https://bugs.winehq.org/show_bug.cgi?id=45926
Bug ID: 45926 Summary: Windows Sysinternals ProcessExplorer v12-16+ crashes due to missing advapi32.I_QueryTagInformation() stub Product: Wine Version: 3.17 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: advapi32 Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
as it says.
--- snip ---
$ WINEDEBUG=+seh,+relay wine ./procexp64.exe >>log.txt 2>&1
...
002d:Call KERNEL32.LoadLibraryW(1400d20a8 L"advapi32.dll") ret=140080b4a
002d:Ret KERNEL32.LoadLibraryW() retval=7f4d2a1a0000 ret=140080b4a
002d:Call KERNEL32.GetProcAddress(7f4d2a1a0000,1400ecf08 "I_QueryTagInformation") ret=140080b5a
002d:Ret KERNEL32.GetProcAddress() retval=00000000 ret=140080b5a
...
002d:trace:seh:NtRaiseException code=c0000005 flags=0 addr=(nil) ip=0 tid=002d
002d:trace:seh:NtRaiseException info[0]=0000000000000008
002d:trace:seh:NtRaiseException info[1]=0000000000000000
002d:trace:seh:NtRaiseException rax=0000000000000001 rbx=000000014012c9c8 rcx=0000000000000000 rdx=0000000000000003
002d:trace:seh:NtRaiseException rsi=000000014012c9c0 rdi=000000014012c9d0 rbp=0000000000000000 rsp=000000000023f9b8
002d:trace:seh:NtRaiseException r8=000000000023f9e0 r9=000000014012c9c8 r10=0000000000000000 r11=0000000000000246
002d:trace:seh:NtRaiseException r12=0000000140126560 r13=0000000000000000 r14=000000000000000a r15=0000000140000000
002d:trace:seh:RtlVirtualUnwind type 1 rip 14006377a rsp 23f9c0
002d:trace:seh:dump_unwind_info **** func 63720-637a6
--- snip ---
Disassembly at crash site (running under x64dbg):
--- snip ---
0000000140063720 | mov qword ptr ss:[rsp+8],rbx |
0000000140063725 | mov qword ptr ss:[rsp+10],rbp |
000000014006372A | mov qword ptr ss:[rsp+18],rsi |
000000014006372F | push rdi |
0000000140063730 | sub rsp,30 |
0000000140063734 | mov rsi,rcx |
0000000140063737 | mov rcx,qword ptr ds:[rcx] |
000000014006373A | mov rbx,r9 |
000000014006373D | mov rdi,r8 |
0000000140063740 | mov rbp,rdx |
0000000140063743 | test rcx,rcx |
0000000140063746 | je procexp64.14006375B |
0000000140063748 | call qword ptr ds:[1400D0958] |
000000014006374E | mov qword ptr ds:[rbx],0 |
0000000140063755 | mov dword ptr ds:[rdi],0 |
000000014006375B | lea r8,qword ptr ss:[rsp+20] |
0000000140063760 | mov edx,3 |
0000000140063765 | xor ecx,ecx |
0000000140063767 | mov dword ptr ss:[rsp+20],ebp |
000000014006376B | mov qword ptr ss:[rsp+28],0 |
0000000140063774 | call qword ptr ds:[14012CC68] | NULL *boom*
000000014006377A | test eax,eax |
000000014006377C | jne procexp64.140063791 |
000000014006377E | mov rdx,qword ptr ss:[rsp+28] |
0000000140063783 | mov ecx,dword ptr ds:[rdx] |
0000000140063785 | mov dword ptr ds:[rdi],ecx |
0000000140063787 | mov rcx,qword ptr ds:[rdx+8] |
000000014006378B | mov qword ptr ds:[rbx],rcx |
000000014006378E | mov qword ptr ds:[rsi],rdx |
0000000140063791 | mov rbx,qword ptr ss:[rsp+40] |
0000000140063796 | mov rbp,qword ptr ss:[rsp+48] |
000000014006379B | mov rsi,qword ptr ss:[rsp+50] |
00000001400637A0 | add rsp,30 |
00000001400637A4 | pop rdi |
00000001400637A5 | ret |
--- snip ---
Using the "find references to address" method for 0x14012CC68 one comes across this:
--- snip ---
0000000140080B4A | lea rdx,qword ptr ds:[1400ECF08] | "I_QueryTagInformation"
0000000140080B51 | mov rcx,rax |
0000000140080B54 | call qword ptr ds:[1400D0968] |
0000000140080B5A | lea rcx,qword ptr ds:[1400ECF30] | L"wow64cpu"
0000000140080B61 | mov qword ptr ds:[14012CC68],rax |
--- snip ---
which corresponds to the trace log snippet earlier.
At some point Wine might implement service process tags as well, to map service-hosting threads to their owning service. Service tags were introduced with Windows Vista. The tag is contained in the TEB of every thread (sub-process tag) and is used in threads owned by service processes as a way to link them with their owning service name.
https://github.com/processhacker/processhacker/blob/master/phlib/svcsup.c#L4...
--- snip ---
/*
 * Look up the service name that owns a service tag in a given process.
 * Returns a new PPH_STRING, or NULL when advapi32 does not export
 * I_QueryTagInformation or the query yields no name.
 */
PPH_STRING PhGetServiceNameFromTag(
    _In_ HANDLE ProcessId,
    _In_ PVOID ServiceTag
    )
{
    /* Resolved lazily on first use; stays NULL if the export is absent. */
    static PQUERY_TAG_INFORMATION I_QueryTagInformation = NULL;
    PPH_STRING serviceName = NULL;
    TAG_INFO_NAME_FROM_TAG nameFromTag;

    if (!I_QueryTagInformation)
    {
        I_QueryTagInformation = PhGetDllProcedureAddress(L"advapi32.dll", "I_QueryTagInformation", 0);

        /* Export missing (e.g. an advapi32 without this entry point): return
         * instead of calling through a NULL pointer. This is the check the
         * crashing procexp code path lacks. */
        if (!I_QueryTagInformation)
            return NULL;
    }

    /* Zeroing the struct guarantees OutParams.pszName is NULL unless the
     * callee fills it in. */
    memset(&nameFromTag, 0, sizeof(TAG_INFO_NAME_FROM_TAG));
    nameFromTag.InParams.dwPid = HandleToUlong(ProcessId);
    nameFromTag.InParams.dwTag = PtrToUlong(ServiceTag);

    /* NOTE(review): the DWORD result is ignored here even though the prototype
     * is annotated _Must_inspect_result_; the code relies on pszName staying
     * NULL on failure. */
    I_QueryTagInformation(NULL, eTagInfoLevelNameFromTag, &nameFromTag);

    /* Copy the returned name, then release the callee-provided buffer with
     * LocalFree. */
    if (nameFromTag.OutParams.pszName)
    {
        serviceName = PhCreateString(nameFromTag.OutParams.pszName);
        LocalFree(nameFromTag.OutParams.pszName);
    }

    return serviceName;
}
--- snip ---
https://github.com/processhacker/processhacker/blob/2bb718f36a702fde6cb346e9...
--- snip --- _Must_inspect_result_ DWORD WINAPI I_QueryTagInformation( _In_opt_ LPCWSTR pszMachineName, _In_ TAG_INFO_LEVEL eInfoLevel, _Inout_ PVOID pTagInfo ); --- snip ---
$ sha1sum ProcessExplorer.zip 97d882b15890471ea9942c80997c180fbfcbba26 ProcessExplorer.zip
$ du -sh ProcessExplorer.zip 1.9M ProcessExplorer.zip
$ wine --version wine-3.17-39-gc96eba60e3
Regards