http://bugs.winehq.org/show_bug.cgi?id=21061
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Keywords|                            |obfuscation
           Status|UNCONFIRMED                 |NEW
        Component|-unknown                    |ntoskrnl
          Summary|SUPERAntiSpyware            |SUPERAntiSpyware
                 |saskutil.sys kernel driver  |'saskutil.sys' kernel
                 |crashes on load             |driver crashes on load
                 |                            |(expects valid SDT/SST
                 |                            |pointing to valid SSDT)
   Ever confirmed|0                           |1
         Severity|enhancement                 |normal
--- Comment #6 from Anastasius Focht focht@gmx.net ---

Hello folks,
revisiting, refining info.
--- snip ---
003474F0 PUSH EBP
003474F1 MOV EBP,ESP
003474F3 MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwOpenKey>]
003474F8 MOV ECX,DWORD PTR DS:[EAX+1]
003474FB MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347501 MOV EAX,DWORD PTR DS:[EDX]
00347503 MOV ECX,DWORD PTR DS:[EAX+ECX*4]
00347506 MOV DWORD PTR DS:[34F57C],ECX
0034750C MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwCreateKey>]
00347512 MOV EAX,DWORD PTR DS:[EDX+1]
00347515 MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034751B MOV EDX,DWORD PTR DS:[ECX]
0034751D MOV EAX,DWORD PTR DS:[EDX+EAX*4]
00347520 MOV DWORD PTR DS:[34F580],EAX
00347525 MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwDeleteKey>]
0034752B MOV EDX,DWORD PTR DS:[ECX+1]
0034752E MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347533 MOV ECX,DWORD PTR DS:[EAX]
00347535 MOV EDX,DWORD PTR DS:[ECX+EDX*4]
00347538 MOV DWORD PTR DS:[34F59C],EDX
0034753E MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwQueryKey>]
00347543 MOV ECX,DWORD PTR DS:[EAX+1]
00347546 MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034754C MOV EAX,DWORD PTR DS:[EDX]
0034754E MOV ECX,DWORD PTR DS:[EAX+ECX*4]
00347551 MOV DWORD PTR DS:[34F588],ECX
00347557 MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwEnumerateKey>]
0034755D MOV EAX,DWORD PTR DS:[EDX+1]
00347560 MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347566 MOV EDX,DWORD PTR DS:[ECX]
00347568 MOV EAX,DWORD PTR DS:[EDX+EAX*4]
0034756B MOV DWORD PTR DS:[34F58C],EAX
00347570 MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwEnumerateValueKey>]
00347576 MOV EDX,DWORD PTR DS:[ECX+1]
00347579 MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034757E MOV ECX,DWORD PTR DS:[EAX]
00347580 MOV EDX,DWORD PTR DS:[ECX+EDX*4]
00347583 MOV DWORD PTR DS:[34F590],EDX
00347589 MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwQueryValueKey>]
0034758E MOV ECX,DWORD PTR DS:[EAX+1]
00347591 MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347597 MOV EAX,DWORD PTR DS:[EDX]
00347599 MOV ECX,DWORD PTR DS:[EAX+ECX*4]
0034759C MOV DWORD PTR DS:[34F594],ECX
003475A2 MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwSetValueKey>]
003475A8 MOV EAX,DWORD PTR DS:[EDX+1]
003475AB MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
003475B1 MOV EDX,DWORD PTR DS:[ECX]
003475B3 MOV EAX,DWORD PTR DS:[EDX+EAX*4]
003475B6 MOV DWORD PTR DS:[34F598],EAX
003475BB MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwDeleteValueKey>]
003475C1 MOV EDX,DWORD PTR DS:[ECX+1]
003475C4 MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
003475C9 MOV ECX,DWORD PTR DS:[EAX]
003475CB MOV EDX,DWORD PTR DS:[ECX+EDX*4]
003475CE MOV DWORD PTR DS:[34F584],EDX
003475D4 XOR EAX,EAX
003475D6 POP EBP
003475D7 RETN
--- snip ---
IMHO outside of Wine's scope, requires redesign/concept of shared "kernel" address space (to allow global SSDT hooking).
$ sha1sum SUPERAntiSpyware.exe
4c252fa69448d282d4a1ffc37b4bcfba1c401e3a  SUPERAntiSpyware.exe

$ du -sh SUPERAntiSpyware.exe
18M     SUPERAntiSpyware.exe

$ wine --version
wine-1.7.23-33-gc654b7b
Regards
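An added C model of the lookup in the listing above (example code written for this note, not from the bug report or from the saskutil.sys driver): the driver takes the imm32 at ZwXxx+1 as the service index and indexes the SSDT through the first field of KeServiceDescriptorTable. The struct layout, stub bytes and table contents are constructed assumptions; the NULL and bounds checks are the ones the driver does not perform, which is why an ntoskrnl that exports the symbol without a usable table behind it faults on load.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the x86 service descriptor the listing walks:
 * its first field (DS:[EDX] in the listing) is the SSDT base. */
typedef struct {
    uintptr_t *ServiceTableBase;      /* KiServiceTable: array of handler addresses */
    uint32_t  *ServiceCounterTableBase;
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;
} ServiceDescriptorTable;

/* The driver reads the DWORD at ZwXxx+1: the imm32 of the "MOV EAX,imm32" (B8)
 * that opens each ntoskrnl Zw* stub, i.e. the service index. Returns 0 on failure. */
static int zw_stub_index(const uint8_t *stub, uint32_t *index)
{
    if (stub == NULL || stub[0] != 0xB8)
        return 0;                      /* not a MOV EAX,imm32 stub: index unknown */
    *index = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
             ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return 1;
}

/* MOV ECX,[EAX+ECX*4] from the listing, plus the NULL and bounds checks the driver
 * skips. Returns the handler address, or 0 when the SDT/SSDT is not usable. */
static uintptr_t resolve_service(const ServiceDescriptorTable *sdt, const uint8_t *stub)
{
    uint32_t idx;
    if (sdt == NULL || sdt->ServiceTableBase == NULL)
        return 0;                      /* no usable table behind the export: the bug's case */
    if (!zw_stub_index(stub, &idx) || idx >= sdt->NumberOfServices)
        return 0;
    return sdt->ServiceTableBase[idx];
}

/* Constructed sample data: four fake handler addresses and a stub selecting index 2. */
static uintptr_t fake_ssdt[4] = { 0x80501000, 0x80501100, 0x80501200, 0x80501300 };
static const uint8_t fake_zw_stub[] = { 0xB8, 0x02, 0x00, 0x00, 0x00,  /* MOV EAX,2 */
                                        0x8D, 0x54, 0x24, 0x04 };      /* LEA EDX,[ESP+4] */

uintptr_t demo_resolve_ok(void)       /* valid table: returns fake_ssdt[2] */
{
    ServiceDescriptorTable sdt = { fake_ssdt, NULL, 4, NULL };
    return resolve_service(&sdt, fake_zw_stub);
}
uintptr_t demo_resolve_no_ssdt(void)  /* NULL table base, as with a stub-only export: 0 */
{
    ServiceDescriptorTable sdt = { NULL, NULL, 0, NULL };
    return resolve_service(&sdt, fake_zw_stub);
}
```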