https://bugs.winehq.org/show_bug.cgi?id=37852
Bug ID: 37852 Summary: Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to start) Product: Wine Version: 1.7.33 Hardware: x86 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
This is a continuation of bug 30220.
No, we don't need to emulate I/O ... the 'opcode' at the crash address in https://bugs.winehq.org/show_bug.cgi?id=30220#c7 is actually ASCII string data.
The kernel driver is not only heavily obfuscated but also has its own imports resolver, which fails to cope with Wine's forwards to 'ntdll.dll'.
--- snip --- ... 0054670E 68 18FA5A00 PUSH 005AFA18 ; UNICODE "\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt" 00546713 8D45 DC LEA EAX,[EBP-24] 00546716 50 PUSH EAX 00546717 C1EF 40 SHR EDI,40 0054671A FF15 28F65A00 CALL DWORD PTR DS:[5AF628] 00546720 8D36 LEA ESI,[ESI] ... --- snip ---
The driver's own IAT, dumped from memory:
--- snip --- ... 005AF3FC 00000000 005AF400 F761EC0C ; hal.KfAcquireSpinLock 005AF404 F761ED98 ; hal.KfReleaseSpinLock 005AF408 F761EE21 ; hal.HalGetBusData 005AF40C F761EFFA ; hal.KeGetCurrentIrql 005AF410 F761E928 ; hal.WRITE_PORT_UCHAR 005AF414 F761E820 ; hal.READ_PORT_UCHAR 005AF418 F761ED10 ; hal.KfRaiseIrql 005AF41C F761EC8C ; hal.KfLowerIrql 005AF420 F761E770 ; hal.KeStallExecutionProcessor 005AF424 00000000 005AF428 7ECE39B4 ; ntoskrnl_exe.KeBugCheck 005AF42C 7ECECD0C ; ntoskrnl_exe.IofCallDriver 005AF430 7ECE42A4 ; ntoskrnl_exe.KeReadStateEvent 005AF434 7ECE2070 ; ntoskrnl_exe.IoCancelIrp 005AF438 7ECE3AE8 ; ntoskrnl_exe.KeDelayExecutionThread 005AF43C 7ECECA85 ; ntoskrnl_exe.IoGetDeviceObjectPointer 005AF440 7ECEBED8 ; ntoskrnl_exe.IoBuildDeviceIoControlRequest 005AF444 7ED1073A ; ASCII "ntdll.RtlIntegerToUnicodeString" 005AF448 7ED0FE0F ; ASCII "ntdll.RtlAppendUnicodeStringToString" 005AF44C 7ECECE21 ; ntoskrnl_exe.IoGetConfigurationInformation 005AF450 7ECED88E ; ntoskrnl_exe.ExAllocatePoolWithTag 005AF454 7ED0FF5C ; ASCII "ntdll.RtlCompareMemory" 005AF458 7ECEDEB8 ; ntoskrnl_exe.KeInitializeEvent 005AF45C 7ED116CE ; ASCII "ntdll.ZwQueryInformationProcess" 005AF460 7ECEEBFD ; ntoskrnl_exe.MmMapIoSpace 005AF464 7ECE5BE8 ; ntoskrnl_exe.ObReferenceObjectByPointer 005AF468 7ECE25C4 ; ntoskrnl_exe.IoFileObjectType 005AF46C 7ECEC823 ; ntoskrnl_exe.IoCreateSymbolicLink 005AF470 7ECEC45A ; ntoskrnl_exe.IoCreateDevice 005AF474 7ECEF361 ; ntoskrnl_exe.PsGetVersion 005AF478 7ECEC6BE ; ntoskrnl_exe.IoDeleteDevice 005AF47C 7ECEC906 ; ntoskrnl_exe.IoDeleteSymbolicLink 005AF480 7ECEE15C ; ntoskrnl_exe.KeInitializeSpinLock 005AF484 7ECEDF3F ; ntoskrnl_exe.KeInitializeMutex 005AF488 7ED11DD4 ; ASCII "msvcrt.memmove" 005AF48C 7ED117DF ; ASCII "ntdll.ZwQueryValueKey" 005AF490 7ECED2CB ; ntoskrnl_exe.IoReportResourceUsage 005AF494 7ECEEFF2 ; ntoskrnl_exe.MmUnmapIoSpace 005AF498 7ED1134F ; ASCII "ntdll.ZwEnumerateValueKey" 005AF49C 7ED114DB ; ASCII "ntdll.ZwOpenKey" 
005AF4A0 7ED119D9 ; ASCII "ntdll.ZwSetValueKey" 005AF4A4 7ECEF1F0 ; ntoskrnl_exe.ObfDereferenceObject 005AF4A8 7ECEDA29 ; ntoskrnl_exe.ExFreePool 005AF4AC 7ED1007D ; ASCII "ntdll.RtlCopyUnicodeString" 005AF4B0 7ED0FE34 ; ASCII "ntdll.RtlAppendUnicodeToString" 005AF4B4 7ED10B19 ; ASCII "ntdll.RtlQueryRegistryValues" 005AF4B8 7ED11DE3 ; ASCII "msvcrt.memset" 005AF4BC 7ED11E0A ; ASCII "msvcrt.sprintf" 005AF4C0 7ED11DC6 ; ASCII "msvcrt.memcpy" 005AF4C4 7ED0FDB0 ; ASCII "ntdll.RtlAnsiStringToUnicodeString" 005AF4C8 7ED1066D ; ASCII "ntdll.RtlInitAnsiString" 005AF4CC 7ECECDAC ; ntoskrnl_exe.IoGetRelatedDeviceObject 005AF4D0 7ECEF0D9 ; ntoskrnl_exe.ObReferenceObjectByHandle 005AF4D4 7ECEE3F4 ; ntoskrnl_exe.KeReleaseSemaphore 005AF4D8 7ECEBA2D ; ntoskrnl_exe.IoFreeIrp 005AF4DC 7ECEDE4C ; ntoskrnl_exe.KeGetCurrentThread 005AF4E0 7ECEB922 ; ntoskrnl_exe.IoAllocateIrp 005AF4E4 7ECEDB0D ; ntoskrnl_exe.ExInitializeResourceLite 005AF4E8 7ECE01AC ; ntoskrnl_exe.ExDeleteResourceLite 005AF4EC 7ECE4118 ; ntoskrnl_exe.KeLeaveCriticalRegion 005AF4F0 7ECDF184 ; ntoskrnl_exe.ExReleaseResourceLite 005AF4F4 7ECE3BC4 ; ntoskrnl_exe.KeEnterCriticalRegion 005AF4F8 7ECEB5A8 ; ntoskrnl_exe.IoReleaseCancelSpinLock 005AF4FC 7ECED768 ; ntoskrnl_exe.InterlockedExchange 005AF500 7ECEB538 ; ntoskrnl_exe.IoAcquireCancelSpinLock 005AF504 7ECE0020 ; ntoskrnl_exe.ExAcquireResourceExclusiveLite 005AF508 7ECEDDE0 ; ntoskrnl_exe.IoGetCurrentProcess 005AF50C 7ECE2A3C ; ntoskrnl_exe.IoIsSystemThread 005AF510 7ED11E5E ; ASCII "msvcrt.strlen" 005AF514 7ED111C1 ; ASCII "ntdll.ZwClose" 005AF518 7ECE2438 ; ntoskrnl_exe.IoDetachDevice 005AF51C 7ECEBD2A ; ntoskrnl_exe.IoFreeMdl 005AF520 7ECEEF82 ; ntoskrnl_exe.MmUnlockPages 005AF524 7ECE55E4 ; ntoskrnl_exe.MmUnmapLockedPages 005AF528 7ECE521C ; ntoskrnl_exe.MmMapLockedPages 005AF52C 7ECEEE8B ; ntoskrnl_exe.MmProbeAndLockPages 005AF530 7ECEBB3B ; ntoskrnl_exe.IoAllocateMdl 005AF534 7ED11BED ; ASCII "msvcrt._local_unwind2" 005AF538 7ED11BA4 ; ASCII 
"msvcrt._except_handler3" 005AF53C 7ECE4DFC ; ntoskrnl_exe.MmBuildMdlForNonPagedPool 005AF540 7ED10685 ; ASCII "ntdll.RtlInitString" 005AF544 7ED1168F ; ASCII "ntdll.ZwQueryInformationFile" 005AF548 7ECE4354 ; ntoskrnl_exe.KeReadStateSemaphore 005AF54C 7ECE067C ; ntoskrnl_exe.ExQueueWorkItem 005AF550 7ECEE0DE ; ntoskrnl_exe.KeInitializeSemaphore 005AF554 7ECEF2E3 ; ntoskrnl_exe.PsGetCurrentProcessId 005AF558 7ED11A69 ; ASCII "ntdll.ZwUnmapViewOfSection" 005AF55C 7ECE49DC ; ntoskrnl_exe.KeWaitForMultipleObjects 005AF560 7ECE0700 ; ntoskrnl_exe.ExRaiseException 005AF564 7ECEED07 ; ntoskrnl_exe.MmMapLockedPagesSpecifyCache 005AF568 7ED104B3 ; ASCII "ntdll.RtlFreeAnsiString" 005AF56C 7ED10DCC ; ASCII "ntdll.RtlUnicodeStringToAnsiString" 005AF570 7ECEEB67 ; ntoskrnl_exe.MmIsAddressValid 005AF574 7ECE5FDC ; ntoskrnl_exe.ProbeForRead 005AF578 7ED102B3 ; ASCII "ntdll.RtlEqualUnicodeString" 005AF57C 7ECE5B90 ; ntoskrnl_exe.ObOpenObjectByPointer 005AF580 7ED0F6FF ; ASCII "ntdll.DbgPrint" 005AF584 7ECE32D4 ; ntoskrnl_exe.IoSynchronousPageWrite 005AF588 7ECE2960 ; ntoskrnl_exe.IoGetTopLevelIrp 005AF58C 7ECEF478 ; ntoskrnl_exe.PsSetCreateProcessNotifyRoutine 005AF590 7ED11023 ; ASCII "ntdll.RtlWriteRegistryValue" 005AF594 7ECE6E20 ; ntoskrnl_exe.RtlCreateRegistryKey 005AF598 7ED0FF19 ; ASCII "ntdll.RtlCheckRegistryKey" 005AF59C 7ECE1F94 ; ntoskrnl_exe.IoAttachDeviceByPointer 005AF5A0 7ECE24BC ; ntoskrnl_exe.IoDeviceObjectType 005AF5A4 7ECEF268 ; ntoskrnl_exe.PsCreateSystemThread 005AF5A8 7ECE004C ; ntoskrnl_exe.ExAcquireResourceSharedLite 005AF5AC 7ECE68CC ; ntoskrnl_exe.PsProcessType 005AF5B0 7ECE6C68 ; ntoskrnl_exe.PsThreadType 005AF5B4 7ED113CD ; ASCII "ntdll.ZwFsControlFile" 005AF5B8 7ECE327C ; ntoskrnl_exe.IoStopTimer 005AF5BC 7ED104F4 ; ASCII "ntdll.RtlFreeUnicodeString" 005AF5C0 7ED11416 ; ASCII "ntdll.ZwLoadDriver" 005AF5C4 7ED11ABF ; ASCII "ntdll.ZwWriteFile" 005AF5C8 7ED11E50 ; ASCII "msvcrt.strcpy" 005AF5CC 7ED11E8A ; ASCII "msvcrt.strncpy" 005AF5D0 7ED11B30 ; ASCII 
"ntdll._alldiv" 005AF5D4 7ECDF33C ; ntoskrnl_exe.ExfInterlockedInsertTailList 005AF5D8 7ED11818 ; ASCII "ntdll.ZwReadFile" 005AF5DC 7ED102CF ; ASCII "ntdll.RtlExtendedIntegerMultiply" 005AF5E0 7ED10851 ; ASCII "ntdll.RtlLargeIntegerDivide" 005AF5E4 7ECDF3C0 ; ntoskrnl_exe.ExfInterlockedRemoveHeadList 005AF5E8 7ECEF572 ; ntoskrnl_exe.PsTerminateSystemThread 005AF5EC 7ECEE592 ; ntoskrnl_exe.KeSetPriorityThread 005AF5F0 7ECEE487 ; ntoskrnl_exe.KeQueryTimeIncrement 005AF5F4 7ED12FE8 ; OFFSET ntoskrnl_exe.KeTickCount 005AF5F8 7ED117C0 ; ASCII "ntdll.ZwQuerySystemInformation" 005AF5FC 7ECED800 ; ntoskrnl_exe.ExAllocatePool 005AF600 7ED112D9 ; ASCII "ntdll.ZwDeviceIoControlFile" 005AF604 7ED11215 ; ASCII "ntdll.ZwCreateFile" 005AF608 7ECEE506 ; ntoskrnl_exe.KeSetEvent 005AF60C 7ECEE67C ; ntoskrnl_exe.KeWaitForSingleObject 005AF610 7ECEE059 ; ntoskrnl_exe.KeReleaseMutex 005AF614 7ECEBAB6 ; ntoskrnl_exe.IoAllocateErrorLogEntry 005AF618 7ECE36C8 ; ntoskrnl_exe.IoWriteErrorLogEntry 005AF61C 7ECED650 ; ntoskrnl_exe.IofCompleteRequest 005AF620 7ED0FFA6 ; ASCII "ntdll.RtlCompareUnicodeString" 005AF624 7ED13000 ; OFFSET ntoskrnl_exe.KeServiceDescriptorTable 005AF628 7ED10699 ; ASCII "ntdll.RtlInitUnicodeString" 005AF62C 00000000 --- snip ---
Everything tagged 'ASCII' is an unresolved forwarded import: the IAT slot holds the address of the forwarder string ('ntdll.Xxx', 'msvcrt.Xxx') instead of the address of the target function.
The crash is due to 'ntdll.RtlInitUnicodeString' not being resolved: the CALL through DS:[5AF628] in the snippet above jumps to that slot's forwarder string, so the string bytes get executed as code.
$ sha1sum MTBen1610su.exe f457d13475a783a0d2fff5566c0279640ba26bc6 MTBen1610su.exe
$ du -sh MTBen1610su.exe 93M MTBen1610su.exe
$ wine --version wine-1.7.33-146-g102d893
Regards