wine-9.8
I met a strange behavior when I use wine with the load of DLL. Many functions are not loaded in memory.
Code: Select all
cat > /tmp/test.c << "EOF"
#include <stdio.h>
#include <windows.h>
typedef UINT (CALLBACK* LPFNDLLFUNC1)(LPCSTR, UINT);
int main() {
HINSTANCE hDLL = LoadLibrary("./kernel32.dll");
printf("Kernel32.dll Base Address: 0x%p\n", hDLL);
void * opcode_address = (void *)hDLL + 0x1c893;
printf("opcode address at 0x1c893: 0x%p\n", opcode_address);
printf("opcode value at 0x1c893: %I64x\n", *((unsigned long long int *) (opcode_address+sizeof(unsigned long long int)*0)));
return 0;
}
EOF
x86_64-w64-mingw32-gcc /tmp/test.c -Wall -o /tmp/test.exe && /tmp/test.exeCode: Select all
Kernel32.dll Base Address: 0x00007FF9CE140000
opcode address at 0x1c893: 0x00007FF9CE15C893
opcode value at 0x1c893: cccccccc0005cb59
Code: Select all
Kernel32.dll Base Address: 0x00006fffffa70000
opcode address at 0x1c893: 0x00006fffffa8c893
opcode value at 0x1c893: 660a50b70f000000
if I load the Kernel32.dll in radare2 at 0x000000018001c893, I have
Code: Select all
0x18001c893 59 pop rcx
0x18001c894 cb retf
0x18001c895 0500cccccc add eax, 0xcccccc00
If I open gdb.exe in wine, I see that for many functions their function opcodes are not loaded, the memory contains only \x00 bytes at the place of their function opcodes.
Is it normal?
Is there a way to enable the load of all DLL function opcodes in memory to obtain the same behavior as on MSWindows ?
Thank you in advance.
