http://bugs.winehq.org/show_bug.cgi?id=12859
Summary: HideThreadFromDebugger in NtSetInformationThread
Product: Wine
Version: 0.9.60
Platform: Other
OS/Version: other
Status: UNCONFIRMED
Severity: enhancement
Priority: P2
Component: ntdll
AssignedTo: wine-bugs@winehq.org
ReportedBy: readams@readams.net
Created an attachment (id=12555) --> (http://bugs.winehq.org/attachment.cgi?id=12555) Add HideThreadFromDebugger to winternl.h and to NtSetInformationThread
This API exists in the windows NtSetInformationThread for some reason.
The sensible thing to do in wine here seems to be to just ignore this call.
Patch attached is against 0.9.60.
--- Comment #1 from Lei Zhang thestig@google.com 2008-04-28 19:01:04 --- Do you have a real world app that needs it?
--- Comment #2 from Rob Adams readams@readams.net 2008-04-28 19:29:22 --- Created an attachment (id=12558) --> (http://bugs.winehq.org/attachment.cgi?id=12558) example use of NTSetInformationThreat
This allows programs which employ a common anti-debugging technique under windows to run under wine.
I've attached a simple test program which shows how this would be used by such a program.
Austin English austinenglish@gmail.com changed:
What       |Removed |Added
-----------+--------+------------------
Keywords   |        |patch, testcase
--- Comment #3 from Juan Lang juan_lang@yahoo.com 2008-04-29 13:30:36 --- Patches should be sent to wine-patches , they're not picked up here.
Anastasius Focht focht@gmx.net changed:
What       |Removed |Added
-----------+--------+------------------
CC         |        |focht@gmx.net
--- Comment #4 from Anastasius Focht focht@gmx.net 2008-05-02 04:45:28 --- Hello,
this blog entry gives a possible "use case": http://nsylvain.blogspot.com/2007/08/threadhidefromdebugger-but-why.html
--- quote blog --- Alex_Ionescu said...
It's actually used by RtlQueryProcessDebugInformation when you're querying remote information... the routine creates a remote thread and hides it from the debugger, supposedly to stop the deadlock that would otherwise happen once the debugger receives the thread start routine. --- quote blog ---
Sounds plausible.
--- quote --- This allows programs which employ a common anti-debugging technique under windows to run under wine. --- quote ---
I'm curious ... do you have any example apps? I have yet to see the use of this information class in commercial protections because it's actually easy to "fix" = pretty useless.
Regards
--- Comment #5 from Austin English austinenglish@gmail.com 2008-10-30 02:18:30 --- Is this still an issue in current (1.1.7 or newer) wine?
--- Comment #6 from Anastasius Focht focht@gmx.net 2008-12-11 15:22:58 --- Hello,
--- quote --- Is this still an issue in current (1.1.7 or newer) wine? --- quote ---
Obviously yes. I just remembered a problem/bug where having such a facility could be useful - but not as the bug reporter initially intended (common anti-debugging technique).
In bug 14697, I described a situation where a debugger implicitly triggered an APC (by using VirtualQueryEx) which failed invocation on the remote process because all of the debuggee's threads were suspended in a non-alertable state due to a pending (dll load) debug event, and the debugger got stuck in a synchronous wait on that APC to complete in its debug event handling loop.
A possible use case would be to create a special remote helper thread for carrying out certain APCs and hiding it from the debugger, not relying on hijacking any debuggee threads to serve the APCs (like in comment #4 where I cited the blog entry).
But for the original bug reporter the question still remains: is there a commercial app which relies on this "feature"?
Regards
--- Comment #7 from Anastasius Focht focht@gmx.net 2009-05-17 05:51:14 --- Hello,
well I incidentally found an application which makes use of this (there are probably more). Newer versions of "Exeinfo PE" (Win32 PE identifier for packers, compressors, used compilers, exe protectors, obfuscators ..) have some anti-debugging tricks added. The application is coded in a way that Wine's STATUS_NOT_IMPLEMENTED return value is used as the pointer parameter in the next call, which queries for the unimplemented "ProcessDebugObjectHandle" information class. I'll file a separate bug for "ProcessDebugObjectHandle".
--- snip ---
0021:Call ntdll.NtSetInformationThread(fffffffe,00000011,00000000,00000000) ret=004da0d5
0021:fixme:thread:NtSetInformationThread info class 17 not supported yet
0021:Ret ntdll.NtSetInformationThread() retval=c0000002 ret=004da0d5
0021:Call ntdll.NtQueryInformationProcess(ffffffff,0000001e,c0000002,00000004,00000000) ret=004da0e4
...
--- snip ---
Brain-damaged app code or purpose (reconstructed and annotated after unpacking) ... decide.
--- snip ---
...
pushl $0x0
pushl $0x0
pushl $0x11
pushl $0xfe
call _NtSetInformationThread_thunk
pushl %eax
pushl $0x0
pushl $0x4
pushl %eax
pushl $0x1e
pushl $0xff
call _NtQueryInformationProcess_thunk
popl %eax
testl %eax,%eax
jnz bad_guy_we_are_being_debugged
...
--- snip ---
Just faking "success" for ThreadHideFromDebugger is the way to go as there is no need for real implementation like Windows has (see comment #4). Also this is not an "enhancement" anymore as real apps depend on this.
Send the patch to wine-patches for review/inclusion. If the initial bug reporter isn't active anymore, let someone other do it ;-)
Regards
Anastasius Focht focht@gmx.net changed:
What       |Removed |Added
-----------+--------+------------------
Blocks     |        |18500
Vitaliy Margolen vitaliy@kievinfo.com changed:
What           |Removed     |Added
---------------+------------+------------------
Keywords       |            |obfuscation
Status         |UNCONFIRMED |NEW
Ever Confirmed |0           |1
Severity       |enhancement |normal
--- Comment #8 from Vitaliy Margolen vitaliy@kievinfo.com 2009-05-17 11:47:53 --- And confirming.
--- Comment #9 from Anastasius Focht focht@gmx.net 2009-05-18 15:14:17 --- Hello,
I should have looked more closely at the patch ... despite being very small and non-intrusive it contains a problem. Gcc might generate code where the "status" return value isn't explicitly initialized, which might result in a garbage NTSTATUS being returned. This is bad for the next call, which is coded to take the status as a pointer parameter (bug 18500). I suggest you directly return STATUS_SUCCESS for the ThreadHideFromDebugger case.
Regards
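The call sequence reconstructed in comment #7 and the "return STATUS_SUCCESS directly" advice of comment #9, modelled as an added, stand-alone C example (this is not Wine's ntdll code). The NTSTATUS values and information-class numbers are the ones visible in the trace above; STATUS_ACCESS_VIOLATION for a NULL buffer is an assumed choice, and `fixed` toggles between the pre-fix and post-fix behaviour of both calls.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
typedef void *HANDLE;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED   ((NTSTATUS)0xC0000002) /* retval=c0000002 in the trace */
#define STATUS_ACCESS_VIOLATION  ((NTSTATUS)0xC0000005) /* assumed code for a NULL buffer */
#define ThreadHideFromDebugger   17                     /* info class 0x11 in the trace */
#define ProcessDebugObjectHandle 30                     /* info class 0x1e in the trace */

/* Model of ntdll before ('fixed' = false) and after both bugs are fixed.
 * As comment #9 suggests, the success path returns STATUS_SUCCESS directly
 * instead of falling through to a possibly uninitialised 'status' variable. */
static NTSTATUS model_NtSetInformationThread(HANDLE thread, ULONG cls,
                                             const void *info, ULONG len, bool fixed)
{
    (void)thread; (void)info; (void)len;
    if (cls == ThreadHideFromDebugger && fixed)
        return STATUS_SUCCESS;          /* nothing to hide here; just report success */
    return STATUS_NOT_IMPLEMENTED;
}

/* Model of the NULL-pointer check mentioned for bug 18500 (comment #11).
 * Only the fixed variant writes to the buffer, so the check must come first. */
static NTSTATUS model_NtQueryInformationProcess(HANDLE process, ULONG cls,
                                                void *info, ULONG len, bool fixed)
{
    (void)process;
    if (cls != ProcessDebugObjectHandle || !fixed) return STATUS_NOT_IMPLEMENTED;
    if (!info) return STATUS_ACCESS_VIOLATION;
    memset(info, 0, len);               /* model: "no debug object" */
    return STATUS_SUCCESS;
}

/* The sequence from comment #7: the NTSTATUS of the first call is pushed,
 * reused as the info pointer of the second call, popped back and tested.
 * Returns true when the app would conclude that it is being debugged. */
static bool app_thinks_debugged(bool fixed)
{
    NTSTATUS saved = model_NtSetInformationThread((HANDLE)(intptr_t)-2,
                                                  ThreadHideFromDebugger, NULL, 0, fixed);
    model_NtQueryInformationProcess((HANDLE)(intptr_t)-1, ProcessDebugObjectHandle,
                                    (void *)(intptr_t)saved, 4, fixed);
    return saved != 0;                  /* testl %eax,%eax ; jnz bad_guy_... */
}
```

With the old STATUS_NOT_IMPLEMENTED the test fails exactly as the trace shows; once STATUS_SUCCESS (0) is returned, the same value reaches the second call as a NULL buffer, which is why the NULL check in bug 18500 has to land together with this fix.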
Austin English austinenglish@gmail.com changed:
What                          |Removed |Added
------------------------------+--------+------------------
Attachment #12555 is obsolete |0       |1
--- Comment #10 from Austin English austinenglish@gmail.com 2009-05-18 19:33:03 --- Created an attachment (id=21171) --> (http://bugs.winehq.org/attachment.cgi?id=21171) updated patch
Okay for you Focht?
--- Comment #11 from Anastasius Focht focht@gmx.net 2009-05-19 03:50:44 --- Hello,
--- quote --- updated patch
Okay for you Focht? --- quote ---
yes ... though you might condense that comment to "to satisfy copy protections" because apps use this API solely for hacking evasion. The initial rationale for this API (see comment #4) is something that Wine doesn't need. It can be implemented by using Wine internal functionality.
If people are curious about this info class they can always use g00gle to find the blog entry or archived bugzilla comments/discussion from this bug.
With bug 12859 and bug 18500 fixed (include check for NULL ptr arg), the app works as expected. It might also help other copy protected apps/games which employ this kind of anti-debugging tricks.
Regards
Andrey Turkin andrey.turkin@gmail.com changed:
What       |Removed |Added
-----------+--------+------------------------
CC         |        |andrey.turkin@gmail.com
--- Comment #12 from Andrey Turkin andrey.turkin@gmail.com 2009-10-06 10:51:43 --- This particular call sequence should be handled now; thread won't be detached from debugger of course.
--- Comment #13 from Anastasius Focht focht@gmx.net 2009-10-06 13:12:09 --- Hello,
--- quote --- This particular call sequence should be handled now; thread won't be detached from debugger of course. --- quote ---
Yes, it's fixed by commit be910d973a432495a8372476f3c9a5547feb8602 (commit f2432a8bc2dddaa34cfca0abbaf8b0d1ac19b44b belongs to bug 18500). The app now works as expected. Thanks. I suggest to close this one.
Regards
Austin English austinenglish@gmail.com changed:
What       |Removed |Added
-----------+--------+------------------
Status     |NEW     |RESOLVED
Resolution |        |FIXED
--- Comment #14 from Austin English austinenglish@gmail.com 2009-10-06 14:30:58 --- (In reply to comment #13)
> Hello,
> --- quote --- This particular call sequence should be handled now; thread won't be detached from debugger of course. --- quote ---
> Yes, it's fixed by commit be910d973a432495a8372476f3c9a5547feb8602 (commit f2432a8bc2dddaa34cfca0abbaf8b0d1ac19b44b belongs to bug 18500). The app now works as expected. Thanks. I suggest to close this one.
Fixed.
Alexandre Julliard julliard@winehq.org changed:
What       |Removed  |Added
-----------+---------+------------------
Status     |RESOLVED |CLOSED
--- Comment #15 from Alexandre Julliard julliard@winehq.org 2009-10-09 11:13:40 --- Closing bugs fixed in 1.1.31.
Anastasius Focht focht@gmx.net changed:
What          |Removed |Added
--------------+--------+------------------------------------------
Fixed by SHA1 |        |be910d973a432495a8372476f3c9a5547feb8602
Anastasius Focht focht@gmx.net changed:
What       |Removed |Added
-----------+--------+---------------------------------------------
Keywords   |        |download
URL        |        |http://www.asl-soft.hostoi.com/exeinfope.zip
Hardware   |Other   |x86
OS         |other   |Linux
Anastasius Focht focht@gmx.net changed:
What       |Removed                                      |Added
-----------+---------------------------------------------+---------------------------------------------------------------------------------------
URL        |http://www.asl-soft.hostoi.com/exeinfope.zip |https://web.archive.org/web/20140709065806/http://www.asl-soft.hostoi.com/exeinfope.zip