
THE WOW-EFFECT
30.11.2011
Author: Christian Wojner (wojner@cert.at)

Summary
The 64-bit version of Microsoft Windows includes file system virtualization features to run 32-bit programs. File access is transparently redirected to other directories in certain cases.
This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations.
In the worst case this can lead to an entirely wrong interpretation of a case/situation.
While this issue is not entirely new, it is necessary to raise the IT Security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the file system redirector.

Content
Summary
Background
  The WOW64 File System Redirector and System32
  Impact: The WOW-Effect
Practical examples
  Checking file hashes
  Uploading a malicious file to VirusTotal
  Iterating
Conclusions
  Is AntiVirus software also affected?
  What about my tool set?
  What about the past?
  What Now?
Suggestions for IT Security analysts
Final remarks
Links

I worked with Microsoft on the following analysis and they are aware of my research.


Background
64-bit versions of Windows provide backward compatibility for 32-bit executables. The WOW64 (Windows 32-bit on Windows 64-bit) subsystem provides a 32-bit environment for 32-bit processes, including 32-bit versions of various 64-bit executables (PE files like .EXE, .DLL, ...). Both accesses to the registry as well as to the file system are transparently intercepted and redirected.
The goal was to give a 32-bit process the impression of running under a native 32-bit Windows operating system instead of the reality: a 64-bit Windows operating system.
In the following, I will focus on how WOW64 modifies access to %windir%\System32 (typically C:\Windows\System32, shortened to System32 in the rest of this document, just as SysWOW64 for %windir%\SysWOW64).

The WOW64 File System Redirector and System32

Microsoft describes this aspect of WOW64 in these words[2]:
"The %windir%\System32 directory is reserved for 64-bit applications. Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference using a file system redirector.
In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64. Access to %windir%\lastgood\system32 is redirected to %windir%\lastgood\SysWOW64. Access to %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe."
In other words, a 32-bit application will never see any file stored in System32; it will always access SysWOW64 instead. If you need more details on WOW64, feel free to visit the links provided at the end of this report.

Impact: The WOW-Effect

While this redirection solution might be optimal for the typical customer, it is a massive pitfall for IT Security. The problem is not the redirection itself. It's the way it's done. Instead of being restricted to specific situations where e.g. an OpenLibrary or CreateProcess happens, or anything else that definitely tries to functionally use flavored (32/64-bit) code, this redirection is done on a much lower level than might have been necessary[3]. In fact, even if the 32-bit executable just wants to read the content of a PE file in System32 on purpose, it will be redirected to SysWOW64 and therefore deal with a different file.
Unfortunately all this redirection functionality happens without any indication.

[2] http://msdn.microsoft.com/en-us/library/aa384187%28VS.85%29.aspx
[3] I assume Microsoft had their reasons.


The impact is that if you are using a 32-bit program (or tool) to deal with specific files in System32, you will access different ones. This also applies to iterating through the directory System32 with FindFirstFile/FindNextFile.

Practical examples
Checking file hashes
Let's assume you are analyzing malicious behavior on a 64-bit Microsoft Windows machine and the malicious activity seems to originate from an executable under System32. The next step might be to run your md5sum tool (which is probably a native 32-bit executable) on it to check it against the hashes of known good files. Chances are high that nothing suspicious can be found that way, because the WOW64 redirection caused the wrong file to be hashed.
Let's try this on my laptop running Microsoft Windows 7 Professional 64 Bit (SP1). Assume the malicious file is the 64-bit DLL file ieapfltr.dll under System32. At the time of writing the correct MD5 hashes of the 32- and 64-bit versions of this file are:
File                                Type     MD5 Hash
C:\Windows\system32\ieapfltr.dll    64-bit   8eada158d964e3fd1999ad96c9c507ff
C:\Windows\SysWOW64\ieapfltr.dll    32-bit   ee9d715af1b928982f417238b9914484

Running a 32-bit md5sum tool on C:\Windows\system32\ieapfltr.dll shows:
[screenshot of the md5sum output, not included in this copy]
This is what I call a WOW-Effect!
We are not dealing with a bug or vulnerability. It is a feature that can have a massive impact on (typical) IT Security relevant investigations.

Uploading a malicious file to VirusTotal

A common approach to suspicious files is to upload them to a web service which checks submitted files against a battery of AV software. This is usually done with the default browser; for this example we use VirusTotal.com:
[screenshot of the VirusTotal upload, not included in this copy]
Take a look at the following screenshot and compare the shown MD5 hash with the ones in our initial md5sum example:
[screenshot of the VirusTotal result, not included in this copy]
By the time of writing this was true for (at least) the current versions of Firefox, Opera and Internet Explorer. If you are wondering about Internet Explorer: Windows 7 includes both a 32- and a 64-bit version; the default seems to be the 32-bit executable. You can check which version you are running by opening the task manager. 32-bit executables are flagged with a *32 there.

Iterating
Sometimes researchers write short programs to analyze all files on a computer. This could be a signature scan for malware, just looking for encrypted files, diffing tools, or anything else that iterates over the whole file system.
As the FindFirstFile call for System32 will be redirected to SysWOW64, the files in the real System32 will not be seen. In other words, if a 64-bit malware is dropped as a unique executable in System32, it is well hidden from any 32-bit tool.

Note: You cannot circumvent the WOW-Effect by changing directly into System32 or by running your tool from there, even if you copied your tool right into System32.


Conclusions
Regarding the WOW-Effect, the most important question for you is whether your tools are still 32-bit only or include 64-bit versions. This is something that might not have been of interest in the past.
Note: It's widely known that nearly all binaries of a clean Windows install have already been uploaded to VirusTotal in the past. Thus I find it interesting that most of the real 64-bit versions I tried were not known at VirusTotal. This indicates that people have not been uploading the right files.

Is AntiVirus software also affected?

The impact of WOW64 on AV software is not trivial to handle[4]. As AV needs to run at a very low level, including kernel modules, it needs to be of the same flavor as the underlying operating system. In the case of 64-bit Windows it has to cope with both 32- and 64-bit processes.
Malware has been predominantly 32-bit so far; how AV software handles the transition to 64-bit will be worth watching.

What about my tool set?

Do I have all the tools in 64-bit versions? Alternatively, are the 32-bit versions dealing with the issue correctly, i.e. are they turning off the WOW64 translations before opening files[5]?

What about the past?

Have you done any investigations on a Microsoft Windows 64-bit operating system in the past and could not find anything evil, though there were strange symptoms initially?

What Now?
There are many more situations and scenarios where the WOW-Effect can have an impact on investigations. I bet you can instantly come up with a lot more potential scenarios.

Suggestions for IT Security analysts

- Use 64-bit tools on 64-bit Windows operating systems where you can, and you should not experience any unexpected side effects.
- If you need to write your own tools, e.g. a scanner for a certain type of infection, you need to consider the WOW-Effect.
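As an added example (my own code, not part of the original report), the following Python script reproduces the two pitfalls from the md5sum and Iterating sections and shows how a self-written tool can avoid them: it hashes a file once through the redirected view and once with the redirector switched off, and it lists directory entries that only exist in the native System32. The "turning off the WOW64 translations" from the tool-set question is done with the Win32 functions Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection (real kernel32 API, not named on the page); the demo in the main block assumes a 64-bit Windows host, a 32-bit Python interpreter and the ieapfltr.dll path from the hash table, and on 64-bit Python or non-Windows systems the native view is simply identical to the redirected one.

```python
import ctypes
import hashlib
import os
import sys

def is_wow64_process():
    """True only for a 32-bit process on 64-bit Windows, i.e. when the redirector is active."""
    if sys.platform != "win32":
        return False
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p   # pseudo handle, pointer sized
    flag = ctypes.c_int(0)
    if not k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag)):
        raise ctypes.WinError(ctypes.get_last_error())
    return bool(flag.value)

class NativeView:
    """Turns WOW64 file system redirection off for this thread; restores it on exit."""
    def __enter__(self):
        self._active = is_wow64_process()
        if self._active:
            self._k32 = ctypes.WinDLL("kernel32", use_last_error=True)
            self._old = ctypes.c_void_p()
            # Keep this window short: DLL loads can fail while redirection is off.
            if not self._k32.Wow64DisableWow64FsRedirection(ctypes.byref(self._old)):
                raise ctypes.WinError(ctypes.get_last_error())
        return self
    def __exit__(self, *exc):
        if self._active:
            self._k32.Wow64RevertWow64FsRedirection(self._old)

def md5_bytes(data):
    return hashlib.md5(data).hexdigest()

def md5_file(path):
    with open(path, "rb") as f:        # CreateFile underneath: subject to redirection
        return md5_bytes(f.read())

def hidden_from_32bit_view(directory):
    """Names visible in the native directory but not through the redirected listing."""
    redirected = set(os.listdir(directory))   # FindFirstFile/FindNextFile, redirected
    with NativeView():
        native = set(os.listdir(directory))   # same call against the real directory
    return sorted(native - redirected)

if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    target = os.path.join(system32, "ieapfltr.dll")   # the DLL from the hash table above
    print("redirected view:", md5_file(target))        # 32-bit hash under WOW64
    with NativeView():
        print("native view:   ", md5_file(target))     # 64-bit hash, the real System32 file
    print("only in native System32:", hidden_from_32bit_view(system32)[:10])
```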

Final remarks

The 64-bit DLLs are now in System32, the 32-bit versions in SysWOW64. Wouldn't it have been smarter to invent a new System64 for the first 64-bit version of Windows?
We are all wondering how this will work out for any upcoming 128-bit version of Windows: System32 has 128-bit, SysWOW128 64-bit, and SysWOW64 contains the 32-bit versions?

[4] http://www.aavar.org/avar2008/abstract/WOW64_Woes_for_AntiVirus_Products.htm
[5] http://msdn.microsoft.com/en-us/library/aa365743%28v=VS.85%29.aspx


Links

http://msdn.microsoft.com/de-de/library/aa384274.aspx
http://msdn.microsoft.com/en-us/library/aa384187%28VS.85%29.aspx
http://en.wikipedia.org/wiki/WoW64
http://blogs.sepago.de/helge/2008/04/20/windows-x64-all-the-same-yet-very-different-part-7/
http://blogs.sepago.de/nicholas/2009/08/26/what-does-wow64-mean-for-application-management/
http://www.samlogic.net/articles/32-64-bit-windows-folder-x86-syswow64.htm
https://www.techsupportalert.com/content/how-windows-7-vista-64-support-32-bit-applications.htm
http://www.aavar.org/avar2008/abstract/WOW64_Woes_for_AntiVirus_Products.htm
