Markus Amsler markus.amsler@oribi.org writes:
- Windows checks the following conditions before emulating an ATL thunk:
- DEP policy allows emulating
- thunk has memory type MEM_PRIVATE and is readable
- jmp func is executable
- thunk signature (movl, jmp) matches
- a "secret" flag is set:
- The flag gets set before calling WndProc and cleared after WndProc
- or a thunk was emulated.
*/
- In Windows XP SP 3 this flag is located at TEB+0xfb4.
Where does that information come from?
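The memory-type and signature conditions from the quoted list, as an added example that is not part of the original message or of the patch under discussion. The byte encoding (C7 44 24 04 imm32, E9 rel32) is the usual x86 ATL thunk layout and is an assumption here, since the message only names the two instructions; `struct region`, `atl_thunk_match` and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed encoding (the message only names the instructions):
 *   C7 44 24 04 <this:4>   movl $this, 4(%esp)
 *   E9 <rel32:4>           jmp  func
 * 13 bytes, packed, little-endian. */
#define ATL_THUNK_SIZE 13

/* Hypothetical stand-in for what a real checker would query from the OS. */
struct region { int is_private; int readable; };
struct thunk_info { uint32_t this_ptr; uint32_t target; };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out when buf (read from address va) passes the
 * memory-type and signature conditions; 0 otherwise. The caller still
 * has to check that out->target is executable. */
int atl_thunk_match(const unsigned char *buf, size_t len, uint32_t va,
                    const struct region *r, struct thunk_info *out)
{
    static const unsigned char movl[4] = { 0xC7, 0x44, 0x24, 0x04 };

    if (!r->is_private || !r->readable) return 0; /* MEM_PRIVATE, readable */
    if (len < ATL_THUNK_SIZE) return 0;           /* truncated read */
    if (memcmp(buf, movl, 4) != 0) return 0;      /* movl signature */
    if (buf[8] != 0xE9) return 0;                 /* jmp rel32 signature */
    out->this_ptr = rd32(buf + 4);
    /* rel32 counts from the end of the jmp and wraps modulo 2^32 */
    out->target = va + ATL_THUNK_SIZE + rd32(buf + 9);
    return 1;
}

/* Constructed sample: thunk at 0x00350000, this=0x00123456, func=0x00401000 */
static const unsigned char sample_thunk[ATL_THUNK_SIZE] = {
    0xC7, 0x44, 0x24, 0x04, 0x56, 0x34, 0x12, 0x00, 0xE9, 0xF3, 0x0F, 0x0B, 0x00
};

int main(void)
{
    struct region heap = { 1, 1 };
    struct thunk_info ti;
    return !atl_thunk_match(sample_thunk, sizeof sample_thunk, 0x00350000u, &heap, &ti);
}
```

The DEP-policy condition and the per-thread flag from the list are not modelled, because they depend on process and thread state rather than on the thunk bytes.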