(sorry, very bad english)
MS:
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;
Between ProcessParameters and PostProcessInitRoutine there are 312 = 104 + 52*4 bytes.
In winternl.h from Wine there are only 308 bytes!
If you compute 0x14c - 0x014 you get 0x138 = 312 and think it's all OK. But it is not OK.
0x14c is in the line PostProcessInitRoutine.
0x014 is in the line SubSystemData.
See these 2 lines:
    ULONG NtGlobalFlag; /* 068/0bc */
    LARGE_INTEGER CriticalSectionTimeout; /* 070/0c0 */
0x068 + 4 = 0x070?? No, it must be 0x06c! (the 64-bit column is OK: 0bc + 4 = 0c0)
-> 0x14c in the line PostProcessInitRoutine becomes 0x148.
-> 0x148 - 0x014 = 0x134 = 308, but MS says 312.
Who is wrong, MS or Wine?
winternl.h is wrong
Re: winternl.h is wrong
Just to be fun, Teddy, it's two different sizes depending on whether you are on a 32-bit system or a 64-bit system.
Wine is most likely wrong / based off an older version of Windows. But due to this scary statement:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
[This structure may be altered in future versions of Windows.]
We mostly don't have to care, Teddy. Any program depending on the structure being exactly that is asking for it with future Windows changes. There are functions in Windows to process the PEB and extract information, even so mostly not directly.
http://msdn.microsoft.com/en-us/library ... 85%29.aspx Like here: you pass in a process id, it goes and finds the PEB and returns the session id. Same with being debugged.
OK, if you had examples of user programs that depend on it being exactly right, then it would be worth fixing. Otherwise broken is good enough. Due to the number of viruses that use this, being broken is a good thing. Who cares if infections crash.
So we need an application to justify fixing this. Even then it would be worthwhile to make it a start-up option.
Someone's copy protection might demand it be correct, but these would also most likely be ones that checksum the items in memory and fail anyhow. So basically we don't know of anything with a snowball's chance of working that depends on it. Feel free to submit a bug report if you find 1 application that needs this correct.
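Added example (my own code, not from the thread or from Wine): the documented PEB layout is modelled in C with an explicit pointer width, so offsetof reproduces the 32-bit offsets the first post computes by hand and the 64-bit ones the reply alludes to; a second struct models the two Wine lines where a ULONG at 0x068 is followed by a LARGE_INTEGER, which is 8-byte aligned on Windows, so the next field sits at 0x070. Assumed: the Windows alignment rule is reproduced with _Alignas(8), and field names follow the MSDN struct quoted in the first post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Documented PEB layout, parameterised on pointer width so the same
   definition yields both the 32-bit and the 64-bit offsets. */
#define DEFINE_PEB(NAME, PTR)            \
    typedef struct {                     \
        uint8_t  Reserved1[2];           \
        uint8_t  BeingDebugged;          \
        uint8_t  Reserved2[1];           \
        PTR      Reserved3[2];           \
        PTR      Ldr;                    \
        PTR      ProcessParameters;      \
        uint8_t  Reserved4[104];         \
        PTR      Reserved5[52];          \
        PTR      PostProcessInitRoutine; \
        uint8_t  Reserved6[128];         \
        PTR      Reserved7[1];           \
        uint32_t SessionId;              \
    } NAME

DEFINE_PEB(PEB32, uint32_t); /* 32-bit Windows: PVOID is 4 bytes */
DEFINE_PEB(PEB64, uint64_t); /* 64-bit Windows: PVOID is 8 bytes */

/* Bytes between the end of ProcessParameters and PostProcessInitRoutine. */
#define PEB_GAP(T) (offsetof(T, PostProcessInitRoutine) - offsetof(T, ProcessParameters) - sizeof(((T *)0)->ProcessParameters))

size_t peb32_gap(void)       { return PEB_GAP(PEB32); }
size_t peb64_gap(void)       { return PEB_GAP(PEB64); }
size_t peb32_post_init(void) { return offsetof(PEB32, PostProcessInitRoutine); }
size_t peb64_post_init(void) { return offsetof(PEB64, PostProcessInitRoutine); }

/* The two Wine lines, 32-bit layout: a ULONG at 0x068 followed by a LARGE_INTEGER.
   LARGE_INTEGER is 8-byte aligned on Windows (modelled here with _Alignas so the
   host ABI does not matter), so 4 bytes of padding push it to 0x070, not 0x06c. */
typedef struct {
    uint8_t  before[0x68];                       /* everything up to NtGlobalFlag */
    uint32_t NtGlobalFlag;                       /* 0x068 */
    _Alignas(8) int64_t CriticalSectionTimeout;  /* 0x070 */
} GlobalFlagPair32;
size_t cs_timeout_offset(void) { return offsetof(GlobalFlagPair32, CriticalSectionTimeout); }

int main(void) {
    printf("PEB32: gap %zu bytes, PostProcessInitRoutine at 0x%zx\n", peb32_gap(), peb32_post_init());
    printf("PEB64: gap %zu bytes, PostProcessInitRoutine at 0x%zx\n", peb64_gap(), peb64_post_init());
    printf("CriticalSectionTimeout at 0x%zx\n", cs_timeout_offset());
    return 0;
}
```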