3

When I run notepad.exe with x64dbg it runs as a WOW64 process. But when I run it with x32dbg it runs as an x64 process with x64 instructions. I am running it from the same directory, C:\Windows\System32\notepad.exe, but in Process Explorer I see a different executable location for the WOW64 process: C:\Windows\SysWOW64\notepad.exe

However, when I open both executables in the WOW64 and System32 directories in PE-Bear, both have the same OptionalHeader.Magic = NT32 and both have the same 32-bit instructions.

Why is this happening and where can I find the x64 executable?

SSSSSXXXXX
  • 31
  • 2
  • You could try specifying the file as C:\Windows\Sysnative\notepad.exe (can't be browsed, but should be possible to give as a path) and should always get the same file. The rest is explained by WOW64 file system redirection as outlined in the answer and the comment on the answer. – 0xC0000022L Jan 15 '23 at 20:37

1 Answer

2

It looks like you are running on 64-bit Windows. For legacy compatibility, system32 contains 64-bit programs and wow64 contains 32-bit programs. When something is requested by a 32-bit program from system32, it is redirected to syswow64.

A full explanation is here: Windows Club

WOW stands for Windows on Windows and syswow64 is a compatibility layer for 32-bit programs running on 64-bit Windows.

A fuller explanation is here: Wikipedia

My guess is that File Explorer (and/or PE-Bear) is getting redirected and you are actually looking at the same file.

They are two different files with different headers as seen in the image

Comparison

Rohit Gupta
  • 257
  • 2
  • 3
  • 12
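
A way to check which file a given tool really opens, added here as an example and not part of the question, comment or answer above: read the COFF `Machine` field and `OptionalHeader.Magic` directly and compare the System32, SysWOW64 and Sysnative paths from the process doing the reading. The names `pe_bitness` and `make_sample` are hypothetical, and the sample headers are constructed so the parser can be exercised on any OS.

```python
import os
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}

def pe_bitness(data: bytes):
    """Return (Machine, OptionalHeader.Magic) names from the start of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    if len(data) < e_lfanew + 26:
        raise ValueError("truncated PE header")
    # The 20-byte COFF header follows the 4-byte signature; Machine is its
    # first field and the optional header (Magic first) comes right after it.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return MACHINES.get(machine, hex(machine)), MAGICS.get(magic, hex(magic))

def make_sample(machine: int, magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal header (not a real notepad.exe) for offline testing."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)

if __name__ == "__main__":
    # The bitness of *this* process decides whether System32 is redirected.
    print("reader process is %d-bit" % (struct.calcsize("P") * 8))
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for sub in ("System32", "SysWOW64", "Sysnative"):
        path = os.path.join(root, sub, "notepad.exe")
        # Sysnative is an alias that only resolves inside a 32-bit process.
        if not os.path.exists(path):
            print(f"{path}: not visible from this process")
            continue
        with open(path, "rb") as fh:
            print(path, "->", pe_bitness(fh.read(4096)))
```

If System32 and SysWOW64 report the same values when read from a 32-bit interpreter but different values from a 64-bit one, the tool's own bitness, not the file, explains the identical headers.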