https://bugs.winehq.org/show_bug.cgi?id=44658
Bug ID: 44658
Summary: Custom Win7+ APIset lookup/resolver tool relies on presence of 'ApiSetMap' field in PEB
Product: Wine
Version: 3.3
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
to track the following Wine-Staging patchset just for the memes ;-)
https://github.com/wine-staging/wine-staging/tree/master/patches/ntdll-ApiSe...
Tracing the origin to Wine-Staging issue tracker:
https://dev.wine-staging.com/patches/91/
--- quote ---
I found an application which tries to enumerate the loaded apisets by using the PEB. This patch adds a dummy struct so that the application no longer crashes. The definition should match the one for Win 7/8. As usual Microsoft changed the format in newer windows versions again ;-).
--- quote ---
Ohhhh-kay?
I found some useful information at Geoff Chappell's site:
https://www.geoffchappell.com/studies/windows/win32/apisetschema/index.htm
https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index....
Nice illustration:
https://www.cylance.com/en_us/blog/universal-unhooking-blinding-security-sof... (in 'API Set Schema' section)
An example application which makes use of this (source only):
https://gist.github.com/lucasg/9aa464b95b4b7344cb0cddbdb4214b25#file-apisetl...
It also has a small test suite.
$ wine --version
wine-3.3
Regards
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
Keywords        |        |source
Status          |NEW     |STAGED
Staged patchset |        |https://github.com/wine-staging/wine-staging/tree/master/patches/ntdll-ApiSetMap
Anastasius Focht focht@gmx.net changed:
What     |Removed                                                                                 |Added
----------------------------------------------------------------------------
Keywords |                                                                                        |download
URL      |                                                                                        |https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe
Summary  |Custom Win7+ APIset lookup/resolver tool relies on presence of 'ApiSetMap' field in PEB |Multiple Win7+ APIset lookup/resolver tools need 'ApiSetMap' field in PEB (ApiSetView, Dependencies)
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting. I've found a couple of projects on Github making use of 'ApiSetMap' field in PEB.
https://github.com/lucasg/Dependencies ("Dependencies - An open-source modern Dependency Walker") -> .NET 4.0
https://github.com/zodiacon/ApiSetView ("Api Set Viewer")
https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./ApiSetView.exe >>log.txt 2>&1
...
00b4:trace:seh:raise_exception code=c0000005 flags=0 addr=0x4031f1
00b4:trace:seh:raise_exception ip=004031f1 tid=00b4
00b4:trace:seh:raise_exception info[0]=00000000
00b4:trace:seh:raise_exception info[1]=00000010
00b4:trace:seh:raise_exception eax=00000000 ebx=7e840e68 ecx=0031fafc edx=0031fafc esi=0031fb10 edi=00000000
00b4:trace:seh:raise_exception ebp=0031f9cc esp=0031f96c cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
00b4:trace:seh:call_stack_handlers calling handler at 0x46a853 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 00000010 at address 004031F1 (thread 00b4), starting debugger...
--- snip ---
Disassembly of crash site:
--- snip ---
004031B0 | push ebp                       |
004031B1 | mov ebp,esp                    |
004031B3 | push FFFFFFFF                  |
004031B5 | push apisetview.46A853         |
004031BA | mov eax,dword ptr fs:[0]       |
004031C0 | push eax                       |
004031C1 | sub esp,44                     |
004031C4 | push ebx                       |
004031C5 | push esi                       |
004031C6 | push edi                       |
004031C7 | mov eax,dword ptr ds:[47B320]  |
004031CC | xor eax,ebp                    |
004031CE | push eax                       |
004031CF | lea eax,dword ptr ss:[ebp-C]   |
004031D2 | mov dword ptr fs:[0],eax       |
004031D8 | mov edx,ecx                    |
004031DA | mov dword ptr ss:[ebp-28],edx  |
004031DD | mov eax,dword ptr fs:[18]      |
004031E3 | mov eax,dword ptr ds:[eax+30]  | PEB
004031E6 | mov edi,dword ptr ds:[eax+38]  | PEB->ApiSetMap
004031E9 | mov eax,dword ptr ds:[edx+8]   |
004031EC | sub eax,dword ptr ds:[edx]     |
004031EE | sar eax,5                      |
004031F1 | mov ebx,dword ptr ds:[edi+10]  | *boom*
...
--- snip ---
Corresponding source code:
https://github.com/zodiacon/ApiSetView/blob/master/ApiSetView/ApiSets.cpp#L5...
--- snip ---
void ApiSets::Build() {
    auto peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    // Reserved9[0] is PEB->ApiSetMap (PEB+0x38 in the disassembly above); Wine 3.3 leaves it NULL
    auto apiSetMap = static_cast<PAPI_SET_NAMESPACE>(peb->Reserved9[0]);
    auto apiSetMapAsNumber = reinterpret_cast<ULONG_PTR>(apiSetMap);

    // All offsets in the map are relative to its base; this read of EntryOffset (map+0x10)
    // is the faulting access at 00000010 when the map pointer is NULL
    auto nsEntry = reinterpret_cast<PAPI_SET_NAMESPACE_ENTRY>((apiSetMap->EntryOffset + apiSetMapAsNumber));

    _entries.reserve(apiSetMap->Count);

    for (ULONG i = 0; i < apiSetMap->Count; i++) {
        ApiSetEntry entry;
        entry.Name = CString(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + nsEntry->NameOffset),
                             static_cast<int>(nsEntry->NameLength / sizeof(WCHAR)));
        entry.Sealed = (nsEntry->Flags & API_SET_SCHEMA_ENTRY_FLAGS_SEALED) != 0;

        auto valueEntry = reinterpret_cast<PAPI_SET_VALUE_ENTRY>(apiSetMapAsNumber + nsEntry->ValueOffset);
        for (ULONG j = 0; j < nsEntry->ValueCount; j++) {
            CString value(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + valueEntry->ValueOffset),
                          valueEntry->ValueLength / sizeof(WCHAR));
            entry.Values.push_back(value);

            // A non-empty value name marks an alias (importer-specific host)
            if (valueEntry->NameLength != 0) {
                CString alias(reinterpret_cast<PWCHAR>(apiSetMapAsNumber + valueEntry->NameOffset),
                              valueEntry->NameLength / sizeof(WCHAR));
                entry.Aliases.push_back(alias);
            }

            valueEntry++;
        }
        nsEntry++;
        _entries.push_back(entry);
    }
}
--- snip ---
$ sha1sum ApiSetView.exe
9cc5f8d2c3008ee956fa1a2ea24f39eed8cc4b73 ApiSetView.exe

$ du -sh ApiSetView.exe
620K ApiSetView.exe

$ sha1sum Dependencies_x86_Release.zip
b8ab5292100e11e009acf9289d27478c6b9413ac Dependencies_x86_Release.zip

$ du -sh Dependencies_x86_Release.zip
3.9M Dependencies_x86_Release.zip

$ wine --version
wine-5.7-209-g4e2ad334b5
Regards
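As an added example (not code from ApiSetView, Wine or this bug report) of the structure the quoted loop walks: a constructed schema-v6 API set map is built in memory and a resolver looks contract names up in it, with the NULL-map check whose absence is the fault above. The struct layouts, the helper names and the sample contract/host names are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <utility>
#include <vector>
// Layouts of the schema-v6 API set map as walked by the quoted code (assumed, not from the page).
struct ApiSetNamespace      { uint32_t Version, Size, Flags, Count, EntryOffset, HashOffset, HashFactor; };
struct ApiSetNamespaceEntry { uint32_t Flags, NameOffset, NameLength, HashedLength, ValueOffset, ValueCount; };
struct ApiSetValueEntry     { uint32_t Flags, NameOffset, NameLength, ValueOffset, ValueLength; };
// Append a UTF-16 string to the blob; return its byte offset and byte length.
static std::pair<uint32_t, uint32_t> put_str(std::vector<uint8_t>& b, const std::u16string& s) {
    uint32_t off = static_cast<uint32_t>(b.size());
    auto p = reinterpret_cast<const uint8_t*>(s.data());
    b.insert(b.end(), p, p + s.size() * 2);
    return {off, static_cast<uint32_t>(s.size() * 2)};
}
// Constructed sample map: two contracts, each with one default host (value NameLength == 0).
std::vector<uint8_t> build_sample_map() {
    const char16_t* names[2] = {u"api-ms-win-core-file-l1-1-0", u"api-ms-win-core-synch-l1-2-0"};
    const char16_t* hosts[2] = {u"kernel32.dll", u"kernelbase.dll"};
    ApiSetNamespace hdr{6, 0, 0, 2, sizeof(ApiSetNamespace), 0, 0};
    uint32_t valOff = hdr.EntryOffset + 2 * sizeof(ApiSetNamespaceEntry);
    std::vector<uint8_t> b(valOff + 2 * sizeof(ApiSetValueEntry));   // fixed tables first, strings after
    for (uint32_t i = 0; i < 2; i++) {
        auto n = put_str(b, names[i]), h = put_str(b, hosts[i]);
        ApiSetNamespaceEntry ne{0, n.first, n.second, n.second, valOff + i * (uint32_t)sizeof(ApiSetValueEntry), 1};
        ApiSetValueEntry ve{0, 0, 0, h.first, h.second};
        std::memcpy(&b[hdr.EntryOffset + i * sizeof(ne)], &ne, sizeof ne); std::memcpy(&b[ne.ValueOffset], &ve, sizeof ve);
    }
    hdr.Size = static_cast<uint32_t>(b.size()); std::memcpy(b.data(), &hdr, sizeof hdr);
    return b;
}
// Resolve a contract name to its default host as the quoted loop does, plus two checks it lacks:
// a NULL map (PEB->ApiSetMap unset, the Wine 3.3 crash) or an entry table running past the
// map's declared Size yields "" instead of a fault.
std::u16string resolve_apiset(const uint8_t* map, const std::u16string& name) {
    if (!map) return u"";
    auto base = reinterpret_cast<uintptr_t>(map);
    auto hdr = reinterpret_cast<const ApiSetNamespace*>(map);
    if (hdr->EntryOffset + hdr->Count * sizeof(ApiSetNamespaceEntry) > hdr->Size) return u"";
    auto ne = reinterpret_cast<const ApiSetNamespaceEntry*>(base + hdr->EntryOffset);
    for (uint32_t i = 0; i < hdr->Count; i++, ne++) {
        std::u16string n(reinterpret_cast<const char16_t*>(base + ne->NameOffset), ne->NameLength / 2);
        if (n != name) continue;
        auto ve = reinterpret_cast<const ApiSetValueEntry*>(base + ne->ValueOffset);
        for (uint32_t j = 0; j < ne->ValueCount; j++, ve++)
            if (ve->NameLength == 0)    // default (non-aliased) host entry
                return std::u16string(reinterpret_cast<const char16_t*>(base + ve->ValueOffset), ve->ValueLength / 2);
    }
    return u"";
}
```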
Anastasius Focht focht@gmx.net changed:
What |Removed                                                                      |Added
----------------------------------------------------------------------------
URL  |https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe |https://web.archive.org/web/20210726071744/https://github.com/zodiacon/ApiSetView/releases/download/v0.8/ApiSetView.exe
--- Comment #2 from Nikolay Sivov bunglehead@gmail.com --- ApiSetView seems to work now with wine-4853f65c844de8277b8b0420df1a2cdb1c5b17c8.
Nikolay Sivov bunglehead@gmail.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |52583
Alexandre Julliard julliard@winehq.org changed:
What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |FIXED
Status     |STAGED  |RESOLVED
--- Comment #3 from Alexandre Julliard julliard@winehq.org --- ApiSets are implemented now.
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 7.3.