[Bug 50431] New: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\\SystemRoot\\system32\\drivers' and 'WOW64=1'
https://bugs.winehq.org/show_bug.cgi?id=50431

            Bug ID: 50431
           Summary: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\\SystemRoot\\system32\\drivers' and 'WOW64=1'
           Product: Wine
           Version: 6.0-rc4
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: programs
          Assignee: wine-bugs(a)winehq.org
          Reporter: focht(a)gmx.net
      Distribution: ---

Hello folks,

as it says.

Bug 47175 (https://bugs.winehq.org/show_bug.cgi?id=47175#c4) is kinda related but the mistake is not in the service creation part.

Norton AntiVirus 2010 installer creates several 32-bit and 64-bit services. The kernel driver services are 64-bit by design (64-bit WINEPREFIX). The registry entries for these services contain a mix of different styles. 'WOW64' is always set because the services were created by a 32-bit installer process. Wine uses this flag only in case of failure to determine the binary type. 64-bit kernel drivers should be always started as 64-bit.

Registry:

--- snip ---
...
[System\\CurrentControlSet\\Services\\BHDrvx64] 1609425565
"Description"="SONAR Engine Driver"
"DisplayName"="BHDrvx64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\BASHDefs\\20090829.001\\BHDrvx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\\CurrentControlSet\\Services\\IDSVia64] 1609419518
"Description"="Symantec Intrusion Prevention Driver"
"DisplayName"="IDSVia64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\IPSDefs\\20090828.002\\IDSVia64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\\CurrentControlSet\\Services\\ccHP] 1609437834
#time=1d6df9f4d82eda4
"DisplayName"="Symantec Hash Provider"
"ErrorControl"=dword:00000001
"ImagePath"="\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
--- snip ---

'ccHP' kernel service doesn't work here. SCM erroneously starts 'winedevice' hosting process as 32-bit hence loading the 64-bit kernel driver binary will obviously fail.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers/NAVx64/1100000.088

$ file *
cchpx64.cat:  data
ccHPx64.inf:  Windows setup INFormation
ccHPx64.sys:  PE32+ executable (native) x86-64, for MS Windows
iron.cat:     data
Iron.inf:     Windows setup INFormation
Ironx64.sys:  PE32+ executable (native) x86-64, for MS Windows
isolate.ini:  Little-endian UTF-16 Unicode text, with CRLF line terminators
srtsp64.cat:  data
srtsp64.inf:  Windows setup INFormation
srtsp64.sys:  PE32+ executable (native) x86-64, for MS Windows
srtspx64.cat: data
srtspx64.inf: Windows setup INFormation
srtspx64.sys: PE32+ executable (native) x86-64, for MS Windows
SymDS64.cat:  data
SymDS64.sys:  PE32+ executable (native) x86-64, for MS Windows
SymDS.inf:    Windows setup INFormation
SymEFA64.cat: data
SymEFA64.sys: PE32+ executable (native) x86-64, for MS Windows
SymEFA.inf:   Windows setup INFormation
symnet64.cat: data
SymNet.inf:   Windows setup INFormation
symnetv64.cat: data
SymNetV.inf:  Windows setup INFormation
symtdiv.sys:  PE32+ executable (native) x86-64, for MS Windows
--- snip ---

Trace log:

--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl,+ntdll,+server,+service wineboot >>log.txt 2>&1
...
003c:trace:service:load_service_config Image path = L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
003c:trace:service:load_service_config Group = (null)
...
003c:trace:service:load_service_config Service account name = L"LocalSystem"
...
003c:trace:service:load_service_config Display name = L"Symantec Hash Provider"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies : (none)
...
003c:Call KERNEL32.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=1400062de
003c:Call kernelbase.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=7bc4429f
003c:Call ntdll.RtlInitUnicodeString(0021f628,0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7b042c06
003c:Ret  ntdll.RtlInitUnicodeString() retval=00000078 ret=7b042c06
003c:Call ntdll.RtlExpandEnvironmentStrings_U(00000000,0021f628,0021f618,0021f614) ret=7b042c47
003c:Ret  ntdll.RtlExpandEnvironmentStrings_U() retval=00000000 ret=7b042c47
003c:Ret  kernelbase.ExpandEnvironmentStringsW() retval=0000003c ret=7bc4429f
003c:Ret  KERNEL32.ExpandEnvironmentStringsW() retval=0000003c ret=1400062de
003c:Call KERNEL32.GetBinaryTypeW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f7c0) ret=140006473
003c:Call kernelbase.CreateFileW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",80000000,00000001,00000000,7fd700000003,00000000,00000000) ret=7b61b63d
...
003c:Call ntdll.RtlDosPathNameToNtPathName_U(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f458,00000000,00000000) ret=7b0160a0
003c:Ret  ntdll.RtlDosPathNameToNtPathName_U() retval=00000001 ret=7b0160a0
003c:Call ntdll.NtCreateFile(0021f3e8,80100080,0021f428,0021f418,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7b01623a
003c:Ret  ntdll.NtCreateFile() retval=c000003a ret=7b01623a
003c:Call ntdll.RtlNtStatusToDosError(c000003a) ret=7b01633c
003c:Ret  ntdll.RtlNtStatusToDosError() retval=00000003 ret=7b01633c
...
003c:Ret  kernelbase.CreateFileW() retval=ffffffffffffffff ret=7b61b63d
003c:Ret  KERNEL32.GetBinaryTypeW() retval=00000000 ret=140006473
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
...
0054:Call KERNEL32.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=0036490e
0054:Call kernelbase.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7bc3ab84
...
0054:Call ntdll.LdrGetDllPath(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",00000000,00d5faf0,00d5fae8) ret=7b01bc26
0054:Ret  ntdll.LdrGetDllPath() retval=00000000 ret=7b01bc26
...
0054:Call ntdll.LdrLoadDll(0012d958 L"C:\\windows\\syswow64;C:\\windows\\system32;C:\\windows\\system;C:\\windows;.;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem;C:\\windows\\system32\\WindowsPowershell\\v1.0",00000000,00d5fb10,00d5faf8) ret=7b01bdfc
...
0054: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000000,sd={},name=L""}, filename="/home/focht/projects/wine/mainline-install-x86_64/lib/wine/cchpx64.sys" )
...
0054: create_file() = NO_SUCH_FILE { handle=0000 }
...
0054:Ret  ntdll.LdrLoadDll() retval=c0000135 ret=7b01bdfc
...
0054:Ret  kernelbase.LoadLibraryW() retval=00000000 ret=7bc3ab84
...
0054:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ccHP": c0000142
--- snip ---

'\\SystemRoot\\system32\\drivers' is a valid path for REG_EXPAND_SZ type 'ImagePath' as well. It doesn't need to be '%SystemRoot%\\xxx'.

Due to 'GetBinaryTypeW' failure, the "else" path is taken which uses 'WOW64' flag. All services created by 32-bit installer have 'WOW64' set by design, including the 64-bit services, which leads to the incorrect "fallback" choice.

Wine source:

https://source.winehq.org/git/wine.git/blob/784cb2060ab63076adc349dcb1d15a6c...

--- snip ---
static DWORD get_winedevice_binary_path(struct service_entry *service_entry, WCHAR **path, BOOL *is_wow64)
{
    static const WCHAR winedeviceW[] = {'\\','w','i','n','e','d','e','v','i','c','e','.','e','x','e',0};
    WCHAR system_dir[MAX_PATH];
    DWORD type;

    if (!is_win64)
        *is_wow64 = FALSE;
    else if (GetBinaryTypeW(*path, &type))
        *is_wow64 = (type == SCS_32BIT_BINARY);
    else
        *is_wow64 = service_entry->is_wow64;

    GetSystemDirectoryW(system_dir, MAX_PATH);
    HeapFree(GetProcessHeap(), 0, *path);
    if (!(*path = HeapAlloc(GetProcessHeap(), 0, lstrlenW(system_dir) * sizeof(WCHAR) + sizeof(winedeviceW))))
        return ERROR_NOT_ENOUGH_SERVER_MEMORY;

    lstrcpyW(*path, system_dir);
    lstrcatW(*path, winedeviceW);
    return ERROR_SUCCESS;
}
--- snip ---

Virustotal.com scan of the binary:

https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20...

$ sha1sum NAV10TBEN.exe
eadfb9c860146186c548aba695a9be87607f5586  NAV10TBEN.exe

$ du -sh NAV10TBEN.exe
74M NAV10TBEN.exe

$ wine --version
wine-6.0-rc4

Regards

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
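
The decision order the report argues for, as an added example that is not Wine's code or its fix: resolve an NT-style '\SystemRoot\' (or '%SystemRoot%\') ImagePath to a DOS path before probing the image, classify the image from its PE header, and consult the registry 'WOW64' value only when that fails. The helper names, the 'C:\windows' root and the sample header bytes are assumptions constructed for the example.

```c
/* Added example, not Wine code: helper names and sample_pe64 are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int has_prefix_i(const char *s, const char *p)
{
    while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p)) s++, p++;
    return !*p;
}

/* Rewrite "\SystemRoot\..." or "%SystemRoot%\..." as a DOS path under root. */
static int resolve_image_path(const char *image, const char *root, char *out, size_t outlen)
{
    static const char *const pfx[] = { "\\SystemRoot\\", "%SystemRoot%\\" };
    for (size_t i = 0; i < 2; i++)
        if (has_prefix_i(image, pfx[i]))
            return (size_t)snprintf(out, outlen, "%s\\%s", root, image + strlen(pfx[i])) < outlen;
    return (size_t)snprintf(out, outlen, "%s", image) < outlen; /* already a DOS path */
}

/* 64 for PE32+ (magic 0x20b), 32 for PE32 (0x10b), 0 if not a readable PE image. */
static int pe_bitness(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    size_t off = buf[0x3c] | buf[0x3d] << 8 | buf[0x3e] << 16 | (size_t)buf[0x3f] << 24;
    if (off > len || len - off < 26 || memcmp(buf + off, "PE\0\0", 4)) return 0;
    unsigned magic = buf[off + 24] | buf[off + 25] << 8;
    return magic == 0x20b ? 64 : magic == 0x10b ? 32 : 0;
}

/* Use the registry WOW64 flag only when the image could not be classified. */
static int host_is_wow64(int bitness, int wow64_flag)
{
    return bitness ? bitness == 32 : wow64_flag;
}
/* Constructed PE32+ stub: "MZ", e_lfanew = 0x40, "PE\0\0", magic at 0x58. */
static const unsigned char sample_pe64[0x60] = { [0] = 'M', [1] = 'Z', [0x3c] = 0x40,
    [0x40] = 'P', [0x41] = 'E', [0x58] = 0x0b, [0x59] = 0x02 };

int main(void)
{
    char path[260];
    int ok = resolve_image_path("\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",
                                "C:\\windows", path, sizeof(path));
    int bits = pe_bitness(sample_pe64, sizeof(sample_pe64));
    printf("%s (resolved=%d): %d-bit, wow64 host=%d\n", path, ok, bits, host_is_wow64(bits, 1));
    return 0;
}
```

With the path resolved first, the 'ccHP' entry is classified as 64-bit even though its 'WOW64' value is 1; the flag decides only when no PE header can be read.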

https://bugs.winehq.org/show_bug.cgi?id=50431

Anastasius Focht <focht(a)gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://web.archive.org/web/20111104092310/http://spftrl.digitalriver.com/pub/symantec/tbyb/NAM/NAV10TBEN.exe
           Keywords|                            |download

https://bugs.winehq.org/show_bug.cgi?id=50431

Fabian Maurer <dark.shadow4(a)web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4(a)web.de