https://bugs.winehq.org/show_bug.cgi?id=55967
--- Comment #5 from Bernhard Übelacker bernhardu@mailbox.org --- Created attachment 75674 --> https://bugs.winehq.org/attachment.cgi?id=75674 hack: ntdll: Do not use get_image_map_address for ntdll.
The issue here looks like some part of copy protection.
SWATH.exe opens ntdll.dll from disk, seeks to offset 0x9570 and reads 20 bytes. It looks like it uses these 20 bytes to locate the address of ZwQueryInformationProcess, and calls it. (CreateFileA, SetFilePointer, ReadFile, CloseHandle)
Unforatunately since commit efd03f40 the calculation results in the same function address, but ntdll.ZwQueryInformationProcess is no longer located there.
Attached patch reverts using the get_image_map_address wineserver call just for ntdll, and is enough to make SWATH work again.