https://bugs.winehq.org/show_bug.cgi?id=44658
Anastasius Focht focht@gmx.net changed:
What     | Removed | Added
Keywords | (none)  | download
URL      | (none)  | https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe
Summary  | Custom Win7+ APIset lookup/resolver tool relies on presence of 'ApiSetMap' field in PEB | Multiple Win7+ APIset lookup/resolver tools need 'ApiSetMap' field in PEB (ApiSetView, Dependencies)
--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello folks,
Revisiting. I've found a couple of projects on GitHub that make use of the 'ApiSetMap' field in the PEB.
https://github.com/lucasg/Dependencies ("Dependencies - An open-source modern Dependency Walker") -> .NET 4.0
https://github.com/zodiacon/ApiSetView ("Api Set Viewer")
https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./ApiSetView.exe >>log.txt 2>&1
...
00b4:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4031f1 ip=004031f1 tid=00b4
00b4:trace:seh:raise_exception info[0]=00000000
00b4:trace:seh:raise_exception info[1]=00000010
00b4:trace:seh:raise_exception eax=00000000 ebx=7e840e68 ecx=0031fafc edx=0031fafc esi=0031fb10 edi=00000000
00b4:trace:seh:raise_exception ebp=0031f9cc esp=0031f96c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
00b4:trace:seh:call_stack_handlers calling handler at 0x46a853 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 00000010 at address 004031F1 (thread 00b4), starting debugger...
--- snip ---
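Disassembly of crash site (edi is loaded from PEB->ApiSetMap and is 00000000 in the trace above, so the read at [edi+10] faults on address 00000010):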
--- snip ---
004031B0 | push ebp                        |
004031B1 | mov ebp,esp                     |
004031B3 | push FFFFFFFF                   |
004031B5 | push apisetview.46A853          |
004031BA | mov eax,dword ptr fs:[0]        |
004031C0 | push eax                        |
004031C1 | sub esp,44                      |
004031C4 | push ebx                        |
004031C5 | push esi                        |
004031C6 | push edi                        |
004031C7 | mov eax,dword ptr ds:[47B320]   |
004031CC | xor eax,ebp                     |
004031CE | push eax                        |
004031CF | lea eax,dword ptr ss:[ebp-C]    |
004031D2 | mov dword ptr fs:[0],eax        |
004031D8 | mov edx,ecx                     |
004031DA | mov dword ptr ss:[ebp-28],edx   |
004031DD | mov eax,dword ptr fs:[18]       |
004031E3 | mov eax,dword ptr ds:[eax+30]   | PEB
004031E6 | mov edi,dword ptr ds:[eax+38]   | PEB->ApiSetMap
004031E9 | mov eax,dword ptr ds:[edx+8]    |
004031EC | sub eax,dword ptr ds:[edx]      |
004031EE | sar eax,5                       |
004031F1 | mov ebx,dword ptr ds:[edi+10]   | *boom*
...
--- snip ---
Corresponding source code:
https://github.com/zodiacon/ApiSetView/blob/master/ApiSetView/ApiSets.cpp#L5...
--- snip ---
// Populates _entries by walking the API set namespace whose address is read
// from the current process's PEB. Each namespace entry becomes one ApiSetEntry
// carrying its Name, its Sealed flag, and the Values/Aliases of its value entries.
//
// NOTE(review): the pointer taken from peb->Reserved9[0] is used without a null
// check. Where that PEB field is not populated (it reads as NULL), the first
// access through apiSetMap below is a read near address 0 and raises an access
// violation. A defensive caller would test the pointer and return with
// _entries left empty.
// NOTE(review): no schema version field is checked before the entries are
// interpreted; the layout is assumed - confirm which Windows versions it matches.
void ApiSets::Build() {
	auto peb = NtCurrentTeb()->ProcessEnvironmentBlock;
	// Reserved9[0] is treated as the API set namespace pointer (PEB->ApiSetMap).
	auto apiSetMap = static_cast<PAPI_SET_NAMESPACE>(peb->Reserved9[0]);
	// Base address as an integer: every offset used below is added to it.
	auto apiSetMapAsNumber = reinterpret_cast<ULONG_PTR>(apiSetMap);

	// First dereference of apiSetMap; faults here when the pointer is NULL.
	auto nsEntry = reinterpret_cast<PAPI_SET_NAMESPACE_ENTRY>((apiSetMap->EntryOffset + apiSetMapAsNumber));

	_entries.reserve(apiSetMap->Count);

	// Count, the offsets and the lengths are taken from the map as-is; nothing
	// here bounds them against the size of the mapped namespace.
	for (ULONG i = 0; i < apiSetMap->Count; i++) {
		ApiSetEntry entry;
		// Lengths are divided by sizeof(WCHAR) to get a character count
		// (presumably they are stored in bytes - confirm against the schema).
		entry.Name = CString(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + nsEntry->NameOffset), static_cast<int>(nsEntry->NameLength / sizeof(WCHAR)));
		entry.Sealed = (nsEntry->Flags & API_SET_SCHEMA_ENTRY_FLAGS_SEALED) != 0;

		// Value entries for this namespace entry are read consecutively from ValueOffset.
		auto valueEntry = reinterpret_cast<PAPI_SET_VALUE_ENTRY>(apiSetMapAsNumber + nsEntry->ValueOffset);
		for (ULONG j = 0; j < nsEntry->ValueCount; j++) {
			CString value(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + valueEntry->ValueOffset), valueEntry->ValueLength / sizeof(WCHAR));
			entry.Values.push_back(value);

			// A value entry contributes an alias only when it carries a non-empty name.
			if (valueEntry->NameLength != 0) {
				CString alias(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + valueEntry->NameOffset), valueEntry->NameLength / sizeof(WCHAR));
				entry.Aliases.push_back(alias);
			}

			valueEntry++;
		}
		nsEntry++;
		_entries.push_back(entry);
	}
}
--- snip ---
$ sha1sum ApiSetView.exe 9cc5f8d2c3008ee956fa1a2ea24f39eed8cc4b73 ApiSetView.exe
$ du -sh ApiSetView.exe 620K ApiSetView.exe
$ sha1sum Dependencies_x86_Release.zip b8ab5292100e11e009acf9289d27478c6b9413ac Dependencies_x86_Release.zip
$ du -sh Dependencies_x86_Release.zip 3.9M Dependencies_x86_Release.zip
$ wine --version wine-5.7-209-g4e2ad334b5
Regards