https://bugs.winehq.org/show_bug.cgi?id=48235 Bug ID: 48235 Summary: Multiple applications need 'ntdll.NtWow64QueryInformationProcess64' (IP Camera Viewer 4.x) Product: Wine Version: 4.21 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, crash was reported in https://bugs.winehq.org/show_bug.cgi?id=44456#c7 Trace log: --- snip --- $ pwd /home/focht/.wine/drive_c/Program Files (x86)/Deskshare/IP Camera Viewer 4 $ WINEDEBUG=+seh,+relay wine ./IP\ Camera\ Viewer.exe >>log.txt 2>&1 ... 0041:Call KERNEL32.IsWow64Process(ffffffff,0032f64c) ret=004034fc 0041:Call ntdll.NtQueryInformationProcess(ffffffff,0000001a,0032f5fc,00000004,00000000) ret=71276334 0041:Ret ntdll.NtQueryInformationProcess() retval=00000000 ret=71276334 0041:Ret KERNEL32.IsWow64Process() retval=00000001 ret=004034fc 0041:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0041 0041:trace:seh:raise_exception info[0]=00000000 0041:trace:seh:raise_exception info[1]=00000000 0041:trace:seh:raise_exception eax=0032f658 ebx=00000000 ecx=00000000 edx=00000001 esi=00000000 edi=00000003 0041:trace:seh:raise_exception ebp=0032f690 esp=0032f640 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202 0041:trace:seh:call_stack_handlers calling handler at 0x7b4740b0 code=c0000005 flags=0 ... wine: Unhandled page fault on read access to 00000000 at address 00000000 (thread 0041), starting debugger... ... --- snip --- Disassembly of crash site: --- snip --- 004034C6 | lea eax,dword ptr ss:[ebp-4] | 004034C9 | push eax | 004034CA | push 30 | 004034CC | lea eax,dword ptr ss:[ebp-38] | 004034CF | push eax | 004034D0 | push 0 | 004034D2 | push FFFFFFFF | 004034D4 | call dword ptr ds:[406024] | *boom* (NULL) 004034DA | mov ecx,dword ptr ss:[ebp-30] | 004034DD | xor edx,edx | 004034DF | test eax,eax | 004034E1 | cmovne ecx,edx | 004034E4 | mov eax,ecx | 004034E6 | leave | 004034E7 | ret | --- snip --- Walking backwards by using 'Find reference to address' in debugger: --- snip --- Address Disassembly 004023A7 mov dword ptr ds:[406024],eax 004034D4 call dword ptr ds:[406024] --- snip --- Code around 004023A7 -> part of custom imports resolver: --- snip --- 00402391 | push ip camera viewer.401138 | "NtWow64QueryInformationProcess64" 00402396 | push ebx | 00402397 | mov dword ptr ds:[406028],eax | 0040239C | call edi | 0040239E | push eax | 0040239F | call esi | 004023A1 | push ip camera viewer.40115C | "memcpy" 004023A6 | push ebx | 004023A7 | mov dword ptr ds:[406024],eax | 004023AC | call edi | ... --- snip --- Finding the corresponding part of trace log: --- snip --- ... 0041:Call KERNEL32.GetModuleHandleW(004010c0 L"ntdll") ret=0040239e 0041:Call ntdll.RtlInitUnicodeString(0032f5f8,004010c0 L"ntdll") ret=7125a3f6 0041:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7125a3f6 0041:Call ntdll.LdrGetDllHandle(00000000,00000000,0032f5f8,0032f5f0) ret=7125a41c 0041:Ret ntdll.LdrGetDllHandle() retval=00000000 ret=7125a41c 0041:Ret KERNEL32.GetModuleHandleW() retval=7bc30000 ret=0040239e 0041:Call KERNEL32.GetProcAddress(7bc30000,00401138 "NtWow64QueryInformationProcess64") ret=004023a1 0041:Ret KERNEL32.GetProcAddress() retval=00000000 ret=004023a1 ... --- snip --- Example code: https://github.com/giampaolo/psutil/blob/master/psutil/arch/windows/process_... VirusTotal info: https://www.virustotal.com/gui/file/190493c2c25d07cefc0b131f7afc162ab04a7850... https://www.virustotal.com/gui/file/190493c2c25d07cefc0b131f7afc162ab04a7850... $ sha1sum IPCameraViewer.exe 373a8311265ee8980e4ceb7b1d55524430add2fc IPCameraViewer.exe $ du -sh IPCameraViewer.exe 20M IPCameraViewer.exe $ wine --version wine-4.21-138-g7ca1c4900e Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.