https://bugs.winehq.org/show_bug.cgi?id=45655
Bug ID: 45655
Summary: Acronis Storage Filter Management Driver 'fltsrv.sys' crashes on unimplemented function 'ntoskrnl.exe.DbgQueryDebugFilterState' in trace mode
Product: Wine
Version: 3.13
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---

Hello folks,
as it says.

--- snip ---
...
0028:Call driver init 0x789a4c (obj=0x11ccd0,str=L"\Registry\Machine\System\CurrentControlSet\Services\fltsrv")
...
0028:Call ntoskrnl.exe.RtlInitUnicodeString(0065fb3c,00792408 L"EnableTrace") ret=007858d1
0028:Call ntdll.RtlInitUnicodeString(0065fb3c,00792408 L"EnableTrace") ret=7bc813a3
0028:Ret ntdll.RtlInitUnicodeString() retval=0065fb3c ret=7bc813a3
0028:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0065fb3c ret=007858d1
0028:Call ntoskrnl.exe.ZwOpenKey(0065fa98,00000001,0065fa70) ret=00790c21
0028:Call ntdll.NtOpenKey(0065fa98,00000001,0065fa70) ret=7bc813a3
0028:trace:reg:open_key ((nil),L"\Registry\Machine\System\CurrentControlSet\Services\fltsrv\Parameters",1,0x65fa98)
0028:trace:reg:open_key <- 0x44
0028:Ret ntdll.NtOpenKey() retval=00000000 ret=7bc813a3
0028:Ret ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=00790c21
0028:Call ntoskrnl.exe.ZwQueryValueKey(00000044,0065fa2c,00000002,0065fa60,00000014,0065fa34) ret=00790c86
0028:Call ntdll.NtQueryValueKey(00000044,0065fa2c,00000002,0065fa60,00000014,0065fa34) ret=7bc813a3
0028:trace:reg:NtQueryValueKey (0x44,L"EnableTrace",2,0x65fa60,20)
0028:Ret ntdll.NtQueryValueKey() retval=00000000 ret=7bc813a3
0028:Ret ntoskrnl.exe.ZwQueryValueKey() retval=00000000 ret=00790c86
0028:Call ntoskrnl.exe.ZwClose(00000044) ret=00790b84
0028:Call ntdll.NtClose(00000044) ret=7bc813a3
0028:Ret ntdll.NtClose() retval=00000000 ret=7bc813a3
0028:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=00790b84
...
0028:Call hal.KeGetCurrentIrql() ret=0078914f
0028:fixme:ntoskrnl:KeGetCurrentIrql stub!
0028:Ret hal.KeGetCurrentIrql() retval=00000000 ret=0078914f
0028:Call hal.KeGetCurrentIrql() ret=00785e7f
0028:fixme:ntoskrnl:KeGetCurrentIrql stub!
0028:Ret hal.KeGetCurrentIrql() retval=00000000 ret=00785e7f
0028:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x11cf04) stub!
0028:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x11cf04 0) stub!
0028:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065faf4) ret=7e98b32d
0028:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b44733b ip=7b44733b tid=0028
0028:trace:seh:raise_exception info[0]=7e98b360
0028:trace:seh:raise_exception info[1]=7e98baeb
wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.DbgQueryDebugFilterState, aborting
--- snip ---

One has to explicitly enable trace mode by adding the following registry key:

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fltsrv\Parameters]
"EnableTrace"=dword:00000001
--- snip ---

Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...

--- snip ---
114 @ stub DbgQueryDebugFilterState
--- snip ---

Prototype:
https://github.com/processhacker/processhacker/blob/master/phnt/include/ntdb...

--- snip ---
NTSYSAPI
NTSTATUS
NTAPI
DbgQueryDebugFilterState(
    _In_ ULONG ComponentId,
    _In_ ULONG Level
    );
--- snip ---

It's enough to dump the parameters and return 'STATUS_NOT_IMPLEMENTED'. With that in place the driver is a bit more verbose using 'ntdll:vDbgPrintExWithPrefix()'.

--- snip ---
...
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x112774, 0
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x1126bc) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x1126bc 0) stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x1126bc) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x1126bc 0) stub!
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Trace:driver.cpp(37):OnLoad: passed...
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x14883c, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x148874, 0
0027:fixme:ntoskrnl:ObQueryNameString (0x1488a0 0x148988 128 0x65fa94) stub
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x148994, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x14878c, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x1487d0, 0
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Version=2227, DeviceNotificationDisabled=0
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x1
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: status=0xC0000002
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Trace:driver.cpp(56):OnUnload: passed...
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x14865c) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x14865c 0) stub!
0027:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x148994, 0, 0, 0, (nil)
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d (nil)
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Expression 'LockWithStatus()' failed with status 0xc0000002, Source File: threading\mutex.cpp, line 32
...
--- snip ---

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\windows\system32\drivers\fltsrv.sys
File Type : 32-Bit Driver (BAD checksum - won't load!), Good Checksum = 01ED8Bh
Size : 0123744 (01E360h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT)
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | PE Header | - | Offset: 0x000000F0 | VA: 0x004000F0 | -
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | DebugDirectory | - | Offset: 0x000139B4 | VA: 0x004151B4 | -
-> File Appears to be Digitally Signed @ Offset 017A00h, size : 06960h / 026976 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 2 recorded... 1 invalid addresses)
[!] * table may be compressed / encrypted *
[LoadConfig] CodeIntegrity -> Flags 0x5352 | Catalog 0x5344 (21316) | Catalog Offset 0x1E431CED | Reserved 0x4EDC114E
[LoadConfig] GuardAddressTakenIatEntryTable 0x356CB182 | Count 0x821065B8 (2182112696)
[LoadConfig] GuardLongJumpTargetTable 0x1 | Count 0x325C3A4B (844905035)
[LoadConfig] HybridMetadataPointer 0x5C373232 | DynamicValueRelocTable 0x6E72656B
[LoadConfig] FailFastIndirectProc 0x775C6C65 | FailFastPointer 0x2E5C6E69
[LoadConfig] UnknownZero1 0x7074756F
[File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004)
[Entrypoint Section Entropy] : 6.66 (section #0) ".text " | Size : 0x13308 (78600) byte(s)
[DllCharacteristics] -> Flag : (0x0140) -> ASLR | DEP
[SectionCount] 6 (0x6) | ImageSize 0x1C000 (114688) byte(s)
[VersionInfo] Company Name : Acronis International GmbH
[VersionInfo] Product Name : Acronis Storage Filter Management
[VersionInfo] Product Version : 1.3.0.2227
[VersionInfo] File Description : Acronis Storage Filter Management Driver
[VersionInfo] File Version : 1.3.0.2227
[VersionInfo] Original FileName : fltsrv.sys
[VersionInfo] Internal Name : fltsrv
[VersionInfo] Version Comments : Acronis Storage Filter Management
[VersionInfo] Legal Trademarks : Acronis International GmbH. All rights reserved.
[VersionInfo] Legal Copyrights : Copyright © Acronis International GmbH. 2002-2013.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[Debug Info] (record 1 of 1) (file offset 0x139B0)
Characteristics : 0x0 | TimeDateStamp : 0x5638DF2A (Tue 03rd Nov 2015 16:22:02 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x4C (76)
AddressOfRawData : 0x166A4 | PointerToRawData : 0x14EA4
CvSig : 0x53445352 | SigGuid 1E431CED-114E-4EDC-82B16C35B8651082
Age : 0x1 (1) | Pdb : K:\2227\kernel\win.output\Win32\Release\fltsrv.pdb
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.247 Second(s) [0000000F7h (247) tick(s)] [135 of 580 scan(s) done]
--- snip ---

$ sha1sum ADD12_trial_en-US.exe
da5cd4fb2b457b86bc9a76b0fafd96ceec5608e6e ADD12_trial_en-US.exe

$ du -sh ADD12_trial_en-US.exe
293M ADD12_trial_en-US.exe

$ wine --version
wine-3.13-318-gccf6211c0a

Regards
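
A triage sketch for the failure described above, added here as an example; it is not part of the original report or of Wine. It pulls the aborting import out of a relay trace, checks it against `stub` entries in spec-file text, and lists the registry values read before the abort. `TRACE` is a constructed excerpt built from lines of this report, `SPEC` holds the report's stub line plus one constructed entry, and the names `triage` and `spec_stubs` are hypothetical.

```python
import re

# Constructed excerpt: lines copied from the trace in this report.
TRACE = r"""0028:trace:reg:open_key ((nil),L"\Registry\Machine\System\CurrentControlSet\Services\fltsrv\Parameters",1,0x65fa98)
0028:trace:reg:NtQueryValueKey (0x44,L"EnableTrace",2,0x65fa60,20)
0028:fixme:ntoskrnl:KeGetCurrentIrql stub!
0028:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065faf4) ret=7e98b32d
wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.DbgQueryDebugFilterState, aborting
"""

# First line is the spec entry quoted in the report; second is constructed.
SPEC = "@ stub DbgQueryDebugFilterState\n@ stdcall RtlInitUnicodeString(ptr wstr)\n"

ABORT_RE = re.compile(
    r"wine: Call from (0x[0-9a-f]+) to unimplemented function (\S+)\.(\w+), aborting")
KEY_RE = re.compile(r'trace:reg:open_key \([^,]*,L"([^"]*)"')
VALUE_RE = re.compile(r'trace:reg:NtQueryValueKey \(0x[0-9a-f]+,L"([^"]*)"')


def spec_stubs(spec_text):
    """Return the export names declared as 'stub' in winebuild spec text."""
    names = set()
    for line in spec_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[1] == "stub":
            # Skip optional -flags between the type and the export name.
            names.update(f for f in fields[2:] if not f.startswith("-"))
    return names


def triage(trace, spec_text):
    """Summarise the first unimplemented-function abort, or None if absent."""
    last_key, values = None, []
    for line in trace.splitlines():
        if m := KEY_RE.search(line):
            last_key = m.group(1)          # most recently opened key path
        elif m := VALUE_RE.search(line):
            values.append((last_key, m.group(1)))
        elif m := ABORT_RE.search(line):
            caller, module, func = m.groups()
            return {"module": module, "function": func, "caller": caller,
                    "spec_stub": func in spec_stubs(spec_text),
                    "registry_values_read": values}
    return None


if __name__ == "__main__":
    print(triage(TRACE, SPEC))
```
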