wow64进程中的x64模块? [英] x64 modules in a wow64 process?

问题描述

我在Win7 x64上调试时有一个小的32位进程，我看到它按预期加载了"C:\ windows \ sysWow64 \ ntdll.dll"，而且还加载了"C:\ windows \ system32 \ ntdll.dll" " .
我知道x64模块和x86模块不会混合，但是在这里，它们在混合...
怎么会呢?

I have a small 32bit process I'm debugging on win7 x64 and I see that it loads "C:\windows\sysWow64\ntdll.dll" as expected, but also "C:\windows\system32\ntdll.dll" .
I know that x64 modules and x86 modules do not mix, but here they are... mixing...
How can it be?

推荐答案

这是WOW64的特殊功能"，请参见

This is a special 'feature' of WOW64, see this article on MSDN. the relevant part is:

WOW64仿真器在用户模式下运行.它提供了之间的接口 Ntdll.dll和处理器内核的32位版本，以及 它拦截内核调用. WOW64仿真器包括 以下DLL:

The WOW64 emulator runs in user mode. It provides an interface between the 32-bit version of Ntdll.dll and the kernel of the processor, and it intercepts kernel calls. The WOW64 emulator consists of the following DLLs:

• Wow64.dll提供了核心仿真基础结构和thunk Ntoskrnl.exe入口点功能.

• Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.

Wow64Win.dll提供 对Win32k.sys入口点功能进行了修改.

Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.

Wow64Cpu.dll是一个 提取主机特征的接口库 处理器. (仅限Intel Itanium)

Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor. (Intel Itanium only)

IA32Exec.bin包含x86软件 仿真器. (仅限Intel Itanium)

IA32Exec.bin contains the x86 software emulator. (Intel Itanium only)

Wowia32x.dll提供了接口 在IA32Exec.bin和WOW64之间.

Wowia32x.dll provides the interface between IA32Exec.bin and WOW64.

这些DLL以及64位 版本的Ntdll.dll，是唯一可以加载的64位二进制文​​件 进入32位进程.

These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit process.

这篇关于wow64进程中的x64模块?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！