[Bug 40969] New: Wine: DLL Injection on suspended process provides NULL arg for static library's DLLMain's lpvReserved value

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jul 17 02:41:26 CDT 2016


https://bugs.winehq.org/show_bug.cgi?id=40969

            Bug ID: 40969
           Summary: Wine: DLL Injection on suspended process provides NULL
                    arg for static library's DLLMain's lpvReserved value
           Product: Wine
           Version: 1.9.14
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: aheinerm at gmail.com
      Distribution: ---

WINE does not respect the behaviour of the lpvReserved argument in DLLMain.

From the documentation of DllMain
(https://msdn.microsoft.com/en-us/library/windows/desktop/ms682583(v=vs.85).aspx)
~~~
lpvReserved [in]
    If fdwReason is DLL_PROCESS_ATTACH, lpvReserved is NULL for dynamic loads
and non-NULL for static loads.

    If fdwReason is DLL_PROCESS_DETACH, lpvReserved is NULL if FreeLibrary has
been called or the DLL load failed and non-NULL if the process is terminating.
~~~

WINE does NOT respect this behaviour.

# EXAMPLE
Given the following:
A.exe, B.dll, C.dll

C.dll is statically linked from both A.exe and B.dll.
A.exe's process is started and suspended.
B.dll is injected into the A.exe process.

At some point the DllMain of C.dll is called. In WINE, the lpvReserved argument
is NULL, even though C.dll is statically loaded. In Windows 7, 8, and 10, the
lpvReserved argument is non-null.


# REAL WORLD IMPACT
https://github.com/bwapi/bwapi/issues/598
https://bugs.winehq.org/show_bug.cgi?id=40259

Blizzard Entertainment's Storm.dll library uses the lpvReserved to invoke a
different behaviour in its DllMain (why, I have no idea). Their video game
Starcraft: Broodwar is statically linked to this library. The third-party hack
DLL called BWAPI.dll is also statically linked to Storm.dll. The Hack launcher
called ChaosLauncher starts and suspends the Starcraft process and injects
various hacks (one being BWAPI). The error in the tracking issue above is
surfaced.

The issue surfaced because Storm performs some alternative initialization logic
that corrupts its ability to function correctly later. In order to temporarily
work around the issue I have forcefully undone the logic made in the other DLL
to cause it to malfunction.

In this case the executable and statically linked library are owned by a
company and their source codes are not available. It should be possible to
reproduce the issue in a more trivial example.

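The report closes by noting that a trivial reproducer should be possible. The following is such a minimal "C.dll": it is an added example, not code from the bug report, from Wine or from the Storm/BWAPI libraries mentioned above. Its DllMain classifies the (fdwReason, lpvReserved) pair exactly as the MSDN text quoted in the report describes and appends one line per call to a log file, so a Windows run and a Wine run of the A.exe / injected B.dll scenario can be diffed. The log file name, the MinGW build line, and the small Win32 type shim used for non-Windows builds are assumptions made for the example; on a non-Windows host only the classification helper and a demo main are compiled.

```c
/* Minimal "C.dll" reproducer for the lpvReserved semantics (added example,
 * not code from the bug report or from Wine).
 *
 * Build as a DLL with MinGW (assumed toolchain invocation):
 *   i686-w64-mingw32-gcc -shared -o C.dll c_dll.c
 * Link C.dll into both A.exe and the injected B.dll, run the suspended-inject
 * scenario under Windows and under Wine, then compare c_dll_log.txt.
 */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Assumed minimal shim of the Win32 types used here so the classification
 * logic can be compiled and unit-tested on a non-Windows host. */
typedef unsigned long DWORD;
typedef void *LPVOID;
typedef int BOOL;
typedef void *HINSTANCE;
#define TRUE 1
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#endif

/* What lpvReserved tells DllMain, per the MSDN text quoted in the report.
 * Enumerators are in the same order as the names table below. */
enum load_kind {
    LOAD_STATIC,          /* DLL_PROCESS_ATTACH, lpvReserved != NULL */
    LOAD_DYNAMIC,         /* DLL_PROCESS_ATTACH, lpvReserved == NULL (LoadLibrary) */
    UNLOAD_FREELIBRARY,   /* DLL_PROCESS_DETACH, lpvReserved == NULL */
    UNLOAD_TERMINATING,   /* DLL_PROCESS_DETACH, lpvReserved != NULL */
    LOAD_OTHER            /* thread attach/detach: lpvReserved carries no meaning */
};

enum load_kind classify_dllmain(DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        return lpvReserved ? LOAD_STATIC : LOAD_DYNAMIC;
    case DLL_PROCESS_DETACH:
        return lpvReserved ? UNLOAD_TERMINATING : UNLOAD_FREELIBRARY;
    default:
        return LOAD_OTHER;
    }
}

const char *load_kind_name(enum load_kind k)
{
    static const char *const names[] = {
        "static load (lpvReserved non-NULL)",
        "dynamic load (lpvReserved NULL)",
        "FreeLibrary / load failed (lpvReserved NULL)",
        "process terminating (lpvReserved non-NULL)",
        "thread attach/detach",
    };
    return names[k];
}

#ifdef _WIN32
/* Real entry point: one log line per call, written to the process's current
 * directory (file name is an assumption for the example). */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    FILE *f = fopen("c_dll_log.txt", "a");
    (void)hinstDLL;
    if (f) {
        fprintf(f, "reason=%lu reserved=%p -> %s\n",
                (unsigned long)fdwReason, lpvReserved,
                load_kind_name(classify_dllmain(fdwReason, lpvReserved)));
        fclose(f);
    }
    return TRUE;
}
#else
/* Host-side demo: show the two PROCESS_ATTACH cases the report contrasts. */
int main(void)
{
    int marker;
    printf("%s\n", load_kind_name(classify_dllmain(DLL_PROCESS_ATTACH, &marker)));
    printf("%s\n", load_kind_name(classify_dllmain(DLL_PROCESS_ATTACH, NULL)));
    return 0;
}
#endif
```

Under Windows the log line for C.dll's DLL_PROCESS_ATTACH in the A.exe process should read "static load", since both A.exe and the injected B.dll import C.dll; a "dynamic load" line in the same position under Wine is the discrepancy the report describes. The same DLL also exposes the detach-side difference (FreeLibrary versus process termination), which is the other half of the documented contract.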