http://bugs.winehq.org/show_bug.cgi?id=23451
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Component|-unknown |ntdll Summary|VMWare Thinapps (packaged |VMWare Thinapps (packaged |with version >4.5) don't |with version >4.5) don't |run |run, also affects XenoCode | |wrapped apps
--- Comment #5 from Anastasius Focht focht@gmx.net 2010-08-23 11:06:07 --- Hello,
adding some info... Not only VMWare Thinapps but also various Xenocode wrapped apps need a proper native process creation sequence (they both have this in common).
Another "target" which suffers from this, wrapped by Xenocode:
http://bypass.cdn.skybound.ca/stylizer/Stylizer5Setup.exe
--- snip --- $ sha1sum Stylizer5Setup.exe bd7039b5a67f9846ffdd1795be044f5bf65607a6 Stylizer5Setup.exe --- snip ---
--- snip --- Scanning -> c:\Program Files\Skybound Stylizer 5\Stylizer.exe File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 13330168 (0CB66F8h) Byte(s) -> File Appears to be Digitally Signed @ Offset 0CB5800h, size : 0EF8h / 03832 byte(s) -> File has 13191168 (0C94800h) bytes of appended data starting at offset 021000h [File Heuristics] -> Flag : 00000000000001001000000000000100 (0x00048004) [!] XenoCode Virtual Application Studio 2010 detected ! --- snip ---
I dumped all Xenocode hooks into Wine's ntdll, quite impressive number (though NtCreateProcess is the culprit here):
--- snip --- 7BC1F2B8 __wine_stub_NtCreateProcess E9 E0087784 JMP 0038FB9D 7BC1F310 __wine_stub_NtCreateThread E9 2F077784 JMP 0038FA44 7BC1F394 __wine_stub_NtExtendSection E9 74AB7784 JMP 00399F0D 7BC1F5FC __wine_stub_NtQueryOpenSubKeys E9 CFF37684 JMP 0038E9D0 7BC1F998 __wine_stub_NtUnloadKeyEx E9 38EB7684 JMP 0038E4D5 7BC35610 NtNotifyChangeDirectoryFile E9 E2D77584 JMP 00392DF7 7BC3B090 NtQueryDirectoryFile E9 8D7C7584 JMP 00392D22 7BC3DC50 NtSetEaFile E9 EB4D7584 JMP 00392A40 7BC3DCC0 NtQueryEaFile E9 EB4F7584 JMP 00392CB0 7BC3DD60 NtSetVolumeInformationFile E9 0F4C7584 JMP 00392974 7BC3DDE0 NtCreateMailslotFile E9 7E537584 JMP 00393163 7BC3DF70 NtUnlockFile E9 99497584 JMP 0039290E 7BC3E1A0 NtCancelIoFile E9 C4507584 JMP 00393269 7BC3E370 NtCreateNamedPipeFile E9 6D4D7584 JMP 003930E2 7BC3E5F0 NtLockFile E9 74487584 JMP 00392E69 7BC3E8E0 NtFlushBuffersFile E9 6E467584 JMP 00392F53 7BC3F330 NtQueryVolumeInformationFile E9 52387584 JMP 00392B87 7BC3F9C0 NtSetInformationFile E9 15307584 JMP 003929DA 7BC400B0 NtFsControlFile E9 292E7584 JMP 00392EDE 7BC40570 NtDeviceIoControlFile E9 3B2A7584 JMP 00392FB0 7BC40840 NtWriteFileGather E9 E51F7584 JMP 0039282A 7BC40FF0 NtWriteFile E9 A7187584 JMP 0039289C 7BC41720 NtReadFileScatter E9 7E137584 JMP 00392AA3 7BC41C50 NtReadFile E9 C00E7584 JMP 00392B15 7BC42A10 NtCreateFile E9 BD077584 JMP 003931D2 7BC42A70 NtDeleteFile E9 B0057584 JMP 00393025 7BC42B40 NtOpenFile E9 81077584 JMP 003932C6 7BC43000 NtQueryAttributesFile E9 95FD7484 JMP 00392D9A 7BC43150 NtQueryFullAttributesFile E9 FEFA7484 JMP 00392C53 7BC43320 NtQueryInformationFile E9 C8F87484 JMP 00392BED 7BC4A9B0 LdrGetDllHandle E9 39537484 JMP 0038FCEE 7BC4C0E0 LdrShutdownThread E9 DA477484 JMP 003908BF 7BC50F00 NtCreatePagingFile E9 7A217484 JMP 0039307F 7BC512D0 NtQuerySection E9 E98A7484 JMP 00399DBE 7BC53F80 NtMakeTemporaryObject E9 A9DB7384 JMP 00391B2E 7BC54170 NtSetInformationObject E9 F0D87384 JMP 00391A65 7BC549B0 NtClose E9 3FD27384 JMP 00391BF4 7BC54A30 NtDuplicateObject E9 53D17384 JMP 00391B88 7BC54B40 NtQuerySecurityObject E9 EDCC7384 JMP 00391832 7BC54E20 NtQueryObject E9 A3CC7384 JMP 00391AC8 7BC5B290 NtOpenProcess E9 77497384 JMP 0038FC0C 7BC5B3E0 NtSetInformationProcess E9 FC457384 JMP 0038F9E1 7BC5C080 NtTerminateProcess E9 CE447384 JMP 00390553 7BC5C100 NtSetInformationKey E9 62257384 JMP 0038E667 7BC5C170 NtRestoreKey E9 72267384 JMP 0038E7E7 7BC5C1E0 NtQueryMultipleValueKey E9 48287384 JMP 0038EA2D 7BC5CB00 NtUnloadKey E9 8A1A7384 JMP 0038E58F 7BC5CBA0 NtSaveKey E9 E51B7384 JMP 0038E78A 7BC5CC40 NtFlushKey E9 E4217384 JMP 0038EE29 7BC5CCE0 NtEnumerateValueKey E9 9E217384 JMP 0038EE83 7BC5D210 NtQueryKey E9 81187384 JMP 0038EA96 7BC5D250 NtEnumerateKey E9 971C7384 JMP 0038EEEC 7BC5D3D0 NtDeleteKey E9 DD1B7384 JMP 0038EFB2 7BC5D4A0 NtSetValueKey E9 44117384 JMP 0038E5E9 7BC5D630 NtQueryValueKey E9 CF127384 JMP 0038E904 7BC5DAD0 NtDeleteValueKey E9 80147384 JMP 0038EF55 7BC5DBC0 NtOpenKey E9 9A0F7384 JMP 0038EB5F 7BC5E850 NtCreateKey E9 CC077384 JMP 0038F021 7BC5EBF0 NtReplaceKey E9 52FC7284 JMP 0038E847 7BC5EC70 NtNotifyChangeKey E9 C5FF7284 JMP 0038EC3A 7BC5EF10 NtLoadKey E9 B7FE7284 JMP 0038EDCC 7BC69390 NtSetSecurityObject E9 3D847284 JMP 003917D2 7BC75680 NtSignalAndWaitForSingleObject E9 52C37184 JMP 003919D7 7BC756E0 NtWaitForMultipleObjects E9 1FC27184 JMP 00391904 7BC75760 NtWaitForSingleObject E9 33C17184 JMP 00391898 7BC7E780 NtAreMappedFilesTheSame E9 16B57184 JMP 00399C9B 7BC7EAB0 NtOpenSection E9 6FB37184 JMP 00399E24 7BC800C0 NtQueryVirtualMemory E9 339C7184 JMP 00399CF8 7BC80930 NtCreateSection E9 35967184 JMP 00399F6A 7BC81430 NtUnmapViewOfSection E9 2C897184 JMP 00399D61 7BC83C20 NtMapViewOfSection E9 5F627184 JMP 00399E84 --- snip ---
Regards