Home/ Questions/Q 1054883
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T17:28:35+00:00

I’d like to force a coredump from a program (or see its memory at

  • 0

I’d like to force a coredump from a program (or see its memory at a specific time in some other way). There are a couple of problems though:

  • I’m running it under wine (cannot run via winedbg, because the application detects it)
  • The application uses exceptions / SEH / other handlers, which capture non-standard events
  • Even attaching strace stops the program from working
  • I’d like to poke around, so there are no specific areas that I could print
  • Well… I don’t have the source

I’ve tried changing the code to both:

xor eax, eax
call eax

and some random stuff which wasn’t a real instruction – both time SEH kicked in and rescued the application.

How can I get the information? I need the memory image from a specific time and can patch the exact place where it occurs.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Since you have access to the source code of wine, I’d suggest just altering the wine SEH code, and/or the implementation of the IsDebuggerPresent() function.

    Another option would be to modify the application to suspend itself by raising a SIGSTOP signal. Windows applications in Wine can still access linux APIs by invoking int $0x80, so you could inject some code like the following:

    mov %eax, $20  ;; sys_getpid
int $0x80
mov %ebx, %eax ;; load pid parameter
mov %eax, $37  ;; sys_kill
mov %ecx, $19  ;; sig = SIGSTOP
int $0x80      ;; after executing this instruction, execution will halt

    Then you can mmap ranges from /proc/(pid)/mem to read out the process’s memory, or even attach gdb and use its generate-core-file command. Alternately, you could change this to simply raise SIGQUIT or something to trigger a core dump right then and there (assuming wine hasn’t installed a SIGQUIT handler – but with the right syscalls that can be overcome as well).

    • 0