http://bugs.winehq.org/show_bug.cgi?id=59644 Bug ID: 59644 Summary: Enigma Virtual Box packed applications fail with file access errors since commit 35916176078 Product: Wine Version: 11.6 Hardware: x86-64 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: kernel32 Assignee: wine-bugs@list.winehq.org Reporter: a1678991@iroserver.net CC: jinoh.kang.kr@gmail.com Regression SHA1: 3591617607890a1443c4b0bc2586a27f0c24608d Distribution: ArchLinux Applications packed with Enigma Virtual Box (EVB) that use file virtualization fail to start on Wine since commit 3591617607890a14 ( "kernelbase: Replace FileAllInformation with FileStatInformation in GetFileInformationByHandle()". EVB embeds application files inside the executable and hooks NtQueryInformationFile to intercept file metadata queries for its virtual files. The hook handles known info classes including FileAllInformation (class 18) but does not handle the newer FileStatInformation (class 68). When the unrecognized class 68 passes through the hook, Wine's native handler queries the raw stand-in device handle and returns incorrect data. Steps to reproduce: 1. Obtain an application packed with Enigma Virtual Box that virtualizes files (application assets embedded inside executable, not on disk). A NW.js application with EVB packing is a common example. 2. Run the packed executable under Wine: WINEPREFIX=/path/to/prefix wine application.exe Expected results: The application starts normally. EVB's file virtualization works and the application can access its embedded files. Actual results: The application fails with file access errors. For NW.js applications this manifests as "UNKNOWN, unknown error" or "TypeError: Bad argument" because GetFileInformationByHandle returns incorrect file metadata. Regression test: Bisected to the exact commit. Three Wine builds tested 3 times each, each with its own dedicated clean WINEPREFIX (initialized with wineboot -i, no DLL overrides, no third-party wrappers): === 5641e4aa83b (parent of breaking commit) === Run 1: (no error) Run 2: (no error) Run 3: (no error) === 35916176078 (breaking commit — FileStatInformation) === Run 1: [err] Uncaught Error: UNKNOWN, unknown error 'S:\' Run 2: [err] Uncaught TypeError: Bad argument Run 3: [err] Uncaught Error: UNKNOWN, unknown error 'S:\' === 01c0792b42f (revert on top of Wine 11.6 504683b22d3) === Run 1: (no error) Run 2: (no error) Run 3: (no error) Analysis: EVB hooks NtQueryInformationFile with an inline JMP patch (0xE9). The hook dispatches on the FileInformationClass parameter. It handles FileBasicInformation (4), FileStandardInformation (5), and FileAllInformation (18), but does NOT handle FileStatInformation (68). EVB virtualizes files by returning a \Device\Null stand-in handle from NtCreateFile. When GetFileInformationByHandle uses class 18, EVB intercepts and returns correct virtual file attributes. When it uses class 68, EVB doesn't recognize it, the call falls through to Wine's native handler which queries the raw NUL device, and the returned metadata is meaningless. Confirmed by calling NtQueryInformationFile directly on an EVB stand-in handle with a sentinel-filled buffer: - Class 5 and 18: EVB intercepts, returns correct EndOfFile (17714 bytes), zero unwritten sentinel bytes - Class 68: EVB does not intercept, falls through, returns device attributes GetFileInformationByHandle in kernelbase is NOT hooked by EVB — it relies on intercepting the NtQueryInformationFile call that kernelbase makes internally. Proposed fix: Revert the FileStatInformation change in GetFileInformationByHandle back to FileAllInformation. If the original fix for Wine-Bug #46070 regresses, a more targeted fix for that specific case would be preferable to changing the info class globally. Test application characteristics: - PE32 (x86), 30.5 MB, 11 unnamed sections (Enigma Protector characteristic) - Entry point 0x0308fd9c inside writable .data section (EP unpacker stub) - Linker version 10.0, PE timestamp 2014-02-25 - Enigma Protector CA certificate issued 2016-01-27 (EP version circa 4.x-5.x) - Inner application: NW.js 0.12.3 (Chromium 41 / io.js 1.2 / V8 4.1) - Enigma Virtual Box virtualizes src/, node_modules/, package.json and other assets inside the executable Environment: - Arch Linux x86_64 (kernel 6.19.11) - Wine 11.6 (master at 504683b22d3) -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.