https://bugs.winehq.org/show_bug.cgi?id=52059
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
          Component|-unknown                    |advapi32
             Status|UNCONFIRMED                 |NEW
                URL|                            |https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
           Keywords|                            |obfuscation
     Ever confirmed|0                           |1
            Summary|Non-installable program     |TestMem5 v0.12 reports 'To enable AWE, you must run with Administrator privileges!' on startup (unable to add 'SeLockMemoryPrivilege' due to 'LsaAddAccountRights' stub)
                   |needs Admin rights.         |
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
the app seems legit, although the original 'testmem.tz.ru' site/domain is flagged as dangerous by browsers/AV plugins.
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe0...
Relevant part of trace log:
--- snip ---
$ WINEDEBUG=+seh,+relay,+advapi,+server wine ./TM5.exe >>log.txt 2>&1
...
0104:Call KERNEL32.CreateProcessA(00448fe4 "Z:\home\focht\Downloads\TM5\TM5.exe",004490e4 " \r\x07",00000000,00000000,00000000,00000020,00000000,00000000,00448fa0,01fb8418) ret=00403613
...
013c: init_first_thread() = 0 { pid=0138, tid=013c, server_start=1d7e483224f8388 (-1.5113650), session_id=00000001, info_size=15826, machines={8664,014c} }
...
0104:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00403613
...
013c:Call KERNEL32.CreateThread(00000000,00000000,00404481,00000007,00000000,0044920c) ret=00404f68
...
0158: *fd* 14 <- 308
013c:Ret KERNEL32.CreateThread() retval=000000a0 ret=00404f68
...
0158:Call KERNEL32.LoadLibraryA(01f33c10 "bin\MT0.dll") ret=00403cb2
...
0158:Ret KERNEL32.LoadLibraryA() retval=021f0000 ret=00403cb2
0158:Call KERNEL32.GetProcAddress(021f0000,01f33c28 "MemManager") ret=00403d6c
0158:Ret KERNEL32.GetProcAddress() retval=021f245d ret=00403d6c
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000020,021cfba0) ret=021f121d
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000020,021cfba0) ret=7b044236
0158: open_token( handle=ffffffff, access=00000020, attributes=00000000, flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f121d
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f40f3,021cfb94) ret=021f1234
...
0158:trace:advapi:LookupPrivilegeValueW
--- snip ---
The log/trace was corrupted here - even in append mode. It tried to look up 'SeLockMemoryPrivilege'.
--- snip ---
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=021f124f
0158:Call ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0, get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000, privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
...
--- snip ---
This obviously fails because 'SeLockMemoryPrivilege' is by default not present in the token. The call to AdjustTokenPrivileges() can only enable privileges that you already have (but are masked).
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611...
The app then tries to add the privilege to the current user account:
--- snip ---
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000028,021cfb6c) ret=021f1061
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000028,021cfb6c) ret=7b044236
0158: open_token( handle=ffffffff, access=00000028, attributes=00000000, flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f1061
0158:Call advapi32.GetTokenInformation(000000a4,00000001,00000000,00000000,021cfb60) ret=021f107b
0158:Call ntdll.NtQueryInformationToken(000000a4,00000001,00000000,00000000,021cfb60) ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = BUFFER_TOO_SMALL { sid_len=28<invalid sid> }
0158:Ret ntdll.NtQueryInformationToken() retval=c0000023 ret=7b0443d4
0158:Call ntdll.RtlNtStatusToDosError(c0000023) ret=7b0443e1
0158:Ret ntdll.RtlNtStatusToDosError() retval=0000007a ret=7b0443e1
0158:Ret advapi32.GetTokenInformation() retval=00000000 ret=021f107b
0158:Call KERNEL32.GetProcessHeap() ret=021f1088
0158:Ret KERNEL32.GetProcessHeap() retval=00450000 ret=021f1088
0158:Call ntdll.RtlAllocateHeap(00450000,00000040,00000024) ret=021f1098
0158:Ret ntdll.RtlAllocateHeap() retval=00492fb0 ret=021f1098
0158:Call advapi32.GetTokenInformation(000000a4,00000001,00492fb0,00000024,021cfb60) ret=021f10af
0158:Call ntdll.NtQueryInformationToken(000000a4,00000001,00492fb0,00000024,021cfb60) ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = 0 { sid_len=28, sid={S-1-5-21-0-0-0-1000} }
0158:Ret ntdll.NtQueryInformationToken() retval=00000000 ret=7b0443d4
0158:Ret advapi32.GetTokenInformation() retval=00000001 ret=021f10af
0158:Call advapi32.LsaAddAccountRights(0000cafe,00492fb8,021cfb74,00000001) ret=021f10c6
0158:fixme:advapi:LsaAddAccountRights (0000CAFE,00492FB8,021CFB74,0x00000001) stub
0158:Ret advapi32.LsaAddAccountRights() retval=00000000 ret=021f10c6
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f4009,021cfb98) ret=021f10da
0158:trace:advapi:LookupPrivilegeValueW L"",L"SeLockMemoryPrivilege",021CFB98
...
0158:trace:advapi:LookupPrivilegeValueW L"" -> 00000000-00000004
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=021f124f
0158:Call ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0, get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000, privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
0158:Call user32.MessageBoxA(00000000,021f4060 "To enable AWE, you must run with\r\nAdministrator privileges!",021f404b "TestMem5, AWE module",00200040) ret=021f24dd
--- snip ---
Since 'LsaAddAccountRights' is a stub, the privilege can't be added to the user account.
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611...
--- snip ---
/******************************************************************************
 * LsaAddAccountRights [ADVAPI32.@]
 *
 */
NTSTATUS WINAPI LsaAddAccountRights(
    LSA_HANDLE policy,
    PSID sid,
    PLSA_UNICODE_STRING rights,
    ULONG count)
{
    FIXME("(%p,%p,%p,0x%08x) stub\n", policy, sid, rights, count);
    return STATUS_SUCCESS;
}
--- snip ---
The sequence is pretty similar to what is described here:
https://web.archive.org/web/20211128192224/https://stackoverflow.com/questio...
Poking a bit more reveals that the app will later make use of the AllocateUserPhysicalPages() API, which requires this privilege.
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-al...
--- quote --- Remarks
The AllocateUserPhysicalPages function is used to allocate physical memory that can later be mapped within the virtual address space of the process. The SeLockMemoryPrivilege privilege must be enabled in the caller's token or the function will fail with ERROR_PRIVILEGE_NOT_HELD. For more information, see Privilege Constants. ... --- quote ---
You could probably do a quick hack by adding this privilege to the default (admin) token if you can build Wine from source, but it won't get you far. The AWE APIs are stubs in Wine:

* AllocateUserPhysicalPages
* FreeUserPhysicalPages
* MapUserPhysicalPages
Stable download link via Internet Archive:
https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe0...
$ sha1sum tm5.rar
f141a919d7d1cfb1baaea671fb6dcd3bf213cdf7  tm5.rar

$ du -sh tm5.rar
24K     tm5.rar

$ sha1sum TM5.exe
13122d07d828637943ca7e8043f77beca4e76928  TM5.exe

$ sha1sum bin/MT0.dll
21c3a60a648615317421be93432697253a3c7ff3  bin/MT0.dll
Regards
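Added example (editor's note, not part of the bug report and neither Wine's nor TestMem5's code): a portable C model of the semantics the trace in comment #3 shows. It encodes three facts a practitioner hitting this should keep apart: AdjustTokenPrivileges can only toggle privileges already present in the token and reports STATUS_NOT_ALL_ASSIGNED otherwise; LsaAddAccountRights edits the account's rights assignment, not any token that already exists, so even on real Windows the app's retry on the same token cannot succeed and a token from a new logon is needed; and AllocateUserPhysicalPages requires the privilege to be both present and enabled. It also shows the check the app (and any caller) has to make: AdjustTokenPrivileges returns TRUE in the trace, and only GetLastError() == ERROR_NOT_ALL_ASSIGNED (0x514) reveals the failure. The struct layouts, the logon() helper and the constructed account holding SeChangeNotifyPrivilege and SeShutdownPrivilege are assumptions for illustration; the LUID and error-code constants are the winnt.h values, which match the trace (SeLockMemoryPrivilege has LUID 4).

```c
/* Added example for this bug report (neither Wine's nor the app's code): a portable
 * C model of the account-rights vs. token-privilege semantics behind the trace.
 * Assumed: LUID values as in winnt.h (SeLockMemoryPrivilege == 4, matching
 * "luid=0000000000000004" above), one token per logon, at most MAX_PRIVS entries. */
#include <stdint.h>
#include <stdio.h>

#define SE_LOCK_MEMORY_PRIVILEGE     4u
#define SE_SHUTDOWN_PRIVILEGE       19u
#define SE_CHANGE_NOTIFY_PRIVILEGE  23u
#define SE_PRIVILEGE_ENABLED       0x2u
#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_ALL_ASSIGNED  0x00000106u /* NtAdjustPrivilegesToken retval in the trace */
#define ERROR_SUCCESS            0u
#define ERROR_NOT_ALL_ASSIGNED   1300u       /* 0x514, the GetLastError() value in the trace */
#define ERROR_PRIVILEGE_NOT_HELD 1314u       /* 0x522, per the AllocateUserPhysicalPages remark */
#define MAX_PRIVS 8

struct priv    { uint32_t luid; uint32_t attr; };
/* Account policy (what LsaAddAccountRights edits) is deliberately kept apart from
 * the logon token (what AdjustTokenPrivileges edits). */
struct account { uint32_t rights[MAX_PRIVS]; int count; };
struct token   { struct priv privs[MAX_PRIVS]; int count; };

static int token_find(const struct token *t, uint32_t luid)
{
    for (int i = 0; i < t->count; i++)
        if (t->privs[i].luid == luid) return i;
    return -1;
}

/* LsaAddAccountRights model: edits the account record only; tokens already
 * issued to the account are untouched, so the right shows up at the next logon. */
uint32_t lsa_add_account_rights(struct account *a, uint32_t luid)
{
    for (int i = 0; i < a->count; i++)
        if (a->rights[i] == luid) return STATUS_SUCCESS;
    if (a->count == MAX_PRIVS) return 0xC000009Au; /* STATUS_INSUFFICIENT_RESOURCES */
    a->rights[a->count++] = luid;
    return STATUS_SUCCESS;
}

/* Logon model: a fresh token lists every right the account holds at that moment,
 * present but disabled (the normal state for SeLockMemoryPrivilege). */
void logon(const struct account *a, struct token *t)
{
    t->count = 0;
    for (int i = 0; i < a->count; i++)
        t->privs[t->count++] = (struct priv){ a->rights[i], 0 };
}

/* NtAdjustPrivilegesToken model: only privileges the token already holds can be
 * toggled; any absent one turns the result into STATUS_NOT_ALL_ASSIGNED. */
uint32_t adjust_token_privileges(struct token *t, const struct priv *req, int n)
{
    int missing = 0;
    for (int i = 0; i < n; i++) {
        int idx = token_find(t, req[i].luid);
        if (idx < 0) { missing = 1; continue; }
        if (req[i].attr & SE_PRIVILEGE_ENABLED) t->privs[idx].attr |= SE_PRIVILEGE_ENABLED;
        else                                    t->privs[idx].attr &= ~SE_PRIVILEGE_ENABLED;
    }
    return missing ? STATUS_NOT_ALL_ASSIGNED : STATUS_SUCCESS;
}

uint32_t rtl_nt_status_to_dos_error(uint32_t status)
{
    if (status == STATUS_SUCCESS)          return ERROR_SUCCESS;
    if (status == STATUS_NOT_ALL_ASSIGNED) return ERROR_NOT_ALL_ASSIGNED;
    return 317u; /* ERROR_MR_MID_NOT_FOUND: no mapping in this model */
}

/* Precondition quoted from the AllocateUserPhysicalPages docs: the privilege must
 * be present AND enabled in the caller's token. */
uint32_t allocate_user_physical_pages(const struct token *t)
{
    int idx = token_find(t, SE_LOCK_MEMORY_PRIVILEGE);
    if (idx < 0 || !(t->privs[idx].attr & SE_PRIVILEGE_ENABLED)) return ERROR_PRIVILEGE_NOT_HELD;
    return ERROR_SUCCESS;
}

/* MT0.dll's sequence, condensed: enable, grant the right, retry on the SAME token.
 * AdjustTokenPrivileges returns TRUE throughout the trace; only GetLastError()
 * exposes the failure, and that Win32 error is what this returns. */
uint32_t testmem_enable_awe(struct account *a, struct token *t)
{
    struct priv want = { SE_LOCK_MEMORY_PRIVILEGE, SE_PRIVILEGE_ENABLED };
    if (adjust_token_privileges(t, &want, 1) == STATUS_SUCCESS) return ERROR_SUCCESS;
    lsa_add_account_rights(a, SE_LOCK_MEMORY_PRIVILEGE);
    return rtl_nt_status_to_dos_error(adjust_token_privileges(t, &want, 1));
}

int main(void)
{
    struct account user = { { SE_CHANGE_NOTIFY_PRIVILEGE, SE_SHUTDOWN_PRIVILEGE }, 2 }; /* constructed */
    struct token tok;
    for (int run = 0; run < 2; run++) {   /* run 1: same token; run 2: token from a new logon */
        logon(&user, &tok);
        uint32_t err = testmem_enable_awe(&user, &tok);
        printf("logon %d: GetLastError()=%u, AWE error=%u\n", run + 1, err, allocate_user_physical_pages(&tok));
    }
    return 0;
}
```

The first run reproduces the trace: GetLastError() ends up as 1300 (0x514) although the API returned TRUE, and an AWE allocation would fail with ERROR_PRIVILEGE_NOT_HELD. The second run only succeeds because logon() built a new token after the right was granted; on Windows the equivalent is logging off and on (or obtaining a fresh logon token) after assigning "Lock pages in memory", which is also why the app's retry on the same token is futile regardless of the Wine stub.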