问题
I have a small 32bit process I'm debugging on win7 x64 and I see that it loads "C:\windows\sysWow64\ntdll.dll" as expected, but also "C:\windows\system32\ntdll.dll"
.
I know that x64 modules and x86 modules do not mix, but here they are... mixing...
How can it be?
回答1:
This is a special 'feature' of WOW64, see this article on MSDN. the relevant part is:
The WOW64 emulator runs in user mode. It provides an interface between the 32-bit version of Ntdll.dll and the kernel of the processor, and it intercepts kernel calls. The WOW64 emulator consists of the following DLLs:
Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.
Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.
Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor. (Intel Itanium only)
IA32Exec.bin contains the x86 software emulator. (Intel Itanium only)
Wowia32x.dll provides the interface between IA32Exec.bin and WOW64.
These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit process.
来源:https://stackoverflow.com/questions/10194371/x64-modules-in-a-wow64-process