Application cannot be run in Win32 mode



I'm currently doing a bunch of tests for AV and AS stuff and I was in need of a rootkit..

So I went on the website and well downloaded a couple of rootkits and when I try to run the malware.exe it tells me "Application cannot be run in Win32 mode"

I'm trying to install them on Windows XP and I made sure that the "malwares" were for Win32.

Example :

MD5 --> 4a23e65f63f7475e8b286bfd676a0820

It says :
Magic File Type:
PE executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Kaspersky Rootkit.Win32.Agent.c

So I guess Windows can execute it... but I still get the message of can't run in win32 mode...

Taking a wild guess

MS Windows (DLL)


I'd say you would want to use some rundll32 commands or try registering the DLL itself and give it some time.

Did you have a particular need for a specific type rootkit?

If not, thread above is an interesting downloader. It will usually only install one vundo dll and the senka rootkit, which would be very nice for testing if you allowed it a reboot and then did your testing. Vundo can be easily removed, leaving only the rootkit in place.

Rootkit needs

For DLL yeah I guess I have to register them, but the files were executable. I finally got an executable that seems to be working fine..

I'm quite new in the "rootkit" infection domain (intern in computer security), but what I have to do is simply infect a test machine with a rootkit and, if possible, make our AV/AS detect it and do tests around it...

So no, there is no specific thing for the rootkit, just one that can be detected once installed. From what I've read, once a rootkit is installed it's mostly undetectable...

fake error

Also some malware shows a fake error/warning while it is running in the background.

A lot of rootkits come in

A lot of rootkits come in the form of drivers which should be run using a service or something like that. Here is a sample of the Sony XCP rootkit (mirror) with an associated reg file to make a service for it, once you import the reg file you will have to change the path to the sys file, the password to the archive is: password
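An added example, not part of the thread or written by any poster: a static check of the PE header fields the replies above turn on (the DLL flag in the COFF characteristics, and the subsystem value that marks a native image such as a driver), read without executing the file. `classify_pe` and `build_header` are hypothetical names, and the header bytes are constructed for the demonstration.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows console"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL


def classify_pe(data: bytes) -> dict:
    """Report how a PE image is meant to be loaded. Reads headers only."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 + 70 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, symbol table
    # pointer and count, SizeOfOptionalHeader, Characteristics.
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem sits at offset 68 of the optional header in both formats.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    if subsystem == 1:
        kind = "native image (driver or native application)"
    elif chars & IMAGE_FILE_DLL:
        kind = "DLL"
    else:
        kind = "EXE"
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "kind": kind,
    }


def build_header(machine: int, characteristics: int, subsystem: int) -> bytes:
    """Constructed sample: a bare PE32 header with no sections or code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, hdr in [("dll", build_header(0x14C, 0x2102, 2)),
                      ("driver", build_header(0x14C, 0x0102, 1))]:
        print(name, classify_pe(hdr))
```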

same error on all ZeroAccess samples

I am getting the same error message - "Application cannot be run in Win32 mode" - when attempting to run any of the ZeroAccess samples. I tried on 3 computers and get the same message. I too have made sure that the samples were for 32-bit. I am able to run other samples from this site but none of the ZeroAccess samples.