apache version 2.0