I'd like to force a coredump from a program (or see its memory at a specific time in some other way). There are a couple of problems though:
I've tried changing the code to both:
xor eax, eax
call eax
and some random stuff which wasn't a real instruction - both times SEH kicked in and rescued the application.
How can I get the information? I need the memory image from a specific time and can patch the exact place where it occurs.
Since you have access to the source code of wine, I'd suggest just altering the wine SEH code, and/or the implementation of the IsDebuggerPresent() function.
Another option would be to modify the application to suspend itself by raising a SIGSTOP signal. Windows applications in Wine can still access Linux APIs by invoking int $0x80, so you could inject some code like the following:
mov $20, %eax     # sys_getpid
int $0x80
mov %eax, %ebx    # load pid parameter
mov $37, %eax     # sys_kill
mov $19, %ecx     # sig = SIGSTOP
int $0x80         # after executing this instruction, execution will halt
Then you can mmap ranges from /proc/(pid)/mem to read out the process's memory, or even attach gdb and use its generate-core-file command. Alternately, you could change this to simply raise SIGQUIT or something to trigger a core dump right then and there (assuming wine hasn't installed a SIGQUIT handler - but with the right syscalls that can be overcome as well).
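As an added example (not code from the answer above), the self-suspend stub in AT&T syntax wrapped in a small C harness: a child process runs the stub to stop itself, and the parent reads a marker out of the child's /proc/<pid>/mem while it is stopped, which is the same read you would do against a stopped Wine process. It assumes Linux, an x86 build for the raw int $0x80 path (other architectures fall back to libc kill()), and that the parent is allowed to ptrace its child (Yama ptrace_scope at most 1).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
static char marker[16] = "RUNNING";  /* child overwrites this before halting */

/* Self-suspend via the int $0x80 stub from the answer (AT&T operand order):
 * getpid(), then kill(pid, SIGSTOP). Non-x86 builds fall back to libc. */
static void halt_self(void) {
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile(
        "mov $20, %%eax\n\t"   /* sys_getpid */
        "int $0x80\n\t"
        "mov %%eax, %%ebx\n\t" /* pid -> first argument of kill */
        "mov $37, %%eax\n\t"   /* sys_kill */
        "mov $19, %%ecx\n\t"   /* sig = SIGSTOP */
        "int $0x80"            /* execution halts here until SIGCONT/SIGKILL */
        ::: "eax", "ebx", "ecx", "memory");
#else
    kill(getpid(), SIGSTOP);
#endif
}

/* Fork a child that halts itself, then read its marker from /proc/<pid>/mem
 * while it is stopped. Returns 0 and fills out[] on success, -1 otherwise. */
int snapshot_child_marker(char *out, size_t outlen) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        strcpy(marker, "STOPPED!");  /* the state we want captured */
        halt_self();
        _exit(0);
    }
    int status, rc = -1;
    if (waitpid(pid, &status, WUNTRACED) == pid && WIFSTOPPED(status)) {
        char path[64];
        snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
        int fd = open(path, O_RDONLY);   /* requires ptrace access to the child */
        /* fork() preserves the layout, so &marker is the same address in the child */
        if (fd >= 0 && pread(fd, out, outlen, (off_t)(unsigned long)marker) == (ssize_t)outlen)
            rc = 0;
        if (fd >= 0) close(fd);
    }
    kill(pid, SIGKILL);     /* snapshot taken; dispose of the stopped child */
    waitpid(pid, NULL, 0);
    return rc;
}
```

The parent's own copy of marker still reads "RUNNING" afterwards, while the bytes pulled from the stopped child read "STOPPED!", which shows the read really came from the other process's memory at the moment it halted.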