https://bugs.winehq.org/show_bug.cgi?id=29460
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
            Summary|Ruijie Supplicant           |Multiple kernel drivers
                   |Su1xDriver.sys crashes in   |crash in entry due to
                   |driver entry due to         |ntoskrnl.exe
                   |ntoskrnl.exe                |IoGetCurrentProcess() being
                   |IoGetCurrentProcess() being |a stub (Ruijie Supplicant
                   |a stub                      |Su1xDriver.sys, nProtect
                   |                            |GameGuard/Tachyon Kernel
                   |                            |Control Driver)
--- Comment #6 from Anastasius Focht focht@gmx.net ---

Hello folks,
revisiting, still present.
Refining summary to target more DRM schemes.
Also needed for nProtect GameGuard Personal 3.0
http://fs2.download82.com/software/bbd8ff9dba17080c0c121804efbd61d5/nprotect...
--- snip ---
...
004a:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\TKCtrl2k.sys" at 0x740000: native
004a:Call PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil))
...
004a:Ret PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
004a:Ret KERNEL32.LoadLibraryW() retval=00740000 ret=7effaaa4
...
004a:Call driver init 0x769b3f (obj=0x11c960,str=L"\Registry\Machine\System\CurrentControlSet\Services\TKCtrl")
004a:Call msvcrt.memset(00757760,00000000,0000a5e0) ret=00769ab4
004a:Ret msvcrt.memset() retval=00757760 ret=00769ab4
004a:Call ntdll.RtlInitUnicodeString(0063e7a0,00755fb0 L"\Device\TKCtrl") ret=00740bd5
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a0 ret=00740bd5
004a:Call ntoskrnl.exe.IoCreateDevice(0011c960,00000000,0063e7a0,00000022,00000000,00000000,0063e79c) ret=00740bef
004a:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ecdff91
004a:Ret ntdll.RtlAllocateHeap() retval=0011cb20 ret=7ecdff91
004a:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00740bef
004a:Call ntdll.RtlInitUnicodeString(0063e7a8,00755f80 L"\DosDevices\TKCtrl") ret=00740c2d
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a8 ret=00740c2d
004a:Call ntoskrnl.exe.IoCreateSymbolicLink(0063e7a8,0063e7a0) ret=00740c3b
004a:Call ntdll.NtCreateSymbolicLinkObject(0063e724,000f0001,0063e70c,0063e7a0) ret=7ece02ee
004a:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece02ee
004a:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00740c3b
004a:Call ntoskrnl.exe.PsGetCurrentProcessId() ret=007404d7
004a:Ret ntoskrnl.exe.PsGetCurrentProcessId() retval=00000044 ret=007404d7
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=007404e2
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=007404e2
004a:Call hal.KeGetCurrentIrql() ret=00753aec
004a:fixme:ntoskrnl:KeGetCurrentIrql stub!
004a:Ret hal.KeGetCurrentIrql() retval=00000000 ret=00753aec
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=00753afd
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=00753afd
004a:Call msvcrt._strnicmp(00756b80 "System",00000000,00000006) ret=00753b2e
004a:Ret msvcrt._strnicmp() retval=7fffffff ret=00753b2e
004a:Call msvcrt._strnicmp(00756b80 "System",00000001,00000006) ret=00753b2e
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf753e253 ip=f753e253 tid=004a
004a:trace:seh:raise_exception info[0]=00000000
004a:trace:seh:raise_exception info[1]=00000001
004a:trace:seh:raise_exception eax=00000001 ebx=f75b1000 ecx=00000001 edx=00756b80 esi=0063e764 edi=0063e72c
004a:trace:seh:raise_exception ebp=00000006 esp=0063e6a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
004a:trace:seh:call_vectored_handlers calling handler at 0x7ecdd005 code=c0000005 flags=0
004a:trace:seh:call_vectored_handlers handler at 0x7ecdd005 returned 0
004a:trace:seh:call_stack_handlers calling handler at 0x7bcad785 code=c0000005 flags=0
...
--- snip ---
Driver code:
--- snip ---
007418DA SUB ESP,8
007418DD CALL DWORD PTR DS:[<&ntoskrnl.IoGetCurrentProcess>]
007418E3 MOV DWORD PTR SS:[EBP-8],EAX               ; PEPROCESS
007418E6 MOV DWORD PTR SS:[EBP-4],0
007418ED JMP SHORT TKFWFLT.007418F8
007418EF MOV EAX,DWORD PTR SS:[EBP-4]
007418F2 ADD EAX,1
007418F5 MOV DWORD PTR SS:[EBP-4],EAX
007418F8 CMP DWORD PTR SS:[EBP-4],3000
007418FF JGE SHORT TKFWFLT.0074192E
00741901 PUSH 6                                     ; len
00741903 MOV ECX,DWORD PTR SS:[EBP-8]
00741906 ADD ECX,DWORD PTR SS:[EBP-4]
00741909 PUSH ECX
0074190A PUSH TKFWFLT.007418D0                      ; ASCII "System"
0074190F CALL DWORD PTR DS:[<&ntoskrnl._strnicmp>]  ; msvcrt.MSVCRT__strnicmp
00741915 ADD ESP,0C
00741918 TEST EAX,EAX
0074191A JNZ SHORT TKFWFLT.0074192C
0074191C MOV EDX,DWORD PTR SS:[EBP-4]
0074191F MOV DWORD PTR DS:[74F820],EDX
00741925 MOV EAX,DWORD PTR DS:[74F820]
0074192A JMP SHORT TKFWFLT.00741930
0074192C JMP SHORT TKFWFLT.007418EF
0074192E XOR EAX,EAX
00741930 MOV ESP,EBP
00741932 POP EBP
00741933 RETN
--- snip ---
Process name offset
--- snip ---
#include <ntddk.h>

#define SYSNAME "System"

/* Scan the current EPROCESS byte by byte for the "System" string to locate the
 * ImageFileName offset. Assumes the caller runs in the System process (as in
 * DriverEntry) and that PsGetCurrentProcess()/IoGetCurrentProcess() returns a
 * real object; Wine's stub returns NULL, so the loop reads from address 0.
 * A result of 0 is ambiguous: it is both "not found" and a valid offset. */
ULONG GetProcessNameOffset(VOID)
{
    PEPROCESS curproc;
    int i;

    curproc = PsGetCurrentProcess();
    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (!strncmp(SYSNAME, (PCHAR)curproc + i, strlen(SYSNAME))) {
            return i;
        }
    }
    return 0;
}
--- snip ---
Anyway, the approach as seen in these "production" drivers is highly questionable. There are lengthy (old) threads on osronline.com stating this is completely fragile and subject to breaking at any time.
$ sha1sum nProtect-GameGuard_Personal-3.0_3745985868.exe
0dd17d9fbb9c6ee755ace60023631a1e1a7d60e9  nProtect-GameGuard_Personal-3.0_3745985868.exe

$ du -sh nProtect-GameGuard_Personal-3.0_3745985868.exe
1.7M    nProtect-GameGuard_Personal-3.0_3745985868.exe

$ wine --version
wine-2.14-50-g797a746fc2
Regards
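The scan the comment above dissects, rebuilt as a user-mode model so the failure mode can be exercised without a kernel. This is an added example; it is not code from the bug report, from Wine, or from the TKCtrl/Su1xDriver drivers. The object layout is constructed (a filler blob with "System" planted at an assumed offset of 0x174, a 4096-byte page size, and helper names such as make_fake_process and driver_entry_model are all choices made for the example). It shows the driver-style byte-walk finding the name offset, the same walk's lack of any NULL or length check, and a hardened variant that refuses a NULL base (Wine's stubbed IoGetCurrentProcess()), bounds the compare to the object's size, and returns -1 instead of the ambiguous 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode model of the "process name offset" scan from the bug report.
 * Nothing here is driver or Wine code; the object layout is constructed. */

#define SYSNAME        "System"
#define X86_PAGE_SIZE  4096
#define SCAN_LIMIT     (3 * X86_PAGE_SIZE)   /* CMP [EBP-4],3000 in the disassembly */

/* Assumed offset of the ImageFileName bytes inside the stand-in object.
 * Chosen for the example only; it is not a real EPROCESS layout. */
#define FAKE_NAME_OFFSET 0x174

/* Build a stand-in for the System process object: deterministic filler that
 * never spells "System", with the NUL-padded name planted at FAKE_NAME_OFFSET. */
static uint8_t *make_fake_process(size_t len)
{
    if (len < FAKE_NAME_OFFSET + sizeof(SYSNAME))
        return NULL;
    uint8_t *blob = malloc(len);
    if (!blob)
        return NULL;
    for (size_t i = 0; i < len; i++)
        blob[i] = (uint8_t)(0xA5 ^ (i & 0xff));  /* 'S' is always followed by 0x52, not 'y' */
    memcpy(blob + FAKE_NAME_OFFSET, SYSNAME, sizeof(SYSNAME));
    return blob;
}

/* The scan as TKCtrl/Su1xDriver do it (GetProcessNameOffset above): step one
 * byte at a time from the object base comparing against "System". No check on
 * the base pointer, and the only bound is the 3-page limit, so with a stubbed
 * IoGetCurrentProcess() returning NULL the compares hit addresses 0, 1, 2, ...
 * which is the c0000005 at _strnicmp(..., 00000001, 6) in the trace. Calling
 * this with NULL faults in user mode just the same, so the demo never does. */
static long scan_name_offset_as_driver(const uint8_t *proc)
{
    for (long i = 0; i < SCAN_LIMIT; i++)
        if (strncmp(SYSNAME, (const char *)proc + i, strlen(SYSNAME)) == 0)
            return i;
    return 0;   /* ambiguous: 0 is also a valid offset */
}

/* Hardened variant: reject a NULL base, bound the walk by the size the caller
 * knows the object has, never compare past the end, and report failure as -1. */
static long scan_name_offset_checked(const uint8_t *proc, size_t proc_len)
{
    const size_t n = strlen(SYSNAME);
    if (proc == NULL || proc_len < n)
        return -1;
    size_t limit = proc_len < SCAN_LIMIT ? proc_len : SCAN_LIMIT;
    for (size_t i = 0; i + n <= limit; i++)
        if (memcmp(SYSNAME, proc + i, n) == 0)
            return (long)i;
    return -1;
}

/* Driver-style scan run against the constructed object. */
static long demo_driver_scan(void)
{
    uint8_t *proc = make_fake_process(SCAN_LIMIT);
    if (!proc)
        return -1;
    long off = scan_name_offset_as_driver(proc);
    free(proc);
    return off;
}

/* Model of the DriverEntry path: stub_returns_null=1 plays Wine's stubbed
 * IoGetCurrentProcess(); 0 plays a kernel that hands back a real object. */
static long driver_entry_model(int stub_returns_null)
{
    uint8_t *proc = stub_returns_null ? NULL : make_fake_process(SCAN_LIMIT);
    long off = scan_name_offset_checked(proc, proc ? SCAN_LIMIT : 0);
    free(proc);
    return off;
}

int main(void)
{
    printf("driver-style scan:  offset 0x%lx\n", demo_driver_scan());
    printf("stubbed kernel:     %ld (refused instead of faulting)\n", driver_entry_model(1));
    printf("real kernel model:  offset 0x%lx\n", driver_entry_model(0));
    return 0;
}
```

The point of the checked variant is not that a driver should scan EPROCESS more carefully; as the comment says, the technique itself is fragile. It is that a NULL from a stubbed or failing kernel export must be treated as an error before the pointer is used as a base address, which is exactly the check the disassembly lacks between the CALL to IoGetCurrentProcess and the first _strnicmp.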