Today we embark on a journey to answer one question: How is the 64-bit ntdll loaded into a 32-bit process under WoW64?
The journey will take us into uncharted territories inside the logic of the Windows kernel and we’ll discover how the Memory Address space of a 32-bit process is initialized.
What is WoW64?
| WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run seamlessly on 64-bit Windows.
In other words, with the introduction of the 64-bit version of Windows, Microsoft needed to come up with a solution that allowed applications written during the 32-bit era of Windows to seamlessly interact with the new underlying components of a 64-bit Windows. Specifically, 64-bit memory addressing and components that spoke directly to the new kernel.
Two NT layers, One Kernel
In 32-bit Windows, applications that call into Windows APIs are routed through a series of Dynamic Link Libraries (DLLs). However, all system calls eventually route through to ntdll.dll, which is the highest layer in Usermode that passes execution of User Mode APIs to the Kernel.
An example of this is a call to CreateFileW. This API call originates from kernel32.dll in Usermode; it is then transferred to ntdll as NtCreateFile, and NtCreateFile then transfers control to the kernel via a System Call Dispatcher.
Under 32-bit Windows this is pretty straightforward – however, under WoW64 extra steps must be taken. The 32-bit ntdll cannot directly transfer control to the kernel because the kernel is now a 64-bit executable and only accepts types that follow the 64-bit ABI. Because of this a translation layer was added to 64-bit Windows in the form of several DLLs canonically named wow64.dll wow64cpu.dll and wow64win.dll. These DLLs are responsible for transitioning 32-bit originated calls to 64-bit calls.
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Blog. Read the original post at: https://threatmatrix.cylance.com/en_us/home/windows-maps-64-bit-ntdll-to-wow64-process.html