Home > x64 > The power of WOW64

The power of WOW64

This is my first post and I want to introduce you how to execute x64 code under WOW64 process so lets start. First of all lets say about WOW64 it’s technology from Microsoft that allows you to run 32 bits applications on 64 bits operating systems and my example will show you how to switch from 32bits mode to 64 and back. Here is source code how to switch from 32 bits to 64 and back under WOW64:
32to64.cpp

On this video you can see what’s actually going on.

Download video in original size: 32to64.wmv (18 MB)

WOW64 detection:
Here is comparison how CS register changes depending on Windows architecture:
64 bits (native) = 0x33
32 bits (wow64) = 0x23
32 bits (native) = 0x1B
So from this we can detect if our 32 bits process running under WOW64 or not:
iswow64

Anti-debugging:
Such mode switching can server as additional anti-debugging trick since normal 32 bits debuggers can’t trace 64 bits code you can try to debug 32to64.cpp in WinDbg(x86) or OllyDbg and you will find that debugger loosing control on application and program will continue execution until exit, or next debug event.

Advertisements
Categories: x64 Tags:
  1. Hello
    February 27, 2011 at 12:18

    BOOL IsWow64()
    {
    __asm
    {
    mov eax, cs
    shr eax, 5
    }
    }

    Are you sure of this code ?
    Because sometimes it’s TRUE and sometimes it’s FALSE 😀

    • Hello
      February 27, 2011 at 12:19

      * Windows XP Pro x64

  2. int0h
    February 27, 2011 at 12:27

    Yup, but it’s only valid for 32 bits process, also:
    32 bits (wow64) = 0×23 >> 5 = 1
    32 bits (native) = 0x1B >> 5 = 0
    I doubt that WinXP X64 has code segment other than 0x23

  3. Hello
    February 27, 2011 at 16:58

    It’s the solution :

    BOOL IsWow64()
    {
    __asm
    {
    xor eax, eax
    mov ax, cs
    shr eax, 5
    }
    }

    • int0h
      February 27, 2011 at 17:20

      Probably your compiler can’t compile mov eax, cs and compiled it as
      mov ax, cs in fact there is opcode to move CS to EAX and hi part of EAX will be nulled:
      8C C8 MOV EAX,CS

      As other solution it can be as:

      bool IsWow64()
      {
      __asm
      {
      mov ax, cs
      shr eax, 5
      }
      }

      Also if your compiler compiled mov eax, cs as mov ax, cs then you had to test result as:
      if( IsWow64() == TRUE ) // tests if EAX == 1
      and not
      if( IsWow64() ) // tests if AL != 0

  4. int0h
    February 27, 2011 at 20:45

    Heh, I’m actually gave good example in my post with bool and you wrote BOOL which is not same because bool = 1 byte BOOL = 4 bytes that’s why you had this problem.

  5. Hello
    February 27, 2011 at 20:49

    Yep, thx you for your code and your explication 🙂

  1. July 4, 2011 at 00:56

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: