2016-11-13 12:35 GMT-06:00 Andrew Wesie awesie@gmail.com:
Some anti-debug protections will try to read all of the memory for a loaded system DLL. This patch will handle the page fault when it attempts to read the space between sections.
Signed-off-by: Andrew Wesie awesie@gmail.com
dlls/ntdll/virtual.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c index e826fa0..f70e9fc 100644 --- a/dlls/ntdll/virtual.c +++ b/dlls/ntdll/virtual.c @@ -1512,6 +1512,11 @@ NTSTATUS virtual_handle_fault( LPCVOID addr, DWORD err, BOOL on_signal_stack ) /* ignore fault if page is writable now */ if (VIRTUAL_GetUnixProt( *vprot ) & PROT_WRITE) ret = STATUS_SUCCESS; }
if (err == 0 && (view->protect & VPROT_SYSTEM))
{
wine_anon_mmap(page, page_size, PROT_READ, MAP_FIXED);
ret = STATUS_SUCCESS;
} if (!on_signal_stack && (*vprot & VPROT_GUARD)) { VIRTUAL_SetProt( view, page, page_size, *vprot & ~VPROT_GUARD );
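Review bot: In the added `if (err == 0 && (view->protect & VPROT_SYSTEM))` branch, the result of `wine_anon_mmap(page, page_size, PROT_READ, MAP_FIXED);` is discarded and `ret = STATUS_SUCCESS;` is set unconditionally, so a failed mapping would still be reported as a handled fault. Check the return value and set success only when the mapping was actually made. The condition also tests only the view-level flag and never `*vprot`, so as far as these lines show, any fault with `err == 0` in a VPROT_SYSTEM view gets a fresh anonymous page placed with MAP_FIXED, not only the space between sections that the commit message describes. Consider also testing the per-page protection so an existing page is not replaced. The branch also needs a short comment stating its intent, like the neighbouring `/* ignore fault if page is writable now */`.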
This looks like a much nicer solution than my hack attached to the bug. I don't have time right now to check for all the implications of this patch; when/if I can get around to doing a proper review, I'll sign it off, for what it might be worth.