is_first_thread_in_new_process() fails for wow64 child on vista+

[derekbruening]

From bruen...@google.com on June 21, 2012 12:11:00

using earliest injection on 32-bit child:

syscall: NtResumeThread pid=4172 tid=8264
make_writable: pc 0x00000000154c3000-0x00000000154ed000, currently r--- committed
make_unwritable: pc 0x00000000154c3000-0x00000000154ed000, currently rw-- committed
non-excluded, non-preinjected child should be injected
injecting into child process
is_first_thread_in_new_process: pid=0x104c vs me=0x1db8, xbx=0x000000007efde000 vs peb=0x000000007efdf000
Not first thread so not setting DR env vars in pid=0x104c

on vista+ the wow64 init sequence changed: kernel maps in 32-bit ntdll (xref issue #803 ), and
apparently has the first thread arg point at the 32-bit PEB instead of the
64-bit PEB. PEB from ProcessBasicInformation for wow64 process is 64-bit
PEB. this breaks the is_first_thread_in_new_process() heuristic. I may just
assume the PEB's are on subsequent pages for now (never seen otherwise).

xref comment at http://msdn.microsoft.com/en-us/library/windows/desktop/ms684280(v=vs.85).aspx xref PR 215400: win32 start address wrong

no, there's no issue w/ using the 32-bit vs 64-bit thread start arg: it is 64-bit in all other respects

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=816

[derekbruening]

From derek.br...@gmail.com on June 21, 2012 14:52:03

This issue was closed by revision r1415 .

Status: Fixed