[06/23] ntdll: Map empty page if needed inside system mappings.

Matteo Bruni matteo.mystral at gmail.com
Sun Nov 13 17:35:48 CST 2016


2016-11-13 12:35 GMT-06:00 Andrew Wesie <awesie at gmail.com>:
> Some anti-debug protections will try to read all of the memory
> for a loaded system DLL. This patch will handle the page fault when
> it attempts to read the space between sections.
>
> Signed-off-by: Andrew Wesie <awesie at gmail.com>
> ---
>  dlls/ntdll/virtual.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
> index e826fa0..f70e9fc 100644
> --- a/dlls/ntdll/virtual.c
> +++ b/dlls/ntdll/virtual.c
> @@ -1512,6 +1512,11 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack )
>              /* ignore fault if page is writable now */
>              if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS;
>          }
> +        if (err == 0 && (view->protect & VPROT_SYSTEM))
> +        {
> +            wine_anon_mmap(page, page_size, PROT_READ, MAP_FIXED);
> +            ret = STATUS_SUCCESS;
> +        }
>          if (!on_signal_stack && (*vprot & VPROT_GUARD))
>          {
>              VIRTUAL_SetProt( view, page, page_size, *vprot & ~VPROT_GUARD );
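
Review bot: the added block under `if (err == 0 && (view->protect & VPROT_SYSTEM))` sets `ret = STATUS_SUCCESS` without checking the result of `wine_anon_mmap(page, page_size, PROT_READ, MAP_FIXED)`, so a failed mapping is still reported as a handled fault. Test the return value and only set `ret` on success. The condition also looks only at `err` and `view->protect` and never at `*vprot` for the faulting page, unlike the branches around it; since `MAP_FIXED` replaces whatever is mapped at `page`, consider narrowing the check to the case the commit message describes (the space between sections) and adding a short comment stating what `err == 0` covers here.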

This looks like a much nicer solution than my hack attached to the bug.
I don't have time right now to check for all the implications of this
patch; when / if I can get around to doing a proper review I'll sign it
off, for what it might be worth.


