https://bugs.winehq.org/show_bug.cgi?id=46969
Bug ID: 46969
Summary: Multiple 64-bit WDM kernel drivers want Windows 8+ 'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY)
Product: Wine
Version: 4.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
As it says. It's not critical as most kernel drivers fall back to 'ntdll.RtlQueryRegistryValues' if the entry point can't be resolved.
It still produces considerable 'fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found' spam in some cases for every registry value read. Additionally it might lead people to draw incorrect conclusions as the fallback can't be seen without additional debug channels.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wineboot >>log.txt 2>&1
...
0025:trace:ntoskrnl:open_driver opened service for driver L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY"
...
0025:trace:ntoskrnl:load_driver loading driver L"SYSTEM32\DRIVERS\WibuKey64.sys"
0025:Call KERNEL32.LoadLibraryW(00026460 L"SYSTEM32\DRIVERS\WibuKey64.sys") ret=7f0a3ebbbe25
...
0025:Call driver init 0x10004ee0 (obj=0x27980,str=L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY")
...
0025:Call ntoskrnl.exe.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=10005f5f
0025:Call ntdll.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=7bd10e87
0025:Ret ntdll.RtlInitUnicodeString() retval=0032f260 ret=7bd10e87
0025:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0032f260 ret=10005f5f
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:Call ntdll.RtlUnicodeStringToAnsiString(0032f0a0,0032f260,00000001) ret=7f0a3ebb9187
0025:Ret ntdll.RtlUnicodeStringToAnsiString() retval=00000000 ret=7f0a3ebb9187
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd1e0 L"ntoskrnl.exe") ret=7f0a3ebb91a5
0025:Ret KERNEL32.GetModuleHandleW() retval=7f0a3eb90000 ret=7f0a3ebb91a5
0025:Call KERNEL32.GetProcAddress(7f0a3eb90000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb91c3
0025:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb91c3
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd200 L"hal.dll") ret=7f0a3ebb91e6
0025:Ret KERNEL32.GetModuleHandleW() retval=7f0a4cf80000 ret=7f0a3ebb91e6
0025:Call KERNEL32.GetProcAddress(7f0a4cf80000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb920c
0025:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb920c
...
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Call ntdll.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=7bd10e87
0025:Ret ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bd10e87
0025:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
...
<repeated dozen times>
...
0025:Ret driver init 0x10004ee0 (obj=0x27980,str=L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY") retval=00000000
0025:Call KERNEL32.IsBadStringPtrW(00027918,ffffffffffffffff) ret=7f0a3ebaa4a8
0025:Ret KERNEL32.IsBadStringPtrW() retval=00000000 ret=7f0a3ebaa4a8
0025:trace:ntoskrnl:init_driver init done for L"WIBUKEY" obj 0x27980
0025:trace:ntoskrnl:init_driver - DriverInit = 0x10004ee0
0025:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0025:trace:ntoskrnl:init_driver - DriverUnload = 0x10005110
0025:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f0a3ebb04dd
--- snip ---
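The fallback described above is easy to miss in a long +relay trace: the 'not found' fixme sits several lines away from the RtlQueryRegistryValues call that the driver makes instead, and from the NTSTATUS that call returns. The following is an added example, not part of this report or of Wine: a small Python helper that scans a WINEDEBUG=+relay,+ntoskrnl log, counts every unresolved MmGetSystemRoutineAddress lookup per symbol, and pairs it with the next ntoskrnl export the same thread calls (taken, heuristically, as the fallback) and that call's result. The sample log lines are constructed after the ones quoted in the report; the NTSTATUS name table only covers the two codes that appear there.

```python
"""Summarise unresolved MmGetSystemRoutineAddress lookups in a Wine relay log.

Added example (not from the bug report or from Wine). Input is the output of
WINEDEBUG=+relay,+ntoskrnl. For every
  NNNN:fixme:ntoskrnl:MmGetSystemRoutineAddress L"Sym" not found
line it records the symbol, then treats the next ntoskrnl.exe export called by
the same thread as that driver's fallback and captures its retval.
"""
import re
from collections import Counter, defaultdict

FIXME_RE = re.compile(
    r'^(?P<tid>[0-9a-f]{4}):fixme:ntoskrnl:MmGetSystemRoutineAddress '
    r'L"(?P<sym>[^"]+)" not found$')
# Relay lines look like  0025:Call ntoskrnl.exe.RtlQueryRegistryValues(...) ret=...
CALL_RE = re.compile(r'^(?P<tid>[0-9a-f]{4}):Call (?P<mod>[\w.]+)\.(?P<func>\w+)\(')
RET_RE = re.compile(
    r'^(?P<tid>[0-9a-f]{4}):Ret (?P<mod>[\w.]+)\.(?P<func>\w+)\(\) '
    r'retval=(?P<retval>[0-9a-f]+)')

# Minimal NTSTATUS table: just the codes seen in the report's trace.
NTSTATUS_NAMES = {
    "00000000": "STATUS_SUCCESS",
    "c0000034": "STATUS_OBJECT_NAME_NOT_FOUND",
}


def analyze(log_text):
    """Return {symbol: {"unresolved": n, "fallbacks": Counter((func, retval) -> n)}}."""
    stats = defaultdict(lambda: {"unresolved": 0, "fallbacks": Counter()})
    pending = {}   # tid -> symbol whose lookup just failed
    inflight = {}  # tid -> (symbol, fallback func) waiting for its Ret line
    for line in log_text.splitlines():
        m = FIXME_RE.match(line)
        if m:
            stats[m["sym"]]["unresolved"] += 1
            pending[m["tid"]] = m["sym"]
            continue
        m = CALL_RE.match(line)
        if (m and m["tid"] in pending and m["mod"] == "ntoskrnl.exe"
                and m["func"] != "MmGetSystemRoutineAddress"):
            # Heuristic: the first ntoskrnl export the driver calls after the
            # failed lookup is assumed to be its fallback for the missing symbol.
            # The ntdll.* forwarding lines underneath it are deliberately skipped.
            inflight[m["tid"]] = (pending.pop(m["tid"]), m["func"])
            continue
        m = RET_RE.match(line)
        if (m and m["tid"] in inflight and m["mod"] == "ntoskrnl.exe"
                and m["func"] == inflight[m["tid"]][1]):
            sym, func = inflight.pop(m["tid"])
            stats[sym]["fallbacks"][(func, m["retval"])] += 1
    return dict(stats)


def format_report(stats):
    """Render analyze() output as human-readable lines."""
    lines = []
    for sym, info in sorted(stats.items()):
        lines.append(f'{sym}: not found {info["unresolved"]}x')
        for (func, retval), n in sorted(info["fallbacks"].items()):
            status = NTSTATUS_NAMES.get(retval, "unknown NTSTATUS")
            lines.append(f'  fallback {func} -> {retval} ({status}) {n}x')
    return "\n".join(lines)


# Constructed sample, modelled on the trace quoted in the report: two lookups
# of RtlQueryRegistryValuesEx fail; the first fallback call gets c0000034, the
# second succeeds.
SAMPLE_LOG = """\
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Call ntdll.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=7bd10e87
0025:Ret ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bd10e87
0025:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=00000000 ret=10005f87
"""

if __name__ == "__main__":
    print(format_report(analyze(SAMPLE_LOG)))
```

Run it against a real log with `python3 relay_fallbacks.py < log.txt` after swapping SAMPLE_LOG for `sys.stdin.read()`; the per-symbol totals show at a glance which missing exports a driver actually compensates for and whether the substitute call then succeeds, which is the distinction the report says is invisible without extra debug channels.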
The prototype seems to be the same as 'ntdll.RtlQueryRegistryValues'
https://github.com/Gbps/gbhv/blob/master/gbhv/phnt/ntrtl.h#L6903
--- snip ---
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValues(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );

// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValuesEx(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );
--- snip ---
https://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm
https://www.geoffchappell.com/studies/windows/win32/ntdll/history/names62.ht...
--- quote ---
RtlQueryRegistryValuesEx    6.2 and higher
--- quote ---
The purpose of this function is mentioned here (which also explains why the prototype is the same):
http://www.powerofcommunity.net/poc2012/mj0011.pdf ("Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement")
Slide 15 "Windows8 Kernel Security Improvements":
--- quote ---
Kernel Security Improvements on Windows 8:
...
Introducing the new RtlQueryRegistryValuesEx function.
Windows 8 drivers use this new function as much as possible. If driver calls new function and the registry key is untrusted, it would cause BugCheck = KERNEL_SECURITY_CHECK_FAILURE.
--- quote ---
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntdll/reg.c#l1218
--- snip ---
1218 /*************************************************************************
1219  * RtlQueryRegistryValues [NTDLL.@]
1220  *
1221  * Query multiple registry values with a single call.
1222  *
1223  * PARAMS
1224  *  RelativeTo  [I] Registry path that Path refers to
1225  *  Path        [I] Path to key
1226  *  QueryTable  [I] Table of key values to query
1227  *  Context     [I] Parameter to pass to the application defined QueryRoutine function
1228  *  Environment [I] Optional parameter to use when performing expansion
1229  *
1230  * RETURNS
1231  *  STATUS_SUCCESS or an appropriate NTSTATUS error code.
1232  */
1233 NTSTATUS WINAPI RtlQueryRegistryValues(IN ULONG RelativeTo, IN PCWSTR Path,
1234                                        IN PRTL_QUERY_REGISTRY_TABLE QueryTable, IN PVOID Context,
1235                                        IN PVOID Environment OPTIONAL)
1236 {
...
--- snip ---

$ sha1sum ARCHICAD-22-USA-3006-1.4.exe
981ffe19e9b03b2736dddc335c9dfc8a7cfe0750  ARCHICAD-22-USA-3006-1.4.exe

$ du -sh ARCHICAD-22-USA-3006-1.4.exe
1.9G    ARCHICAD-22-USA-3006-1.4.exe

$ wine --version
wine-4.5-227-g6552b7144e
Regards