Using StraceNT I was able to get this output.
Here’s a snippet:
IntellectualHeaven (R) System Call Tracer for NT, 2K, XP, 2K3.
Copyright (C) Pankaj Garg. All rights reserved.
Tracing command: ["pdbstr" -r -p:accessiblemarshal.pdb -i:am3.stream -s:srcsrv]
[T3600] TlsGetValue(1, 0, 2bfef8, 182020, …) = 2c7778
[T3600] EnterCriticalSection(77c61b30, 2c7778, 2bfed0, 77c3a03b, …) = 0
[T3600] LeaveCriticalSection(77c61b30, 2bfed0, 77c3a0fa, d, …) = 0
[T3600] EnterCriticalSection(77c61b18, 2c7778, 2bfed0, 77c3a06c, …) = 0
[T3600] LeaveCriticalSection(77c61b18, 2bfed0, 77c3a108, c, …) = 0
[T3600] HeapFree(2c0000, 0, 2c7778, 0, …) = 1
[T3600] TlsSetValue(1, 0, 0, 2bfef8, …) = 1
[T2556] LeaveCriticalSection(2c1fdc, 6f1c0, 77c2d154, 4, …) = 0
[T2556] LeaveCriticalSection(2c7718, 6f1d8, 77c3b967, 13, …) = 0
[T2556] HeapFree(2c0000, 0, 2caa48, 1058d24, …) = 1
The results are certainly a bit clearer looking than the Linux/Wine results. I am still clueless, however, as to the deeper meaning. I’ve been told I need to talk to timeless on IRC, that he is the one with major knowledge on reverse engineering.
This is turning into quite the rabbit hole.