This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 91%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDX%3C/text%3E%3C/svg%3E)
Why is the kernel pre loading not only the system32\ntdll.dll but also the syswow64\ntdll.dll into x86 processes?
Why can't the native ntdll.dll just load the wow version on its own in LdrpInitializeProcess?
I am asking because I was looking into hooking of system functions on ARM64 when running as a x86 process, and have noticed that the CHPE versions of the system dll's unlike for x64 on arm do not seam to take the control flow through the x86 stubs when doing things internally.
So I can't for example hook NtCreateFile and expect that hook to be triggered when calling CreateFileW, this is a problem.
I have noticed that when I delete the SyChpe32 directory windows is loading the x86 version of the ntdll which can be hooked just fine.
But obviously this is a unpractical solution, so I was wondering if I could hook LdrpInitializeProcess of the native arm64 ntdll.dll and unload the SyChpe32\ntdll.dll in my target process and instead load the SysWOW64\ntdll.dll in its place, but given that the other ntdll is pre loaded by the kernel I wonder if this approach is even feasible or if there is something that will prevent it from working?
I don't believe that this approach is feasible. You could try the concepts and ideas in this article:
https://learn.microsoft.com/en-us/windows/win32/winprog64/wow64-implementation-details
--------------------
--If the reply is helpful, please Upvote and Accept as answer--
