Windows Vista x64 is my first 64-bit operating system; before it I had never been interested in 32/64-bit compatibility. It started when I used Daniel Pistelli's tool "Explorer Suite", available at http://ntcore.com/download.php: I noticed that Windows Live Messenger, which is an x86 binary, is linked against just four DLLs:
You know, I'm a very curious person, so I decided to disassemble these DLLs. But when I opened C:\Windows\System32\ I didn't see any wow*.dll files except wow32.dll, which is a PE32 file. I didn't understand what was going on, so I asked a friend about it. He kindly pointed me to a post by Mark Russinovich on Windows 64-bit, which says:
However, I ran into a mechanism called folder redirection: when a 32-bit image accesses the \Windows\System32 directory the Wow64 subsystem redirects it to \Windows\Syswow64 (think about that for a second: 64-bit binaries are in System32 while 32-bit binaries are in Syswow64).
Ohh! Merci Mark! My issue was solved, but I wanted to know where the hell this redirection comes from. So I disassembled all the wow*.dll files and found the following functions in wow64.dll:
Wow64LdrpInitialize (where "%s\\syswow64\\ntdll.dll" is referenced)
For people who are unfamiliar with x64 assembly, please check this link: http://sandpile.org/aa64/reg.htm.
We can also see a debugging DLL called wow64log.dll, and some very interesting references to system paths and registry paths:
.text:0000000078C320D8 dq offset aSystem32_0 ; "\\system32"
.text:0000000078C320E8 dq offset aSyswow64 ; "\\SysWOW64"
.text:0000000078C320F8 dq offset aLastgoodSystem ; "\\lastgood\\system32"
.text:0000000078C32108 dq offset aLastgoodSyswow ; "\\lastgood\\SysWOW64"
.text:0000000078C32118 dq offset aRegedit_exe ; "\\regedit.exe"
.text:0000000078C32128 dq offset aSyswow64Regedi ; "\\SysWOW64\\regedit.exe"
.text:0000000078C32138 dq offset aKnowndlls ; "\\KnownDlls"
.text:0000000078C32148 dq offset aKnowndlls32 ; "\\KnownDlls32"
.text:0000000078C32158 dq offset aSysnative ; "\\sysnative"
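To make the redirection rule concrete, here is an added Python model of where a file access from a 32-bit process actually lands; it is an illustration written for this post, not code from wow64.dll, and the list of exempt System32 subdirectories is Microsoft's documented one, assumed here rather than read from the strings above.

```python
import ntpath

# Added model of the WoW64 file system redirection rules described above.
# This is an illustration written for this post, not code from wow64.dll:
# it reproduces the documented behaviour, not the DLL's internal logic.
WINDIR = r"C:\Windows"  # assumed install location

# System32 subdirectories the redirector leaves alone. This is Microsoft's
# documented exemption list (an assumption here; it is not visible in the
# disassembly above).
EXEMPT = ("catroot", "catroot2", "drivers\\etc", "logfiles", "spool")


def _join(prefix, *parts):
    return ntpath.join(prefix, *[p for p in parts if p])


def redirect_path(path, is_wow64, redirection_enabled=True):
    """Return the path a file access from this process actually lands on.

    is_wow64: True for a 32-bit process on 64-bit Windows.
    redirection_enabled: False models Wow64DisableWow64FsRedirection().
    """
    norm = ntpath.normpath(path)
    # Native 64-bit callers, and WoW64 callers that disabled the redirector,
    # get the path as written (the sysnative alias belongs to the redirector,
    # so it stops working too).
    if not is_wow64 or not redirection_enabled:
        return norm
    low = norm.lower()
    # The same rules apply under \Windows and under \Windows\lastgood
    # (cf. the "\\lastgood\\system32" / "\\lastgood\\SysWOW64" strings above).
    for base in (WINDIR.lower() + "\\", WINDIR.lower() + "\\lastgood\\"):
        if not low.startswith(base):
            continue
        prefix = norm[:len(base)]
        head, _, tail = norm[len(base):].partition("\\")
        head = head.lower()
        if head == "sysnative":  # escape hatch: always the real System32
            return _join(prefix, "System32", tail)
        if head == "system32":
            t = tail.lower()
            if any(t == e or t.startswith(e + "\\") for e in EXEMPT):
                return norm  # exempt subtree, no redirection
            return _join(prefix, "SysWOW64", tail)
        if head == "regedit.exe" and not tail:
            return _join(prefix, "SysWOW64", "regedit.exe")
    return norm
```

The practical consequence for anyone running a 32-bit collection or scanning tool on x64 Windows is the sysnative case: without it, every read of System32 silently returns the SysWOW64 copy.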
We also have a kind of user-land SSDT, in which the NtQueryDirectoryFile function is present.
.data:0000000078C66340 sdwhnt32JumpTable dq offset whNtMapUserPhysicalPagesScatter
.data:0000000078C66340 ; DATA XREF: .data:sdwhnt32
.data:0000000078C66348 dq offset whNtWaitForSingleObject
.data:0000000078C66350 dq offset whNtCallbackReturn
.data:0000000078C66358 dq offset whNtReadFile
.data:0000000078C664D0 dq offset whNtQueryDirectoryFile
I didn't really do a full analysis of the DLL. As you can see, it was more of an on-the-fly analysis, just to get a possible idea of the way WoW64 identifies the redirection scheme.