EasyAntiCheat.sys reads IoThreadToProcess and PsGetThreadProcessId to find out the offset of the KPROCESS and PID fields in the KTHREAD structure. They rely on the mov instruction using a 32-bit displacement to get the offset, so we have to make sure the fields are deep enough into the structure.
Signed-off-by: Derek Lesho dlesho@codeweavers.com --- dlls/ntoskrnl.exe/ntoskrnl.c | 1 - dlls/ntoskrnl.exe/ntoskrnl_private.h | 4 ++++ 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c
index 818ff56d25..51603ec3d7 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl.c
+++ b/dlls/ntoskrnl.exe/ntoskrnl.c
@@ -2394,7 +2394,6 @@ HANDLE WINAPI PsGetThreadId(PETHREAD thread)
  */
 HANDLE WINAPI PsGetThreadProcessId( PETHREAD thread )
 {
-    TRACE( "%p -> %p\n", thread, thread->kthread.id.UniqueProcess );
     return thread->kthread.id.UniqueProcess;
 }
diff --git a/dlls/ntoskrnl.exe/ntoskrnl_private.h b/dlls/ntoskrnl.exe/ntoskrnl_private.h
index a1e1b892e8..9d56b236a5 100644
--- a/dlls/ntoskrnl.exe/ntoskrnl_private.h
+++ b/dlls/ntoskrnl.exe/ntoskrnl_private.h
@@ -39,6 +39,8 @@ struct _OBJECT_TYPE
 struct _EPROCESS
 {
     DISPATCHER_HEADER header;
+    /* padding to require a 32-bit displacement */
+    CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
     PROCESS_BASIC_INFORMATION info;
     BOOL wow64;
 };
@@ -46,6 +48,8 @@ struct _EPROCESS
 struct _KTHREAD
 {
     DISPATCHER_HEADER header;
+    /* padding to require a 32-bit displacement */
+    CHAR padding[0x100 - sizeof(DISPATCHER_HEADER)];
     PEPROCESS process;
     CLIENT_ID id;
     unsigned int critical_region;
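Review bot: The padding comment added in both hunks of this file (struct _EPROCESS and struct _KTHREAD) says what the array does but not why, and nothing enforces the invariant once someone reorders or shrinks these structs. An x86 `mov` only needs a 32-bit displacement when the field offset exceeds 0x7f, so the comment should say that the fields read by PsGetThreadProcessId and IoThreadToProcess (`process`, `id`) must stay at offsets of 0x80 or more because EasyAntiCheat.sys decodes the displacement in those exported functions, and that the TRACE removed from PsGetThreadProcessId in the first file is absent for the same reason and must not be re-added. Two compile-time checks would catch regressions: `C_ASSERT( sizeof(DISPATCHER_HEADER) < 0x100 );` next to the array guards the size expression against wrapping if DISPATCHER_HEADER grows, and `C_ASSERT( FIELD_OFFSET(struct _KTHREAD, process) >= 0x80 );` after the struct pins the requirement itself. The commit message only motivates the KTHREAD padding; the matching _EPROCESS padding is presumably for the analogous process-id accessor, which its comment should state explicitly.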