2 * KERNEL32 thunks and other undocumented stuff
4 * Copyright 1997-1998 Marcus Meissner
5 * Copyright 1998 Ulrich Weigand
16 #include "stackframe.h"
18 #include "selectors.h"
23 #include "flatthunk.h"
27 /***********************************************************************
29 * Win95 internal thunks *
31 ***********************************************************************/
33 /***********************************************************************
34 * Generates a FT_Prolog call.
36 * 0FB6D1 movzbl edx,cl
37 * 8B1495xxxxxxxx mov edx,[4*edx + targetTable]
38 * 68xxxxxxxx push FT_Prolog
41 static void _write_ftprolog(LPBYTE relayCode ,DWORD *targetTable) {
45 *x++ = 0x0f;*x++=0xb6;*x++=0xd1; /* movzbl edx,cl */
46 *x++ = 0x8B;*x++=0x14;*x++=0x95;*(DWORD**)x= targetTable;
47 x+=4; /* mov edx, [4*edx + targetTable] */
48 *x++ = 0x68; *(DWORD*)x = (DWORD)GetProcAddress32(GetModuleHandle32A("KERNEL32"),"FT_Prolog");
49 x+=4; /* push FT_Prolog */
50 *x++ = 0xC3; /* lret */
51 /* fill rest with 0xCC / int 3 */
54 /***********************************************************************
55 * _write_qtthunk (internal)
56 * Generates a QT_Thunk style call.
59 * 8A4DFC mov cl , [ebp-04]
60 * 8B148Dxxxxxxxx mov edx, [4*ecx + targetTable]
61 * B8yyyyyyyy mov eax, QT_Thunk
64 static void _write_qtthunk(
65 LPBYTE relayCode, /* [in] start of QT_Thunk stub */
66 DWORD *targetTable /* [in] start of thunk (for index lookup) */
71 *x++ = 0x33;*x++=0xC9; /* xor ecx,ecx */
72 *x++ = 0x8A;*x++=0x4D;*x++=0xFC; /* movb cl,[ebp-04] */
73 *x++ = 0x8B;*x++=0x14;*x++=0x8D;*(DWORD**)x= targetTable;
74 x+=4; /* mov edx, [4*ecx + targetTable */
75 *x++ = 0xB8; *(DWORD*)x = (DWORD)GetProcAddress32(GetModuleHandle32A("KERNEL32"),"QT_Thunk");
76 x+=4; /* mov eax , QT_Thunk */
77 *x++ = 0xFF; *x++ = 0xE0; /* jmp eax */
78 /* should fill the rest of the 32 bytes with 0xCC */
81 /***********************************************************************
84 static LPVOID _loadthunk(LPCSTR module, LPCSTR func, LPCSTR module32,
85 struct ThunkDataCommon *TD32, DWORD checksum)
87 struct ThunkDataCommon *TD16;
91 if ((hmod = LoadLibrary16(module)) <= 32)
93 ERR(thunk, "(%s, %s, %s): Unable to load '%s', error %d\n",
94 module, func, module32, module, hmod);
98 if ( !(ordinal = NE_GetOrdinal(hmod, func))
99 || !(TD16 = PTR_SEG_TO_LIN(NE_GetEntryPointEx(hmod, ordinal, FALSE))))
101 ERR(thunk, "(%s, %s, %s): Unable to find '%s'\n",
102 module, func, module32, func);
106 if (TD32 && memcmp(TD16->magic, TD32->magic, 4))
108 ERR(thunk, "(%s, %s, %s): Bad magic %c%c%c%c (should be %c%c%c%c)\n",
109 module, func, module32,
110 TD16->magic[0], TD16->magic[1], TD16->magic[2], TD16->magic[3],
111 TD32->magic[0], TD32->magic[1], TD32->magic[2], TD32->magic[3]);
115 if (TD32 && TD16->checksum != TD32->checksum)
117 ERR(thunk, "(%s, %s, %s): Wrong checksum %08lx (should be %08lx)\n",
118 module, func, module32, TD16->checksum, TD32->checksum);
122 if (!TD32 && checksum && checksum != *(LPDWORD)TD16)
124 ERR(thunk, "(%s, %s, %s): Wrong checksum %08lx (should be %08lx)\n",
125 module, func, module32, *(LPDWORD)TD16, checksum);
132 /***********************************************************************
133 * GetThunkStuff (KERNEL32.53)
135 LPVOID WINAPI GetThunkStuff(LPSTR module, LPSTR func)
137 return _loadthunk(module, func, "<kernel>", NULL, 0L);
140 /***********************************************************************
141 * GetThunkBuff (KERNEL32.52)
142 * Returns a pointer to ThkBuf in the 16bit library SYSTHUNK.DLL.
144 LPVOID WINAPI GetThunkBuff(void)
146 return GetThunkStuff("SYSTHUNK.DLL", "ThkBuf");
149 /***********************************************************************
150 * ThunkConnect32 (KERNEL32)
151 * Connects a 32bit and a 16bit thunkbuffer.
153 UINT32 WINAPI ThunkConnect32(
154 struct ThunkDataCommon *TD, /* [in/out] thunkbuffer */
155 LPSTR thunkfun16, /* [in] win16 thunkfunction */
156 LPSTR module16, /* [in] name of win16 dll */
157 LPSTR module32, /* [in] name of win32 dll */
158 HMODULE32 hmod32, /* [in] hmodule of win32 dll */
159 DWORD dwReason /* [in] initialisation argument */
163 if (!lstrncmp32A(TD->magic, "SL01", 4))
167 TRACE(thunk, "SL01 thunk %s (%lx) <- %s (%s), Reason: %ld\n",
168 module32, (DWORD)TD, module16, thunkfun16, dwReason);
170 else if (!lstrncmp32A(TD->magic, "LS01", 4))
174 TRACE(thunk, "LS01 thunk %s (%lx) -> %s (%s), Reason: %ld\n",
175 module32, (DWORD)TD, module16, thunkfun16, dwReason);
179 ERR(thunk, "Invalid magic %c%c%c%c\n",
180 TD->magic[0], TD->magic[1], TD->magic[2], TD->magic[3]);
186 case DLL_PROCESS_ATTACH:
188 struct ThunkDataCommon *TD16;
189 if (!(TD16 = _loadthunk(module16, thunkfun16, module32, TD, 0L)))
194 struct ThunkDataSL32 *SL32 = (struct ThunkDataSL32 *)TD;
195 struct ThunkDataSL16 *SL16 = (struct ThunkDataSL16 *)TD16;
196 struct SLTargetDB *tdb;
198 if (SL16->fpData == NULL)
200 ERR(thunk, "ThunkConnect16 was not called!\n");
204 SL32->data = SL16->fpData;
206 tdb = HeapAlloc(GetProcessHeap(), 0, sizeof(*tdb));
207 tdb->process = PROCESS_Current();
208 tdb->targetTable = (DWORD *)(thunkfun16 + SL32->offsetTargetTable);
210 tdb->next = SL32->data->targetDB; /* FIXME: not thread-safe! */
211 SL32->data->targetDB = tdb;
213 TRACE(thunk, "Process %08lx allocated TargetDB entry for ThunkDataSL %08lx\n",
214 (DWORD)PROCESS_Current(), (DWORD)SL32->data);
218 struct ThunkDataLS32 *LS32 = (struct ThunkDataLS32 *)TD;
219 struct ThunkDataLS16 *LS16 = (struct ThunkDataLS16 *)TD16;
221 LS32->targetTable = PTR_SEG_TO_LIN(LS16->targetTable);
223 /* write QT_Thunk and FT_Prolog stubs */
224 _write_qtthunk ((LPBYTE)TD + LS32->offsetQTThunk, LS32->targetTable);
225 _write_ftprolog((LPBYTE)TD + LS32->offsetFTProlog, LS32->targetTable);
230 case DLL_PROCESS_DETACH:
238 /**********************************************************************
239 * QT_Thunk (KERNEL32)
241 * The target address is in EDX.
242 * The 16 bit arguments start at ESP+4.
243 * The number of 16bit argumentbytes is EBP-ESP-0x44 (68 Byte thunksetup).
246 REGS_ENTRYPOINT(QT_Thunk)
250 THDB *thdb = THREAD_Current();
252 memcpy(&context16,context,sizeof(context16));
254 CS_reg(&context16) = HIWORD(EDX_reg(context));
255 IP_reg(&context16) = LOWORD(EDX_reg(context));
256 EBP_reg(&context16) = OFFSETOF( thdb->cur_stack )
257 + (WORD)&((STACK16FRAME*)0)->bp;
259 argsize = EBP_reg(context)-ESP_reg(context)-0x44;
261 memcpy( ((LPBYTE)THREAD_STACK16(thdb))-argsize,
262 (LPBYTE)ESP_reg(context)+4, argsize );
264 EAX_reg(context) = Callbacks->CallRegisterShortProc( &context16, argsize );
265 EDX_reg(context) = HIWORD(EAX_reg(context));
269 /**********************************************************************
270 * FT_Prolog (KERNEL32.233)
272 * The set of FT_... thunk routines is used instead of QT_Thunk,
273 * if structures have to be converted from 32-bit to 16-bit
274 * (change of member alignment, conversion of members).
276 * The thunk function (as created by the thunk compiler) calls
277 * FT_Prolog at the beginning, to set up a stack frame and
278 * allocate a 64 byte buffer on the stack.
279 * The input parameters (target address and some flags) are
280 * saved for later use by FT_Thunk.
282 * Input: EDX 16-bit target address (SEGPTR)
283 * CX bits 0..7 target number (in target table)
284 * bits 8..9 some flags (unclear???)
285 * bits 10..15 number of DWORD arguments
287 * Output: A new stackframe is created, and a 64 byte buffer
288 * allocated on the stack. The layout of the stack
289 * on return is as follows:
291 * (ebp+4) return address to caller of thunk function
293 * (ebp-4) saved EBX register of caller
294 * (ebp-8) saved ESI register of caller
295 * (ebp-12) saved EDI register of caller
296 * (ebp-16) saved ECX register, containing flags
297 * (ebp-20) bitmap containing parameters that are to be converted
298 * by FT_Thunk; it is initialized to 0 by FT_Prolog and
299 * filled in by the thunk code before calling FT_Thunk
303 * (ebp-48) saved EAX register of caller (unclear, never restored???)
304 * (ebp-52) saved EDX register, containing 16-bit thunk target
309 * ESP is EBP-68 on return.
313 REGS_ENTRYPOINT(FT_Prolog)
315 /* Pop return address to thunk code */
316 EIP_reg(context) = STACK32_POP(context);
318 /* Build stack frame */
319 STACK32_PUSH(context, EBP_reg(context));
320 EBP_reg(context) = ESP_reg(context);
322 /* Allocate 64-byte Thunk Buffer */
323 ESP_reg(context) -= 64;
324 memset((char *)ESP_reg(context), '\0', 64);
326 /* Store Flags (ECX) and Target Address (EDX) */
327 /* Save other registers to be restored later */
328 *(DWORD *)(EBP_reg(context) - 4) = EBX_reg(context);
329 *(DWORD *)(EBP_reg(context) - 8) = ESI_reg(context);
330 *(DWORD *)(EBP_reg(context) - 12) = EDI_reg(context);
331 *(DWORD *)(EBP_reg(context) - 16) = ECX_reg(context);
333 *(DWORD *)(EBP_reg(context) - 48) = EAX_reg(context);
334 *(DWORD *)(EBP_reg(context) - 52) = EDX_reg(context);
336 /* Push return address back onto stack */
337 STACK32_PUSH(context, EIP_reg(context));
340 /**********************************************************************
341 * FT_Thunk (KERNEL32.234)
343 * This routine performs the actual call to 16-bit code,
344 * similar to QT_Thunk. The differences are:
345 * - The call target is taken from the buffer created by FT_Prolog
346 * - Those arguments requested by the thunk code (by setting the
347 * corresponding bit in the bitmap at EBP-20) are converted
348 * from 32-bit pointers to segmented pointers (those pointers
349 * are guaranteed to point to structures copied to the stack
350 * by the thunk code, so we always use the 16-bit stack selector
351 * for those addresses).
353 * The bit #i of EBP-20 corresponds here to the DWORD starting at
356 * FIXME: It is unclear what happens if there are more than 32 WORDs
357 * of arguments, so that the single DWORD bitmap is no longer
361 REGS_ENTRYPOINT(FT_Thunk)
363 DWORD mapESPrelative = *(DWORD *)(EBP_reg(context) - 20);
364 DWORD callTarget = *(DWORD *)(EBP_reg(context) - 52);
368 LPBYTE newstack, oldstack;
369 THDB *thdb = THREAD_Current();
371 memcpy(&context16,context,sizeof(context16));
373 CS_reg(&context16) = HIWORD(callTarget);
374 IP_reg(&context16) = LOWORD(callTarget);
375 EBP_reg(&context16) = OFFSETOF( thdb->cur_stack )
376 + (WORD)&((STACK16FRAME*)0)->bp;
378 argsize = EBP_reg(context)-ESP_reg(context)-0x44;
379 newstack = ((LPBYTE)THREAD_STACK16(thdb))-argsize;
380 oldstack = (LPBYTE)ESP_reg(context)+4;
382 memcpy( newstack, oldstack, argsize );
384 for (i = 0; i < 32; i++) /* NOTE: What about > 32 arguments? */
385 if (mapESPrelative & (1 << i))
387 SEGPTR *arg = (SEGPTR *)(newstack + 2*i);
388 *arg = PTR_SEG_OFF_TO_SEGPTR(SELECTOROF(thdb->cur_stack),
389 OFFSETOF(thdb->cur_stack) - argsize
390 + (*(LPBYTE *)arg - oldstack));
393 EAX_reg(context) = Callbacks->CallRegisterShortProc( &context16, argsize );
394 EDX_reg(context) = HIWORD(EAX_reg(context));
397 /**********************************************************************
398 * FT_ExitNN (KERNEL32.218 - 232)
400 * One of the FT_ExitNN functions is called at the end of the thunk code.
401 * It removes the stack frame created by FT_Prolog, moves the function
402 * return from EBX to EAX (yes, FT_Thunk did use EAX for the return
403 * value, but the thunk code has moved it from EAX to EBX in the
404 * meantime ... :-), restores the caller's EBX, ESI, and EDI registers,
405 * and perform a return to the CALLER of the thunk code (while removing
406 * the given number of arguments from the caller's stack).
409 static void FT_Exit(CONTEXT *context, int nPopArgs)
411 /* Return value is in EBX */
412 EAX_reg(context) = EBX_reg(context);
414 /* Restore EBX, ESI, and EDI registers */
415 EBX_reg(context) = *(DWORD *)(EBP_reg(context) - 4);
416 ESI_reg(context) = *(DWORD *)(EBP_reg(context) - 8);
417 EDI_reg(context) = *(DWORD *)(EBP_reg(context) - 12);
419 /* Clean up stack frame */
420 ESP_reg(context) = EBP_reg(context);
421 EBP_reg(context) = STACK32_POP(context);
423 /* Pop return address to CALLER of thunk code */
424 EIP_reg(context) = STACK32_POP(context);
425 /* Remove arguments */
426 ESP_reg(context) += nPopArgs;
427 /* Push return address back onto stack */
428 STACK32_PUSH(context, EIP_reg(context));
431 REGS_ENTRYPOINT(FT_Exit0) { FT_Exit(context, 0); }
432 REGS_ENTRYPOINT(FT_Exit4) { FT_Exit(context, 4); }
433 REGS_ENTRYPOINT(FT_Exit8) { FT_Exit(context, 8); }
434 REGS_ENTRYPOINT(FT_Exit12) { FT_Exit(context, 12); }
435 REGS_ENTRYPOINT(FT_Exit16) { FT_Exit(context, 16); }
436 REGS_ENTRYPOINT(FT_Exit20) { FT_Exit(context, 20); }
437 REGS_ENTRYPOINT(FT_Exit24) { FT_Exit(context, 24); }
438 REGS_ENTRYPOINT(FT_Exit28) { FT_Exit(context, 28); }
439 REGS_ENTRYPOINT(FT_Exit32) { FT_Exit(context, 32); }
440 REGS_ENTRYPOINT(FT_Exit36) { FT_Exit(context, 36); }
441 REGS_ENTRYPOINT(FT_Exit40) { FT_Exit(context, 40); }
442 REGS_ENTRYPOINT(FT_Exit44) { FT_Exit(context, 44); }
443 REGS_ENTRYPOINT(FT_Exit48) { FT_Exit(context, 48); }
444 REGS_ENTRYPOINT(FT_Exit52) { FT_Exit(context, 52); }
445 REGS_ENTRYPOINT(FT_Exit56) { FT_Exit(context, 56); }
448 /**********************************************************************
449 * WOWCallback16 (KERNEL32.62)(WOW32.2)
450 * Calls a win16 function with a single DWORD argument.
454 DWORD WINAPI WOWCallback16(
455 FARPROC16 fproc, /* [in] win16 function to call */
456 DWORD arg /* [in] single DWORD argument to function */
459 TRACE(thunk,"(%p,0x%08lx)...\n",fproc,arg);
460 ret = Callbacks->CallWOWCallbackProc(fproc,arg);
461 TRACE(thunk,"... returns %ld\n",ret);
465 /**********************************************************************
466 * WOWCallback16Ex (KERNEL32.55)(WOW32.3)
467 * Calls a function in 16bit code.
471 BOOL32 WINAPI WOWCallback16Ex(
472 FARPROC16 vpfn16, /* [in] win16 function to call */
473 DWORD dwFlags, /* [in] flags */
474 DWORD cbArgs, /* [in] nr of arguments */
475 LPVOID pArgs, /* [in] pointer to arguments (LPDWORD) */
476 LPDWORD pdwRetCode /* [out] return value of win16 function */
478 return Callbacks->CallWOWCallback16Ex(vpfn16,dwFlags,cbArgs,pArgs,pdwRetCode);
481 /***********************************************************************
482 * ThunkInitLS (KERNEL32.43)
483 * A thunkbuffer link routine
484 * The thunkbuf looks like:
486 * 00: DWORD length ? don't know exactly
487 * 04: SEGPTR ptr ? where does it point to?
488 * The pointer ptr is written into the first DWORD of 'thunk'.
489 * (probably correct implemented)
492 * segmented pointer to thunk?
494 DWORD WINAPI ThunkInitLS(
495 LPDWORD thunk, /* [in] win32 thunk */
496 LPCSTR thkbuf, /* [in] thkbuffer name in win16 dll */
497 DWORD len, /* [in] thkbuffer length */
498 LPCSTR dll16, /* [in] name of win16 dll */
499 LPCSTR dll32 /* [in] name of win32 dll (FIXME: not used?) */
503 if (!(addr = _loadthunk( dll16, thkbuf, dll32, NULL, len )))
508 *(DWORD*)thunk = addr[1];
513 /***********************************************************************
514 * Common32ThkLS (KERNEL32.45)
516 * This is another 32->16 thunk, independent of the QT_Thunk/FT_Thunk
517 * style thunks. The basic difference is that the parameter conversion
518 * is done completely on the *16-bit* side here. Thus we do not call
519 * the 16-bit target directly, but call a common entry point instead.
520 * This entry function then calls the target according to the target
521 * number passed in the DI register.
523 * Input: EAX SEGPTR to the common 16-bit entry point
524 * CX offset in thunk table (target number * 4)
525 * DX error return value if execution fails (unclear???)
526 * EDX.HI number of DWORD parameters
528 * (Note that we need to move the thunk table offset from CX to DI !)
530 * The called 16-bit stub expects its stack to look like this:
532 * (esp+40) 32-bit arguments
534 * (esp+8) 32 byte of stack space available as buffer
535 * (esp) 8 byte return address for use with 0x66 lret
537 * The called 16-bit stub uses a 0x66 lret to return to 32-bit code,
538 * and uses the EAX register to return a DWORD return value.
539 * Thus we need to use a special assembly glue routine
540 * (CallRegisterLongProc instead of CallRegisterShortProc).
542 * Finally, we return to the caller, popping the arguments off
545 * FIXME: The called function uses EBX to return the number of
546 * arguments that are to be popped off the caller's stack.
547 * This is clobbered by the assembly glue, so we simply use
548 * the original EDX.HI to get the number of arguments.
549 * (Those two values should be equal anyway ...?)
552 REGS_ENTRYPOINT(Common32ThkLS)
556 THDB *thdb = THREAD_Current();
558 memcpy(&context16,context,sizeof(context16));
560 DI_reg(&context16) = CX_reg(context);
561 CS_reg(&context16) = HIWORD(EAX_reg(context));
562 IP_reg(&context16) = LOWORD(EAX_reg(context));
563 EBP_reg(&context16) = OFFSETOF( thdb->cur_stack )
564 + (WORD)&((STACK16FRAME*)0)->bp;
566 argsize = HIWORD(EDX_reg(context)) * 4;
568 memcpy( ((LPBYTE)THREAD_STACK16(thdb))-argsize,
569 (LPBYTE)ESP_reg(context)+4, argsize );
571 EAX_reg(context) = Callbacks->CallRegisterLongProc(&context16, argsize + 32);
573 /* Clean up caller's stack frame */
575 EIP_reg(context) = STACK32_POP(context);
576 ESP_reg(context) += argsize;
577 STACK32_PUSH(context, EIP_reg(context));
580 /***********************************************************************
581 * OT_32ThkLSF (KERNEL32.40)
583 * YET Another 32->16 thunk. The difference to Common32ThkLS is that
584 * argument processing is done on both the 32-bit and the 16-bit side:
585 * The 32-bit side prepares arguments, copying them onto the stack.
587 * When this routine is called, the first word on the stack is the
588 * number of argument bytes prepared by the 32-bit code, and EDX
589 * contains the 16-bit target address.
591 * The called 16-bit routine is another relaycode, doing further
592 * argument processing and then calling the real 16-bit target
593 * whose address is stored at [bp-04].
595 * The call proceeds using a normal CallRegisterShortProc.
596 * After return from the 16-bit relaycode, the arguments need
597 * to be copied *back* to the 32-bit stack, since the 32-bit
598 * relaycode processes output parameters.
600 * Note that we copy twice the number of arguments, since some of the
601 * 16-bit relaycodes in SYSTHUNK.DLL directly access the original
602 * arguments of the caller!
604 * (Note that this function seems only to be used for
605 * OLECLI32 -> OLECLI and OLESVR32 -> OLESVR thunking.)
607 REGS_ENTRYPOINT(OT_32ThkLSF)
611 THDB *thdb = THREAD_Current();
613 memcpy(&context16,context,sizeof(context16));
615 CS_reg(&context16) = HIWORD(EDX_reg(context));
616 IP_reg(&context16) = LOWORD(EDX_reg(context));
617 EBP_reg(&context16) = OFFSETOF( thdb->cur_stack )
618 + (WORD)&((STACK16FRAME*)0)->bp;
620 argsize = 2 * *(WORD *)(ESP_reg(context) + 4) + 2;
622 memcpy( ((LPBYTE)THREAD_STACK16(thdb))-argsize,
623 (LPBYTE)ESP_reg(context)+4, argsize );
625 EAX_reg(context) = Callbacks->CallRegisterShortProc(&context16, argsize);
627 memcpy( (LPBYTE)ESP_reg(context)+4,
628 ((LPBYTE)THREAD_STACK16(thdb))-argsize, argsize );
631 /***********************************************************************
632 * ThunkInitLSF (KERNEL32.41)
633 * A thunk setup routine.
634 * Expects a pointer to a preinitialized thunkbuffer in the first argument
636 * 00..03: unknown (pointer, check _41, _43, _46)
639 * 06..23: unknown (space for replacement code, check .90)
641 * 24:>E800000000 call offset 29
642 * 29:>58 pop eax ( target of call )
643 * 2A: 2D25000000 sub eax,0x00000025 ( now points to offset 4 )
644 * 2F: BAxxxxxxxx mov edx,xxxxxxxx
645 * 34: 68yyyyyyyy push KERNEL32.90
649 * 3E ... 59: unknown (space for replacement code?)
650 * 5A: E8xxxxxxxx call <32bitoffset xxxxxxxx>
652 * 60: 81EA25xxxxxx sub edx, 0x25xxxxxx
654 * 67: 68xxxxxxxx push xxxxxxxx
655 * 6C: 68yyyyyyyy push KERNEL32.89
658 * This function checks if the code is there, and replaces the yyyyyyyy entries
659 * by the functionpointers.
660 * The thunkbuf looks like:
662 * 00: DWORD length ? don't know exactly
663 * 04: SEGPTR ptr ? where does it point to?
664 * The segpointer ptr is written into the first DWORD of 'thunk'.
667 * unclear, pointer to win16 thkbuffer?
669 LPVOID WINAPI ThunkInitLSF(
670 LPBYTE thunk, /* [in] win32 thunk */
671 LPCSTR thkbuf, /* [in] thkbuffer name in win16 dll */
672 DWORD len, /* [in] length of thkbuffer */
673 LPCSTR dll16, /* [in] name of win16 dll */
674 LPCSTR dll32 /* [in] name of win32 dll */
676 HMODULE32 hkrnl32 = GetModuleHandle32A("KERNEL32");
679 /* FIXME: add checks for valid code ... */
680 /* write pointers to kernel32.89 and kernel32.90 (+ordinal base of 1) */
681 *(DWORD*)(thunk+0x35) = (DWORD)GetProcAddress32(hkrnl32,(LPSTR)90);
682 *(DWORD*)(thunk+0x6D) = (DWORD)GetProcAddress32(hkrnl32,(LPSTR)89);
685 if (!(addr = _loadthunk( dll16, thkbuf, dll32, NULL, len )))
688 addr2 = PTR_SEG_TO_LIN(addr[1]);
690 *(DWORD*)thunk = (DWORD)addr2;
695 /***********************************************************************
696 * FT_PrologPrime (KERNEL32.89)
698 * This function is called from the relay code installed by
699 * ThunkInitLSF. It replaces the location from where it was
700 * called by a standard FT_Prolog call stub (which is 'primed'
701 * by inserting the correct target table pointer).
702 * Finally, it calls that stub.
704 * Input: ECX target number + flags (passed through to FT_Prolog)
705 * (ESP) offset of location where target table pointer
706 * is stored, relative to the start of the relay code
707 * (ESP+4) pointer to start of relay code
708 * (this is where the FT_Prolog call stub gets written to)
710 * Note: The two DWORD arguments get popped from the stack.
713 REGS_ENTRYPOINT(FT_PrologPrime)
715 DWORD targetTableOffset = STACK32_POP(context);
716 LPBYTE relayCode = (LPBYTE)STACK32_POP(context);
717 DWORD *targetTable = *(DWORD **)(relayCode+targetTableOffset);
718 DWORD targetNr = LOBYTE(ECX_reg(context));
720 _write_ftprolog(relayCode, targetTable);
722 /* We should actually call the relay code now, */
723 /* but we skip it and go directly to FT_Prolog */
724 EDX_reg(context) = targetTable[targetNr];
725 __regs_FT_Prolog(context);
728 /***********************************************************************
729 * QT_ThunkPrime (KERNEL32.90)
731 * This function corresponds to FT_PrologPrime, but installs a
732 * call stub for QT_Thunk instead.
734 * Input: (EBP-4) target number (passed through to QT_Thunk)
735 * EDX target table pointer location offset
736 * EAX start of relay code
739 REGS_ENTRYPOINT(QT_ThunkPrime)
741 DWORD targetTableOffset = EDX_reg(context);
742 LPBYTE relayCode = (LPBYTE)EAX_reg(context);
743 DWORD *targetTable = *(DWORD **)(relayCode+targetTableOffset);
744 DWORD targetNr = LOBYTE(*(DWORD *)(EBP_reg(context) - 4));
746 _write_qtthunk(relayCode, targetTable);
748 /* We should actually call the relay code now, */
749 /* but we skip it and go directly to QT_Thunk */
750 EDX_reg(context) = targetTable[targetNr];
751 __regs_QT_Thunk(context);
754 /***********************************************************************
756 * Another thunkbuf link routine.
757 * The start of the thunkbuf looks like this:
759 * 04: SEGPTR address for thunkbuffer pointer
762 VOID WINAPI ThunkInitSL(
763 LPBYTE thunk, /* [in] start of thunkbuffer */
764 LPCSTR thkbuf, /* [in] name/ordinal of thunkbuffer in win16 dll */
765 DWORD len, /* [in] length of thunkbuffer */
766 LPCSTR dll16, /* [in] name of win16 dll containing the thkbuf */
767 LPCSTR dll32 /* [in] win32 dll. FIXME: strange, unused */
771 if (!(addr = _loadthunk( dll16, thkbuf, dll32, NULL, len )))
774 *(DWORD*)PTR_SEG_TO_LIN(addr[1]) = (DWORD)thunk;
777 /**********************************************************************
782 BOOL32 WINAPI SSInit()
787 /**********************************************************************
788 * SSOnBigStack KERNEL32.87
789 * Check if thunking is initialized (ss selector set up etc.)
790 * We do that differently, so just return TRUE.
795 BOOL32 WINAPI SSOnBigStack()
797 TRACE(thunk, "Yes, thunking is initialized\n");
801 /**********************************************************************
803 * One of the real thunking functions. This one seems to be for 32<->32
804 * thunks. It should probably be capable of crossing processboundaries.
806 * And YES, I've seen nr=48 (somewhere in the Win95 32<->16 OLE coupling)
809 DWORD WINAPIV SSCall(
810 DWORD nr, /* [in] number of argument bytes */
811 DWORD flags, /* [in] FIXME: flags ? */
812 FARPROC32 fun, /* [in] function to call */
813 ... /* [in/out] arguments */
816 DWORD *args = ((DWORD *)&fun) + 1;
819 dbg_decl_str(thunk, 256);
821 dsprintf(thunk,"0x%08lx,",args[i]);
822 TRACE(thunk,"(%ld,0x%08lx,%p,[%s])\n",
823 nr,flags,fun,dbg_str(thunk));
828 case 4: ret = fun(args[0]);
830 case 8: ret = fun(args[0],args[1]);
832 case 12: ret = fun(args[0],args[1],args[2]);
834 case 16: ret = fun(args[0],args[1],args[2],args[3]);
836 case 20: ret = fun(args[0],args[1],args[2],args[3],args[4]);
838 case 24: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5]);
840 case 28: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6]);
842 case 32: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6],args[7]);
844 case 36: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6],args[7],args[8]);
846 case 40: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6],args[7],args[8],args[9]);
848 case 44: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6],args[7],args[8],args[9],args[10]);
850 case 48: ret = fun(args[0],args[1],args[2],args[3],args[4],args[5],args[6],args[7],args[8],args[9],args[10],args[11]);
853 WARN(thunk,"Unsupported nr of arguments, %ld\n",nr);
858 TRACE(thunk," returning %ld ...\n",ret);
862 /**********************************************************************
863 * W32S_BackTo32 (KERNEL32.51)
865 REGS_ENTRYPOINT(W32S_BackTo32)
867 LPDWORD stack = (LPDWORD)ESP_reg( context );
868 FARPROC32 proc = (FARPROC32) stack[0];
870 EAX_reg( context ) = proc( stack[2], stack[3], stack[4], stack[5], stack[6],
871 stack[7], stack[8], stack[9], stack[10], stack[11] );
873 EIP_reg( context ) = stack[1];
876 /**********************************************************************
877 * AllocSLCallback (KERNEL32)
879 * Win95 uses some structchains for callbacks. It allocates them
880 * in blocks of 100 entries, size 32 bytes each, layout:
882 * 0: PTR nextblockstart
884 * 8: WORD sel ( start points to blockstart)
888 * 18: PDB *owning_process;
891 * We ignore this for now. (Just a note for further developers)
892 * FIXME: use this method, so we don't waste selectors...
894 * Following code is then generated by AllocSLCallback. The code is 16 bit, so
895 * the 0x66 prefix switches from word->long registers.
898 * 6668x arg2 x pushl <arg2>
900 * EAx arg1 x jmpf <arg1>
902 * returns the startaddress of this thunk.
904 * Note, that they look very similair to the ones allocates by THUNK_Alloc.
906 * segmented pointer to the start of the thunk
910 DWORD finalizer, /* [in] finalizer function */
911 DWORD callback /* [in] callback function */
913 LPBYTE x,thunk = HeapAlloc( GetProcessHeap(), 0, 32 );
917 *x++=0x66;*x++=0x5a; /* popl edx */
918 *x++=0x66;*x++=0x68;*(DWORD*)x=finalizer;x+=4; /* pushl finalizer */
919 *x++=0x66;*x++=0x52; /* pushl edx */
920 *x++=0xea;*(DWORD*)x=callback;x+=4; /* jmpf callback */
922 *(PDB32**)(thunk+18) = PROCESS_Current();
924 sel = SELECTOR_AllocBlock( thunk , 32, SEGMENT_CODE, FALSE, FALSE );
928 /**********************************************************************
929 * FreeSLCallback (KERNEL32.274)
930 * Frees the specified 16->32 callback
934 DWORD x /* [in] 16 bit callback (segmented pointer?) */
936 FIXME(win32,"(0x%08lx): stub\n",x);
940 /**********************************************************************
941 * GetTEBSelectorFS (KERNEL.475)
942 * Set the 16-bit %fs to the 32-bit %fs (current TEB selector)
944 VOID WINAPI GetTEBSelectorFS( CONTEXT *context )
946 GET_FS( FS_reg(context) );
949 /**********************************************************************
950 * KERNEL_431 (KERNEL.431)
951 * IsPeFormat (W32SYS.2)
952 * Checks the passed filename if it is a PE format executeable
957 BOOL16 WINAPI IsPeFormat(
958 LPSTR fn, /* [in] filename to executeable */
959 HFILE16 hf16 /* [in] open file, if filename is NULL */
961 IMAGE_DOS_HEADER mzh;
962 HFILE32 hf=HFILE16_TO_HFILE32(hf16);
967 hf = OpenFile32(fn,&ofs,OF_READ);
968 if (hf==HFILE_ERROR32)
971 _llseek32(hf,0,SEEK_SET);
972 if (sizeof(mzh)!=_lread32(hf,&mzh,sizeof(mzh))) {
976 if (mzh.e_magic!=IMAGE_DOS_SIGNATURE) {
977 WARN(dosmem,"File has not got dos signature!\n");
981 _llseek32(hf,mzh.e_lfanew,SEEK_SET);
982 if (sizeof(DWORD)!=_lread32(hf,&xmagic,sizeof(DWORD))) {
987 return (xmagic == IMAGE_NT_SIGNATURE);
990 /***********************************************************************
991 * WOWHandle32 (KERNEL32.57)(WOW32.16)
992 * Converts a win16 handle of type into the respective win32 handle.
993 * We currently just return this handle, since most handles are the same
994 * for win16 and win32.
998 HANDLE32 WINAPI WOWHandle32(
999 WORD handle, /* [in] win16 handle */
1000 WOW_HANDLE_TYPE type /* [in] handle type */
1002 TRACE(win32,"(0x%04x,%d)\n",handle,type);
1003 return (HANDLE32)handle;
1006 /***********************************************************************
1007 * K32Thk1632Prolog (KERNEL32.492)
1009 REGS_ENTRYPOINT(K32Thk1632Prolog)
1011 LPBYTE code = (LPBYTE)EIP_reg(context) - 5;
1013 /* Arrrgh! SYSTHUNK.DLL just has to re-implement another method
1014 of 16->32 thunks instead of using one of the standard methods!
1015 This means that SYSTHUNK.DLL itself switches to a 32-bit stack,
1016 and does a far call to the 32-bit code segment of OLECLI32/OLESVR32.
1017 Unfortunately, our CallTo/CallFrom mechanism is therefore completely
1018 bypassed, which means it will crash the next time the 32-bit OLE
1019 code thunks down again to 16-bit (this *will* happen!).
1021 The following hack tries to recognize this situation.
1022 This is possible since the called stubs in OLECLI32/OLESVR32 all
1023 look exactly the same:
1024 00 E8xxxxxxxx call K32Thk1632Prolog
1025 05 FF55FC call [ebp-04]
1026 08 E8xxxxxxxx call K32Thk1632Epilog
1029 If we recognize this situation, we try to simulate the actions
1030 of our CallTo/CallFrom mechanism by copying the 16-bit stack
1031 to our 32-bit stack, creating a proper STACK16FRAME and
1032 updating thdb->cur_stack. */
1034 if ( code[5] == 0xFF && code[6] == 0x55 && code[7] == 0xFC
1035 && code[13] == 0x66 && code[14] == 0xCB)
1037 WORD stackSel = NtCurrentTeb()->stack_sel;
1038 DWORD stackBase = GetSelectorBase(stackSel);
1040 THDB *thdb = THREAD_Current();
1041 DWORD argSize = EBP_reg(context) - ESP_reg(context);
1042 char *stack16 = (char *)ESP_reg(context);
1043 char *stack32 = (char *)thdb->cur_stack - argSize;
1044 STACK16FRAME *frame16 = (STACK16FRAME *)stack16 - 1;
1046 TRACE(thunk, "before SYSTHUNK hack: EBP: %08lx ESP: %08lx cur_stack: %08lx\n",
1047 EBP_reg(context), ESP_reg(context), thdb->cur_stack);
1049 memset(frame16, '\0', sizeof(STACK16FRAME));
1050 frame16->frame32 = (STACK32FRAME *)thdb->cur_stack;
1051 frame16->ebp = EBP_reg(context);
1053 memcpy(stack32, stack16, argSize);
1054 thdb->cur_stack = PTR_SEG_OFF_TO_SEGPTR(stackSel, (DWORD)frame16 - stackBase);
1056 ESP_reg(context) = (DWORD)stack32;
1057 EBP_reg(context) = ESP_reg(context) + argSize;
1059 TRACE(thunk, "after SYSTHUNK hack: EBP: %08lx ESP: %08lx cur_stack: %08lx\n",
1060 EBP_reg(context), ESP_reg(context), thdb->cur_stack);
1063 SYSLEVEL_ReleaseWin16Lock();
1066 /***********************************************************************
1067 * K32Thk1632Epilog (KERNEL32.491)
1069 REGS_ENTRYPOINT(K32Thk1632Epilog)
1071 LPBYTE code = (LPBYTE)EIP_reg(context) - 13;
1073 SYSLEVEL_RestoreWin16Lock();
1075 /* We undo the SYSTHUNK hack if necessary. See K32Thk1632Prolog. */
1077 if ( code[5] == 0xFF && code[6] == 0x55 && code[7] == 0xFC
1078 && code[13] == 0x66 && code[14] == 0xCB)
1080 THDB *thdb = THREAD_Current();
1081 STACK16FRAME *frame16 = (STACK16FRAME *)PTR_SEG_TO_LIN(thdb->cur_stack);
1082 char *stack16 = (char *)(frame16 + 1);
1083 DWORD argSize = frame16->ebp - (DWORD)stack16;
1084 char *stack32 = (char *)frame16->frame32 - argSize;
1086 DWORD nArgsPopped = ESP_reg(context) - (DWORD)stack32;
1088 TRACE(thunk, "before SYSTHUNK hack: EBP: %08lx ESP: %08lx cur_stack: %08lx\n",
1089 EBP_reg(context), ESP_reg(context), thdb->cur_stack);
1091 thdb->cur_stack = (DWORD)frame16->frame32;
1093 ESP_reg(context) = (DWORD)stack16 + nArgsPopped;
1094 EBP_reg(context) = frame16->ebp;
1096 TRACE(thunk, "after SYSTHUNK hack: EBP: %08lx ESP: %08lx cur_stack: %08lx\n",
1097 EBP_reg(context), ESP_reg(context), thdb->cur_stack);
projects / wine / blob