On 4/14/21 23:05, David Torok wrote:
A real implementation would be preferable, of course. This helped me run Legends of Runeterra, which is looking for a "ret" instruction in the syscall thunk of NtCreateThread. With it being defined as a stub in the spec file, the code generated by the compiler (with the call into __wine_spec_unimplemented_stub) does not have a ret instruction, which causes the initialization of the anti-tamper component to fail. NtCreateThread was not called at all in this case, just hooked.
Ah, so it is not actually called, I see, thanks. And of course I was very naive in quickly guessing it can be done on top of NtCreateThreadEx; that one is completely different, and NtCreateThread looks like a lower-level one.