
The WOW-Effect

2011/11/30

A paper about how Microsoft's WOW64 technology unintentionally fools IT-Security analysts.


Download

Publication Date: November 30th, 2011
Author: Christian Wojner
Language: English

You can download the full document in pdf format here.

Content

The 64-bit version of Microsoft Windows includes file-system virtualization features to run 32-bit programs. File access is transparently redirected to other directories in certain cases.

This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations.

In the worst case this can lead to an entirely wrong interpretation of a case/situation.

While this issue is not entirely new, it is necessary to raise the IT-Security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the file system redirector.
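
As an added illustration (not taken from the paper), the following Python example maps a path as a 32-bit tool on 64-bit Windows names it to the location actually reached, following the System32, Sysnative and regedit.exe rules in Microsoft's File System Redirector documentation. The function names, the default `C:\Windows` root and the sample paths are assumptions constructed for this example.

```python
import ntpath

# System32 subdirectories that Microsoft documents as exempt from redirection.
EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc", "logfiles", "spool")


def real_path(path, windir=r"C:\Windows"):
    """On-disk path a 32-bit (WOW64) process reaches when it opens `path`.

    Assumes redirection is active, i.e. the tool has not turned it off
    with Wow64DisableWow64FsRedirection.
    """
    norm, win = ntpath.normpath(path), ntpath.normpath(windir)
    low, wlow = norm.lower(), win.lower()
    if low != wlow and not low.startswith(wlow + "\\"):
        return norm                      # outside %windir%: never redirected
    rest = norm[len(win):].lstrip("\\")
    head, _, tail = rest.partition("\\")
    if head.lower() == "sysnative":      # alias for the native 64-bit System32
        return ntpath.normpath(ntpath.join(win, "System32", tail))
    if head.lower() == "system32":
        t = tail.lower()
        if any(t == e or t.startswith(e + "\\") for e in EXEMPT):
            return norm                  # exempt subtree: same files for both views
        return ntpath.normpath(ntpath.join(win, "SysWOW64", tail))
    if rest.lower() == "regedit.exe":
        return ntpath.join(win, "SysWOW64", "regedit.exe")
    return norm


def is_redirected(path, windir=r"C:\Windows"):
    """True when a 32-bit tool's view of `path` differs from the on-disk location."""
    return real_path(path, windir).lower() != ntpath.normpath(path).lower()


if __name__ == "__main__":
    # Constructed sample: paths as a 32-bit analysis tool might report them.
    observed = [
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\drivers\etc\hosts",
        r"C:\Windows\System32\drivers\example.sys",
        r"C:\Windows\Sysnative\cmd.exe",
        r"C:\Users\analyst\sample.bin",
    ]
    for p in observed:
        flag = "REDIRECTED" if is_redirected(p) else "as named"
        print(f"{p:45} -> {real_path(p):45} [{flag}]")
```

Running a check like this over paths collected by a 32-bit tool shows which entries need to be re-examined from a 64-bit process or through the Sysnative alias.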

Contact
Email: reports@cert.at
Phone: +43 1 5056416 78
Last Change: 2011/11/30 - 23:28:49