Monthly Archives: November 2006

Vista’s WoW Path Redirection

Windows Vista x64 is my first 64-bit operating system; before it I had never been interested in 32/64-bit compatibility. It started when I used Daniel Pistelli's tool called "Explorer Suite", which is available at the following link: . I noticed that Windows Live Messenger, which is an x86 binary, is linked against just four DLLs:


You know, I'm a very curious person, which is why I decided to disassemble these DLLs. But when I opened C:\Windows\System32\ I didn't see any wow*.dll files except a wow32.dll, which is a PE32 file. I didn't understand what was going on, so I asked a friend about this problem. He kindly pointed me to a Mark Russinovich post about Windows 64-bit where he says:
However, I ran into a mechanism called folder redirection: when a 32-bit image accesses the \Windows\System32 directory the Wow64 subsystem redirects it to \Windows\Syswow64 (think about that for a second: 64-bit binaries are in System32 while 32-bit binaries are in Syswow64).
Ohh! Thanks, Mark! My issue was solved, but I wanted to know where the hell this redirection comes from. So I disassembled all the wow*.dll files and found the following function in wow64.dll:

Wow64LdrpInitialize (where "%s\\syswow64\\ntdll.dll" is referenced)

For people who are unfamiliar with x64 assembly, please check this link:
Plus, we can see a debugging DLL called wow64log.dll and very interesting references to system paths and registry paths:

.text:0000000078C320D8 dq offset aSystem32_0 ; "\\system32"
.text:0000000078C320E8 dq offset aSyswow64 ; "\\SysWOW64"
.text:0000000078C320F8 dq offset aLastgoodSystem ; "\\lastgood\\system32"
.text:0000000078C32108 dq offset aLastgoodSyswow ; "\\lastgood\\SysWOW64"
.text:0000000078C32118 dq offset aRegedit_exe ; "\\regedit.exe"
.text:0000000078C32128 dq offset aSyswow64Regedi ; "\\SysWOW64\\regedit.exe"
.text:0000000078C32138 dq offset aKnowndlls ; "\\KnownDlls"
.text:0000000078C32148 dq offset aKnowndlls32 ; "\\KnownDlls32"
.text:0000000078C32158 dq offset aSysnative ; "\\sysnative"

We also have a kind of user-land SSDT, the sdwhnt32JumpTable, which maps each 32-bit system call number to a wh* thunk that translates the call for the 64-bit kernel; the whNtQueryDirectoryFile thunk is present in it.

.data:0000000078C66340 sdwhnt32JumpTable dq offset whNtMapUserPhysicalPagesScatter
.data:0000000078C66340 ; DATA XREF: .data:sdwhnt32
.data:0000000078C66348 dq offset whNtWaitForSingleObject
.data:0000000078C66350 dq offset whNtCallbackReturn
.data:0000000078C66358 dq offset whNtReadFile
.data:0000000078C664D0 dq offset whNtQueryDirectoryFile

I didn't really do a full analysis of the DLL. As you can see it was more an on-the-fly analysis, just to get a rough idea of the mechanism WoW64 uses to implement the redirection scheme.
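To see the redirection described above from the other side, here is an added example (not part of the original post, and not Microsoft code) meant to be run from a 32-bit PowerShell host on 64-bit Windows. It assumes PowerShell 3 or later on .NET 4 (for [Environment]::Is64BitProcess), reads the PE Machine field of ntdll.dll through three of the paths that appear in the wow64.dll string table (System32, SysWOW64 and the sysnative alias), and then escapes the redirection a second way with the documented kernel32 pair Wow64DisableWow64FsRedirection/Wow64RevertWow64FsRedirection. The Get-PeMachine helper and the Win32.Wow64 type name are this example's own.

```powershell
# Added example, not from the original post. Run under the 32-bit host:
#   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -File .\wow64-redirect.ps1
# Under the 64-bit host there is nothing to redirect, and the script says so.

# Read IMAGE_FILE_HEADER.Machine of a PE file so we can tell which ntdll.dll
# we really opened, regardless of the path we asked for.
function Get-PeMachine([string]$Path) {
    $fs = [IO.File]::OpenRead($Path)            # CreateFile underneath, so subject to redirection
    try {
        $br = New-Object IO.BinaryReader -ArgumentList $fs
        [void]$fs.Seek(0x3C, 'Begin')            # e_lfanew
        $peOffset = $br.ReadUInt32()
        [void]$fs.Seek($peOffset + 4, 'Begin')   # skip the "PE\0\0" signature
        $machine = $br.ReadUInt16()
    } finally { $fs.Dispose() }
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:X4}' -f $machine }
    }
}

$win = $env:SystemRoot
"Is64BitProcess         : $([Environment]::Is64BitProcess)"
"Is64BitOperatingSystem : $([Environment]::Is64BitOperatingSystem)"
"PROCESSOR_ARCHITEW6432 : $env:PROCESSOR_ARCHITEW6432"   # only set inside a WoW64 process

if ([Environment]::Is64BitProcess -or -not [Environment]::Is64BitOperatingSystem) {
    'Not a WoW64 process, so there is no redirection to show.'
    return
}

# 1. The redirection itself: asking for System32 from 32-bit code yields the
#    SysWOW64 copy. The sysnative alias is the escape hatch wow64.dll keeps in
#    its string table; it resolves to the real System32 for WoW64 processes only.
foreach ($sub in 'System32', 'SysWOW64', 'Sysnative') {
    $p = Join-Path $win "$sub\ntdll.dll"
    '{0,-20} -> {1}' -f "$sub\ntdll.dll", (Get-PeMachine $p)
}

# 2. The second escape hatch: switch redirection off for this thread only and
#    switch it back on in a finally block. Leaving it off breaks later
#    LoadLibrary calls on the same thread, because the 32-bit loader would
#    then find 64-bit DLLs under System32.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@
$k32 = Add-Type -MemberDefinition $sig -Name Wow64 -Namespace Win32 -PassThru

$old = [IntPtr]::Zero
if ($k32::Wow64DisableWow64FsRedirection([ref]$old)) {
    try {
        'With redirection disabled, System32\ntdll.dll -> ' + (Get-PeMachine "$win\System32\ntdll.dll")
    } finally {
        [void]$k32::Wow64RevertWow64FsRedirection($old)
    }
} else {
    'Wow64DisableWow64FsRedirection failed: Win32 error ' +
        [Runtime.InteropServices.Marshal]::GetLastWin32Error()
}
```

From the 32-bit host, System32\ntdll.dll and SysWOW64\ntdll.dll both report x86, while Sysnative\ntdll.dll and the read made with redirection disabled report x64. The practical caveat for anyone writing collection or response tooling is the first result: a 32-bit collector that walks System32 silently inventories the 32-bit copies, not the binaries the 64-bit system actually runs, unless it goes through sysnative or disables redirection for the duration of the read.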

I found Waldo!

There is a funny programmer @ Redmond who put a "Waldo" into the Windows Vista boot loader code :) The string "Hi There" is handed to SHA256Update with a length built from rax+8, which matches its 8 bytes. It is also the message of test case 1 in RFC 2202 and RFC 4231 (key = twenty 0x0b bytes, data = "Hi There"), so the likeliest explanation is that this is the boot loader's HMAC-SHA-256 known-answer self-test; the rep stosb just above is consistent with filling a buffer with a repeated byte, as that test vector's key requires.

.text:00000000004330D8 lea rdx, aHiThere
.text:00000000004330DF lea r8d, [rax+8]
.text:00000000004330E3 rep stosb
.text:00000000004330E5 lea rcx, [rsp+198h+var_128]
.text:00000000004330EA call SHA256Update
.text:00000000004330EF lea rdx, [rsp+198h+var_B8]

.data:00000000004605F8 aHiThere db ‘H’ ;
.data:00000000004605F9 db ‘i’
.data:00000000004605FA db ‘ ‘
.data:00000000004605FB db ‘T’
.data:00000000004605FC db ‘h’
.data:00000000004605FD db ‘e’
.data:00000000004605FE db ‘r’
.data:00000000004605FF db ‘e’

What have I won? :)

Blog is open!

I finally decided to set up my blog to keep global visitors updated on my work.

This blog will contain miscellaneous material I am more or less involved in, such as technical or general articles, public presentation slides, and some other things that only time will tell. And even fresh news from the TinyKRNL Project Team, where I've been enrolled as a Kernel Developer.

I will also provide a biographical introduction and résumé for people who would like to know more about me.