• WoW64 = Windows 32-bit on Windows 64-bit
  • Purpose: run 32-bit processes in a 64-bit environment.
  • 3 main DLLs:
    • wow64.dll
    • wow64cpu.dll
    • wow64win.dll
  • wow64.dll
    • The core interface to the Windows NT kernel
      • Translates (thunks) between 32-bit and 64-bit calls
      • Including pointer and call stack manipulations
  • wow64win.dll
    • Provides the appropriate entry-points for 32-bit applications
  • wow64cpu.dll
    • Switches the processor from 32-bit to 64-bit mode.
    • Used in x86-64 implementations of Windows only.

WOW64 architecture

WOW64-sandboxed processes (x86 processes running in x64 environment)

  • Introduced new APIs: IsWow64Process
    • Used by malware to identify if it’s running as a 32-bit process in an x64 environment, or in an x86 environment.
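
What the IsWow64Process check returns and how it is interpreted, as an added example that is not part of the original notes: the API reports FALSE both for a 32-bit process on 32-bit Windows and for a 64-bit process on 64-bit Windows, so the result has to be combined with the process's own pointer size. The helper names `classify` and `query_is_wow64` are assumptions made for this example; the Win32 calls are the documented kernel32 ones.

```python
import ctypes
import struct
import sys

POINTER_BITS = struct.calcsize("P") * 8  # 32 or 64 for this interpreter


def classify(pointer_bits, is_wow64):
    """Combine process bitness with the IsWow64Process result."""
    if pointer_bits == 64:
        # A 64-bit process is never under WoW64; the API reports FALSE.
        return "64-bit process on 64-bit Windows"
    if is_wow64:
        return "32-bit process under WoW64 on 64-bit Windows"
    return "32-bit process on 32-bit Windows"


def query_is_wow64():
    """Call IsWow64Process for the current process; None off Windows."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    # Declare prototypes so the HANDLE is not truncated in a 64-bit process.
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.IsWow64Process.argtypes = [wintypes.HANDLE,
                                        ctypes.POINTER(wintypes.BOOL)]
    kernel32.IsWow64Process.restype = wintypes.BOOL
    flag = wintypes.BOOL(0)
    if not kernel32.IsWow64Process(kernel32.GetCurrentProcess(),
                                   ctypes.byref(flag)):
        raise ctypes.WinError(ctypes.get_last_error())
    return bool(flag.value)


if __name__ == "__main__":
    result = query_is_wow64()
    if result is None:
        print("Not Windows: IsWow64Process is unavailable")
    else:
        print(classify(POINTER_BITS, result))
```

When triaging a sample, an import of or dynamic lookup for IsWow64Process followed by a branch on its output is the pattern this corresponds to.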