https://bugs.winehq.org/show_bug.cgi?id=49165
Anastasius Focht focht@gmx.net changed:
What: URL
Removed: https://launchpad.net/veracrypt/trunk/1.24-update6/+download/VeraCrypt%20Portable%201.24-Update6.exe
Added: https://web.archive.org/web/20200319114317/https://launchpadlibrarian.net/468657862/VeraCrypt%20Portable%201.24-Update6.exe

What: Summary
Removed: VeraCrypt 1.24 filter driver 'veracrypt_x64.sys' crashes in entry point ('IoGetDeviceObjectPointer' must not return a stub device if the device object doesn't exist)
Added: Multiple kernel drivers crash in entry point due to 'IoGetDeviceObjectPointer' returning a stub device when the device object doesn't exist (VeraCrypt 1.24 'veracrypt_x64.sys', NAV 2010 'ccHPx64.sys')

--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding another driver and refining summary for collecting.
Symantec Hash Provider driver 'ccHP' from Norton Antivirus 2010.
https://web.archive.org/web/20111104092310/http://spftrl.digitalriver.com/pu...
NOTE: Needs multiple prerequisite bugs fixed or worked around before coming to this place.
* bug 34083 ("Norton/Symantec AntiVirus 10.x installers fail to validate embedded certificate (CERT with multiple OU fields, crypt32.CertGetNameStringW must return RDNs in reverse order)")
* bug 50431 ("SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\SystemRoot\system32\drivers' and 'WOW64=1'")
To debug driver crashes it's best to disable autostart. Change start type to "manual" (3).
--- snip ---
[System\CurrentControlSet\Services\ccHP]
...
"Start"=dword:00000003
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl wine net start ccHP >>log.txt 2>&1
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys"
0054:Call KERNEL32.LoadLibraryW(00041490 L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys") ret=0032606e
...
0054:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e
...
0054:Call driver init 0000000000DF8008 (obj=0000000000042DD0,str=L"\Registry\Machine\System\CurrentControlSet\Services\ccHP")
...
0054:Call ntoskrnl.exe.IoWMIRegistrationControl(00def6c8,80010001) ret=00d61775
0054:fixme:ntoskrnl:IoWMIRegistrationControl (0000000000DEF6C8 2147549185) stub
0054:Ret ntoskrnl.exe.IoWMIRegistrationControl() retval=00000000 ret=00d61775
0054:Call ntoskrnl.exe.IoGetDeviceObjectPointer(00c3f710,001f01ff,00c3f708,00c3f700) ret=00d61c9f
...
0054:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\SYMEFA" 1f01ff 0000000000C3F708 0000000000C3F700
0054:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=00d61c9f
0054:Call ntoskrnl.exe.IoBuildSynchronousFsdRequest(0000001b,0034d5c8,00000000,00000000,00000000,00c3f720,00c3f738) ret=00d61d1b
0054:trace:ntoskrnl:IoBuildSynchronousFsdRequest (27 000000000034D5C8 0000000000000000 0 0000000000000000 0000000000C3F738)
0054:trace:ntoskrnl:IoBuildAsynchronousFsdRequest (27 000000000034D5C8 0000000000000000 0 0000000000000000 0000000000C3F738)
0054:trace:ntoskrnl:IoAllocateIrp -128, 0
0054:Call ntdll.RtlAllocateHeap(009c0000,00000000,00000310) ret=0031fab9
0054:Ret ntdll.RtlAllocateHeap() retval=009c03b0 ret=0031fab9
0054:trace:ntoskrnl:ExAllocatePoolWithTag 784 pool 0 -> 00000000009C03B0
0054:trace:ntoskrnl:IoInitializeIrp 00000000009C03B0, 784, -128
0054:Call msvcrt.memset(009c03b0,00000000,00000310) ret=0031fb53
0054:Ret msvcrt.memset() retval=009c03b0 ret=0031fb53
0054:trace:seh:dispatch_exception code=c0000005 flags=0 addr=000000000032069E ip=000000000032069E tid=0054
0054:trace:seh:dispatch_exception info[0]=0000000000000001
0054:trace:seh:dispatch_exception info[1]=00000000009be038
0054:trace:seh:dispatch_exception rax=00000000009c03b0 rbx=000000000000001b rcx=00000000e421390f rdx=0000000000000037
0054:trace:seh:dispatch_exception rsi=000000000034d5c8 rdi=00000000009c03b0 rbp=0000000000c3f560 rsp=0000000000c3f510
0054:trace:seh:dispatch_exception r8=0000000000000000 r9=0000000000000000 r10=0000000000c3efe2 r11=0000000000000000
0054:trace:seh:dispatch_exception r12=00000000009be080 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0054:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
0054:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0054:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0 code=c0000005 flags=0
0054:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0
--- snip ---
Virustotal.com scan of the installer binary:
https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20...
$ sha1sum NAV10TBEN.exe
eadfb9c860146186c548aba695a9be87607f5586 NAV10TBEN.exe

$ du -sh NAV10TBEN.exe
74M NAV10TBEN.exe

$ wine --version
wine-6.0-rc4
Regards
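
Added example, not part of the comment above and not Wine code: a small triage script for logs captured with the WINEDEBUG channels shown in the comment. It reports threads where the IoGetDeviceObjectPointer stub returned success (retval 0) for a device name and the same thread later raised an exception. The function name and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the WINEDEBUG=+seh,+relay,+ntoskrnl format quoted above;
# the 0058 line is an unrelated thread added for contrast.
SAMPLE_LOG = r"""
0054:Call ntoskrnl.exe.IoGetDeviceObjectPointer(00c3f710,001f01ff,00c3f708,00c3f700) ret=00d61c9f
0054:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\Device\SYMEFA" 1f01ff 0000000000C3F708 0000000000C3F700
0054:Ret ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=00d61c9f
0058:Call ntoskrnl.exe.IoAllocateIrp(00000001,00000000) ret=00d70000
0054:trace:ntoskrnl:IoAllocateIrp -128, 0
0054:trace:seh:dispatch_exception code=c0000005 flags=0 addr=000000000032069E ip=000000000032069E tid=0054
"""

STUB = re.compile(r'^([0-9a-f]{4}):fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"([^"]*)"')
RET = re.compile(r'^([0-9a-f]{4}):Ret\s+ntoskrnl\.exe\.IoGetDeviceObjectPointer\(\) retval=([0-9a-f]+)')
EXC = re.compile(r'^([0-9a-f]{4}):trace:seh:dispatch_exception code=([0-9a-f]{8}) .*?addr=([0-9A-Fa-f]+)')

def find_stub_device_crashes(log_text):
    """Return one record per thread where the stub reported success (retval 0)
    for a device name and the same thread later raised an exception."""
    pending = {}   # tid -> device name seen in the stub fixme line
    trusted = {}   # tid -> device name the caller was told exists
    findings = []
    for line in log_text.splitlines():
        if m := STUB.match(line):
            pending[m.group(1)] = m.group(2)
        elif m := RET.match(line):
            tid = m.group(1)
            if tid in pending and int(m.group(2), 16) == 0:
                trusted[tid] = pending.pop(tid)
            else:
                pending.pop(tid, None)   # failure status: caller was not misled
        elif m := EXC.match(line):
            tid = m.group(1)
            if tid in trusted:
                findings.append({"tid": tid, "device": trusted.pop(tid),
                                 "code": m.group(2), "addr": m.group(3)})
    return findings

if __name__ == "__main__":
    for f in find_stub_device_crashes(SAMPLE_LOG):
        print(f)
```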