Thanks for the reply! I'll take a closer look into trap_handler.
The DRM is Wine-aware, but for an older Wine version (before ntdll's move to PE). It appears to specifically create hooks around the creation of a thread, likely hooking NtCreateThreadEx itself (according to correspondence with the developers).
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, September 29, 2020 5:58 AM, Paul Gofman pgofman@codeweavers.com wrote:
I am not sure if this is acceptable either way, but wouldn't it be less of an application-specific hack to try to handle hardware breakpoints for the Unix part in a universal way in trap_handler()? As the DRM may apparently want to breakpoint any other TEB or PEB location the same way and ntdll.so is unlikely to avoid touching PEB completely.