Page faults and instruction emulation

Alexandre Julliard julliard at
Thu Oct 18 20:02:17 CDT 2001

Ove Kaaven <ovehk at> writes:

> I know of two Wine architecture issues that must be resolved before the
> anti-debugger check can succeed in win95 mode.
> 1. it checks that teb->debug_context (TEB offset 0x20) is zero. In Wine,
> it isn't (the NT pid is stored there), so this check fails.
> Is it possible to change Wine's TEB structure to fix this?

It would probably break some of the NT native dlls.

> 2. it messes with the IDT. It uses the sidt instruction and tries to
> change the INT5 vector (BOUND exception vector), later to try to execute a
> BOUND and expect this vector to be branched to, all protected with
> exception handlers. Now, this would actually be possible for Wine to
> emulate, even though sidt is not a privileged instruction. The idea is
> that sidt returns an address to kernel space, where all access is
> prohibited, hence causing page faults. Wine could trap these, and then
> emulate the faulting instruction by operating on a fake IDT instead. And
> then the segfault caused by BOUND could then look up the fake IDT entry,
> and call the vector therein.
> But to emulate an instruction from Wine's pre-exception page fault handler
> (VIRTUAL_HandleFault()), the current context must be passed along to it,
> so VIRTUAL_HandleFault and all Wine handlers that can be registered with
> VIRTUAL_SetFaultHandler must get an extra parameter. Is this too
> objectionable to do?

The extra parameter is not that bad, but having to do full emulation
of all instructions accessing memory, plus the complete IDT handling,
is going to lead to major ugliness.

Wouldn't it be possible to somehow emulate the kernel driver to make
the NT version work?  That would be much cleaner.

Alexandre Julliard
julliard at
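
The trap-and-redirect idea from the quoted proposal, reduced to its fault-handling core; this is an added example, not part of the original message and not Wine code. It assumes a POSIX system, uses hypothetical names (`shadow_idt`, `guarded_store`, `guarded_load`, `fake_idt_init`), and services only accesses made through its own wrappers. A fault raised by an arbitrary application instruction would still have to be decoded from the saved CPU context, which is the emulation cost discussed in the reply.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* MAP_ANONYMOUS, sigsetjmp under strict -std */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed stand-in: 256 eight-byte gates, as in an x86 protected-mode IDT. */
static uint8_t shadow_idt[256 * 8];        /* fake IDT the emulator owns */
static uint8_t *guard_base;                /* inaccessible address shown to the app */
static sigjmp_buf fault_env;
static volatile uintptr_t fault_off;       /* offset of the faulting access */

static void on_fault(int sig, siginfo_t *si, void *uctx) {
    (void)uctx;   /* CPU context: what a real emulator would need to decode */
    uintptr_t a = (uintptr_t)si->si_addr, b = (uintptr_t)guard_base;
    if (a < b || a >= b + sizeof shadow_idt) {
        signal(sig, SIG_DFL);              /* not ours: let the retry crash normally */
        return;
    }
    fault_off = a - b;
    siglongjmp(fault_env, 1);
}

/* Map the no-access region and hook the fault signals. Returns 0 on success. */
int fake_idt_init(void) {
    struct sigaction sa;
    guard_base = mmap(NULL, sizeof shadow_idt, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guard_base == MAP_FAILED) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return sigaction(SIGBUS, &sa, NULL);   /* some systems report SIGBUS here */
}

/* Store/load one byte; return 1 if the access was redirected to shadow_idt. */
int guarded_store(volatile uint8_t *p, uint8_t v) {
    if (sigsetjmp(fault_env, 1) == 0) { *p = v; return 0; }
    shadow_idt[fault_off] = v;
    return 1;
}

int guarded_load(const volatile uint8_t *p, uint8_t *out) {
    if (sigsetjmp(fault_env, 1) == 0) { *out = *p; return 0; }
    *out = shadow_idt[fault_off];
    return 1;
}
```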
