https://bugs.winehq.org/show_bug.cgi?id=44636
Bug ID: 44636
Summary: Sentinel HASP 'hardlock.sys' kernel driver access to CR4 via %ESI register operand not handled in ntoskrnl emulate_instruction
Product: Wine
Version: 3.2
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
Continuation of bug 37852.
This time it's another variant of bug 30220, now with %ESI as the register operand.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Minitab/Minitab 16

$ WINEDEBUG=+seh,+relay,+winedevice,+ntoskrnl wine ./Mtb.exe >>log.txt 2>&1
...
0019:trace:winedevice:load_driver_module L"C:\windows\system32\drivers\hardlock.sys": relocating from 0x10000 to 0x780000
...
0019:Call driver init 0x80ac20 (obj=0x11cb28,str=L"\Registry\Machine\System\CurrentControlSet\Services\hardlock")
...
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0065fc74,007efa18 L"\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt") ret=00786720
0019:Call ntdll.RtlInitUnicodeString(0065fc74,007efa18 L"\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt") ret=7bc7e247
0019:Ret  ntdll.RtlInitUnicodeString() retval=0065fc74 ret=7bc7e247
0019:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=0065fc74 ret=00786720
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000084,36346b48) ret=00786748
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000084) ret=7ecce269
0019:Ret  ntdll.RtlAllocateHeap() retval=0011cd08 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 132 pool 1 -> 0x11cd08
0019:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011cd08 ret=00786748
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000148,34356b48) ret=007879d7
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000148) ret=7ecce269
0019:Ret  ntdll.RtlAllocateHeap() retval=0011d2e8 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 328 pool 1 -> 0x11d2e8
0019:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011d2e8 ret=007879d7
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0011d2e8,00000000) ret=00787a0f
0019:Call ntdll.RtlInitUnicodeString(0011d2e8,00000000) ret=7bc7e247
0019:Ret  ntdll.RtlInitUnicodeString() retval=0011d2e8 ret=7bc7e247
0019:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=0011d2e8 ret=00787a0f
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x787a18 ip=00787a18 tid=0019
0019:trace:seh:raise_exception  eax=00110078 ebx=00000000 ecx=0011d2f0 edx=00000000 esi=0011d2e8 edi=0011cd08
0019:trace:seh:raise_exception  ebp=0065fbb4 esp=0065fb64 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ecc9f55 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ecc9f55 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bcb01c8 code=c0000096 flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0065f664) ret=7bcb0203
wine: Unhandled privileged instruction at address 0x787a18 (thread 0019), starting debugger...
--- snip ---
Disassembly:
--- snip ---
...
00787A16   FFF6            PUSH ESI
00787A18   0F20E6          MOV ESI,CR4                 ; unhandled opcode
00787A1B   66:81E6 F7FF    AND SI,0FFF7
00787A20   0F22E6          MOV CR4,ESI                 ; unhandled opcode
00787A23   5E              POP ESI
00787A24   66:05 C800      ADD AX,0C8
00787A28   FFF7            PUSH EDI
00787A2A   66:8946 02      MOV WORD PTR DS:[ESI+2],AX
00787A2E   E9 F4F40600     JMP hardlock.007F6F27
...
--- snip ---
Source: https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#...
--- snip ---
329     switch(*instr)
330     {
331     case 0x0f: /* extended instruction */
332         switch(instr[1])
333         {
334         case 0x22: /* mov eax, crX */
335             switch (instr[2])
336             {
337             case 0xc0:
338                 TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
339                 context->Eip += prefixlen+3;
340                 return ExceptionContinueExecution;
341             case 0xe0:
342                 TRACE("mov eax,cr4 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
343                 context->Eip += prefixlen+3;
344                 return ExceptionContinueExecution;
345             default:
346                 break; /*fallthrough to bad instruction handling */
347             }
348             ERR("Unsupported EAX -> CR register, eip+2 is %02x\n", instr[2]);
349             break; /*fallthrough to bad instruction handling */
350         case 0x20: /* mov crX, eax */
351             switch (instr[2])
352             {
353             case 0xe0: /* mov cr4, eax */
354                 /* CR4 register . See linux/arch/i386/mm/init.c, X86_CR4_ defs
355                  * bit 0: VME  Virtual Mode Exception ?
356                  * bit 1: PVI  Protected mode Virtual Interrupt
357                  * bit 2: TSD  Timestamp disable
358                  * bit 3: DE   Debugging extensions
359                  * bit 4: PSE  Page size extensions
360                  * bit 5: PAE  Physical address extension
361                  * bit 6: MCE  Machine check enable
362                  * bit 7: PGE  Enable global pages
363                  * bit 8: PCE  Enable performance counters at IPL3
364                  */
365                 TRACE("mov cr4,eax at 0x%08x\n",context->Eip);
366                 context->Eax = 0;
367                 context->Eip += prefixlen+3;
368                 return ExceptionContinueExecution;
--- snip ---
%EAX as register operand is handled, but %ESI is not.

0x0f 0x20-0x2f:

20: MOV Rd,Cd
21: MOV Rd,Dd
22: MOV Cd,Rd
23: MOV Dd,Rd
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6  MTBen1610su.exe

$ du -sh MTBen1610su.exe
93M     MTBen1610su.exe

$ wine --version
wine-3.2-293-g0a72708126
Regards
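Added example (editor's illustration, not Wine's instr.c and not code posted by the reporter): a small C decoder showing the general shape of a fix for the switch quoted above. Instead of matching whole ModRM bytes (0xC0, 0xE0) and thereby only ever handling %EAX, it splits the ModRM byte that follows 0F 20 / 0F 22 into its reg field (which selects CRn) and its rm field (which selects the general-purpose register), so MOV ESI,CR4 and MOV CR4,ESI from the hardlock.sys disassembly are handled the same way as the EAX forms. The regs_t context, the cr_shadow_t shadow values, and the policy that CR reads return a remembered shadow value (0 until something writes it) are assumptions made for this example, not Wine's actual behaviour; Wine only needs to skip the instruction and hand back a harmless value. The replay helper and its CR4 input value are constructed for the demo. 32-bit code only: no REX prefix is decoded, so CR8 is not reachable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal 32-bit register context, named after the CONTEXT fields that the
 * seh trace prints (assumption: only the GPRs and Eip matter here). */
typedef struct {
    uint32_t Eax, Ecx, Edx, Ebx, Esp, Ebp, Esi, Edi;
    uint32_t Eip;
} regs_t;

/* Shadow values handed back for CR0..CR7 reads. Writes are recorded here but
 * have no other effect, so a read-modify-write sequence sees consistent
 * values. This is an assumption for the example, not Wine's policy. */
typedef struct {
    uint32_t cr[8];
} cr_shadow_t;

enum { MOV_GPR_FROM_CR = 0x20, MOV_CR_FROM_GPR = 0x22 };

/* GPR selected by a ModRM reg/rm field, in Intel encoding order:
 * 0=EAX 1=ECX 2=EDX 3=EBX 4=ESP 5=EBP 6=ESI 7=EDI. */
static uint32_t *gpr_slot(regs_t *r, unsigned idx)
{
    switch (idx & 7)
    {
    case 0:  return &r->Eax;
    case 1:  return &r->Ecx;
    case 2:  return &r->Edx;
    case 3:  return &r->Ebx;
    case 4:  return &r->Esp;
    case 5:  return &r->Ebp;
    case 6:  return &r->Esi;
    default: return &r->Edi;
    }
}

/* Emulate one "0F 20 /r" (MOV r32,CRn) or "0F 22 /r" (MOV CRn,r32) at
 * instr[0..2]. Returns the number of bytes consumed (3), or 0 when the bytes
 * are not a handled control-register move, in which case the caller should
 * fall through to its bad-instruction path exactly as Wine's default: does.
 * Only CR0, CR2, CR3 and CR4 exist on a 32-bit CPU; other reg values are
 * rejected. The mod bits are ignored: the CPU treats them as 11b here. */
size_t emulate_mov_cr(const uint8_t *instr, size_t len, regs_t *ctx, cr_shadow_t *shadow)
{
    if (len < 3 || instr[0] != 0x0f) return 0;
    if (instr[1] != MOV_GPR_FROM_CR && instr[1] != MOV_CR_FROM_GPR) return 0;

    uint8_t modrm = instr[2];
    unsigned crn = (modrm >> 3) & 7;   /* reg field: which control register */
    unsigned gpr = modrm & 7;          /* rm field: which general register  */

    if (crn != 0 && crn != 2 && crn != 3 && crn != 4) return 0;

    uint32_t *reg = gpr_slot(ctx, gpr);
    if (instr[1] == MOV_GPR_FROM_CR)
        *reg = shadow->cr[crn];        /* MOV r32,CRn: hand back shadow value */
    else
        shadow->cr[crn] = *reg;        /* MOV CRn,r32: record, no real effect */

    ctx->Eip += 3;
    return 3;
}

/* Replay the read-modify-write from the hardlock.sys disassembly:
 * MOV ESI,CR4 / AND SI,0FFF7 / MOV CR4,ESI. The AND is an ordinary
 * unprivileged instruction the CPU would run itself, so it is applied
 * directly in C. Returns the CR4 value the driver wrote back, or
 * 0xffffffff if either privileged move was not decodable. */
uint32_t replay_hardlock_cr4_sequence(cr_shadow_t *shadow)
{
    static const uint8_t mov_esi_cr4[] = { 0x0f, 0x20, 0xe6 };
    static const uint8_t mov_cr4_esi[] = { 0x0f, 0x22, 0xe6 };
    regs_t ctx = { 0 };
    ctx.Eip = 0x00787a18;  /* faulting address from the trace */

    if (!emulate_mov_cr(mov_esi_cr4, sizeof mov_esi_cr4, &ctx, shadow)) return 0xffffffffu;
    /* AND SI,0FFF7: clears bit 3 (CR4.DE) in the low 16 bits only */
    ctx.Esi = (ctx.Esi & 0xffff0000u) | ((ctx.Esi & 0xffffu) & 0xfff7u);
    ctx.Eip += 5;
    if (!emulate_mov_cr(mov_cr4_esi, sizeof mov_cr4_esi, &ctx, shadow)) return 0xffffffffu;
    return shadow->cr[4];
}

int main(void)
{
    cr_shadow_t shadow = { { 0 } };
    shadow.cr[4] = 0x000006f8u;  /* constructed sample CR4 with DE (bit 3) set */
    uint32_t written = replay_hardlock_cr4_sequence(&shadow);
    printf("hardlock.sys wrote CR4 = 0x%08x (DE cleared: %s)\n",
           written, (written & 0x8u) ? "no" : "yes");
    return 0;
}
```

The point of the rm/reg split is that one code path covers all eight register operands, so a driver that happens to pick %ESI, %ECX or %EDI no longer falls into the "Unsupported ... CR register" branch; the `len < 3` check also keeps the decoder from reading past a truncated instruction buffer.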