WOW-EFFECT
30.11.2011
Author: Christian Wojner (wojner@cert.at)
Summary
The 64-bit version of Microsoft[1] Windows includes file system virtualization features to run 32-bit programs. File access is transparently redirected to other directories in certain cases.
This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations. In the worst case this can lead to an entirely wrong interpretation of a case or situation.
While this issue is not entirely new, it is necessary to raise the IT security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the file system redirector.
Content
Summary
Background
    The WOW64 File System Redirector and System32
    Impact: The WOW-Effect
Practical examples
    Checking file hashes
    Uploading a malicious file to VirusTotal
    Iterating
Conclusions
    Is Anti-Virus software also affected?
    What about my toolset?
    What about the past?
    What Now?
Suggestions for IT Security analysts
Final remarks
Links
I worked with Microsoft on the following analysis and they are aware of my research.
Background
64-bit versions of Windows provide backward compatibility for 32-bit executables. The WOW64 (Windows 32-bit on Windows 64-bit) subsystem provides a 32-bit environment for 32-bit processes, including 32-bit versions of various 64-bit executables (PE files like .EXE, .DLL, ...). Both accesses to the registry and to the file system are transparently intercepted and redirected.
The goal was to give a 32-bit process the impression of running under a native 32-bit Windows operating system instead of the reality: a 64-bit Windows operating system.
In the following, I will focus on how WOW64 modifies access to %windir%\System32 (typically C:\Windows\System32, shortened to System32 in the rest of this document, just as SysWOW64 stands for %windir%\SysWOW64).
[2] http://msdn.microsoft.com/en-us/library/aa384187%28VS.85%29.aspx
[3] I assume Microsoft had their reasons.
The impact is that if you are using a 32-bit program (or tool) to deal with specific files in System32, you will access different ones. This also applies to iterating through the directory System32 with FindFirstFile/FindNextFile.
Practical examples
Checking file hashes
Let's assume you are analyzing malicious behavior on a 64-bit Microsoft Windows machine and the malicious activity seems to originate from an executable under System32. The next step might be to run your md5sum tool (which is probably a native 32-bit executable) on it to check it against the hashes of known-good files. Chances are high that nothing suspicious can be found that way, because the WOW64 redirection caused the wrong file to be hashed.
Let's try this on my laptop running Microsoft Windows 7 Professional 64-bit (SP1). Assume the malicious file is the 64-bit DLL file ieapfltr.dll under System32. At the time of writing the correct MD5 hashes of the 32- and 64-bit versions of this file are:
File                              Type    MD5 Hash
C:\Windows\system32\ieapfltr.dll  64-bit  8eada158d964e3fd1999ad96c9c507ff
C:\Windows\SysWOW64\ieapfltr.dll  32-bit  ee9d715af1b928982f417238b9914484
Running a 32-bit md5sum tool on C:\Windows\system32\ieapfltr.dll shows the hash of the 32-bit copy in SysWOW64 (ee9d715af1b928982f417238b9914484), not the hash of the 64-bit file that actually lives in System32.
This is what I call a WOW-Effect!
We are not dealing with a bug or vulnerability. It is a feature that can have a massive impact on (typical) IT security relevant investigations.
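The following script reproduces the md5sum experiment in PowerShell. It is an added example and not part of the original paper: it hashes the same file name through the three paths a WOW64 process can use and reports which copy was actually read. It assumes a 64-bit Windows (Vista or later, so that the Sysnative alias, a virtual directory that only 32-bit processes can see and that always points to the real System32, exists); the file name is the one from the table above.

```powershell
# Added example, not from the original paper. Assumes 64-bit Windows Vista
# or later; $FileName is the DLL used in the paper's table.
$FileName = 'ieapfltr.dll'

# Plain .NET MD5 so the script runs on any PowerShell version.
function Get-Md5Hex {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close(); $md5.Clear() }
}

# PROCESSOR_ARCHITEW6432 is set only inside WOW64 processes;
# [IntPtr]::Size gives the bitness of the current process.
$isWow64 = [bool]$env:PROCESSOR_ARCHITEW6432
"Process bitness: $([IntPtr]::Size * 8)   running under WOW64: $isWow64"

$paths = @(
    @{ Label = 'System32 as typed';        Path = Join-Path $env:windir "System32\$FileName" },
    @{ Label = 'SysWOW64 (32-bit)';        Path = Join-Path $env:windir "SysWOW64\$FileName" },
    # Sysnative: virtual alias for the real System32, visible to WOW64 processes only.
    @{ Label = 'Sysnative (real 64-bit)';  Path = Join-Path $env:windir "Sysnative\$FileName" }
)

$hashes = @{}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p.Path) {
        $hashes[$p.Label] = Get-Md5Hex $p.Path
        '{0,-24} {1}  {2}' -f $p.Label, $hashes[$p.Label], $p.Path
    } else {
        '{0,-24} (not visible from this process)' -f $p.Label
    }
}

# The WOW-Effect: from a 32-bit process the "System32" path yields the SysWOW64 hash.
if ($isWow64 -and $hashes['System32 as typed'] -eq $hashes['SysWOW64 (32-bit)']) {
    'WOW-Effect: the System32 path was silently redirected; the 64-bit file is the Sysnative one.'
}
```

Run it once from the 32-bit host (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) and once from the 64-bit host (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe). In the 32-bit run the "System32 as typed" line carries the SysWOW64 hash and only the Sysnative line shows the 64-bit file; in the 64-bit run Sysnative is not visible at all and the System32 line shows the 64-bit hash directly. The same split applies to any other 32-bit hashing or viewing tool an analyst may reach for.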
Uploading a malicious file to VirusTotal
Take a look at the following screenshot and compare the shown MD5 hash with the ones in our initial md5sum example:
By the time of writing this was true for (at least) the current versions of Firefox, Opera and Internet Explorer. If you are wondering about Internet Explorer: Windows 7 includes both a 32- and a 64-bit version; the default seems to be the 32-bit executable. You can check which version you are running by opening the Task Manager. 32-bit executables are flagged with "*32" there.
Iterating
Sometimes researchers write short programs to analyze all files on a computer. This could be a signature scan for malware, a search for encrypted files, a diffing tool, or anything else that iterates over the whole file system.
As the FindFirstFile call for System32 will be redirected to SysWOW64, the files in the real System32 will not be seen. In other words, if a 64-bit malware is dropped as a unique executable in System32, it is well hidden from any 32-bit tool.
Note: You cannot circumvent the WOW-Effect by changing directly into System32 and running your tool from there, not even if you copied your tool right into System32.
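The supported way around this for a 32-bit tool is not a path trick but the Win32 calls Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, which switch the redirector off for the calling thread only. The script below is an added example, not code from the paper: it lists System32 twice from a 32-bit PowerShell process, once through the redirector and once with it disabled, and prints the names that a 32-bit scanner would never see. It assumes 64-bit Windows and the 32-bit host (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe); the type name Wow64.Fs is arbitrary.

```powershell
# Added example, not from the original paper. Assumes 64-bit Windows, run
# from the 32-bit PowerShell host; "Wow64.Fs" is just a name chosen here.
$Target  = Join-Path $env:windir 'System32'
$isWow64 = [bool]$env:PROCESSOR_ARCHITEW6432   # set only inside WOW64 processes

if (-not $isWow64) {
    Write-Warning 'Not a WOW64 process: nothing is redirected, both listings will match.'
}

# P/Invoke signatures for the two kernel32 calls. Compile them BEFORE the
# redirection is disabled: Add-Type loads compiler DLLs from System32 and
# must still be handed the 32-bit copies.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64DisableWow64FsRedirection(out IntPtr oldValue);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool Wow64RevertWow64FsRedirection(IntPtr oldValue);
'@
Add-Type -MemberDefinition $signature -Name 'Fs' -Namespace 'Wow64' | Out-Null

# Directory listing as a case-insensitive set of names (Win32 names are).
function Get-NameSet([string]$Dir) {
    $set = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in [System.IO.Directory]::GetFileSystemEntries($Dir)) {
        [void]$set.Add([System.IO.Path]::GetFileName($entry))
    }
    return ,$set    # the comma keeps PowerShell from unrolling the set
}

# 1) Redirected view: exactly what FindFirstFile/FindNextFile hands a 32-bit tool.
$redirected = Get-NameSet $Target

# 2) Native view: redirection off for this thread only, always reverted.
$native = $redirected
if ($isWow64) {
    $oldValue = [IntPtr]::Zero
    if (-not [Wow64.Fs]::Wow64DisableWow64FsRedirection([ref]$oldValue)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "Wow64DisableWow64FsRedirection failed, Win32 error $err"
    }
    try {
        # Keep this window small: while redirection is off, any DLL the
        # runtime loads from System32 would resolve to a 64-bit image.
        $native = Get-NameSet $Target
    } finally {
        [void][Wow64.Fs]::Wow64RevertWow64FsRedirection($oldValue)
    }
}

$hidden = @($native | Where-Object { -not $redirected.Contains($_) })
'Entries via redirected System32 : {0}' -f $redirected.Count
'Entries via the real System32   : {0}' -f $native.Count
'Names hidden from a 32-bit scan : {0}' -f $hidden.Count
$hidden | Sort-Object | Select-Object -First 20
```

Two caveats for anyone building a scanner on this: the disable/revert pair is per thread, so a multi-threaded tool has to call it on every worker thread that touches System32, and the redirector deliberately leaves a few subdirectories alone (per Microsoft's documentation, for example System32\catroot, catroot2, driverstore, drivers\etc, logfiles and spool), so those look the same from both views. Running the same script from the 64-bit host yields identical listings, which is the simplest argument for the paper's advice to use 64-bit tools where they exist.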
Conclusions
Regarding the WOW-Effect the most important question for you is whether your tools are still 32-bit only or include 64-bit versions. This is something that might not have been of interest in the past.
Note: It is widely known that nearly all binaries of a clean Windows install have already been uploaded to VirusTotal in the past. Thus I find it interesting that most of the real 64-bit versions I tried were not known at VirusTotal. This indicates that people have not been uploading the right files.
What Now?
There are many more situations and scenarios where the WOW-Effect can have an impact on investigations. I bet you can instantly come up with a lot more potential scenarios.
Use 64-bit tools on 64-bit Windows operating systems where you can, and you should not experience any unexpected side effects.
If you need to write your own tools, e.g. a scanner for a certain type of infection, you need to consider the WOW-Effect.
Final remarks
The 64-bit DLLs are now in System32, the 32-bit versions in SysWOW64. Wouldn't it have been smarter to invent a new System64 for the first 64-bit version of Windows?
We are all wondering how this will work out for any upcoming 128-bit version of Windows: System32 holds the 128-bit files, SysWOW128 the 64-bit ones, and SysWOW64 contains the 32-bit versions?
[4] http://www.aavar.org/avar2008/abstract/WOW64_Woes_for_AntiVirus_Products.htm
[5] http://msdn.microsoft.com/en-us/library/aa365743%28v=VS.85%29.aspx
Links
http://msdn.microsoft.com/de-de/library/aa384274.aspx
http://msdn.microsoft.com/en-us/library/aa384187%28VS.85%29.aspx
http://en.wikipedia.org/wiki/WoW64
http://blogs.sepago.de/helge/2008/04/20/windows-x64-all-the-same-yet-very-different-part-7/
http://blogs.sepago.de/nicholas/2009/08/26/what-does-wow64-mean-for-application-management/
http://www.samlogic.net/articles/32-64bit-windows-folder-x86-syswow64.htm
https://www.techsupportalert.com/content/how-windows-7-vista-64-support-32bit-applications.htm
http://www.aavar.org/avar2008/abstract/WOW64_Woes_for_AntiVirus_Products.htm