[PATCH 3/3] ntoskrnl: Facilitate kernel object field offset fetchers.
Derek Lesho
dlesho at codeweavers.com
Fri Jun 19 14:03:05 CDT 2020
On 6/19/20 1:43 PM, Zebediah Figura wrote:
> This subject line seems very confusingly worded. I'd suggest trying to
> describe what the patch does instead of why, e.g. 'force the "info"
> field of "_EPROCESS" to have an offset of at least 256.'
👌
>
> On 6/19/20 12:35 PM, Derek Lesho wrote:
>> EasyAntiCheat.sys reads IoThreadToProcess and PsGetThreadProcessId to find out the offset of the
>> KPROCESS and PID fields in the KTHREAD structure. They rely on the mov instruction using a 32-bit
>> displacement to get the offset, so we have to make sure the fields are deep enough into the structure.
>>
>> Signed-off-by: Derek Lesho <dlesho at codeweavers.com>
>> ---
>> dlls/ntoskrnl.exe/ntoskrnl.c | 1 -
>> dlls/ntoskrnl.exe/ntoskrnl_private.h | 4 ++++
>> 2 files changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
>> index 818ff56d25..51603ec3d7 100644
>> --- a/dlls/ntoskrnl.exe/ntoskrnl.c
>> +++ b/dlls/ntoskrnl.exe/ntoskrnl.c
>> @@ -2394,7 +2394,6 @@ HANDLE WINAPI PsGetThreadId(PETHREAD thread)
>> */
>> HANDLE WINAPI PsGetThreadProcessId( PETHREAD thread )
>> {
>> - TRACE( "%p -> %p\n", thread, thread->kthread.id.UniqueProcess );
> Why remove this trace?
Because EasyAntiCheat reads the first instruction of the function, if we
used assembly to re-implement this function, we could avoid this.
>
>> return thread->kthread.id.UniqueProcess;
> While this may reliably work in practice, there's no guarantee of it. It
> may be a better idea to reimplement the functions in assembly for the
> architectures that need it.
Agreed, I'll just do that instead.
>
>> }
>>
>> diff --git a/dlls/ntoskrnl.exe/ntoskrnl_private.h b/dlls/ntoskrnl.exe/ntoskrnl_private.h
>> index a1e1b892e8..9d56b236a5 100644
>> --- a/dlls/ntoskrnl.exe/ntoskrnl_private.h
>> +++ b/dlls/ntoskrnl.exe/ntoskrnl_private.h
>> @@ -39,6 +39,8 @@ struct _OBJECT_TYPE
>> struct _EPROCESS
>> {
>> DISPATCHER_HEADER header;
>> + /* padding to require a 32-bit displacement */
> I don't think this comment is nearly specific enough. "32-bit
> displacement" is meaningless unless you mention the architecture,
> instruction, and where that instruction is used. Essentially, everything
> that's in the patch summary should probably be here instead.
Makes sense, what do you think about writing the x86_64 without an
assembler in order to ensure a 32-bit displacement value that is below
0x100? We could remove the padding this way.
>
>> + CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
> Presumably this doesn't have to be at offset exactly 0x100; i.e. the "-
> sizeof(DISPATCHER_HEADER)" is unnecessary.
It was just to save space I guess.
>
>> PROCESS_BASIC_INFORMATION info;
>> BOOL wow64;
>> };
>> @@ -46,6 +48,8 @@ struct _EPROCESS
>> struct _KTHREAD
>> {
>> DISPATCHER_HEADER header;
>> + /* padding to require a 32-bit displacement */
>> + CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
> See above.
>
>> PEPROCESS process;
>> CLIENT_ID id;
>> unsigned int critical_region;
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20200619/98ed4c8f/attachment-0001.htm>
More information about the wine-devel
mailing list