[PATCH 3/3] ntoskrnl: Facilitate kernel object field offset fetchers.
Derek Lesho
dlesho at codeweavers.com
Fri Jun 19 12:35:09 CDT 2020
EasyAntiCheat.sys reads IoThreadToProcess and PsGetThreadProcessId to find out the offset of the
KPROCESS and PID fields in the KTHREAD structure. They rely on the mov instruction using a 32-bit
displacement to get the offset, so we have to make sure the fields are deep enough into the structure.
Signed-off-by: Derek Lesho <dlesho at codeweavers.com>
---
dlls/ntoskrnl.exe/ntoskrnl.c | 1 -
dlls/ntoskrnl.exe/ntoskrnl_private.h | 4 ++++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 818ff56d25..51603ec3d7 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -2394,7 +2394,6 @@ HANDLE WINAPI PsGetThreadId(PETHREAD thread)
*/
HANDLE WINAPI PsGetThreadProcessId( PETHREAD thread )
{
- TRACE( "%p -> %p\n", thread, thread->kthread.id.UniqueProcess );
return thread->kthread.id.UniqueProcess;
}
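Review bot: The TRACE removal in PsGetThreadProcessId is not explained in the commit message or in the code, so nothing stops a later cleanup from adding it back. If the intent is for the function body to begin with the field load that the driver decodes, add a short comment above the return saying so. The commit message also names IoThreadToProcess as a function the driver reads, but this patch does not touch it; it is worth confirming that it has no call ahead of its field access either. Note that the instruction shape still depends on the compiler and optimization level, which this change cannot guarantee.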
diff --git a/dlls/ntoskrnl.exe/ntoskrnl_private.h b/dlls/ntoskrnl.exe/ntoskrnl_private.h
index a1e1b892e8..9d56b236a5 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl_private.h
+++ b/dlls/ntoskrnl.exe/ntoskrnl_private.h
@@ -39,6 +39,8 @@ struct _OBJECT_TYPE
struct _EPROCESS
{
DISPATCHER_HEADER header;
+ /* padding to require a 32-bit displacement */
+ CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
PROCESS_BASIC_INFORMATION info;
BOOL wow64;
};
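Review bot: The padding added to struct _EPROCESS is not covered by the commit message, which only describes offsets inside KTHREAD. Please say in the commit message or in the comment which exported routine is being decoded for an EPROCESS offset. The comment "padding to require a 32-bit displacement" would also be clearer if it named the dependency (a driver parsing the mov instruction) and why 0x100 was chosen, since any offset of 0x80 or more is already outside the signed 8-bit displacement range. The expression 0x100 - sizeof(DISPATCHER_HEADER) is repeated in both structures and could be a single named constant.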
@@ -46,6 +48,8 @@ struct _EPROCESS
struct _KTHREAD
{
DISPATCHER_HEADER header;
+ /* padding to require a 32-bit displacement */
+ CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
PEPROCESS process;
CLIENT_ID id;
unsigned int critical_region;
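Review bot: Nothing in struct _KTHREAD enforces that process and id stay past the 8-bit displacement range, so a later reorder or a new field placed ahead of the padding would silently undo the workaround. Consider a compile-time assertion on offsetof(struct _KTHREAD, process) and offsetof(struct _KTHREAD, id) being at least 0x80, placed next to the structure definition. The padding comment here is identical to the one in _EPROCESS; stating that PsGetThreadProcessId and IoThreadToProcess are the functions whose encoding matters would make the constraint discoverable from the header.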
--
2.26.2