https://bugs.winehq.org/show_bug.cgi?id=45703
Anastasius Focht focht@gmx.net changed:
What      |Removed                                              |Added
----------------------------------------------------------------------------
URL       |                                                     |http://officecdn.microsoft.com.edgesuite.net/db/492350F6-3A01-4F97-B9C0-C7C6DDF67D60/media/en-US/WordRetail.img
Summary   |Microsoft Office 365 applications crash on WINE 3.14 |Microsoft Office 365 applications crash on startup (Microsoft AppV ISV virtual filesystem technology requires several native and core API to be hot-patchable)
Component |-unknown                                             |ntdll
Keywords  |regression                                           |obfuscation
CC        |                                                     |focht@gmx.net
--- Comment #9 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
The main problem here is Microsoft Application Packaging and Virtualization technology "App-V". It relies on hooking of native API and other core dlls to implement virtual filesystems.
Download links for testing:
https://www.ryadel.com/en/ms-office-2016-365-official-iso-img-images-for-dow...
Example of virtualized filesystem within MS Office 2016 (365) installation, with redirection target directory structure:
--- snip ---
$ tree --charset=ANSI -L 2 -d .wine/drive_c/Program\ Files/Microsoft\ Office/root/vfs/
.wine/drive_c/Program Files/Microsoft Office/root/vfs/
|-- Common AppData
|   |-- Microsoft
|   `-- Microsoft Help
|-- Common Programs
|   `-- Microsoft Office 2016 Tools
|-- Fonts
|   `-- private
|-- ProgramFilesCommonX86
|   |-- DESIGNER
|   |-- Microsoft Shared
|   `-- ODBC
|-- ProgramFilesX86
|   `-- Microsoft Office
|-- SystemX86
`-- Windows
    |-- Installer
    `-- PCHEALTH

17 directories
--- snip ---
The crash from initial bug report in debugger:
--- snip ---
Unhandled exception: page fault on read access to 0x6809f184 in 32-bit code (0x7bc3f58d).
Register dump:
 CS:0023 SS:002b DS:002b ES:002b FS:0063 GS:006b
 EIP:7bc3f58d ESP:0033cf50 EBP:0033d378 EFLAGS:00010206( R- -- I - -P- )
 EAX:680956f0 EBX:0033d400 ECX:0033d388 EDX:10082601
 ESI:00000000 EDI:00000000
...
Backtrace:
=>0 0x7bc3f58d NtQueryDirectoryFile+0x7d(handle=<couldn't compute location>, event=<couldn't compute location>, apc_routine=<couldn't compute location>, apc_context=<couldn't compute location>, io=<couldn't compute location>, buffer=<couldn't compute location>, length=<couldn't compute location>, info_class=<couldn't compute location>, single_entry=<couldn't compute location>, mask=<couldn't compute location>, restart_scan=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/directory.c:1949] in ntdll (0x0033d378)
  1 0x100a3f7e in appvisvsubsystems32 (+0xa3f7d) (0x0033d3c0)
  2 0x1008272e in appvisvsubsystems32 (+0x8272d) (0x0033d454)
  3 0x1008362c in appvisvsubsystems32 (+0x8362b) (0x0033d488)
  4 0x7bc28d01 lookup_manifest_file+0x160(dir=0x98, ai=0x33f5cc) [/home/focht/projects/wine/mainline-src/dlls/ntdll/actctx.c:3100] in ntdll (0x0033f538)
  5 0x7bc3462d RtlCreateActivationContext+0x67c(handle=<couldn't compute location>, ptr=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/actctx.c:3199] in ntdll (0x0033f608)
  6 0x7bc579f0 fixup_imports+0xcbf(wm=0x17fa70, load_path="C:\Program Files\Microsoft Office\root\Office16;C:\windows\system32") [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:810] in ntdll (0x0033f718)
  7 0x7bc581cd load_native_dll+0x71c(load_path="C:\Program Files\Microsoft Office\root\Office16;C:\windows\system32", name=<is not available>, file=<is not available>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:2070] in ntdll (0x0033f968)
  8 0x7bc589c4 load_dll+0x5d3(load_path="C:\Program Files\Microsoft Office\root\Office16;C:\windows\system32", libname="wwlib.dll", flags=0x1000) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:2570] in ntdll (0x0033fb18)
  9 0x7bc59223 LdrLoadDll+0x5d(path_name=<couldn't compute location>, flags=<couldn't compute location>, libname=<couldn't compute location>, hModule=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:2603] in ntdll (0x0033fb68)
  10 0x7b45a4ec load_library+0xdb(libname=0x33fc08, flags=0x1000) [/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:975] in kernel32 (0x0033fbe8)
  11 0x7b45ac01 LoadLibraryExW+0xdb() [/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:1035] in kernel32 (0x0033fc28)
  12 0x0040178f in winword (+0x178e) (0x0033fe74)
  13 0x00401163 in winword (+0x1162) (0x0033fec0)
  14 0x7b461b82 call_process_entry+0x11() in kernel32 (0x0033fed8)
  15 0x7b463d00 start_process+0x14f(entry=<couldn't compute location>, peb=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1273] in kernel32 (0x0033ffd8)
  16 0x7b461b8e start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x7bc3f58d NtQueryDirectoryFile+0x7d [/home/focht/projects/wine/mainline-src/dlls/ntdll/directory.c:1949] in ntdll: testb $0x8,0x9a94(%eax)
1949     TRACE("(%p %p %p %p %p %p 0x%08x 0x%08x 0x%08x %s 0x%08x\n",
--- snip ---
Wine calls native API in internal function 'lookup_manifest_file':
--- snip ---
...
7BC28CD0  8985 BCDFFFFF   MOV DWORD PTR SS:[LOCAL.2065],EAX
7BC28CD6  6A 01           PUSH 1
7BC28CD8  56              PUSH ESI
7BC28CD9  6A 00           PUSH 0
7BC28CDB  6A 03           PUSH 3
7BC28CDD  68 00200000     PUSH 2000
7BC28CE2  50              PUSH EAX
7BC28CE3  8D85 E0DFFFFF   LEA EAX,[LOCAL.2056]
7BC28CE9  50              PUSH EAX
7BC28CEA  6A 00           PUSH 0
7BC28CEC  6A 00           PUSH 0
7BC28CEE  6A 00           PUSH 0
7BC28CF0  FFB5 B0DFFFFF   PUSH DWORD PTR SS:[LOCAL.2068]
7BC28CF6  8985 A4DFFFFF   MOV DWORD PTR SS:[LOCAL.2071],EAX
7BC28CFC  E8 0F680100     CALL NtQueryDirectoryFile
...
--- snip ---
ntdll.dll NtQueryDirectoryFile (hooked):
--- snip ---
7BC3F510  E9 DB404494     JMP 100835F0
7BC3F515  05 EB4A0A00     ADD EAX,0A4AEB                 ; base pointer to GOT
7BC3F51A  8D4C24 04       LEA ECX,[ESP+4]
7BC3F51E  83E4 F0         AND ESP,FFFFFFF0
7BC3F521  FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7BC3F524  55              PUSH EBP
7BC3F525  89E5            MOV EBP,ESP
7BC3F527  57              PUSH EDI
7BC3F528  56              PUSH ESI
7BC3F529  53              PUSH EBX
7BC3F52A  51              PUSH ECX
7BC3F52B  81EC 18040000   SUB ESP,418
7BC3F531  8B59 10         MOV EBX,DWORD PTR DS:[ECX+10]
7BC3F534  8B11            MOV EDX,DWORD PTR DS:[ECX]
--- snip ---
App-V client side: 'AppVIsvSubsystems32.dll'
App-V remote/server side: 'OfficeClickToRun.exe' (RPC server)
Another native API example to also show the detour lib uses instruction boundary padding.
ntdll.dll NtOpenKeyEx (patched):
--- snip ---
7BC6EC50  E9 4BD43F94     JMP 1006C0A0
7BC6EC55  CC              INT3
7BC6EC56  CC              INT3
7BC6EC57  FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7BC6EC5A  55              PUSH EBP
7BC6EC5B  89E5            MOV EBP,ESP
7BC6EC5D  53              PUSH EBX
7BC6EC5E  89CB            MOV EBX,ECX
7BC6EC60  51              PUSH ECX
7BC6EC61  8B01            MOV EAX,DWORD PTR DS:[ECX]
7BC6EC63  8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
7BC6EC66  8B49 08         MOV ECX,DWORD PTR DS:[ECX+8]
7BC6EC69  83EC 0C         SUB ESP,0C
7BC6EC6C  FF73 0C         PUSH DWORD PTR DS:[EBX+0C]
7BC6EC6F  E8 FCF9FFFF     CALL 7BC6E670
7BC6EC74  8D65 F8         LEA ESP,[EBP-8]
7BC6EC77  59              POP ECX
7BC6EC78  5B              POP EBX
7BC6EC79  5D              POP EBP
7BC6EC7A  8D61 FC         LEA ESP,[ECX-4]
7BC6EC7D  C2 1000         RETN 10
--- snip ---
ntdll.dll NtOpenKeyEx (unmodified):
--- snip ---
7BC6EC50  8D4C24 04       LEA ECX,[ARG.1]
7BC6EC54  83E4 F0         AND ESP,FFFFFFF0
7BC6EC57  FF71 FC         PUSH DWORD PTR DS:[ECX-4]
7BC6EC5A  55              PUSH EBP
7BC6EC5B  89E5            MOV EBP,ESP
7BC6EC5D  53              PUSH EBX
7BC6EC5E  89CB            MOV EBX,ECX
7BC6EC60  51              PUSH ECX
7BC6EC61  8B01            MOV EAX,DWORD PTR DS:[ECX]
7BC6EC63  8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
7BC6EC66  8B49 08         MOV ECX,DWORD PTR DS:[ECX+8]
7BC6EC69  83EC 0C         SUB ESP,0C
7BC6EC6C  FF73 0C         PUSH DWORD PTR DS:[EBX+0C]
7BC6EC6F  E8 FCF9FFFF     CALL 7BC6E670
7BC6EC74  8D65 F8         LEA ESP,[LOCAL.3]
7BC6EC77  59              POP ECX
7BC6EC78  5B              POP EBX
7BC6EC79  5D              POP EBP
7BC6EC7A  8D61 FC         LEA ESP,[ECX-4]
7BC6EC7D  C2 1000         RETN 10
--- snip ---
List of potentially hooked native and core API using one-liner on trace log file:
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./WINWORD.EXE >>log2.txt 2>&1
...
$ egrep "(GetProcAddress\(7.*ret=10.*)" log.txt
0051:Call KERNEL32.GetProcAddress(7b420000,10155a28 "FlsAlloc") ret=1011c695
0051:Call KERNEL32.GetProcAddress(7b420000,10155a34 "FlsFree") ret=1011c6a8
0051:Call KERNEL32.GetProcAddress(7b420000,10155a3c "FlsGetValue") ret=1011c6bb
0051:Call KERNEL32.GetProcAddress(7b420000,10155a48 "FlsSetValue") ret=1011c6ce
0051:Call KERNEL32.GetProcAddress(7b420000,10155a54 "InitializeCriticalSectionEx") ret=1011c6e1
0051:Call KERNEL32.GetProcAddress(7b420000,10171a54 "CreateEventExW") ret=1011c6f4
0051:Call KERNEL32.GetProcAddress(7b420000,10171a74 "CreateSemaphoreExW") ret=1011c707
0051:Call KERNEL32.GetProcAddress(7b420000,10155a70 "SetThreadStackGuarantee") ret=1011c71a
0051:Call KERNEL32.GetProcAddress(7b420000,101796e8 "CreateThreadpoolTimer") ret=1011c72d
0051:Call KERNEL32.GetProcAddress(7b420000,10155a88 "SetThreadpoolTimer") ret=1011c740
0051:Call KERNEL32.GetProcAddress(7b420000,10155a9c "WaitForThreadpoolTimerCallbacks") ret=1011c753
0051:Call KERNEL32.GetProcAddress(7b420000,10155abc "CloseThreadpoolTimer") ret=1011c766
0051:Call KERNEL32.GetProcAddress(7b420000,101796a0 "CreateThreadpoolWait") ret=1011c779
0051:Call KERNEL32.GetProcAddress(7b420000,10155ad4 "SetThreadpoolWait") ret=1011c78c
0051:Call KERNEL32.GetProcAddress(7b420000,10155ae8 "CloseThreadpoolWait") ret=1011c79f
0051:Call KERNEL32.GetProcAddress(7b420000,10155afc "FlushProcessWriteBuffers") ret=1011c7b2
0051:Call KERNEL32.GetProcAddress(7b420000,10155b18 "FreeLibraryWhenCallbackReturns") ret=1011c7c5
0051:Call KERNEL32.GetProcAddress(7b420000,10155b38 "GetCurrentProcessorNumber") ret=1011c7d8
0051:Call KERNEL32.GetProcAddress(7b420000,10155b54 "GetLogicalProcessorInformation") ret=1011c7eb
0051:Call KERNEL32.GetProcAddress(7b420000,10155b74 "CreateSymbolicLinkW") ret=1011c7fe
0051:Call KERNEL32.GetProcAddress(7b420000,10155b88 "SetDefaultDllDirectories") ret=1011c811
0051:Call KERNEL32.GetProcAddress(7b420000,10155ba4 "EnumSystemLocalesEx") ret=1011c824
0051:Call KERNEL32.GetProcAddress(7b420000,10155bb8 "CompareStringEx") ret=1011c837
0051:Call KERNEL32.GetProcAddress(7b420000,10155bc8 "GetDateFormatEx") ret=1011c84a
0051:Call KERNEL32.GetProcAddress(7b420000,10155bd8 "GetLocaleInfoEx") ret=1011c85d
0051:Call KERNEL32.GetProcAddress(7b420000,10155be8 "GetTimeFormatEx") ret=1011c870
0051:Call KERNEL32.GetProcAddress(7b420000,10155bf8 "GetUserDefaultLocaleName") ret=1011c883
0051:Call KERNEL32.GetProcAddress(7b420000,10155c14 "IsValidLocaleName") ret=1011c896
0051:Call KERNEL32.GetProcAddress(7b420000,10155c28 "LCMapStringEx") ret=1011c8a9
0051:Call KERNEL32.GetProcAddress(7b420000,10155c38 "GetCurrentPackageId") ret=1011c8bc
0051:Call KERNEL32.GetProcAddress(7b420000,10155c4c "GetTickCount64") ret=1011c8cf
0051:Call KERNEL32.GetProcAddress(7b420000,10155c5c "GetFileInformationByHandleExW") ret=1011c8e2
0051:Call KERNEL32.GetProcAddress(7b420000,10155c7c "SetFileInformationByHandleW") ret=1011c8f5
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4628 "NtOpenKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4668 "NtOpenKeyEx") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3738 "NtOpenKeyTransacted") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3760 "NtOpenKeyTransactedEx") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4728 "NtDeleteKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4768 "NtFlushKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a47a8 "NtCreateKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3788 "NtCreateKeyTransacted") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4828 "NtEnumerateKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4868 "NtQueryKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a48a8 "NtQueryObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a37b0 "NtSetInformationKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4928 "NtQueryValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a37d8 "NtEnumerateValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a49a8 "NtSetValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3800 "NtDeleteValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4a28 "NtRenameKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3828 "NtQueryMultipleValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3850 "NtNotifyChangeKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a36c0 "NtNotifyChangeMultipleKeys") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a36e8 "NtQuerySecurityObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3698 "NtSetSecurityObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a2d60 "NtDuplicateObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4be8 "NtClose") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,101715dc "IsWow64Process") ret=10087759
0051:Call KERNEL32.GetProcAddress(7bc10000,00184bb0 "NtCreateFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,00184bf0 "NtOpenFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,00184c30 "NtDeleteFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,0018d360 "NtQueryAttributesFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,0018d388 "NtQueryFullAttributesFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001941f0 "NtQueryDirectoryFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,00194218 "NtSetInformationFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,00184d70 "NtClose") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00184db0 "CreateActCtxA") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00184df0 "CreateActCtxW") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,00194240 "NtQueryInformationFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00194268 "GetModuleFileNameA") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00193428 "GetModuleFileNameW") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,001964c8 "GetCurrentDirectoryA") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00185bd8 "GetCurrentDirectoryW") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00184bb0 "CoInitializeEx") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00184bf0 "CoUninitialize") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,0018da60 "CoCreateInstanceEx") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,001949e0 "CoCreateInstance") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,0018ec10 "CoRegisterClassObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,001a3698 "CoRevokeClassObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,001a36c0 "CoGetClassObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,001a36e8 "CoGetInstanceFromFile") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00197548 "CoResumeClassObjects") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00197570 "CoSuspendClassObjects") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00184e30 "OleInitialize") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00184e70 "OleUninitialize") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00197598 "OleRegEnumFormatEtc") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e7d0000,00184ef0 "OleRun") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e920000,00192678 "RegisterActiveObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e920000,00194a38 "RevokeActiveObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e920000,00184fb0 "GetActiveObject") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,001957c8 "CreateProcessW") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00195808 "CreateProcessA") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,00195848 "WinExec") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e750000,00196820 "CreateProcessAsUserW") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7e750000,00191390 "CreateProcessAsUserA") ret=1001d194
--- snip ---
Another one-liner to show which API functions that are being looked up are currently not 'DECLSPEC_HOTPATCH' in Wine source.
* filter for all core dlls (prelink/load base address range) API functions that are getting looked up from specific dll (load base address range)
* filter for all function body (definition) occurrences in Wine sources, which have no DECLSPEC_HOTPATCH
--- snip ---
$ egrep "(GetProcAddress\(7.*ret=10.*)" log.txt | cut -d "\"" -f2 | xargs -n1 -I '{}' egrep -R 'WINAPI.*{}\(' /home/focht/projects/wine/mainline-src/dlls/ | grep -v DECLSPEC_HOTPATCH
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:DWORD WINAPI FlsAlloc( PFLS_CALLBACK_FUNCTION callback )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:BOOL WINAPI FlsFree( DWORD index )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:PVOID WINAPI FlsGetValue( DWORD index )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:BOOL WINAPI FlsSetValue( DWORD index, PVOID data )
/home/focht/projects/wine/mainline-src/dlls/kernel32/sync.c:BOOL WINAPI InitializeCriticalSectionEx( CRITICAL_SECTION *crit, DWORD spincount, DWORD flags )
/home/focht/projects/wine/mainline-src/dlls/ntdll/critsection.c:NTSTATUS WINAPI RtlInitializeCriticalSectionEx( RTL_CRITICAL_SECTION *crit, ULONG spincount, ULONG flags )
/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:BOOL WINAPI SetThreadStackGuarantee(PULONG stacksize)
/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:PTP_TIMER WINAPI CreateThreadpoolTimer( PTP_TIMER_CALLBACK callback, PVOID userdata,
/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:VOID WINAPI SetThreadpoolTimer( TP_TIMER *timer, FILETIME *due_time,
/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:PTP_WAIT WINAPI CreateThreadpoolWait( PTP_WAIT_CALLBACK callback, PVOID userdata,
/home/focht/projects/wine/mainline-src/dlls/kernel32/thread.c:VOID WINAPI SetThreadpoolWait( TP_WAIT *wait, HANDLE handle, FILETIME *due_time )
/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:VOID WINAPI FlushProcessWriteBuffers(void)
/home/focht/projects/wine/mainline-src/dlls/ntdll/thread.c:ULONG WINAPI NtGetCurrentProcessorNumber(void)
/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:BOOL WINAPI GetLogicalProcessorInformation(PSYSTEM_LOGICAL_PROCESSOR_INFORMATION buffer, PDWORD pBufLen)
/home/focht/projects/wine/mainline-src/dlls/kernel32/path.c:BOOLEAN WINAPI CreateSymbolicLinkW(LPCWSTR link, LPCWSTR target, DWORD flags)
/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:BOOL WINAPI SetDefaultDllDirectories( DWORD flags )
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:BOOL WINAPI EnumSystemLocalesEx( LOCALE_ENUMPROCEX proc, DWORD flags, LPARAM lparam, LPVOID reserved )
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:INT WINAPI CompareStringEx(LPCWSTR locale, DWORD flags, LPCWSTR str1, INT len1,
/home/focht/projects/wine/mainline-src/dlls/kernel32/lcformat.c:INT WINAPI GetDateFormatEx(LPCWSTR localename, DWORD flags,
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:INT WINAPI GetLocaleInfoEx(LPCWSTR locale, LCTYPE info, LPWSTR buffer, INT len)
/home/focht/projects/wine/mainline-src/dlls/kernel32/lcformat.c:INT WINAPI GetTimeFormatEx(LPCWSTR localename, DWORD flags,
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:INT WINAPI GetUserDefaultLocaleName(LPWSTR localename, int buffersize)
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:BOOL WINAPI IsValidLocaleName( LPCWSTR locale )
/home/focht/projects/wine/mainline-src/dlls/kernel32/locale.c:INT WINAPI LCMapStringEx(LPCWSTR name, DWORD flags, LPCWSTR src, INT srclen, LPWSTR dst, INT dstlen,
/home/focht/projects/wine/mainline-src/dlls/kernel32/version.c:LONG WINAPI GetCurrentPackageId(UINT32 *len, BYTE *buffer)
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtOpenKey( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI RtlpNtOpenKey( PHANDLE retkey, ACCESS_MASK access, OBJECT_ATTRIBUTES *attr )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtOpenKeyEx( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr, ULONG options )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtOpenKeyTransacted( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtOpenKeyTransactedEx( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtDeleteKey( HANDLE hkey )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtFlushKey(HANDLE key)
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtCreateKey( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI RtlpNtCreateKey( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtCreateKeyTransacted( PHANDLE retkey, ACCESS_MASK access, const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtEnumerateKey( HANDLE handle, ULONG index, KEY_INFORMATION_CLASS info_class,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtQueryKey( HANDLE handle, KEY_INFORMATION_CLASS info_class,
/home/focht/projects/wine/mainline-src/dlls/ntdll/om.c:NTSTATUS WINAPI NtQueryObject(IN HANDLE handle,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtSetInformationKey(
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtQueryValueKey( HANDLE handle, const UNICODE_STRING *name,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI RtlpNtQueryValueKey( HANDLE handle, ULONG *result_type, PBYTE dest,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtEnumerateValueKey( HANDLE handle, ULONG index,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtSetValueKey( HANDLE hkey, const UNICODE_STRING *name, ULONG TitleIndex,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI RtlpNtSetValueKey( HANDLE hkey, ULONG type, const void *data,
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtDeleteValueKey( HANDLE hkey, const UNICODE_STRING *name )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtRenameKey( HANDLE handle, UNICODE_STRING *name )
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtQueryMultipleValueKey(
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtNotifyChangeKey(
/home/focht/projects/wine/mainline-src/dlls/ntdll/reg.c:NTSTATUS WINAPI NtNotifyChangeMultipleKeys(
/home/focht/projects/wine/mainline-src/dlls/ntdll/sec.c:NTSTATUS WINAPI NtSetSecurityObject(HANDLE Handle,
/home/focht/projects/wine/mainline-src/dlls/ntdll/om.c:NTSTATUS WINAPI NtDuplicateObject( HANDLE source_process, HANDLE source,
/home/focht/projects/wine/mainline-src/dlls/ntdll/om.c:NTSTATUS WINAPI NtClose( HANDLE Handle )
/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:BOOL WINAPI IsWow64Process(HANDLE hProcess, PBOOL Wow64Process)
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtCreateFile( PHANDLE handle, ACCESS_MASK access, POBJECT_ATTRIBUTES attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtOpenFile( PHANDLE handle, ACCESS_MASK access,
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtDeleteFile( POBJECT_ATTRIBUTES ObjectAttributes )
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtQueryAttributesFile( const OBJECT_ATTRIBUTES *attr, FILE_BASIC_INFORMATION *info )
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtQueryFullAttributesFile( const OBJECT_ATTRIBUTES *attr,
/home/focht/projects/wine/mainline-src/dlls/ntdll/directory.c:NTSTATUS WINAPI NtQueryDirectoryFile( HANDLE handle, HANDLE event,
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtSetInformationFile(HANDLE handle, PIO_STATUS_BLOCK io,
/home/focht/projects/wine/mainline-src/dlls/ntdll/om.c:NTSTATUS WINAPI NtClose( HANDLE Handle )
/home/focht/projects/wine/mainline-src/dlls/kernel32/actctx.c:HANDLE WINAPI CreateActCtxA(PCACTCTXA pActCtx)
/home/focht/projects/wine/mainline-src/dlls/kernel32/actctx.c:HANDLE WINAPI CreateActCtxW(PCACTCTXW pActCtx)
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtQueryInformationFile( HANDLE hFile, PIO_STATUS_BLOCK io,
/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:DWORD WINAPI GetModuleFileNameA(
/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:DWORD WINAPI GetModuleFileNameW( HMODULE hModule, LPWSTR lpFileName, DWORD size )
/home/focht/projects/wine/mainline-src/dlls/wininet/ftp.c:BOOL WINAPI FtpGetCurrentDirectoryA(HINTERNET hFtpSession, LPSTR lpszCurrentDirectory,
/home/focht/projects/wine/mainline-src/dlls/kernel32/path.c:UINT WINAPI GetCurrentDirectoryA( UINT buflen, LPSTR buf )
/home/focht/projects/wine/mainline-src/dlls/wininet/ftp.c:BOOL WINAPI FtpGetCurrentDirectoryW(HINTERNET hFtpSession, LPWSTR lpszCurrentDirectory,
/home/focht/projects/wine/mainline-src/dlls/kernel32/path.c:UINT WINAPI GetCurrentDirectoryW( UINT buflen, LPWSTR buf )
/home/focht/projects/wine/mainline-src/dlls/shell32/shellole.c:HRESULT WINAPI SHCoCreateInstance(
/home/focht/projects/wine/mainline-src/dlls/ole32/compobj.c:HRESULT WINAPI CoRegisterClassObject(
/home/focht/projects/wine/mainline-src/dlls/ole32/compobj.c:HRESULT WINAPI CoResumeClassObjects(void)
/home/focht/projects/wine/mainline-src/dlls/ole32/compobj.c:HRESULT WINAPI CoSuspendClassObjects(void)
--- snip ---
It seems *not* all API looked up are actually getting detoured. All native API for sure and a good chunk of the others. It's possible to figure out the exact number that are getting hot-patched at runtime using a scriptable debugger that scans all core dll entries for out-of-module/inter-modular jumps.
Tidbit: I've tested the same install with Wine 3.0 and it doesn't work there either. It even suffers from additional problems. So your claim "it worked" - it was likely just by chance. A debug build of Wine (-O0, -O1), no GOT/PIC at entry, older GCC versions etc.
Anyway, this problem domain has been known for years. There were various discussions in the past on how to mitigate this. More recent one: https://bugs.winehq.org/show_bug.cgi?id=45199#c30 (and follow-up comments).
* making Win32 API hot-patchable by default
* use '-fno-PIC' by default
* implement proper NT-style syscall thunks for native API (Wine-Staging)
Yet we still continue the practice "as needed", polluting the source tree with 'DECLSPEC_HOTPATCH'. Analysing/debugging that is just monkey work.
$ sha1sum WordRetail.img
7e327f7d685ff6da81e831e918959380908b25b7 WordRetail.img
$ du -sh WordRetail.img
4.2G WordRetail.img
$ wine --version
wine-3.21
Regards
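
The scan for out-of-module jumps mentioned in the comment, as an added example that is not part of the original comment or of Wine: it decodes the `E9 rel32` at each entry point, checks whether the target leaves the owning module, and counts the INT3 padding after the jump. Entry bytes and module bases are taken from the dumps above; the module sizes and the intra-module sample entry are assumed values.

```python
import struct

# Module map: bases are taken from the trace on the page; the sizes are
# assumed values chosen only to cover the addresses that appear there.
MODULES = [
    ("appvisvsubsystems32", 0x10000000, 0x00200000),
    ("kernel32",            0x7B420000, 0x00200000),
    ("ntdll",               0x7BC10000, 0x00100000),
]

# Entry-point bytes copied from the disassembly dumps on the page, plus one
# constructed intra-module jump to show what must not be reported.
ENTRIES = [
    ("NtQueryDirectoryFile",     0x7BC3F510, "E9DB404494 05EB4A0A00 8D4C2404"),
    ("NtOpenKeyEx",              0x7BC6EC50, "E94BD43F94 CCCC FF71FC 55 89E5"),
    ("NtOpenKeyEx (unmodified)", 0x7BC6EC50, "8D4C2404 83E4F0 FF71FC 55 89E5"),
    ("IntraJump (constructed)",  0x7BC20000, "E9FB000000 9090"),
]


def module_of(addr):
    """Name of the module whose address range contains addr, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def decode_jmp_rel32(va, code):
    """Target of a 5-byte `E9 rel32` jump at va, or None for other opcodes."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<i", code, 1)  # signed little-endian displacement
    return (va + 5 + rel) & 0xFFFFFFFF          # relative to next instruction, 32-bit wrap


def scan_entry(name, va, code):
    """Describe the detour at this entry, or return None if it is not one."""
    target = decode_jmp_rel32(va, code)
    if target is None:
        return None
    owner, dest = module_of(va), module_of(target)
    if dest == owner:
        return None                             # jump stays inside the module
    # INT3 bytes after the jump fill the remainder of the last overwritten
    # instruction, so the following code starts on an instruction boundary.
    padding = 0
    for byte in code[5:]:
        if byte != 0xCC:
            break
        padding += 1
    return {"name": name, "va": va, "target": target,
            "owner": owner, "dest": dest or "<unmapped>", "padding": padding}


def scan(entries=ENTRIES):
    """Return one finding per entry that starts with an out-of-module jump."""
    findings = []
    for name, va, hexbytes in entries:
        hit = scan_entry(name, va, bytes.fromhex(hexbytes))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan():
        print("%-22s %08X -> %08X (%s -> %s), %d INT3 padding byte(s)"
              % (f["name"], f["va"], f["target"], f["owner"], f["dest"], f["padding"]))
```
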