https://bugs.winehq.org/show_bug.cgi?id=44912
--- Comment #3 from dereklesho52@Gmail.com ---
(In reply to Anastasius Focht from comment #0)
> Hello folks,
>
> besides the traditional 'KERNEL32.CreateProcessW()' API it also uses native API to create process(es).
>
> --- snip ---
> $ pwd
> /home/focht/winetest/drive_c/users/focht/Local Settings/Application Data/Tibia/packages/Tibia/bin
>
> $ WINEDEBUG=+seh,+relay,+ntoskrnl,+ntdll wine ./client.exe >>log.txt 2>&1
> ...
> 003d:Call KERNEL32.CreateProcessW(00000000,001c8630 L""C:\users\focht\Local Settings\Application Data\Tibia\packages\Tibia\bin\client_launcher.exe" ",00000000,00000000,00000000,00000410,00000000,01d7c6b8 L"C:/users/focht/Local Settings/Application Data/Tibia/packages/Tibia/bin",0033cf2c,0033cf1c) ret=0047235f
> ...
> 0044:Call KERNEL32.__wine_kernel_init() ret=7bc6d171
> ...
> 003d:Ret KERNEL32.CreateProcessW() retval=00000001 ret=0047235f
> ...
> 0044:Call KERNEL32.CreateProcessW(00000000,0033d6cc L""C:\users\focht\Local Settings\Application Data\Tibia\packages\Tibia\bin\client_launcher.exe" 3",00000000,00000000,00000000,00000410,00000000,00000000,0033d1a0,0033d190) ret=7e72e854
> ...
> 0044:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7e72e854
> ...
> 0044:Call ntdll.RtlInitUnicodeString(0033e75c,00162030 L""C:\users\focht\Local Settings\Application Data\Tibia\packages\Tibia\bin\client_launcher.exe" 6 ") ret=0045e9fe
> 0044:Ret ntdll.RtlInitUnicodeString() retval=0033e75c ret=0045e9fe
> ...
> 0044:Call ntdll.RtlCreateProcessParameters(0033e770,0033e764,00000000,00000000, 0033e75c,00000000,00000000,00000000,00000000,00000000) ret=004519b8
> ...
> 0044:Ret ntdll.RtlCreateProcessParameters() retval=00000000 ret=004519b8
> ...
> 0044:Call ntdll.RtlCreateUserProcess(0033e764,00000040,00390000,00000000,00000000, 00000000,00000000,00000000,00000000,0033e780) ret=0046fb4d
> 0044:fixme:ntdll:RtlCreateUserProcess (0x33e764 64 0x390000 (nil) (nil) (nil) 0 (nil) (nil) 0x33e780): stub
> 0044:Ret ntdll.RtlCreateUserProcess() retval=c0000002 ret=0046fb4d
> ...
> 0048:Call KERNEL32.GetStringTypeW(00000001,00162fe8 L"00:52:30: Launching game...\r\n00:52:30: Failed to launch game.\r\n",00000001,005bf46a) ret=7dde5042
> --- snip ---
>
> Wine currently has the process creation sequence not implemented at native API level (albeit it uses some native API calls). It would require a bit redesign/moving code (dlls/kernel32/process.c:create_process, ...) around but into places that would make Wine more compatible with Windows with regards to process creation (although the heavy lifting is done in Windows kernel).
>
> - ntdll.NtCreateProcess
> - ntdll.RtlCreateUserProcess
> ...
>
> Also related: bug 23451 ("VMWare Thinapps (packaged with version >4.5) and XenoCode wrapped apps fail to run (differences in process creation sequence at native API level)")
>
> $ sha1sum Tibia_Setup.exe
> 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe
>
> $ du -sh Tibia_Setup.exe
> 5.2M Tibia_Setup.exe
>
> $ wine --version
> wine-3.5-107-gf4573adb0f
>
> Regards

I am almost done getting create_process to work inside ntdll, just a few bugs to clear up. In the meantime, I have been researching the functionality of RtlCreateUserProcess.
According to https://malwaretips.com/threads/ntcreateuserprocess-api-hook-process-monitor...
In Windows Vista and up, RtlCreateUserProcess simply maps to NtCreateUserProcess, so when researching, that might be useful to find more information.
Also, according to http://www.rohitab.com/discuss/topic/40191-ntcreateuserprocess/
"On Windows Vista and later, the CreateProcessInternalW function uses the NtCreateUserProcess function to create the new process."
Although it will probably suffice to have both NtCreateUserProcess and CreateProcessInternalW call create_process.
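
A small triage helper for traces like the one quoted in this report, added here as an illustration and not code from Wine or from either commenter: it pairs `Call`/`Ret` lines per thread in a `+relay` log and reports the calls that logged a `fixme ... stub`, decoding the NTSTATUS severity bits of the return value. The sample log is constructed (arguments shortened), the function and variable names are hypothetical, and 32-bit return values are assumed.

```python
import re

# Constructed sample in the +relay trace format quoted above (arguments shortened).
SAMPLE_LOG = """\
003d:Call KERNEL32.CreateProcessW(00000000,001c8630,00000410) ret=0047235f
003d:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=0047235f
0044:Call ntdll.RtlCreateProcessParameters(0033e770,0033e764,00000000) ret=004519b8
0044:Ret  ntdll.RtlCreateProcessParameters() retval=00000000 ret=004519b8
0044:Call ntdll.RtlCreateUserProcess(0033e764,00000040,00390000,0033e780) ret=0046fb4d
0044:fixme:ntdll:RtlCreateUserProcess (0x33e764 64 0x390000 (nil) 0x33e780): stub
0044:Ret  ntdll.RtlCreateUserProcess() retval=c0000002 ret=0046fb4d
"""

CALL = re.compile(r"^([0-9a-f]{4}):Call\s+(\w+)\.(\w+)\(")
RET = re.compile(r"^([0-9a-f]{4}):Ret\s+(\w+)\.(\w+)\(\) retval=([0-9a-f]{8})\b")
STUB = re.compile(r"^([0-9a-f]{4}):fixme:\w+:(\w+) .*\bstub\s*$")
SEVERITY = ("success", "informational", "warning", "error")  # NTSTATUS bits 31-30


def find_stubbed_calls(log):
    """Return (tid, 'module.func', retval, severity) for relay calls that hit a stub."""
    open_calls = {}  # thread id -> stack of [module, func, hit_stub]
    findings = []
    for line in log.splitlines():
        if m := CALL.match(line):
            open_calls.setdefault(m[1], []).append([m[2], m[3], False])
        elif m := STUB.match(line):
            # Mark the innermost open call of that name on the same thread.
            for frame in reversed(open_calls.get(m[1], [])):
                if frame[1] == m[2]:
                    frame[2] = True
                    break
        elif m := RET.match(line):
            stack = open_calls.get(m[1], [])
            if stack and stack[-1][:2] == [m[2], m[3]]:
                hit_stub = stack.pop()[2]
                if hit_stub:
                    status = int(m[4], 16)
                    findings.append((m[1], f"{m[2]}.{m[3]}", status, SEVERITY[status >> 30]))
    return findings


if __name__ == "__main__":
    for tid, name, status, sev in find_stubbed_calls(SAMPLE_LOG):
        print(f"thread {tid}: {name} is a stub, returned {status:#010x} ({sev})")
```

On the sample it reports ntdll.RtlCreateUserProcess returning 0xc0000002 (STATUS_NOT_IMPLEMENTED), the same failure visible in the quoted trace.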