On Sat, 04 Sep 2004 17:23:47 +0200, Uwe Bonnes wrote:
Call kernel32.GetModuleHandleA(0040a572 "Kernel32.dll")
Ret kernel32.GetModuleHandleA() retval=40450000
Call kernel32.GetProcAddress(40450000,0040a57f "LoadLibraryA")
Ret kernel32.GetProcAddress() retval=40517bd0 ret=0040a60b
and immediately hits an exception, which is handled:
trace:seh:EXC_RtlRaiseException code=c0000005 flags=0 addr=0x4123a1
0x0040a60b and 0x004123a1 are some way apart so I wouldn't say it's immediate.
Similar failures on the net also come up with an additional message: "Kernel32 call does not point into Kernel32.dll"
I suspect it's checking for a redirection of LoadLibrary to shim code by checking if the returned address of the call is within the boundaries described by the PE headers of kernel32.dll.
Random guess: winebuild outputs 0 and 0 for SizeOfCode and BaseOfCode, maybe it's taking the address from GetProcAddress, casting the return of GetModuleHandleA to an IMAGE_NT_HEADERS structure then saying
    /* address lies outside the code range given in the headers */
    if (address_of_loadlibrary < headers->BaseOfCode ||
        address_of_loadlibrary > headers->BaseOfCode + headers->SizeOfCode) {
        MessageBox("Incompatible SystemAnalyzer detected");
    }
Not sure how you could verify this except by disassembling the app though.
thanks -mike
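
Added example (not part of the original message, and not code from the application or from Wine): a C sketch of the kind of header-based bounds check guessed at above, run against constructed header bytes to show how zeroed SizeOfCode and BaseOfCode fields put every address outside the code range. The module base 0x40450000 and the address 0x40517bd0 come from the trace; the nonzero code range and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) {          /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {        /* little-endian write */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* 1 if addr is inside the code range the PE32 headers describe, 0 if outside,
 * -1 if the headers are malformed. img/len: header bytes of the mapped module;
 * base: its load address. BaseOfCode is an RVA, so compare it with addr - base. */
int addr_in_code_range(const uint8_t *img, size_t len, uint32_t base, uint32_t addr) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3c);               /* e_lfanew */
    if (nt > len || len - nt < 48) return -1;     /* Signature + file header + 24 */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + nt + 24;           /* IMAGE_OPTIONAL_HEADER32 */
    uint32_t size_of_code = rd32(opt + 4), base_of_code = rd32(opt + 20);
    if (addr < base) return 0;
    uint32_t rva = addr - base;
    return rva >= base_of_code && rva - base_of_code < size_of_code;
}
/* Constructed sample: minimal MZ + PE32 headers carrying the given code range. */
size_t make_image(uint8_t *buf, size_t cap, uint32_t base_of_code, uint32_t size_of_code) {
    if (cap < 0x70) return 0;
    memset(buf, 0, 0x70);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                       /* NT headers at offset 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x58] = 0x0b; buf[0x59] = 0x01;           /* Magic 0x10b = PE32 */
    wr32(buf + 0x58 + 4, size_of_code);
    wr32(buf + 0x58 + 20, base_of_code);
    return 0x70;
}
int main(void) {
    uint8_t img[0x70];
    uint32_t base = 0x40450000u, addr = 0x40517bd0u;            /* from the trace */
    size_t n = make_image(img, sizeof img, 0x1000, 0x100000);   /* constructed range */
    printf("populated headers: %d\n", addr_in_code_range(img, n, base, addr));
    n = make_image(img, sizeof img, 0, 0);                      /* zeroed fields */
    printf("zeroed headers:    %d\n", addr_in_code_range(img, n, base, addr));
    return 0;
}
```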