Does wine perform exact same memory allocations than Windows?
Stefan Dösinger
stefandoesinger at gmail.com
Wed May 27 05:40:16 CDT 2020
> Am 27.05.2020 um 09:00 schrieb Emanuele Oriani <emaentra at ngi.it>:
>
> When porting this program I have been able to resolve and navigate some structures, but some others I can't. I can find some complex patterns (such as "48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 83 A0 ?? ?? ?? ?? ?? C6 43" or "48 8B 0D ?? ?? ?? ?? B2 01 E8 ?? ?? ?? ?? C6 83 ?? ?? ?? ?? ?? 48 8B 0D"), but when I start "navigating" those and dereference some alleged pointers I end up outside of the process memory spaces.
> Furthermore I seem to have found that for some types (namely utf8 strings) seems like wine allocates 1 more byte than Windows, hence somehow deviating from expected memory layout.
What you are doing here is very fragile, even going from Windows to Windows. I realize it is a common thing to do for game mods though if the game does not provide an API for such modifications.
How reliably memory patterns are replicated between Wine and Windows and even two different Windows versions depends on how the allocations are made. If you are looking up pointers into the game's code in its DLLs and EXE files they are very similar because the PE file is mmap'ed into the processes' address space. You have good chances of the absolute addresses to be identical.
If the game allocates a big blob of Heap memory in one go and fills it with data you should also be lucky. If there are multiple independent heap allocations done by the game the patterns will start to look differently. Wine will not allocate smaller memory blobs than requested, but a heap allocation may be slightly larger, placed in different areas of the address space, etc. The exact details not only depend on Wine, but also on the Linux kernel, linux libs etc.
Things will get even more spotty if the actual memory allocations are done by some Windows API functions. I don't know the string APIs in detail, so the following example is just a hypothetical one: If the game loads data from an XML file we pass the heavy lifting to the Linux libxml2 library. Its internal workings are different from microsoft's msxml.dll so the layout of the loaded file will not look alike at all.
You can try to look into some observable allocation properties with functions like HeapSize and VirtualQuery. One thing worth exploring is finding memory allocations not by searching for magic patterns in memory but hooking functions that the game uses to load the data. It may or may not work better.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20200527/e2907683/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20200527/e2907683/attachment.sig>
More information about the wine-devel
mailing list