Portable Executable (PE) File – WOW64 processes

• WoW64 = Windows 32-bit on Windows 64-bit
• Purpose: Process of 32-bit in 64 bit-environment.
• 3 main DLLs:
  • wow64.dll
  • wow64cpu.dll
  • wow64win.dll
• Wow64.dll
  • The core interface to the Windows NT kernel
    • Translates (thunks) between 32-bit and 64-bit calls
    • Including pointer and call stack manipulations
• Wow64win.dll
  • Provides the appropriate entry-points for 32-bit applications
• Wow64cpu.dll
  • Switching the processor from 32-bit to 64-bit mode.
  • Used in x86-64 implementations of Windows only.

WOW64 architecture

WOW64-sandboxed processes (x86 processes running in x64 environment)

• Introduced new APIs: IsWow64Process
  • Used by malware to identify if it’s running as a 32-bit process in an x64 environment, or in an x86 environment.