https://bugs.winehq.org/show_bug.cgi?id=39406
Anastasius Focht focht@gmx.net changed:
What    | Removed | Added
Summary | LabVIEW 201x CVI kernel driver 'cvintdrv.sys' crashes due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure) | Multiple kernel drivers crash due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)(LabVIEW 201x CVI 'cvintdrv.sys', F-Secure BlackLight Engine 2.2 'fsbldrv.sys')
URL     | https://web.archive.org/web/20181022065706/http://download.ni.com/evaluation/labview/ekit/other/downloader/2014LV-WinEng.exe | https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
--- Comment #4 from Anastasius Focht focht@gmx.net ---

Hello folks,

I've found another, much smaller download for reproducing:
F-Secure BlackLight Engine 2.2.x (Rootkit scanner) from bug 21038
Stable download via Internet Archive:
https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus...
To extract/debug the driver standalone, set a breakpoint on StartServiceA() and force quit. This prevents the "temp" rootkit detection helper driver/service binary from getting deleted immediately upon failure/unload.
Service registry entry:
--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fsbl-standalone]
"DisplayName"="F-Secure BlackLight Beta Engine Driver"
"ErrorControl"=dword:00000001
"ImagePath"="C:\users\focht\Temp\F-Secure\BlackLight\fsbldrv.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
--- snip ---
Manually start:
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+loaddll wine net start fsbl-standalone > log.txt 2>&1
...
0108:trace:ntoskrnl:load_driver loading driver L"C:\users\focht\Temp\F-Secure\BlackLight\fsbldrv.sys"
0108:Call KERNEL32.LoadLibraryW(000433b0 L"C:\users\focht\Temp\F-Secure\BlackLight\fsbldrv.sys") ret=0032606e
...
0108:trace:loaddll:build_module Loaded L"C:\users\focht\Temp\F-Secure\BlackLight\fsbldrv.sys" at 0000000000D60000: native
0108:Call LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
...
0108:trace:ntoskrnl:ldr_notify_callback loading L"fsbldrv.sys"
...
0108:trace:ntoskrnl:ldr_notify_callback relocating from 0000000000010000-000000000001D000 to 0000000000D60000-0000000000D6D000
...
0108:Ret LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
0108:Ret ntdll.LdrLoadDll() retval=00000000 ret=7b020b30
...
0108:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e
...
0108:Call driver init 0000000000D6A010 (obj=0000000000043200,str=L"\Registry\Machine\System\CurrentControlSet\Services\fsbl-standalone")
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D6A03C ip=0000000000D6A03C tid=0108
0108:trace:seh:dispatch_exception info[0]=0000000000000000
0108:trace:seh:dispatch_exception info[1]=0000000000000320
0108:trace:seh:dispatch_exception rax=0000000000000320 rbx=0000000000d6a010 rcx=0000000000043200 rdx=0000000000043368
0108:trace:seh:dispatch_exception rsi=000000007b6038a8 rdi=00000000000433b0 rbp=0000000000c3f890 rsp=0000000000c3f808
0108:trace:seh:dispatch_exception r8=0000000000d66108 r9=000000002ddfa232 r10=0000000000000028 r11=0000000000000000
0108:trace:seh:dispatch_exception r12=0000000000043200 r13=0000000000043368 r14=0000000000041908 r15=0000000000000000
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
...
0108:fixme:ntoskrnl:MmGetSystemRoutineAddress L"IoCreateDeviceSecure" not found
...
0108:trace:ntoskrnl:MmGetSystemRoutineAddress L"IoValidateDeviceIoControlAccess" -> 0000000000312F98
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653c0 L"A;;GA;;;SY)(A;;GA;;;BA)",00d65824 L"A",00000001) ret=00d68f7f
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d68f7f
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6581c L"RC",00000002) ret=00d68fef
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff5 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d65814 L"WD",00000002) ret=00d68fef
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff0 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6580c L"WO",00000002) ret=00d68fef
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d66164 L"BA",00000002) ret=00d69174
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000011 ret=00d69174
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d6617c L"SY",00000002) ret=00d69174
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d69174
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D691C8 ip=0000000000D691C8 tid=0108
0108:trace:seh:dispatch_exception info[0]=0000000000000000
0108:trace:seh:dispatch_exception info[1]=00000000ffffffff
0108:trace:seh:dispatch_exception rax=0000000000315338 rbx=0000000000d653d4 rcx=0000000028ec8348 rdx=0000000000000108
0108:trace:seh:dispatch_exception rsi=0000000000d66184 rdi=0000000000000006 rbp=0000000000000002 rsp=0000000000c3f520
0108:trace:seh:dispatch_exception r8=0000000000000000 r9=0000000000000000 r10=0000000000c3f06b r11=0000000000000000
0108:trace:seh:dispatch_exception r12=0000000010000000 r13=0000000000d66140 r14=00000000c000000d r15=0000000000c3f5c8
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0108:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0 code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0
...
0108:trace:seh:start_debugger Starting debugger L"winedbg --auto 252 68"
...
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address 0000000000D691C8 (thread 0108), starting debugger...
--- snip ---
Crash site using x64dbg (winedbg doesn't work here, which is a different issue):

--- snip ---
0000000000D6916F | call <JMP.&_wcsnicmp>
0000000000D69174 | test eax,eax
0000000000D69176 | je fsbldrv.D69191
0000000000D69178 | inc edi
0000000000D6917A | inc rbp
0000000000D6917D | add rsi,18
0000000000D69181 | cmp edi,C
0000000000D69184 | jb fsbldrv.D69160
0000000000D69186 | mov r13d,C0000073
0000000000D6918C | jmp fsbldrv.D6927B
0000000000D69191 | lea rdi,qword ptr ss:[rbp+rbp*2]
0000000000D69196 | cmp dword ptr ds:[r13+rdi*8+8],1
0000000000D6919C | mov eax,dword ptr ds:[r13+rdi*8+14]
0000000000D691A1 | lea rbx,qword ptr ds:[rbx+rax*2]
0000000000D691A5 | jne fsbldrv.D691B9
0000000000D691A7 | mov dl,20
0000000000D691A9 | mov cl,1
0000000000D691AB | call qword ptr ds:[<&IoIsWdmVersionAvailable>]
0000000000D691B1 | test al,al
0000000000D691B3 | jne fsbldrv.D691B9
0000000000D691B5 | xor ecx,ecx
0000000000D691B7 | jmp fsbldrv.D691CC
0000000000D691B9 | mov rax,qword ptr ds:[<&__wine_stub_SeExports>]
0000000000D691C0 | mov rdx,qword ptr ds:[r13+rdi*8]
0000000000D691C5 | mov rcx,qword ptr ds:[rax]
0000000000D691C8 | mov rcx,qword ptr ds:[rdx+rcx]
0000000000D691CC | xor r13d,r13d
0000000000D691CF | test rbx,rbx
0000000000D691D2 | je fsbldrv.D6925C
--- snip ---
virustotal.com scans:
'fsbl.exe' app:
https://www.virustotal.com/gui/file/9f366a024370ed1c559f327db5266d3a27343d40...
'fsbldrv.sys' driver:
https://www.virustotal.com/gui/file/2a4426c59dac979b357f1d080bd3f63662d8513f...
$ sha1sum fsbl.exe
b91cc97353117ed488acee290b39ef63ded7f5e4  fsbl.exe

$ du -sh fsbl.exe
1.1M    fsbl.exe

$ wine --version
wine-6.0-40-g00401d22782
Regards
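As an added illustration (not code from the bug report, the driver or Wine), a C model of the lookup the disassembly performs: the driver matches an SDDL account abbreviation ("SY", "BA", ...), takes a byte offset from its own table (the qword loaded from [r13+rdi*8]) and reads a SID pointer at that offset inside the SE_EXPORTS block that ntoskrnl exports via the SeExports pointer; when the import resolves to a stub instead, the value read through it is the stub's code bytes (the log's rcx=0000000028ec8348 is 48 83 ec 28, `sub rsp,28h`), and the second dereference faults. The abridged SE_EXPORTS layout, the table contents and the sample SIDs are assumptions for illustration.

```c
/* Added example, not code from the bug report or from Wine: models how a driver
 * resolves SDDL account abbreviations through ntoskrnl's SE_EXPORTS structure
 * (reached via the exported SeExports pointer). Struct layout (abridged), table
 * contents and SID values are assumptions for illustration. */
#include <stddef.h>
#include <string.h>

typedef struct { unsigned char Revision, SubAuthorityCount; } SID; /* stand-in */

typedef struct {                /* abridged stand-in for SE_EXPORTS */
    SID *SeNullSid;
    SID *SeWorldSid;            /* SDDL "WD" */
    SID *SeLocalSystemSid;      /* SDDL "SY" */
    SID *SeAliasAdminsSid;      /* SDDL "BA" */
} SE_EXPORTS;

SE_EXPORTS *SeExports = NULL;   /* the kernel's export; NULL models it missing */

/* Driver-side table: abbreviation -> offset of the pointer inside SE_EXPORTS,
 * i.e. the qword the disassembly loads from [r13+rdi*8] and adds to [rax]. */
static const struct { const char *abbrev; size_t offset; } sid_table[] = {
    { "WD", offsetof(SE_EXPORTS, SeWorldSid) },
    { "SY", offsetof(SE_EXPORTS, SeLocalSystemSid) },
    { "BA", offsetof(SE_EXPORTS, SeAliasAdminsSid) },
};

/* Resolve a two-letter SDDL account name. Returns NULL for an unknown name or
 * when no SE_EXPORTS is available; the driver in the log dereferences without
 * such a check, so an import resolved to a stub ends in the page fault shown. */
SID *resolve_sddl_sid(const SE_EXPORTS *exports, const char *abbrev)
{
    if (!exports) return NULL;
    for (size_t i = 0; i < sizeof sid_table / sizeof sid_table[0]; i++)
        if (strncmp(sid_table[i].abbrev, abbrev, 2) == 0)
            return *(SID *const *)((const char *)exports + sid_table[i].offset);
    return NULL;
}

/* Constructed sample standing in for a kernel that does provide SeExports. */
static SID g_world = { 1, 1 }, g_system = { 1, 1 }, g_admins = { 1, 2 };
static SE_EXPORTS g_sample = { NULL, &g_world, &g_system, &g_admins };
const SE_EXPORTS *sample_exports(void) { return &g_sample; }
```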