The WOW-Effect

2011/11/30
A paper about how Microsoft's WOW64 technology unintentionally fools IT-Security analysts.


Publication Date

November 30th, 2011

Author

Christian Wojner

Language

English

History

You can download the full document in pdf format here.

Presentation Slides

You can download the latest presentation slides (Deepsec 2012) in pdf format here.

Presentation Video

As soon as the recordings of our presentation at Deepsec 2012 (thanks to the Deepsec folks!) are available, you will find a link to them here.


Content

The 64-bit version of Microsoft Windows includes file-system virtualization features (part of WOW64) to run 32-bit programs. In certain cases file access is transparently redirected to other directories, so the path a 32-bit program opens is not the path the operating system actually hands it.

This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations.

In the worst case this can lead to an entirely wrong interpretation of a case/situation.

While this issue is not entirely new, it is necessary to raise the IT-Security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the file system redirector.
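To make the redirector's behaviour concrete, the following added example (not code from the paper or its author) does two things: it models, in pure Python, how WOW64 maps paths requested by a 32-bit process (the System32 to SysWOW64 redirect, Microsoft's documented exemptions such as drivers\etc and catroot, and the Sysnative alias), and on a real Windows host it uses ctypes to ask whether the current interpreter is a 32-bit process under WOW64 and to open a short window with redirection disabled. The assumptions are that %windir% is C:\Windows and that the exemption list matches Microsoft's File System Redirector documentation; the sample paths are constructed for illustration.

```python
"""Model of the WOW64 file-system redirector plus a live check on Windows.

Added example; not part of the paper. Assumes %windir% is C:\\Windows and
uses the exemption list from Microsoft's File System Redirector docs.
"""
from __future__ import annotations

import contextlib
import ctypes
import os
import sys
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\Windows")        # assumption: default %windir%
SYSTEM32 = WINDIR / "System32"                  # real 64-bit system directory
SYSWOW64 = WINDIR / "SysWOW64"                  # where 32-bit requests land
SYSNATIVE = WINDIR / "Sysnative"                # alias 32-bit processes may use

# Subdirectories of System32 that WOW64 leaves alone (relative, lower-case,
# '/'-joined). Everything else under System32 is redirected to SysWOW64.
EXEMPT_SUBDIRS = ("catroot", "catroot2", "driverstore", "drivers/etc",
                  "logfiles", "spool")


def _parts(path: str) -> list[str]:
    """Case-folded path components, so comparisons ignore Windows casing."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def effective_path(requested: str, wow64: bool,
                   redirection_enabled: bool = True) -> str:
    """Return the path the OS actually opens when `requested` is asked for.

    wow64: caller is a 32-bit process on 64-bit Windows.
    redirection_enabled: False models a Wow64DisableWow64FsRedirection window.
    """
    if not wow64:
        return requested  # native 64-bit process: no redirection at all
    parts = _parts(requested)
    sysnative = _parts(str(SYSNATIVE))
    if parts[:len(sysnative)] == sysnative:
        # Sysnative is a virtual directory only 32-bit processes see; it always
        # resolves to the real System32, even while redirection is enabled.
        rest = PureWindowsPath(requested).parts[len(sysnative):]
        return str(SYSTEM32.joinpath(*rest))
    sys32 = _parts(str(SYSTEM32))
    if not redirection_enabled or parts[:len(sys32)] != sys32:
        return requested
    rest = PureWindowsPath(requested).parts[len(sys32):]
    rest_lower = "/".join(p.lower() for p in rest)
    for exempt in EXEMPT_SUBDIRS:
        if rest_lower == exempt or rest_lower.startswith(exempt + "/"):
            return requested  # documented exemption: not redirected
    return str(SYSWOW64.joinpath(*rest))  # the surprise an analyst's 32-bit tool sees


def running_under_wow64() -> bool | None:
    """True if this interpreter is a 32-bit process on 64-bit Windows,
    False if it is native, None when not running on Windows at all."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    k32.IsWow64Process.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.BOOL)]
    flag = wintypes.BOOL(0)
    if not k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag)):
        raise ctypes.WinError(ctypes.get_last_error())
    return bool(flag.value)


@contextlib.contextmanager
def native_view():
    """Disable WOW64 redirection for the calling thread inside the block.

    No-op for native processes and off Windows. Keep the window short: DLL
    loads done while redirection is off can fail because they resolve to the
    64-bit System32.
    """
    if not running_under_wow64():
        yield
        return
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.Wow64DisableWow64FsRedirection.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    k32.Wow64RevertWow64FsRedirection.argtypes = [ctypes.c_void_p]
    old_value = ctypes.c_void_p()
    if not k32.Wow64DisableWow64FsRedirection(ctypes.byref(old_value)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        yield
    finally:
        k32.Wow64RevertWow64FsRedirection(old_value)


if __name__ == "__main__":
    # Constructed sample paths: what a 32-bit tool asks for vs. what it gets.
    for p in (r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\drivers\etc\hosts",
              r"C:\Windows\System32\drivers\ntfs.sys",
              r"C:\Windows\Sysnative\cmd.exe"):
        print(f"{p} -> {effective_path(p, wow64=True)}")
    if running_under_wow64():
        with native_view():
            print(os.listdir(str(SYSTEM32))[:5])  # now the real System32
```

A practitioner's check before trusting any file listing from a 32-bit tool on a 64-bit host: call `running_under_wow64()`, and if it is true, either read the directory under `native_view()` or address it through the Sysnative alias; otherwise a request for System32 silently returns the contents of SysWOW64.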