[Bug 44658] Multiple Win7+ APIset lookup/resolver tools need 'ApiSetMap' field in PEB (ApiSetView, Dependencies)

WineHQ Bugzilla wine-bugs at winehq.org
Mon May 4 17:56:03 CDT 2020 

https://bugs.winehq.org/show_bug.cgi?id=44658

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download
                URL|                            |https://github.com/zodiacon
                   |                            |/ApiSetView/releases/downlo
                   |                            |ad/v0.8/ApiSetView.exe
            Summary|Custom Win7+ APIset         |Multiple Win7+ APIset
                   |lookup/resolver tool relies |lookup/resolver tools need
                   |on presence of 'ApiSetMap'  |'ApiSetMap' field in PEB
                   |field in PEB                |(ApiSetView, Dependencies)

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting. I've found a couple of projects on Github making use of 'ApiSetMap'
field in PEB.

https://github.com/lucasg/Dependencies ("Dependencies - An open-source modern
Dependency Walker") -> .NET 4.0

https://github.com/zodiacon/ApiSetView ("Api Set Viewer")

https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe

--- snip ---
$ WINEDEBUG=+seh,+relay wine ./ApiSetView.exe >>log.txt 2>&1
...
00b4:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4031f1 ip=004031f1
tid=00b4
00b4:trace:seh:raise_exception  info[0]=00000000
00b4:trace:seh:raise_exception  info[1]=00000010
00b4:trace:seh:raise_exception  eax=00000000 ebx=7e840e68 ecx=0031fafc
edx=0031fafc esi=0031fb10 edi=00000000
00b4:trace:seh:raise_exception  ebp=0031f9cc esp=0031f96c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
00b4:trace:seh:call_stack_handlers calling handler at 0x46a853 code=c0000005
flags=0 
...
wine: Unhandled page fault on read access to 00000010 at address 004031F1
(thread 00b4), starting debugger... 
--- snip ---

Disassembly of crash site:

--- snip ---
004031B0 | push ebp                        |
004031B1 | mov ebp,esp                     |
004031B3 | push FFFFFFFF                   |
004031B5 | push apisetview.46A853          |
004031BA | mov eax,dword ptr fs:[0]        |
004031C0 | push eax                        |
004031C1 | sub esp,44                      |
004031C4 | push ebx                        |
004031C5 | push esi                        |
004031C6 | push edi                        |
004031C7 | mov eax,dword ptr ds:[47B320]   |
004031CC | xor eax,ebp                     |
004031CE | push eax                        |
004031CF | lea eax,dword ptr ss:[ebp-C]    |
004031D2 | mov dword ptr fs:[0],eax        |
004031D8 | mov edx,ecx                     |
004031DA | mov dword ptr ss:[ebp-28],edx   |
004031DD | mov eax,dword ptr fs:[18]       |
004031E3 | mov eax,dword ptr ds:[eax+30]   | PEB
004031E6 | mov edi,dword ptr ds:[eax+38]   | PEB->ApiSetMap
004031E9 | mov eax,dword ptr ds:[edx+8]    |
004031EC | sub eax,dword ptr ds:[edx]      |
004031EE | sar eax,5                       |
004031F1 | mov ebx,dword ptr ds:[edi+10]   | *boom*
...
--- snip ---

Corresponding source code:

https://github.com/zodiacon/ApiSetView/blob/master/ApiSetView/ApiSets.cpp#L59

--- snip ---
void ApiSets::Build() {
    auto peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    auto apiSetMap = static_cast<PAPI_SET_NAMESPACE>(peb->Reserved9[0]);
    auto apiSetMapAsNumber = reinterpret_cast<ULONG_PTR>(apiSetMap);

    auto nsEntry =
reinterpret_cast<PAPI_SET_NAMESPACE_ENTRY>((apiSetMap->EntryOffset +
apiSetMapAsNumber));

    _entries.reserve(apiSetMap->Count);

    for (ULONG i = 0; i < apiSetMap->Count; i++) {
        ApiSetEntry entry;
        entry.Name = CString(reinterpret_cast<PWCHAR>(apiSetMapAsNumber +
nsEntry->NameOffset), static_cast<int>(nsEntry->NameLength / sizeof(WCHAR)));
        entry.Sealed = (nsEntry->Flags & API_SET_SCHEMA_ENTRY_FLAGS_SEALED) !=
0;

        auto valueEntry =
reinterpret_cast<PAPI_SET_VALUE_ENTRY>(apiSetMapAsNumber +
nsEntry->ValueOffset);
        for (ULONG j = 0; j < nsEntry->ValueCount; j++) {
            CString value(reinterpret_cast<PWCHAR>(apiSetMapAsNumber +
valueEntry->ValueOffset), valueEntry->ValueLength / sizeof(WCHAR));
            entry.Values.push_back(value);

            if (valueEntry->NameLength != 0) {
                CString alias(reinterpret_cast<PWCHAR>(apiSetMapAsNumber +
valueEntry->NameOffset), valueEntry->NameLength / sizeof(WCHAR));
                entry.Aliases.push_back(alias);
            }

            valueEntry++;
        }
        nsEntry++;
        _entries.push_back(entry);
    }
}
--- snip ---

$ sha1sum ApiSetView.exe 
9cc5f8d2c3008ee956fa1a2ea24f39eed8cc4b73  ApiSetView.exe

$ du -sh ApiSetView.exe 
620K    ApiSetView.exe

$ sha1sum Dependencies_x86_Release.zip 
b8ab5292100e11e009acf9289d27478c6b9413ac  Dependencies_x86_Release.zip

$ du -sh Dependencies_x86_Release.zip 
3.9M    Dependencies_x86_Release.zip

$ wine --version
wine-5.7-209-g4e2ad334b5

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list