On 12/18/19 05:07, Ken Thomases wrote:
On Dec 17, 2019, at 6:34 PM, Andrew Wesie awesie@gmail.com wrote:
A stub for bug 45667 has been sitting in staging for a while. It is sufficient for League of Legends, but it is not correct by any definition.
The challenge with MemoryWorkingSetExInformation is that it requires information that is not exposed by the Linux kernel.
Are the semantics of the fields of MEMORY_WORKING_SET_EX_BLOCK documented or explained somewhere? It's hard to comment intelligently without that.
-Ken
There is some basic description of the fields here in MS docs: https://docs.microsoft.com/en-us/windows/win32/api/psapi/ns-psapi-psapi_work...
It is referenced from the QueryWorkingSetEx description: https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-queryworki...
The patchset is also related to https://bugs.winehq.org/show_bug.cgi?id=48268, but the thing in that bug is not going to work anyway; working set info is just a minor issue for that rootkit (the bigger ones include, but are not limited to, a minifilter FS driver and exhaustive execution environment check / intervention; the thing is not going to work even under VMs or in any sane native Windows installation which does not disable every possible malware protection).