When I open a binary(in this case it is C:\\Windows\\System32\\notepad.exe), different hex editors show different result each other, for the one same file. I tested it on starting point of section headers, so notice the starting address of 2E 74 65 78 74 00 00 00 (".text...").
- HxD :
— Starts at 00000200. - UltraEdit :
— Starts at 00000200. - PEview :
— Starts at 000001E8. - Frhed :
— Starts at 000001E8.
Answer
These are different files.
From When is System32 not System32? [emphasis mine]:
In 32-bit Windows there is just one
System32folder which contains many native binaries (or hard links), and there is no way to execute 64-bit code on 32-bit Windows.With 64-bit Windows, however, we have "Windows On Windows 64" (WOW64) which allows 32-bit processes to run through a wrapper, and there are some things to take into account in this scenario:
Only 32-bit DLLs can be loaded into 32-bit processes, and only 64-bit DLLs can be loaded into 64-bit processes.
[…]32-bit processes expect to work seamlessly on 64-bit Windows, so because of (1) we need to have both 32-bit and 64-bit versions of some binaries.
[…]In order to facilitate (2) but not break native (x64) processes' behaviour, 32-bit processes get certain I/O redirected without their knowledge.
[…][…]
For 32-bit processes running on x64 Windows:
-%systemroot%\System32is redirected to%systemroot%\SysWOW64
[…]
My guess is some hex editors are 32-bit and get redirected to SysWOW64, some are 64-bit and see the "real" System32. Different editors perceive different System32, hence different notepad.exe.
If you copy notepad.exe to a folder that is not affected and analyze the copy then all editors will show the same content. Which file will you see? This depends whether the copying tool is 32-bit or 64-bit.
No comments:
Post a Comment