Page faults and instruction emulation

Ove Kaaven ovehk at
Thu Oct 18 19:40:03 CDT 2001

As we all know, some (kinda worthless) "copy protection" software exist
out there that doesn't work under Wine. Some of these work under win9x and
winNT by using a different set of techniques for each OS. The winNT code
installs a kernel driver, so I'm mainly interested in the win95 code,
which only messes with Win95 internals to check that no debugger is
snooping, before proceeding.

I know of two Wine architecture issues that must be resolved before the
anti-debugger check can succeed in win95 mode.

1. it checks that teb->debug_context (TEB offset 0x20) is zero. In Wine,
it isn't (the NT pid is stored there), so this check fails.

Is it possible to change Wine's TEB structure to fix this?

2. it messes with the IDT. It uses the sidt instruction and tries to
change the INT5 vector (BOUND exception vector), later to try to execute a
BOUND and expect this vector to be branched to, all protected with
exception handlers. Now, this would actually be possible for Wine to
emulate, even though sidt is not a privileged instruction. The idea is
that sidt returns an address to kernel space, where all access is
prohibited, hence causing page faults. Wine could trap these, and then
emulate the faulting instruction by operating on a fake IDT instead. And
then the segfault caused by BOUND could then look up the fake IDT entry,
and call the vector therein.

But to emulate an instruction from Wine's pre-exception page fault handler
(VIRTUAL_HandleFault()), the current context must be passed along to it,
so VIRTUAL_HandleFault and all Wine handlers that can be registered with
VIRTUAL_SetFaultHandler must get an extra parameter. Is this too
objectionable to do?


More information about the wine-devel mailing list