How are Win/Dos syscalls implemented in Wine?

Sylvain Petreolle spetreolle at yahoo.fr
Sat Oct 26 15:31:23 CDT 2002


I disagree here.
One anti-debug / hiding technique is:
1) set regs
1a) push the location of 3) on the stack
2) jump to 80h
then the "iret" instruction in int 80h will jump to 3)

> malicious non-trusted dll:
> 1) setup malicious regs (like erase file...)
> 2) jump at the address of the int 80h above
> 3) 
> (of course you won't be able to go back to 3), but this would still
> allow you to make a valid syscall)
> looking at all trusted dlls you might even find some code where you
> get something like (in trusted dll)
> a) setup regs for syscall
> b) int 80h
> c) ret
> and in that case, a jsr to the address of b) from untrusted code would
> circumvent your scheme
> 
> once again, since:
> - wine is just seen from the linux kernel as a standard process
> - wine core DLLs and the loaded code live in the same address space
> it would be extremely difficult to implement this type of protection
> on wine (as it is today)
> it might be possible using some kind of code control tools. the new
> skins on valgrind would help here, but that would be done in a
> completely different manner
> 
> A+



