问题描述

我在Win7 x64上调试时有一个小的32位进程，我看到它按预期加载了"C:\ windows \ sysWow64 \ ntdll.dll"，而且还加载了"C:\ windows \ system32 \ ntdll.dll" ".
我知道x64模块和x86模块不会混合，但是在这里，它们在混合...
怎么会呢?

I have a small 32bit process I'm debugging on win7 x64 and I see that it loads "C:\windows\sysWow64\ntdll.dll" as expected, but also "C:\windows\system32\ntdll.dll".
I know that x64 modules and x86 modules do not mix, but here they are... mixing...
How can it be?

推荐答案

这是WOW64的特殊功能"，请参见这篇文章.相关的部分是:

This is a special 'feature' of WOW64, see this article on MSDN. the relevant part is:

• Wow64.dll提供了核心仿真基础结构和thunk Ntoskrnl.exe入口点功能.

• Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.

Wow64Win.dll提供 对Win32k.sys入口点功能进行了修改.

Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.

Wow64Cpu.dll是一个 提取主机特征的接口库 处理器. (仅限Intel Itanium)

Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor. (Intel Itanium only)

IA32Exec.bin包含x86软件 仿真器. (仅限Intel Itanium)

IA32Exec.bin contains the x86 software emulator. (Intel Itanium only)

Wowia32x.dll提供了接口 在IA32Exec.bin和WOW64之间.

Wowia32x.dll provides the interface between IA32Exec.bin and WOW64.

这些DLL以及64位 版本的Ntdll.dll，是唯一可以加载的64位二进制文​​件 进入32位进程.

These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit process.

这篇关于wow64进程中的x64模块?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！