How is Win/Dos syscalls implemented in Wine?

Sylvain Petreolle spetreolle at
Sat Oct 26 15:31:23 CDT 2002

I disagree here.
one anti debug / hiding technique is :
1)set regs
1a) push 3) location on the stack.
2) jump to 80h
then the "iret" instruction in int 80h will jump to 3)

> malicious non trusted dll:
> 1) setup malicious regs (like erase file...)
> 2) jump at the address of the int 80h above
> 3) 
> (of course you won't be able to go back to 3), but this would still
> allow you to make a valid syscall
> looking at all trusted dlls you might even find some code where you
> get
> something like (in trusted dll)
> a) setup regs for syscall
> b) int 80h
> c) ret
> and in that case, jsr address of b from untrusted code would
> circumvent
> your scheme
> once again, since:
> - wine is just seen from the linux kernel as a standard process
> - wine core DLLs and the loaded code live in the same address space
> it would be extremely difficult to implement this type of protection
> on
> wine (as it is today)
> it might possible using some kind of code control tools. the new
> skins
> on valgrind would help here, but that would be done in a completly
> different manner
> A+

Do You Yahoo!? -- Une adresse gratuite et en français !
Yahoo! Mail :

More information about the wine-users mailing list