[PATCH 3/3] ntoskrnl: Facilitate kernel object field offset fetchers.

Zebediah Figura zfigura at codeweavers.com
Fri Jun 19 13:43:54 CDT 2020 

This subject line seems very confusingly worded. I'd suggest trying to
describe what the patch does instead of why, e.g. 'force the "info"
field of "_EPROCESS" to have an offset of at least 256.'

On 6/19/20 12:35 PM, Derek Lesho wrote:
> EasyAntiCheat.sys reads IoThreadToProcess and PsGetThreadProcessId to find out the offset of the
> KPROCESS and PID fields in the KTHREAD structure.  They rely on the mov instruction using a 32-bit
> displacement to get the offset, so we have to make sure the fields are deep enough into the structure.
> 
> Signed-off-by: Derek Lesho <dlesho at codeweavers.com>
> ---
>  dlls/ntoskrnl.exe/ntoskrnl.c         | 1 -
>  dlls/ntoskrnl.exe/ntoskrnl_private.h | 4 ++++
>  2 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
> index 818ff56d25..51603ec3d7 100644
> --- a/dlls/ntoskrnl.exe/ntoskrnl.c
> +++ b/dlls/ntoskrnl.exe/ntoskrnl.c
> @@ -2394,7 +2394,6 @@ HANDLE WINAPI PsGetThreadId(PETHREAD thread)
>   */
>  HANDLE WINAPI PsGetThreadProcessId( PETHREAD thread )
>  {
> -    TRACE( "%p -> %p\n", thread, thread->kthread.id.UniqueProcess );

Why remove this trace?

>      return thread->kthread.id.UniqueProcess;

While this may reliably work in practice, there's no guarantee of it. It
may be a better idea to reimplement the functions in assembly for the
architectures that need it.

>  }
>  
> diff --git a/dlls/ntoskrnl.exe/ntoskrnl_private.h b/dlls/ntoskrnl.exe/ntoskrnl_private.h
> index a1e1b892e8..9d56b236a5 100644
> --- a/dlls/ntoskrnl.exe/ntoskrnl_private.h
> +++ b/dlls/ntoskrnl.exe/ntoskrnl_private.h
> @@ -39,6 +39,8 @@ struct _OBJECT_TYPE
>  struct _EPROCESS
>  {
>      DISPATCHER_HEADER header;
> +    /* padding to require a 32-bit displacement */

I don't think this comment is nearly specific enough. "32-bit
displacement" is meaningless unless you mention the architecture,
instruction, and where that instruction is used. Essentially, everything
that's in the patch summary should probably be here instead.

> +    CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];

Presumably this doesn't have to be at offset exactly 0x100; i.e. the "-
sizeof(DISPATCHER_HEADER)" is unnecessary.

>      PROCESS_BASIC_INFORMATION info;
>      BOOL wow64;
>  };
> @@ -46,6 +48,8 @@ struct _EPROCESS
>  struct _KTHREAD
>  {
>      DISPATCHER_HEADER header;
> +    /* padding to require a 32-bit displacement */
> +    CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];

See above.

>      PEPROCESS process;
>      CLIENT_ID id;
>      unsigned int critical_region;
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20200619/b840acec/attachment.sig>

More information about the wine-devel mailing list