Opening %SystemRoot%\system32\calc.exe from a 32-bit process redirects to another file. Which, why and how?_问答_开发者

Opening %SystemRoot%\system32\calc.exe from a 32-bit process redirects to another file. Which, why and how?

开发者 https://www.devze.com 2023-03-01 03:58 出处：网络

I\'m currently writing some test code in C++ that messes around with PE files to understand its file format structure. My project is set to compile to 64 bit. In my code I open %SystemRoot%\\system32\

I'm currently writing some test code in C++ that messes around with PE files to understand its file format structure. My project is set to compile to 64 bit. In my code I open %SystemRoot%\system32\calc.exe and read the IMAGE_DOS_HEADER and IMAGE_NT_HEADERS structures. At the same time I have the same calc.exe opened in Notepad++ with the hex editor plugin. I compared the values my code reads with Notepad++ and noticed they were different. I copied calc.exe from System32 to C:\Temp\calc.exe, and now the values match.

Notepad++ seems to be a 32 bit application (haven't checked the PE file, but since it's installed to Program Files (x86) by default, it seems to be a safe assumption to make).

Is this WinSxS at work? Or what else is causing this? And which file is actually fed to 32-bit applications opening %SystemRoot%\system32开发者_Python百科\calc.exe?

Just curious. Thanks in advance for any light shed on this.

Yes, this is the WOW redirector. You'll see that there is a calc.exe in C:\Windows\SysWOW64 as well. That's the file that is opened when you use the %SystemRoot%\System32\calc.exe path.

This can be temporarily disabled to access the 64-bit version of the file with Wow64DisableWow64FsRedirection

More details can be found at File System Redirector

If I remember well, when a 32bit apps tries to open system32 directory, it's automatically redirected to syswow64 dir.

Disabling WowFs redirection is unnecessary and sometimes is not even an option (for instance, when you are attempting to get Notepad++ to open files in the system32 directory). You can use the virtual directory %windir%\Sysnative instead of %windir%\System32 (you will not see it in explorer, but you can type it in the address bar)

WOW64 is implemented in three DLLs: wow64.dll, wow64cpu.dll, and wow64win.dll (and 32-bit NTDLL). Redirection (among other things) is implemented in wow64.dll, CPU emulation / helper routines in wow64cpu.dll, and wow64win.dll contains thunks to win32k.sys (the kernel mode driver responsible for the windows GUI).