On 16.06.2010 11:37, Alexandre Julliard wrote:
Markus Amsler <markus.ams...@oribi.org> writes:
+ * Windows checks the following conditions before emulating an ATL thunk:
+ * - DEP policy allows emulating
+ * - thunk has memory type MEM_PRIVATE and is readable
+ * - jmp func is executable
+ * - thunk signature (movl, jmp) matches
+ * - a "secret" flag is set:
+ * The flag gets set before calling WndProc and cleared after WndProc
+ * or a thunk was emulated.
+ * In Windows XP SP 3 this flag is located at TEB+0xfb4.
*/
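Review bot: the line "In Windows XP SP 3 this flag is located at TEB+0xfb4" records an undocumented, single-version offset without saying how it was established or whether any other Windows version was checked; since every condition above it hinges on that flag, the comment should state that the offset was found by reverse engineering rather than from documentation, name the version(s) it was verified on, and make clear that 0xfb4 must not be read as a stable TEB field offset. The scare-quoted "secret" flag would also be clearer described as an undocumented TEB field that the window procedure dispatcher sets and clears around WndProc calls.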
Where does that information come from?
From my attempt to write a test for ATL thunks. I had a hard time getting
Windows to emulate an ATL thunk, so I worked my way backward from a
working ATL thunk example. I knew there had to be some secret flag,
because inside the WndProc ATL thunks worked, outside they did not. So I took a hard
look at the TEB and found it.
It was cleanly reverse engineered. I put it into the patch to document it
somewhere.
Markus