How to identify non-hotpatchable dll imports from Wine trace logs #wine #debug #commandlinefu

Courtesy of Wine Bugzilla #45703.

Assumption: the hooking dll resolves the functions it wants to patch with the GetProcAddress API (imports resolved through the import table would not show up as GetProcAddress calls in the relay log).

Create trace log:

WINEDEBUG=+seh,+relay wine ./WINWORD.EXE >>log.txt 2>&1

Search the trace for the API lookups in question, i.e. GetProcAddress calls made from the hooking dll that resolve names in Wine's core dlls:

  • Wine core dlls prelink/load base address range: 0x7xxxxxxx (Pattern '7.*')
  • Dll hooker load address: 0x10xxxxxx (Pattern 'ret=10xxxxxx' for GetProcAddress() call site)
$ egrep "(GetProcAddress\(7.*ret=10.*)" log.txt

0051:Call KERNEL32.GetProcAddress(7b420000,10155a28 "FlsAlloc") ret=1011c695
0051:Call KERNEL32.GetProcAddress(7b420000,10155a34 "FlsFree") ret=1011c6a8
0051:Call KERNEL32.GetProcAddress(7b420000,10155a3c "FlsGetValue") ret=1011c6bb
...
0051:Call KERNEL32.GetProcAddress(7bc10000,001a49a8 "NtSetValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3800 "NtDeleteValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a4a28 "NtRenameKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7bc10000,001a3828 "NtQueryMultipleValueKey") ret=1001d194
...

Find all looked-up API functions whose Wine implementation is currently not marked DECLSPEC_HOTPATCH:

  • Wine core dlls prelink/load base address range: 0x7xxxxxxx (Pattern '7.*')
  • Dll hooker load address: 0x10xxxxxx (Pattern 'ret=10xxxxxx' for GetProcAddress() call site)
  • Search Wine source tree for WINAPI decorated function bodies matching the API function name
  • Filter out all DECLSPEC_HOTPATCH ones
$ egrep "(GetProcAddress\(7.*ret=10.*)" log.txt  | cut -d "\"" -f2 | xargs -n1 -I '{}' egrep -R 'WINAPI.*\b{}\(' /home/focht/projects/wine/mainline-src/dlls/ | grep -v DECLSPEC_HOTPATCH
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:DWORD WINAPI FlsAlloc( PFLS_CALLBACK_FUNCTION callback )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:BOOL WINAPI FlsFree( DWORD index )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:PVOID WINAPI FlsGetValue( DWORD index )
/home/focht/projects/wine/mainline-src/dlls/kernel32/fiber.c:BOOL WINAPI FlsSetValue( DWORD index, PVOID data )
...
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtOpenFile( PHANDLE handle, ACCESS_MASK access,
/home/focht/projects/wine/mainline-src/dlls/ntdll/file.c:NTSTATUS WINAPI NtDeleteFile( POBJECT_ATTRIBUTES ObjectAttributes )
...
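The two grep pipelines above work line by line, so they cannot tell you whether a name was looked up more than once, whether it is defined in more than one dll, or whether a definition's DECLSPEC_HOTPATCH attribute simply sits on a different line than the one that matched. The following script is an added example (my own code, not part of this gist or of Wine) that does the same two steps with a proper parser of the relay "Call" record and a regex over whole source files. It assumes 32-bit layout (core dlls at 0x7xxxxxxx, hooker at 0x10xxxxxx) exactly as the notes above do; the sample log lines and the tiny stand-in source tree are constructed for the demo, and `load_source_tree()` walks a real `wine/dlls` directory when paths are given on the command line.

```python
import os
import re
import sys

# Constructed sample of WINEDEBUG=+relay output (not a real trace). Line 4 repeats
# line 1 (dedup case), line 5 is called from the main exe (ret=0040....) and must be
# dropped, and the last line is the matching "Ret" record, which is ignored.
SAMPLE_LOG = """\
0051:Call KERNEL32.GetProcAddress(7b420000,10155a28 "FlsAlloc") ret=1011c695
0051:Call KERNEL32.GetProcAddress(7b420000,10155a40 "CreateFileW") ret=1011c6c0
0051:Call KERNEL32.GetProcAddress(7bc10000,001a49a8 "NtSetValueKey") ret=1001d194
0051:Call KERNEL32.GetProcAddress(7b420000,10155a28 "FlsAlloc") ret=1011c695
0051:Call KERNEL32.GetProcAddress(7b420000,10155a50 "GetTickCount") ret=0040abcd
0051:Ret  KERNEL32.GetProcAddress() retval=7b45c2d0 ret=1011c695
"""

# Constructed stand-in for a few Wine source files (path -> contents); a real
# tree is read with load_source_tree() below.
SAMPLE_SOURCES = {
    "dlls/kernel32/fiber.c": "DWORD WINAPI FlsAlloc( PFLS_CALLBACK_FUNCTION callback )\n{\n}\n",
    "dlls/kernel32/file.c": "HANDLE WINAPI DECLSPEC_HOTPATCH CreateFileW( LPCWSTR name,\n    DWORD access )\n{\n}\n",
    "dlls/ntdll/reg.c": "NTSTATUS WINAPI NtSetValueKey( HANDLE hkey, const UNICODE_STRING *name )\n{\n}\n",
}

# One relay "Call" record for GetProcAddress with a string name argument.
# Lookups by ordinal print the ordinal unquoted and are deliberately not matched.
RELAY_RE = re.compile(
    r'^[0-9a-f]{4}:Call \w+\.GetProcAddress\('
    r'(?P<hmodule>[0-9a-f]{8,16}),[0-9a-f]{8,16} "(?P<name>[^"]+)"\) '
    r'ret=(?P<ret>[0-9a-f]{8,16})$'
)

# A WINAPI function definition, optionally carrying DECLSPEC_HOTPATCH. Matched
# over whole file contents, so multi-line parameter lists do not matter.
DEF_RE = re.compile(r'\bWINAPI\s+(?P<hot>DECLSPEC_HOTPATCH\s+)?(?P<name>\w+)\s*\(')


def hooker_lookups(lines, module_prefix="7", caller_prefix="10"):
    """Names resolved through GetProcAddress from a core-dll handle (0x7xxxxxxx)
    by a call site inside the hooking dll (0x10xxxxxx), deduplicated, first-seen order."""
    names = []
    for line in lines:
        m = RELAY_RE.match(line.strip())
        if not m or not m["hmodule"].startswith(module_prefix):
            continue
        if not m["ret"].startswith(caller_prefix):
            continue
        if m["name"] not in names:
            names.append(m["name"])
    return names


def index_definitions(sources):
    """Map function name -> list of (path, has_DECLSPEC_HOTPATCH) for every definition."""
    index = {}
    for path, text in sources.items():
        for m in DEF_RE.finditer(text):
            index.setdefault(m["name"], []).append((path, m["hot"] is not None))
    return index


def load_source_tree(root):
    """Read every .c file below root (e.g. wine/dlls) into a path -> text map."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".c"):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return sources


def report(log_lines, sources):
    """Looked-up name -> list of definitions found; an empty list means not found."""
    index = index_definitions(sources)
    return {name: index.get(name, []) for name in hooker_lookups(log_lines)}


def not_hotpatchable(rep):
    """Names defined in the tree whose definitions all lack DECLSPEC_HOTPATCH."""
    return sorted(n for n, defs in rep.items() if defs and not any(h for _, h in defs))


if __name__ == "__main__":
    # usage: python hotpatch_check.py log.txt /path/to/wine/dlls  (no args: built-in samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1], errors="replace") as fh:
            log, src = fh.read().splitlines(), load_source_tree(sys.argv[2])
    else:
        log, src = SAMPLE_LOG.splitlines(), SAMPLE_SOURCES
    rep = report(log, src)
    for name, defs in rep.items():
        print(name, defs or "NOT FOUND IN TREE")
    print("missing DECLSPEC_HOTPATCH:", not_hotpatchable(rep))
```

Names that come back with an empty definition list are worth a second look rather than being ignored: they are usually forwarded exports or functions implemented in a different dll than the one the handle belongs to, which the per-line grep pipeline silently reports as "not hotpatchable" as well.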

Links
