[Bug 12859] New: HideThreadFromDebugger in NtSetInformationThread
http://bugs.winehq.org/show_bug.cgi?id=12859

Summary: HideThreadFromDebugger in NtSetInformationThread
Product: Wine
Version: 0.9.60
Platform: Other
OS/Version: other
Status: UNCONFIRMED
Severity: enhancement
Priority: P2
Component: ntdll
AssignedTo: wine-bugs(a)winehq.org
ReportedBy: readams(a)readams.net

Created an attachment (id=12555) --> (http://bugs.winehq.org/attachment.cgi?id=12555)
Add HideThreadFromDebugger to winternl.h and to NtSetInformationThread

This API exists in the Windows NtSetInformationThread for some reason. The sensible thing to do in Wine here seems to be to just ignore this call. Patch attached is against 0.9.60.

--
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.
--- Comment #1 from Lei Zhang <thestig(a)google.com> 2008-04-28 19:01:04 ---
Do you have a real world app that needs it?
--- Comment #2 from Rob Adams <readams(a)readams.net> 2008-04-28 19:29:22 ---
Created an attachment (id=12558) --> (http://bugs.winehq.org/attachment.cgi?id=12558)
example use of NtSetInformationThread

This allows programs which employ a common anti-debugging technique under Windows to run under Wine. I've attached a simple test program which shows how this would be used by such a program.
Austin English <austinenglish(a)gmail.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |patch, testcase
--- Comment #3 from Juan Lang <juan_lang(a)yahoo.com> 2008-04-29 13:30:36 ---
Patches should be sent to wine-patches, they're not picked up here.
Anastasius Focht <focht(a)gmx.net> changed:

What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |focht(a)gmx.net

--- Comment #4 from Anastasius Focht <focht(a)gmx.net> 2008-05-02 04:45:28 ---
Hello,

this blog entry gives a possible "use case":

http://nsylvain.blogspot.com/2007/08/threadhidefromdebugger-but-why.html

--- quote blog ---
Alex_Ionescu said...

It's actually used by RtlQueryProcessDebugInformation when you're querying remote information... the routine creates a remote thread and hides it from the debugger, supposedly to stop the deadlock that would otherwise happen once the debugger receives the thread start routine.
--- quote blog ---

Sounds plausible.

--- quote ---
This allows programs which employ a common anti-debugging technique under windows to run under wine.
--- quote ---

I'm curious ... do you have any example apps? I have yet to see the use of this information class in commercial protections because it's actually easy to "fix" = pretty useless.

Regards
--- Comment #5 from Austin English <austinenglish(a)gmail.com> 2008-10-30 02:18:30 ---
Is this still an issue in current (1.1.7 or newer) wine?
--- Comment #6 from Anastasius Focht <focht(a)gmx.net> 2008-12-11 15:22:58 ---
Hello,

--- quote ---
Is this still an issue in current (1.1.7 or newer) wine?
--- quote ---

Obviously yes.

I just remembered a problem/bug where having such facility could be useful - but not as the bug reporter initially intended (common anti-debugging technique).

In bug 14697, I described a situation where a debugger implicitly triggered an APC (by using VirtualQueryEx) which failed invocation on the remote process because all of the debuggee's threads were suspended in non-alertable state due to a pending (dll load) debug event, and the debugger got stuck in a synchronous wait on that APC to complete in its debug event handling loop.

A possible use case would be to create a special remote helper thread for carrying out certain APCs and hiding it from the debugger, not relying on hijacking any debuggee threads to serve the APCs (like in comment #4 where I cited the blog entry).

But for the original bug reporter the question still remains: is there a commercial app which relies on this "feature"?

Regards
--- Comment #7 from Anastasius Focht <focht(a)gmx.net> 2009-05-17 05:51:14 ---
Hello,

well I incidentally found an application which makes use of this (there are probably more).

Newer versions of "Exeinfo PE" (Win32 PE identifier for packers, compressors, used compilers, exe protectors, obfuscators ..) have some anti-debugging tricks added.

The application is coded in a way that Wine's STATUS_NOT_IMPLEMENTED return value is used for the pointer parameter in the next call, which queries for the unimplemented "ProcessDebugObjectHandle" information class. I'll file a separate bug for "ProcessDebugObjectHandle".

--- snip ---
0021:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=004da0d5
0021:fixme:thread:NtSetInformationThread info class 17 not supported yet
0021:Ret ntdll.NtSetInformationThread() retval=c0000002 ret=004da0d5
0021:Call ntdll.NtQueryInformationProcess(ffffffff,0000001e,c0000002,00000004,00000000) ret=004da0e4
...
--- snip ---

Brain damaged app code or purpose (reconstructed and annotated after unpacking) ... decide.

--- snip ---
...
pushl $0x0
pushl $0x0
pushl $0x11
pushl $0xfe
call _NtSetInformationThread_thunk
pushl %eax
pushl $0x0
pushl $0x4
pushl %eax
pushl $0x1e
pushl $0xff
call _NtQueryInformationProcess_thunk
popl %eax
testl %eax,%eax
jnz bad_guy_we_are_being_debugged
...
--- snip ---

Just faking "success" for ThreadHideFromDebugger is the way to go as there is no need for a real implementation like Windows has (see comment #4).

Also this is not an "enhancement" anymore as real apps depend on this. Send the patch to wine-patches for review/inclusion. If the initial bug reporter isn't active anymore, let someone other do it ;-)

Regards
Anastasius Focht <focht(a)gmx.net> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Blocks    |        |18500
Vitaliy Margolen <vitaliy(a)kievinfo.com> changed:

What           |Removed     |Added
----------------------------------------------------------------------------
Keywords       |            |obfuscation
Status         |UNCONFIRMED |NEW
Ever Confirmed |0           |1
Severity       |enhancement |normal

--- Comment #8 from Vitaliy Margolen <vitaliy(a)kievinfo.com> 2009-05-17 11:47:53 ---
And confirming.
--- Comment #9 from Anastasius Focht <focht(a)gmx.net> 2009-05-18 15:14:17 ---
Hello,

I should have looked more closely at the patch ... despite being very small and non-intrusive it contains a problem.

Gcc might generate code where the "status" return value isn't explicitly initialized, which might result in a garbage NTSTATUS being returned. This is bad for the next call, which is coded in a way to take the status as pointer parameter (bug 18500).

I suggest you directly return STATUS_SUCCESS for the ThreadHideFromDebugger case.

Regards
Austin English <austinenglish(a)gmail.com> changed:

What                 |Removed |Added
----------------------------------------------------------------------------
Attachment #12555    |0       |1
is obsolete          |        |

--- Comment #10 from Austin English <austinenglish(a)gmail.com> 2009-05-18 19:33:03 ---
Created an attachment (id=21171) --> (http://bugs.winehq.org/attachment.cgi?id=21171)
updated patch

Okay for you Focht?
--- Comment #11 from Anastasius Focht <focht(a)gmx.net> 2009-05-19 03:50:44 ---
Hello,

--- quote ---
updated patch

Okay for you Focht?
--- quote ---

yes ... though you might condense that comment to "to satisfy copy protections" because apps use this API solely for hacking evasion. The initial rationale for this API (see comment #4) is something that Wine doesn't need. It can be implemented by using Wine internal functionality. If people are curious about this info class they can always use g00gle to find the blog entry or archived bugzilla comments/discussion from this bug.

With bug 12859 and bug 18500 fixed (include check for NULL ptr arg), the app works as expected. It might also help other copy protected apps/games which employ this kind of anti-debugging tricks.

Regards
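The call pair from the trace in comment #7, modelled in C as an added example (not Wine's code and not the attached patch): the first call either answers "not implemented" or, as comments #9 and #11 ask, returns STATUS_SUCCESS directly, and the second call checks for the NULL buffer that the app's "pushl %eax" then hands it. The model_* names and the STATUS_ACCESS_VIOLATION / STATUS_PORT_NOT_SET replies are assumptions; only the info-class numbers and the 0xc0000002 value come from the trace.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS              0x00000000u
#define STATUS_NOT_IMPLEMENTED      0xC0000002u  /* the retval=c0000002 in the trace */
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_ACCESS_VIOLATION     0xC0000005u  /* assumed reply for a NULL buffer */
#define STATUS_PORT_NOT_SET         0xC0000353u  /* assumed reply for "no debug object" */

#define ThreadHideFromDebugger   0x11            /* info class 17 in the trace */
#define ProcessDebugObjectHandle 0x1e            /* info class 30 in the trace */

/* Wine-side handler for the thread call. With fixed=1 the case returns
 * STATUS_SUCCESS directly, so no "status" local is left uninitialised
 * (the concern raised in comment #9). fixed=0 is the old "not supported yet" path. */
NTSTATUS model_NtSetInformationThread(int fixed, int info_class)
{
    switch (info_class) {
    case ThreadHideFromDebugger:
        if (fixed) return STATUS_SUCCESS;        /* nothing to hide in Wine; just say yes */
        break;
    }
    return STATUS_NOT_IMPLEMENTED;
}

/* Process query with the NULL-pointer check asked for in comment #11, so the
 * zero that the app forwards as its buffer pointer is rejected, not dereferenced. */
NTSTATUS model_NtQueryInformationProcess(int info_class, void *buf, uint32_t len)
{
    if (info_class != ProcessDebugObjectHandle) return STATUS_NOT_IMPLEMENTED;
    if (!buf) return STATUS_ACCESS_VIOLATION;
    if (len != sizeof(uint32_t)) return STATUS_INFO_LENGTH_MISMATCH;
    *(uint32_t *)buf = 0;                         /* no debug object handle */
    return STATUS_PORT_NOT_SET;
}

/* Replays the disassembled sequence: eax from the first call is both kept for the
 * final "testl %eax,%eax" and pushed as ProcessInformation for the second call.
 * Returns 1 when the app would jump to bad_guy_we_are_being_debugged. */
int replay_app_check(int fixed, uintptr_t *buf_passed)
{
    NTSTATUS eax = model_NtSetInformationThread(fixed, ThreadHideFromDebugger);
    *buf_passed = (uintptr_t)eax;                 /* "pushl %eax" as the buffer pointer */
    if (eax == STATUS_SUCCESS)                    /* only a NULL buffer is safe to forward */
        (void)model_NtQueryInformationProcess(ProcessDebugObjectHandle, NULL, 4);
    /* With the old 0xc0000002 the app would forward a bogus pointer; the query's
     * result is discarded by "popl %eax" either way, so only the saved status decides. */
    return eax != STATUS_SUCCESS;
}
```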
Andrey Turkin <andrey.turkin(a)gmail.com> changed:

What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |andrey.turkin(a)gmail.com

--- Comment #12 from Andrey Turkin <andrey.turkin(a)gmail.com> 2009-10-06 10:51:43 ---
This particular call sequence should be handled now; thread won't be detached from debugger of course.
--- Comment #13 from Anastasius Focht <focht(a)gmx.net> 2009-10-06 13:12:09 ---
Hello,

--- quote ---
This particular call sequence should be handled now; thread won't be detached from debugger of course.
--- quote ---

Yes, it's fixed by commit be910d973a432495a8372476f3c9a5547feb8602 (commit f2432a8bc2dddaa34cfca0abbaf8b0d1ac19b44b belongs to bug 18500).

The app now works as expected. Thanks. I suggest to close this one.

Regards
Austin English <austinenglish(a)gmail.com> changed:

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |        |FIXED

--- Comment #14 from Austin English <austinenglish(a)gmail.com> 2009-10-06 14:30:58 ---
(In reply to comment #13)
> Hello,
>
> --- quote ---
> This particular call sequence should be handled now; thread won't be detached from debugger of course.
> --- quote ---
>
> Yes, it's fixed by commit be910d973a432495a8372476f3c9a5547feb8602 (commit f2432a8bc2dddaa34cfca0abbaf8b0d1ac19b44b belongs to bug 18500).
>
> The app now works as expected. Thanks. I suggest to close this one.

Fixed.
Alexandre Julliard <julliard(a)winehq.org> changed:

What      |Removed  |Added
----------------------------------------------------------------------------
Status    |RESOLVED |CLOSED

--- Comment #15 from Alexandre Julliard <julliard(a)winehq.org> 2009-10-09 11:13:40 ---
Closing bugs fixed in 1.1.31.
Anastasius Focht <focht(a)gmx.net> changed:

What           |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1  |        |be910d973a432495a8372476f3c9a5547feb8602
Anastasius Focht <focht(a)gmx.net> changed:

What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |download
URL       |        |http://www.asl-soft.hostoi.com/exeinfope.zip
Hardware  |Other   |x86
OS        |other   |Linux
Anastasius Focht <focht(a)gmx.net> changed:

What      |Removed                                       |Added
----------------------------------------------------------------------------
URL       |http://www.asl-soft.hostoi.com/exeinfope.zip  |https://web.archive.org/web/20140709065806/http://www.asl-soft.hostoi.com/exeinfope.zip