[Bug 12859] HideThreadFromDebugger in NtSetInformationThread

wine-bugs at winehq.org wine-bugs at winehq.org
Sun May 17 05:51:15 CDT 2009 

http://bugs.winehq.org/show_bug.cgi?id=12859





--- Comment #7 from Anastasius Focht <focht at gmx.net>  2009-05-17 05:51:14 ---
Hello,

well I incidentally found an application which makes use of this (there are
probably more).
Newer versions of "Exeinfo PE" (Win32 PE identifier for packers, compressors,
used compilers, exe protectors, obfuscators ..) have some anti-debugging tricks
added.
The application is coded in a way that Wine's STATUS_NOT_IMPLEMENTED return
value is used for pointer parameter in next call, which queries for
unimplemented "ProcessDebugObjectHandle" information class.
I'll file a separate bug for "ProcessDebugObjectHandle".

--- snip ---
0021:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000)
ret=004da0d5
0021:fixme:thread:NtSetInformationThread info class 17 not supported yet
0021:Ret  ntdll.NtSetInformationThread() retval=c0000002 ret=004da0d5
0021:Call
ntdll.NtQueryInformationProcess(ffffffff,0000001e,c0000002,00000004,00000000)
ret=004da0e4
...
--- snip ---

Brain damaged app code or purpose (reconstruced and annotated after unpacking)
... decide.

--- snip ---
...
pushl    $0x0
pushl    $0x0
pushl    $0x11
pushl    $0xfe
call    _NtSetInformationThread_thunk
pushl    %eax
pushl    $0x0
pushl    $0x4
pushl    %eax
pushl    $0x1e
pushl    $0xff
call    _NtQueryInformationProcess_thunk
popl    %eax
testl    %eax,%eax
jnz    bad_guy_we_are_being_debugged
...
--- snip ---

Just faking "success" for ThreadHideFromDebugger is the way to go as there is
no need for real implementation like Windows has (see comment #4).
Also this is not an "enhancement" anymore as real apps depend on this.

Send the patch to wine-patches for review/inclusion.
If the initial bug reporter isn't active anymore, let someone other do it ;-)

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list