Various anticheat/DRM schemes actually do direct syscalls on Windows, so Proton has patches that use seccomp to trap them and jump to the intended Nt* syscall. There was actually a feature added to the Linux kernel a few years ago (syscall user dispatch) so that Wine could stop using seccomp for this, but Wine is still not using it.Upstream Wine also supports direct syscalls on x86_64 macOS. macOS syscall numbers have a high bit set, so Windows syscall numbers (0 to ~300) are invalid macOS syscalls, that triggers SIGSYS, and then Wine jumps to the Nt* syscall.
No comments yet.