http://bugs.winehq.org/show_bug.cgi?id=12859
--- Comment #7 from Anastasius Focht focht@gmx.net 2009-05-17 05:51:14 ---

Hello,
well I incidentally found an application which makes use of this (there are probably more). Newer versions of "Exeinfo PE" (Win32 PE identifier for packers, compressors, used compilers, exe protectors, obfuscators ..) have some anti-debugging tricks added. The application is coded in a way that Wine's STATUS_NOT_IMPLEMENTED return value is used for the pointer parameter in the next call, which queries for the unimplemented "ProcessDebugObjectHandle" information class. I'll file a separate bug for "ProcessDebugObjectHandle".
--- snip ---
0021:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=004da0d5
0021:fixme:thread:NtSetInformationThread info class 17 not supported yet
0021:Ret ntdll.NtSetInformationThread() retval=c0000002 ret=004da0d5
0021:Call ntdll.NtQueryInformationProcess(ffffffff,0000001e,c0000002,00000004,00000000) ret=004da0e4
...
--- snip ---
Brain damaged app code or purpose (reconstructed and annotated after unpacking) ... decide.
--- snip ---
...
pushl $0x0
pushl $0x0
pushl $0x11
pushl $0xfe
call _NtSetInformationThread_thunk
pushl %eax
pushl $0x0
pushl $0x4
pushl %eax
pushl $0x1e
pushl $0xff
call _NtQueryInformationProcess_thunk
popl %eax
testl %eax,%eax
jnz bad_guy_we_are_being_debugged
...
--- snip ---
Just faking "success" for ThreadHideFromDebugger is the way to go as there is no need for real implementation like Windows has (see comment #4). Also this is not an "enhancement" anymore as real apps depend on this.
Send the patch to wine-patches for review/inclusion. If the initial bug reporter isn't active anymore, let someone else do it ;-)
Regards
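The following is an added, constructed C model of the call sequence in the comment above; it is not Wine code and not the application's code. It stubs the two ntdll entry points with the status values from the trace (0xC0000002 for an unsupported class) and transcribes the packer's check from the annotated disassembly: the status of NtSetInformationThread is saved, reused as the buffer pointer of the NtQueryInformationProcess call, restored and tested. The toggle `fake_hide_success` is an assumption that models the two Wine behaviours discussed (class 17 unsupported versus faking success); the handle values -2 and -1 correspond to the fffffffe/ffffffff pseudo-handles in the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not Wine code). NT status values as they appear in the trace. */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS         0x00000000u
#define STATUS_NOT_IMPLEMENTED 0xC0000002u

/* Information classes from the trace: 0x11 = 17 (ThreadHideFromDebugger), 0x1e = 30 (ProcessDebugObjectHandle). */
#define ThreadHideFromDebugger   0x11u
#define ProcessDebugObjectHandle 0x1eu

/* Assumed toggle: 0 models Wine before the fix (class 17 "not supported yet"),
   1 models the proposed fix of faking success for ThreadHideFromDebugger. */
static int fake_hide_success = 0;

/* Records the buffer pointer the application passes to the second call. */
static uintptr_t last_query_buffer;

static NTSTATUS model_NtSetInformationThread(uintptr_t thread, uint32_t cls,
                                             const void *info, uint32_t len)
{
    (void)thread; (void)info; (void)len;
    if (cls == ThreadHideFromDebugger)
        return fake_hide_success ? STATUS_SUCCESS : STATUS_NOT_IMPLEMENTED;
    return STATUS_NOT_IMPLEMENTED;  /* other classes are out of scope for this model */
}

static NTSTATUS model_NtQueryInformationProcess(uintptr_t process, uint32_t cls,
                                                uintptr_t buffer, uint32_t len,
                                                uint32_t *retlen)
{
    (void)process; (void)cls; (void)len; (void)retlen;
    last_query_buffer = buffer;
    /* The comment states this class is unimplemented in Wine; the application
       discards this result anyway (popl %eax restores the saved status). */
    return STATUS_NOT_IMPLEMENTED;
}

/* Transcription of the disassembled check:
   pushl $0x0; pushl $0x0; pushl $0x11; pushl $0xfe; call NtSetInformationThread
   pushl %eax                    <- save status
   pushl $0x0; pushl $0x4; pushl %eax; pushl $0x1e; pushl $0xff; call NtQueryInformationProcess
   popl %eax; testl %eax,%eax; jnz bad_guy_we_are_being_debugged */
static int app_detects_debugger(void)
{
    NTSTATUS saved = model_NtSetInformationThread((uintptr_t)-2, ThreadHideFromDebugger, NULL, 0);
    model_NtQueryInformationProcess((uintptr_t)-1, ProcessDebugObjectHandle,
                                    (uintptr_t)saved, 4, NULL);
    return saved != STATUS_SUCCESS;  /* non-zero status => "being debugged" branch */
}

/* Runs the check under one of the two modelled Wine behaviours; returns 1 if the
   application would take the anti-debugging branch. */
int run_check(int fake_success)
{
    fake_hide_success = fake_success;
    last_query_buffer = 0;
    return app_detects_debugger();
}

/* Buffer pointer the last run handed to NtQueryInformationProcess. */
uintptr_t query_buffer_seen(void)
{
    return last_query_buffer;
}

int main(void)
{
    printf("class 17 unsupported: detected=%d, query buffer=%#lx\n",
           run_check(0), (unsigned long)query_buffer_seen());
    printf("faked success:        detected=%d, query buffer=%#lx\n",
           run_check(1), (unsigned long)query_buffer_seen());
    return 0;
}
```

With class 17 unsupported, the model reproduces the trace: the status c0000002 becomes the buffer argument of the query call and the application branches to its "debugged" path. With success faked, the buffer argument is 0 and the check passes, which is why a one-line fake is sufficient for this application.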