
Wow64cpu module


8 replies to this topic

#1 Idov   Members   -  Reputation: 196


Posted 09 December 2011 - 10:14 AM

Hi!
I have a process which debugs another 32-bit process on Windows 7 (x64).
I paused the debugged process and watched it using ProcessMonitor.
In ProcessMonitor, on the top of the stack I see a method from wow64cpu.dll, but my debugged process doesn't load this DLL!

I even wrote a little program in C# to show me what modules are loaded, and this DLL is not loaded.

How can the debugged process use a method from that DLL?

what is going on??? :(


#2 RobTheBloke   Crossbones+   -  Reputation: 2286


Posted 09 December 2011 - 12:26 PM

WOW64 == Windows 32-bit on Windows 64-bit


Nothing is going on. Just ignore it! (It's the mechanism with which Windows x64 emulates the 32-bit DLLs required for the 32-bit process.)

#3 Idov   Members   -  Reputation: 196


Posted 09 December 2011 - 12:49 PM

WOW64 == Windows 32-bit on Windows 64-bit


Nothing is going on. Just ignore it! (It's the mechanism with which Windows x64 emulates the 32-bit DLLs required for the 32-bit process.)



Ok, I want to ignore it. :)
But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.
Is it even possible getting the information about this module (base address and size) if it isn't really even loaded?

#4 iMalc   Crossbones+   -  Reputation: 2250


Posted 09 December 2011 - 01:08 PM

But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.

No you don't, because there aren't any.

You're not understanding; think of the wow64cpu DLL as the emulator that allows your code to run. A program can't see into its emulator.
"In order to understand recursion, you must first understand recursion."
My website dedicated to sorting algorithms

#5 Idov   Members   -  Reputation: 196


Posted 09 December 2011 - 01:16 PM


But I need to identify it when it happens so I'll be able to associate addresses in the callstack with the module and ignore them.

No you don't, because there aren't any.

You're not understanding; think of the wow64cpu DLL as the emulator that allows your code to run. A program can't see into its emulator.


what? wait...

Maybe there aren't any addresses from this module in the callstack (I suppose I really didn't see any in the callstack), but the EIP register of my debugged process's thread DOES point at an instruction in wow64cpu :)
Did you mean that I can't get the information about wow64cpu?

#6 ApochPiQ   Moderators   -  Reputation: 14102


Posted 09 December 2011 - 01:26 PM

Think of it this way: if you took a digital logic analyzer and pointed it at the right spot on your CPU while executing a program, you could see the microcode instructions being shuffled around. Does this mean you can debug the microcode layer of the CPU circuit from your assembly language program?

#7 Idov   Members   -  Reputation: 196


Posted 10 December 2011 - 04:14 AM

ok, so how can "ProcessHacker" or "ProcessExplorer" display stack frames from this wow64cpu?

#8 adeyblue   Members   -  Reputation: 517


Posted 10 December 2011 - 10:29 AM

On 64-bit computers, Process Explorer is a 64-bit program so it exists outside the 'emulator' and can see into it.

To get the full user-mode call stack of a WoW64 thread, call GetThreadContext and StackWalk64(IMAGE_FILE_MACHINE_X64, ...) (for the 64-bit code), then call Wow64GetContextThread and StackWalk64(IMAGE_FILE_MACHINE_I386, ...) (for the 32-bit code)

To get the kernel side stacks that Process Explorer also displays requires a driver and peeking into documented-but-not-officially-so structures.
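
The two-pass walk adeyblue describes, combined with the module lookup Idov asked for in #3 (map each call-stack address to a module, then drop the frames that belong to the WoW64 layer), as an added example in C. It is not code from the thread or from either poster. It uses the winnt.h spellings of the identifiers: the machine constants are IMAGE_FILE_MACHINE_AMD64 and IMAGE_FILE_MACHINE_I386, and the 32-bit context function is Wow64GetThreadContext. Assumed: a 64-bit build linked against dbghelp.lib and psapi.lib, a process handle and an already-suspended WoW64 thread handle for the target, and a module table filled from EnumProcessModulesEx(LIST_MODULES_ALL) so it holds both bitnesses. The function, type and buffer names are my own; the Windows-specific part sits under #ifdef _WIN32, the lookup helpers above it are portable.

```c
/* Added example (not code from the thread): two-pass StackWalk64 of a WoW64
 * thread from a 64-bit process, with every frame resolved against a module
 * table that also lists the 64-bit images (wow64cpu.dll & co.) a 32-bit
 * enumerator never sees. Build (x64): cl wow64walk.c dbghelp.lib psapi.lib */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t base, size; char name[64];
                 int is64; /* 1 = 64-bit image, 0 = 32-bit image */ } module_t;

/* Index of the module containing addr, or -1. A table built by a 32-bit
 * process (EnumProcessModules) has no wow64cpu.dll entry, so an address that
 * resolves from the 64-bit view comes back -1 from the 32-bit view. */
int find_module(const module_t *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}

/* The WoW64 layer proper (wow64.dll, wow64win.dll, wow64cpu.dll). */
int is_wow64_layer(const char *name)
{
    return strncmp(name, "wow64", 5) == 0;
}

/* Writes "module+0xoff" (or "<unknown>+0xaddr") into out. Returns 1 when the
 * frame is in the WoW64 layer and should be dropped from the target's stack. */
int resolve_frame(const module_t *mods, size_t n, uint64_t addr,
                  char *out, size_t outlen)
{
    int i = find_module(mods, n, addr);
    if (i < 0) {
        snprintf(out, outlen, "<unknown>+0x%llx", (unsigned long long)addr);
        return 0;
    }
    snprintf(out, outlen, "%s+0x%llx", mods[i].name,
             (unsigned long long)(addr - mods[i].base));
    return mods[i].is64 && is_wow64_layer(mods[i].name);
}

#ifdef _WIN32
#include <windows.h>
#include <dbghelp.h>
#include <psapi.h>

/* Module table with both 32- and 64-bit images of the target; bitness is read
 * from the PE FileHeader.Machine word (at e_lfanew + 4) inside the target. */
static size_t load_modules(HANDLE proc, module_t *mods, size_t max)
{
    HMODULE h[512]; DWORD bytes = 0; size_t n = 0;
    if (!EnumProcessModulesEx(proc, h, sizeof h, &bytes, LIST_MODULES_ALL)) return 0;
    for (DWORD i = 0; i < bytes / sizeof(HMODULE) && n < max; i++) {
        MODULEINFO mi; IMAGE_DOS_HEADER dos; WORD machine = 0;
        if (!GetModuleInformation(proc, h[i], &mi, sizeof mi)) continue;
        if (ReadProcessMemory(proc, h[i], &dos, sizeof dos, NULL))
            ReadProcessMemory(proc, (BYTE *)h[i] + dos.e_lfanew + 4, &machine, 2, NULL);
        mods[n].base = (uint64_t)(ULONG_PTR)h[i];
        mods[n].size = mi.SizeOfImage;
        mods[n].is64 = (machine == IMAGE_FILE_MACHINE_AMD64);
        GetModuleBaseNameA(proc, h[i], mods[n].name, sizeof mods[n].name);
        n++;
    }
    return n;
}

/* One StackWalk64 pass; machine decides how ctx and the frame are interpreted. */
static void walk(HANDLE proc, HANDLE thr, DWORD machine, void *ctx, DWORD64 ip,
                 DWORD64 sp, DWORD64 fp, const module_t *mods, size_t n)
{
    STACKFRAME64 f; memset(&f, 0, sizeof f);
    f.AddrPC.Offset = ip;    f.AddrPC.Mode = AddrModeFlat;
    f.AddrStack.Offset = sp; f.AddrStack.Mode = AddrModeFlat;
    f.AddrFrame.Offset = fp; f.AddrFrame.Mode = AddrModeFlat;
    while (StackWalk64(machine, proc, thr, &f, ctx, NULL,
                       SymFunctionTableAccess64, SymGetModuleBase64, NULL)) {
        char buf[96];
        int layer = resolve_frame(mods, n, f.AddrPC.Offset, buf, sizeof buf);
        printf("  %-40s %s\n", buf, layer ? "<- WoW64 layer, ignore" : "");
        if (f.AddrReturn.Offset == 0) break;
    }
}

/* Both passes in the order the post gives: 64-bit context, then 32-bit.
 * thr must already be suspended; the contexts are snapshots. */
void dump_wow64_stack(HANDLE proc, HANDLE thr)
{
    module_t mods[256]; size_t n = load_modules(proc, mods, 256);
    SymInitialize(proc, NULL, TRUE);
    CONTEXT c64; memset(&c64, 0, sizeof c64); c64.ContextFlags = CONTEXT_FULL;
    if (GetThreadContext(thr, &c64)) {       /* Rip is typically in the WoW64 layer */
        puts("x64 frames:");
        walk(proc, thr, IMAGE_FILE_MACHINE_AMD64, &c64, c64.Rip, c64.Rsp, c64.Rbp, mods, n);
    }
    WOW64_CONTEXT c32; memset(&c32, 0, sizeof c32); c32.ContextFlags = WOW64_CONTEXT_FULL;
    if (Wow64GetThreadContext(thr, &c32)) {  /* Eip is back in the 32-bit code */
        puts("x86 frames:");
        walk(proc, thr, IMAGE_FILE_MACHINE_I386, &c32, c32.Eip, c32.Esp, c32.Ebp, mods, n);
    }
    SymCleanup(proc);
}
#endif
```

The thread handle needs THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION and the process handle PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. The lookup only works from a 64-bit caller: when EnumProcessModulesEx is called from a 32-bit process the filter flag is ignored and only the 32-bit modules come back, so an address inside wow64cpu.dll resolves to "<unknown>", which is exactly the "not loaded" result the C# module lister in #1 produced.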

#9 Idov   Members   -  Reputation: 196


Posted 10 December 2011 - 03:07 PM

ok, thanks :)



