https://bugs.winehq.org/show_bug.cgi?id=40800
Dmitry Timoshkov dmitry@baikal.ru changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
--- Comment #4 from Dmitry Timoshkov dmitry@baikal.ru ---
The application contains a custom imports resolver which gets called at the start of the execution. Since the IAT (the imports table) has already been processed by the PE loader, the custom imports resolver tries to access the addresses calculated from the PE import thunks, and that leads to an access violation because the relative virtual addresses there have already been replaced by real addresses of the imported APIs.
There is an interesting detail about the process: the application uses ReadProcessMemory() in order to read the IAT before resolving its contents (instead of a straight memcpy() or accessing the IAT directly in memory). Perhaps win9x returns the original mapped PE file contents in that case, making this technique work.
Probably it's possible to add a hack to ReadProcessMemory() to read the mapped file contents in order to emulate win9x behaviour, but I'd suggest trying to write a simple test app to confirm my theory first.
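
Added example, not part of the bug comment and not Wine or application code: a small offline model of the failure described in comment #4, showing that a resolver which treats an IAT thunk as an RVA works on the on-disk contents but faults once the loader has bound the slot. The image layout, the helper names and the address 0x7B412340 are constructed for illustration.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set: import by ordinal (PE32)

def build_image():
    """Constructed 32-bit 'mapped image': one hint/name entry and a 2-slot IAT."""
    image = bytearray(0x200)
    name_rva, iat_rva = 0x100, 0x180
    # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by a NUL-terminated name
    entry = struct.pack("<H", 0) + b"GetVersion\x00"
    image[name_rva:name_rva + len(entry)] = entry
    # IAT as stored in the file: RVA of the hint/name entry, then a terminator
    struct.pack_into("<II", image, iat_rva, name_rva, 0)
    return image, iat_rva

def read_thunk(image, iat_rva, index=0):
    """Read one 32-bit IAT slot."""
    return struct.unpack_from("<I", image, iat_rva + 4 * index)[0]

def resolve_by_rva(image, thunk):
    """What a custom resolver does: treat the thunk as an RVA into the image."""
    if thunk & IMAGE_ORDINAL_FLAG32:
        return "ordinal #%d" % (thunk & 0xFFFF)
    if thunk + 2 >= len(image):
        # In a real process this dereference is the access violation
        raise MemoryError("thunk 0x%08X is not an RVA inside the image" % thunk)
    end = image.index(b"\x00", thunk + 2)
    return image[thunk + 2:end].decode("ascii")

def loader_bind(image, iat_rva, api_address):
    """What the PE loader does: overwrite the IAT slot with the API's address."""
    struct.pack_into("<I", image, iat_rva, api_address)

if __name__ == "__main__":
    image, iat_rva = build_image()
    print("file contents :", resolve_by_rva(image, read_thunk(image, iat_rva)))
    loader_bind(image, iat_rva, 0x7B412340)  # constructed absolute address
    try:
        resolve_by_rva(image, read_thunk(image, iat_rva))
    except MemoryError as exc:
        print("after binding :", exc)
```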