
GUIDED BY SHRI ALOK GEHLOT, ASSISTANT PROFESSOR

SUBMITTED BY GORAV SINGH AMERA (CSE), HARSH VARDHAN PUNDHIR (IT), KAPIL BHADADA (IT), VISHAL SINGH CHOUHAN (IT)

32/64-bit
What is WOW64?
WOW64 Process Address Space Layout
WOW64 Registry Management
WOW64 File System Redirection
32-bit I/O on 64-bit Windows
32/64 Inter-op Issues
WOW64 Platform-Specific Support
Debugging a WoW64 Process
Discussion

32/64-bit
32-bit versus 64-bit
As the number of bits increases, there are two important benefits.

More bits means that data can be processed in larger chunks, which also means more accurately.
More bits means the system can point to, or address, a larger number of locations in physical memory.

Why would we move 32-bit applications to 64-bit? The answer is simple: it is the 4GB boundary that normal 32-bit applications cannot cross. Even if there is more than 4GB of memory available in your server, the applications won't make use of it, as they simply cannot access memory beyond the 32-bit address space.

32-bit Windows emulation layer on 64-bit Windows
Installed as part of 64-bit Windows
Binary compatibility with 32-bit Windows applications is the prime goal
64-bit Windows system setup installs and registers 64-bit and 32-bit system files
32-bit system files are copied to %windir%\sysWoW64; likewise, 64-bit system files are installed to %windir%\system32
%SystemDrive%\Program Files (x86) is the place for 32-bit applications; likewise, %SystemDrive%\Program Files is the place for 64-bit applications

Environment variables are duplicated as well:
ProgramFiles and ProgramFiles(x86)
CommonProgramFiles and CommonProgramFiles(x86)

Once 64-bit Windows is installed, you should be able to run 32-bit Windows applications!
x86 binaries on 64-bit Windows are identical to their counterpart on a native 32-bit Windows x86 system

Compatibility
Feature parity with the native 32-bit Windows Operating System (OS)

WoW64 intercepts system calls from the 32-bit application


Transitions to 64-bit mode
Converts 32-bit data structures into 64-bit aligned structures
Issues the native 64-bit system call
Writes back any output data from the 64-bit system call
Returns to 32-bit mode

WoW64 core consists of:

WoW64.dll, the core interface to the Windows NT kernel that translates between 32-bit and 64-bit calls, including pointer and call stack manipulations
WoW64win.dll, which provides the appropriate entry-points for 32-bit applications
WoW64cpu.dll, which takes care of switching the processor from 32-bit to 64-bit mode

[Figure: WOW64 process address space layout. Kernel mode: NT Executive, Win32k.sys. User mode: reserved address space (boundary label 0x00000000`7FFEFFFF or 0x00000000`FFFEFFFF), 64-bit ntdll.dll, WoW64.dll, WoW64win.dll, WoW64cpu.dll, 32-bit ntdll.dll, 32-bit modules.]

Address space is limited to 2GB (or 4GB if the application is marked Large-Address-Aware in the header)
WOW64 processes cannot load 64-bit DLLs, except for the core one!

Likewise, native 64-bit processes cannot load 32-bit DLLs
LoadLibrary() will fail

Once WOW64 is initialized, 32-bit code executes as if it is running on a native x86 processor

Two views of the registry exist on 64-bit Windows: Native and WOW64
By default, a native 64-bit Windows application sees the native registry view, and a WOW64 application sees the WOW64 view

Why a different WOW64 registry view?

Compatibility
Separates 32-bit application state from 64-bit state
For example: unsupported features stored in the registry

Provides a safe execution environment for both 32-bit and 64-bit applications
For example: a registry value hosting a DLL path


HKEY_LOCAL_MACHINE\Software\Wow6432Node is the 32-bit equivalent of HKEY_LOCAL_MACHINE\Software

A new key, WOW6432Node, is created at the split nodes

When a WOW64 process opens or creates a key, WOW64 redirects the path of the key, if it is one of the above, by inserting WoW6432Node into the above path

Transparent for Win32 applications


When executing 32-bit applications, WoW64 transparently redirects 32-bit DLLs to %SystemRoot%\SysWoW64.
32-bit applications can access %SystemRoot%\System32 through the pseudo directory %SystemRoot%\sysnative.
32-bit applications are generally not aware that they are running on a 64-bit operating system.


Redirects file-level access from %windir%\system32 to %windir%\syswow64

32-bit Windows applications which try to open or create a file underneath %windir%\system32\... are automatically redirected to the %windir%\syswow64\... file
Helps side-by-side system files installation and compatibility

Some directories are exempted from redirection
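
The redirection rules above matter when reading file paths out of a 32-bit process's telemetry or installer logs: the path the process asked for is not always the file it touched. The following C code is an added example, not part of the original slides; the function names are hypothetical, and the two exempted subdirectories in the constructed sample (drivers\etc and spool) come from Microsoft's file system redirector documentation rather than from this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of dir at the start of path, ending on a path
   component boundary. Returns the matched length, or 0 for no match. */
static size_t dir_prefix(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return 0;
    return (path[n] == '\\' || path[n] == '\0') ? n : 0;
}

/* Writes to out the path a WOW64 process really reaches when it opens path.
   exempt: NULL-terminated list of system32 subdirectories left unredirected.
   Returns 0 on success, -1 if out is too small. */
int wow64_effective_path(const char *windir, const char *path,
                         const char *const *exempt, char *out, size_t outsz)
{
    const char *target = NULL, *rest = path;
    size_t w = dir_prefix(path, windir), n;
    if (w && path[w] == '\\') {
        const char *sub = path + w + 1;
        if ((n = dir_prefix(sub, "sysnative")) != 0) {
            target = "system32";        /* pseudo directory: 64-bit files */
        } else if ((n = dir_prefix(sub, "system32")) != 0) {
            target = "syswow64";        /* default: redirected to 32-bit files */
            for (; exempt && *exempt; exempt++)
                if (sub[n] == '\\' && dir_prefix(sub + n + 1, *exempt))
                    target = NULL;      /* exempted subtree: used as written */
        }
        rest = sub + n;
    }
    int len = target ? snprintf(out, outsz, "%s\\%s%s", windir, target, rest)
                     : snprintf(out, outsz, "%s", path);
    return (len < 0 || (size_t)len >= outsz) ? -1 : 0;
}

/* Constructed sample: a fixed windir and two exempted subdirectories. */
static const char *const SAMPLE_EXEMPT[] = { "drivers\\etc", "spool", NULL };
const char *sample_resolve(const char *path)    /* NULL on error */
{
    static char out[260];
    return wow64_effective_path("C:\\Windows", path, SAMPLE_EXEMPT,
                                out, sizeof out) ? NULL : out;
}

int main(void) { puts(sample_resolve("C:\\Windows\\System32\\cmd.exe")); return 0; }
```

The model covers only the system32, syswow64 and sysnative behaviour described on this page; it does not account for a process that has disabled redirection for its own threads.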


The kernel is native on 64-bit Windows, and so are all kernel drivers
32-bit kernel device drivers won't run on 64-bit Windows

They need to be ported

64-bit device drivers need to support I/O requests from WOW64 applications


So if the 64-bit kernel device driver

Receives IOCTLs from user-mode applications
And it supports 32-bit and 64-bit applications
And the I/O structures are pointer-dependent or require a specific alignment

Then the 64-bit kernel device driver needs to support WoW64

What does a kernel device driver need to do to support WOW64?

In your IRP_MJ_DEVICE_CONTROL handler, detect if the I/O Request Packet (IRP) originated from a WOW64 application

Use IoIs32bitProcess() exported from ntoskrnl

Convert 32-bit structures into 64-bit


Pointer data type storage is 64 bits (8 bytes) on 64-bit Windows systems, while it is 32 bits (4 bytes) on 32-bit Windows systems

Alignment is different as well

Example

Client/Server application set communicating using shared memory

Client is 32-bit running on 64-bit Windows and server is 64-bit, or vice versa
Shared structures are pointer-dependent

Two solutions

32-bit Client writes compatible 64-bit structures
64-bit Server doesn't need to be WOW64 aware

64-bit Server reads 32-bit and 64-bit structures
64-bit Server is WOW64 aware
32-bit Client may need to change if source request is not known to the 64-bit server
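
The driver case (an IRP_MJ_DEVICE_CONTROL handler that detects a WOW64 caller with IoIs32bitProcess()) and the shared-memory case where the 64-bit server reads both layouts need the same conversion, and a receiver that skips it reads fields at the wrong offsets or past the end of the caller's buffer. The following user-mode C code is an added example, not code from the original slides: REQUEST, REQUEST32, thunk_request and the sample values are hypothetical, and the from_32bit flag stands in for what a driver would get from IoIs32bitProcess().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request in the native 64-bit layout. The pointer is carried
   as a 64-bit integer so the layout does not depend on the build target. */
typedef struct {
    uint32_t command;
    uint64_t buffer;    /* 8-byte pointer value, 8-byte aligned */
    uint32_t length;
} REQUEST;

/* The same request as a 32-bit client lays it out: 4-byte pointer. */
typedef struct {
    uint32_t command;
    uint32_t buffer;
    uint32_t length;
} REQUEST32;

/* Validates in_len bytes at in and converts them to the native layout.
   from_32bit identifies the caller's layout. Returns 0, or -1 on reject. */
int thunk_request(const void *in, size_t in_len, int from_32bit, REQUEST *out)
{
    if (from_32bit) {
        REQUEST32 r32;
        if (in_len != sizeof r32)       /* wrong size for the claimed layout */
            return -1;
        memcpy(&r32, in, sizeof r32);   /* copy once, then convert the copy */
        out->command = r32.command;
        out->buffer  = r32.buffer;      /* zero-extend the 32-bit pointer */
        out->length  = r32.length;
        return 0;
    }
    if (in_len != sizeof *out)
        return -1;
    memcpy(out, in, sizeof *out);
    return 0;
}

/* Constructed sample: what a 32-bit client would place in shared memory. */
static const REQUEST32 SAMPLE32 = { 7, 0x00401000u, 64 };

int main(void)
{
    REQUEST r;
    printf("thunked: %d, misread as native: %d\n",
           thunk_request(&SAMPLE32, sizeof SAMPLE32, 1, &r),
           thunk_request(&SAMPLE32, sizeof SAMPLE32, 0, &r));
    return 0;
}
```

The size check is what rejects a 32-bit buffer presented as the native layout; without it the native branch would copy more bytes than the client supplied.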


GetNativeSystemInfo() retrieves information about the native system

No 16-bit support on 64-bit Windows

Win32 APIs for 16-bit support are stubbed out to fail

32-bit kernel drivers won't run on 64-bit Windows

They need to be ported and to support WoW64

WOW64 emulates Win32 applications running on x86 hardware

Target 64-bit platform may not support specific features

Different levels of WoW64 support


GetThreadContext() and SetThreadContext() work if the target process is of the same type

Use a user-mode 32-bit debugger to debug WOW64 applications

Debug as if you are running on a native 32-bit Windows OS

Visual C++ 6.0
User-mode debuggers (e.g. ntsd.exe)
Or any other 32-bit debugger package
View only 32-bit loaded modules
Cannot be used to debug native 64-bit applications

Use a user-mode 64-bit debugger to debug inside WOW64's 64-bit code

WOW64 debugger extensions come with Microsoft debugging tools

Allow switching between 32-bit and 64-bit modes using the !wow64exts.sw command

View all loaded modules (32-bit and 64-bit)
Can debug WoW64 as well as native 64-bit applications

Most 32-bit applications will run quite happily under 64-bit Windows. The main exceptions are:

32-bit device drivers.
Applications that cannot function without the 32-bit device drivers that they use. Prime examples are antivirus, antimalware and firewall applications.

Application extensions that rely on code injection into, for example, Explorer.

Some 32-bit applications may work with reduced functionality.
