Question

I have a small 32-bit process I'm debugging on Win7 x64 and I see that it loads "C:\windows\sysWow64\ntdll.dll" as expected, but also "C:\windows\system32\ntdll.dll".
I know that x64 modules and x86 modules do not mix, but here they are... mixing...
How can it be?


Solution

This is a special 'feature' of WOW64; see this article on MSDN. The relevant part is:

The WOW64 emulator runs in user mode. It provides an interface between the 32-bit version of Ntdll.dll and the kernel of the processor, and it intercepts kernel calls. The WOW64 emulator consists of the following DLLs:

  • Wow64.dll provides the core emulation infrastructure and the thunks for the Ntoskrnl.exe entry-point functions.

  • Wow64Win.dll provides thunks for the Win32k.sys entry-point functions.

  • Wow64Cpu.dll is an interface library that abstracts characteristics of the host processor. (Intel Itanium only)

  • IA32Exec.bin contains the x86 software emulator. (Intel Itanium only)

  • Wowia32x.dll provides the interface between IA32Exec.bin and WOW64.

These DLLs, along with the 64-bit version of Ntdll.dll, are the only 64-bit binaries that can be loaded into a 32-bit process.
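A way to confirm which of the two ntdll.dll copies is which, as an added example that is not part of the original question or answer: the script below reads the PE file header of a module and reports its Machine field (x86 vs. x64), and on Windows it enumerates a process's modules with EnumProcessModulesEx using LIST_MODULES_ALL, which is what a 64-bit viewer needs to see both the 32-bit and the 64-bit modules of a WOW64 process. The stub PE headers it builds for offline use are constructed sample data, not real images; the helper names (pe_machine, make_stub_pe, list_process_modules) are this example's own, and the Windows part assumes the script itself runs as 64-bit Python so that the System32 path is not redirected to SysWOW64.

```python
"""Report whether each module loaded in a process is an x86 or an x64 PE image.

Added example, not code from the original post. PE parsing and the stub
headers run anywhere; list_process_modules() is Windows-only.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86 (I386)",
                 IMAGE_FILE_MACHINE_AMD64: "x64 (AMD64)"}


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine from the start of a PE image; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte "PE\0\0" signature plus the 20-byte IMAGE_FILE_HEADER.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def pe_machine_or_none(data: bytes):
    """Same as pe_machine() but returns None instead of raising on malformed input."""
    try:
        return pe_machine(data)
    except ValueError:
        return None


def describe_machine(machine: int) -> str:
    return MACHINE_NAMES.get(machine, "unknown (0x%04X)" % machine)


def make_stub_pe(machine: int) -> bytes:
    """Constructed sample data: a minimal, non-loadable PE header with the given Machine value."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + file_header


def list_process_modules(pid: int):
    """Windows only: (path, machine description) for every module in the process, 32- and 64-bit alike."""
    import ctypes
    from ctypes import wintypes
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    LIST_MODULES_ALL = 0x03  # without this, a 64-bit caller only sees its own bitness
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    psapi.EnumProcessModulesEx.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                           wintypes.DWORD, wintypes.LPDWORD, wintypes.DWORD]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD]
    h = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        mods = (wintypes.HMODULE * 1024)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcessModulesEx(h, mods, ctypes.sizeof(mods),
                                          ctypes.byref(needed), LIST_MODULES_ALL):
            raise ctypes.WinError(ctypes.get_last_error())
        count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(mods))
        results = []
        for hmod in mods[:count]:
            path = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
            psapi.GetModuleFileNameExW(h, hmod, path, wintypes.MAX_PATH)
            with open(path.value, "rb") as f:          # header is in the first page
                results.append((path.value, describe_machine(pe_machine(f.read(4096)))))
        return results
    finally:
        kernel32.CloseHandle(h)


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:
        for path, kind in list_process_modules(int(sys.argv[1])):
            if path.lower().endswith("ntdll.dll"):
                print(kind, path)
    else:  # offline demonstration on constructed headers
        for m in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
            print(describe_machine(pe_machine(make_stub_pe(m))))
```

Run as `python wow64_modules.py <pid>` from 64-bit Python against the 32-bit process; the expected picture on the system described in the question is SysWOW64\ntdll.dll reported as x86 and System32\ntdll.dll reported as x64. Without LIST_MODULES_ALL a 64-bit caller gets only the 64-bit modules (LIST_MODULES_DEFAULT), which is why tools that miss the flag show a different module list than the debugger.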

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow