DOS ain't dead

GPF in "GetProcessHeapEx" | trun in "GetExitCodeProcess" (DOSX)

posted by DOS386(R), 24.12.2009, 09:59

Well, there are even more:

53. Exit code is truncated to 8 bits only, maybe a flaw rather than BUG, or just documentation bug ... GetExitCodeProcess :-|

54. SET DPMILDR=8 has an evil and undocumented side effect:

> - bit 3 (DPMILDR=8): prevents loader from trying to run another
> application in the current DPMI client. Instead the int 21h, ax=4B00h
> call is routed to the next handler in the chain. This is useful if
> the applications to run cannot share the client, which is mostly the
> case for Win32 applications where the relocation information has
> been stripped from the binary. To make this finally work as expected,
> it must be ensured that the DPMI host will run clients in separate
> address spaces (see HDPMI docs for details).

it (fired by CreateProcessA) stops preferring PE over MZ, and if there is no DPMIST32.BIN inside, it will execute just the stub; "Need HX-DOS Extender to run !" is the "optimal" result :-|

55. README.TXT in DKRNL32 source DIR incorrectly writes:

> GetExitCodeProcess

on this occasion, EXITPROC.ASM and PROCESSW.ASM could be integrated into PROCESS.ASM, they are ridiculously small :-|

56. GPF:

3014 lstrcpy
3014 lstrcpyA
3044 lstrlen
3044 lstrlenA
3060 GetModuleHandleA
30C8 GetProcessHeap
30D0 IsBadReadPtr

dkrnl32: exception C0000005 (AKA GPF ?????), flags=0 occured at B7:12A084
        ax=8210 bx=100A7 cx=0 dx=128210
        si=126E47 di=126A00 bp=1268CC sp=1268C8
        ip = Module 'kernel32.dll'+3084  fs=?????????????????????

Filepos: $2484

2460  55                push ebp ; GetModuleHandleA
2461  8BEC              mov ebp,esp
2463  8B5508            mov edx,[ebp+8]
2466  23D2              and edx,edx
2468  750A              jnz $2474
246A  E8CDF3FFFF        call $183c
246F  8B4008            mov eax,[eax+8]
2472  EB06              jmp short $247a
2474  66B8824B          mov ax,$4b82
2478  CD21              int $21 ; Talk to DPMILD32, if present at all
247A  C9                leave
247B  C20400            ret 4

247E  8BFF              mov edi,edi ; NOPE

2480  55                push ebp ; GetProcessHeapEx (non-public ??????)
2481  8BEC              mov ebp,esp
2483  53                push ebx
2484  67648B1E3000      mov ebx,[word fs:$30] ; !!! BOOM !!! here it crashes
248A  8B430C            mov eax,[ebx+$0C]
248D  23C0              and eax,eax
248F  7532              jnz $24c3
2491  837D0800          cmp dword [ebp+8],0
2495  742C              jz $24c3
2497  6A00              push 0
2499  E8C2FFFFFF        call $2460
249E  8BD8              mov ebx,eax
24A0  035B3C            add ebx,[ebx+$3c]
24A3  8B4368            mov eax,[ebx+$68]
24A6  23C0              and eax,eax
24A8  7419              jz $24c3
24AA  8B4B6C            mov ecx,[ebx+$6c]
24AD  6A02              push 2
24AF  6A00              push 0
24B1  51                push ecx
24B2  50                push eax
24B3  6A00              push 0
24B5  E87A0E0000        call $3334
24BA  67648B1E3000      mov ebx,[word fs:$30]
24C0  89430C            mov [ebx+$0C],eax
24C3  5B                pop ebx
24C4  C9                leave
24C5  C20400            ret 4

24C8  6A01              push 1 ; GetProcessHeap
24CA  E8B1FFFFFF        call $2480
24CF  C3                ret ; What a sophisticated function :-)

After "some" usage of LoadLibraryA (and a few others), a GPF in DKRNL32 occurs :-( FS is secret, but SET DKRNL32=32 can reveal it: ZERO :surprised:

This is a LOGITECH mouse driver, but some software expect here
the following string:*** This is Copyright 1983 Microsoft ***
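As an added example (not code from the post or from the HX project), a small Python triage helper that parses the dkrnl32 exception dump and the DKRNL32 export offsets quoted above and maps the faulting module offset to the listing's file position and to the nearest exported routine. The 0xC00 RVA-to-file-offset delta is an assumption derived from "'kernel32.dll'+3084" versus "Filepos: $2484" in the post.

```python
import re

# Constructed sample input: the dkrnl32 exception dump and the export
# offsets exactly as quoted in the post above.
EXCEPTION_DUMP = """\
dkrnl32: exception C0000005 (AKA GPF ?????), flags=0 occured at B7:12A084
        ax=8210 bx=100A7 cx=0 dx=128210
        si=126E47 di=126A00 bp=1268CC sp=1268C8
        ip = Module 'kernel32.dll'+3084  fs=?????????????????????
"""
EXPORTS = """\
3014 lstrcpy
3014 lstrcpyA
3044 lstrlen
3044 lstrlenA
3060 GetModuleHandleA
30C8 GetProcessHeap
30D0 IsBadReadPtr
"""

# Assumption: a constant RVA-to-file-offset delta for the .text section,
# taken from the post's "+3084" module offset versus "Filepos: $2484".
RVA_TO_FILEPOS_DELTA = 0x3084 - 0x2484

EXCEPTION_NAMES = {0xC0000005: "access violation (GPF)"}

def parse_dump(text):
    """Return (exception code, module name, module-relative offset) from a dkrnl32 dump."""
    code = int(re.search(r"exception ([0-9A-Fa-f]+)", text).group(1), 16)
    m = re.search(r"Module '([^']+)'\+([0-9A-Fa-f]+)", text)
    return code, m.group(1), int(m.group(2), 16)

def parse_exports(text):
    """Turn 'RVA name' export lines into a list of (rva, name) sorted by RVA."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((int(rva, 16), name) for rva, name in rows)

def locate(offset, exports):
    """Nearest export at or below the offset: the routine a symbol-less dump points at."""
    below = [(rva, name) for rva, name in exports if rva <= offset]
    return below[-1] if below else None

def triage(dump=EXCEPTION_DUMP, exports=EXPORTS):
    """Summarise the fault: exception type, file position, nearest export and distance past it."""
    code, module, offset = parse_dump(dump)
    rva, name = locate(offset, parse_exports(exports))
    return {"exception": EXCEPTION_NAMES.get(code, hex(code)), "module": module,
            "filepos": offset - RVA_TO_FILEPOS_DELTA,
            "nearest_export": name, "export_distance": offset - rva}
```

The result places the fault 0x24 bytes past GetModuleHandleA, which the listing shows is only 0x1E bytes long, so the fault lies in the following non-exported routine (GetProcessHeapEx), exactly at the fs:[$30] access.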
