http://bugs.winehq.org/show_bug.cgi?id=23578
--- Comment #55 from Henri Verbeet hverbeet@gmail.com 2010-07-16 08:08:39 --- (In reply to comment #54)
ReadProcessMemory() calls NtReadVirtualMemory() which sends a read_process_memory request to wineserver. wineserver dynamically allocates a temporary buffer (of requested size), calls read_process_memory with that buffer and that function is the one actually reading from the process's virtual memory, however, it doesn't seem efficient. To read the memory, it seems like its pausing a thread in the running program, reads the memory and lets the thread continue.
Yeah, but it's worse than that. Look at the while-loop inside read_process_memory(), and the implementation of read_thread_long().
Another reasonable theory is VAC getting suspicious due to some implementation difference in Wine, and doing more aggressive scans because of that. I.e., that it wouldn't scan so much under normal circumstances. Considering the time it takes to reproduce this that would require prohibitive amounts of logging to track down / verify though.