Microsoft developed a subsystem called Windows 32-bit on Windows 64-bit (WOW64) in order to allow 32-bit applications to execute properly on a 64-bit machine. This subsystem has several features that can be used by malicious code.
WOW64 uses the 32-bit mode of x64 processors in order to execute instructions, but work-arounds are needed for the registry and filesystem. The Microsoft DLLs that form the core of the Win32 environment are in the SYSTEMROOT directory, usually in \Windows\System32. Many applications access this directory to search for Microsoft DLLs or to install their own DLLs. Therefore, there must be separate DLLs for both 32- and 64-bit processes to avoid conflicts.
For compatibility reasons, the 64-bit binaries are stored in the \System32 directory. For 32-bit applications, this directory is redirected to the \WOW64 directory; a counterintuitive choice because the 64-bit binaries are in the \System32 directory and the 32-bit binaries are in the \WOW64 directory. In analyzing 32-bit malware on a 64-bit system, if you find that it writes a file to C:\Windows\System32, you will need to go to C:\Windows\WOW64 to find that file.
Another redirection exists for 32-bit applications that access the HKEY_LOCAL_MACHINE\Software
registry key, which is mapped to HKEY_LOCAL_MACHINE\Software\Wow6432Node
. Any 32-bit applications accessing the software registry key will be redirected.
32-bit applications are normally unaware that they are running on WOW64, but a few mechanisms allow the applications to see outside the WOW64 environment. The first is the IsWow64Process
function, which can be used by 32-bit applications to determine if they are running in a WOW64 process. Applications can access the real \System32 directory by accessing C:\Windows\Sysnative, even when the \System32 is being redirected to WOW64.
The Wow64DisableWow64FsRedirection
function disables filesystem redirection entirely for a given thread. Registry functions such as RegCreateKeyEx
, Reg-DeleteKeyEx
, and RegOpenKeyEx
have a new flag that can be used to specify that an application wants to access the 32-bit or 64-bit view of the registry, regardless of the type of application. This flag can be used when 32-bit malware is making changes meant to affect 64-bit applications.