https://bugs.winehq.org/show_bug.cgi?id=45521
Bug ID: 45521
Summary: 64-bit Sentinel HASP hardlock.sys kernel driver crashes due to ntoskrnl emulate_instruction not handling 'cli' and 'sti'
Product: Wine
Version: 3.13
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
originally reported in bug 45510 (which now covers a different issue) and extracted here.
Prerequisite:
* 64-bit WINEPREFIX (otherwise you run into bug 45510)
Download:
https://www.uwerk.de/en/images/UWerkDownLoads/HASP/GUI/HASPUserSetup.zip
--- snip ---
...
0051:Call ntoskrnl.exe.RtlAppendUnicodeToString(0002a240,006bfc98 L"\Parameters") ret=006c6b88
0051:Call ntdll.RtlAppendUnicodeToString(0002a240,006bfc98 L"\Parameters") ret=7bcfdc7b
0051:Ret  ntdll.RtlAppendUnicodeToString() retval=00000000 ret=7bcfdc7b
0051:Ret  ntoskrnl.exe.RtlAppendUnicodeToString() retval=00000000 ret=006c6b88
0051:Call ntoskrnl.exe.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=006c6bec
0051:Call ntdll.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=7bcfdc7b
0051:Ret  ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bcfdc7b
0051:Ret  ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=006c6bec
0051:Call ntoskrnl.exe.ExFreePoolWithTag(0002a240,00000000) ret=006c6bfe
0051:trace:ntoskrnl:ExFreePoolWithTag 0x2a240
0051:Call ntdll.RtlFreeHeap(00010000,00000000,0002a240) ret=7faa2ee4dfb1
0051:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7faa2ee4dfb1
0051:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=006c6bfe
0051:trace:seh:NtRaiseException code=c0000096 flags=0 addr=0x6cc5f6 ip=6cc5f6 tid=0051
0051:trace:seh:NtRaiseException  rax=0000000000000000 rbx=0000000000027ca8 rcx=000000000055f6b4 rdx=000000000055f6b0
0051:trace:seh:NtRaiseException  rsi=0000000000026ee0 rdi=0000000000027d58 rbp=0000000000027d04 rsp=000000000055f660
0051:trace:seh:NtRaiseException   r8=0000000000000000  r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:NtRaiseException  r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00000000000271b0
0051:trace:seh:call_vectored_handlers calling handler at 0x7faa2ee458d8 code=c0000096 flags=0
0051:trace:seh:call_vectored_handlers handler at 0x7faa2ee458d8 returned 0
...
0051:trace:seh:dwarf_virtual_unwind next function rip=0000000000000000
0051:trace:seh:dwarf_virtual_unwind  rax=0000000000000000 rbx=0000000000000000 rcx=00007faa2ee80fa0 rdx=00000000000c0155
0051:trace:seh:dwarf_virtual_unwind  rsi=0000000000000000 rdi=0000000000000000 rbp=0000000000000000 rsp=000000000055ffe0
0051:trace:seh:dwarf_virtual_unwind   r8=0000000000000000  r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:dwarf_virtual_unwind  r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00007faa2ee30000
0051:trace:seh:call_stack_handlers found wine frame 0x55fe00 rsp 55ffe0 handler 0x7bd57b2b
0051:trace:seh:call_teb_handler calling TEB handler 0x7bd57b2b (rec=0x55f520, frame=0x55fe00 context=0x55e7c0, dispatch=0x55ec90)
0051:Call KERNEL32.UnhandledExceptionFilter(0055e700) ret=7bd57b85
wine: Unhandled privileged instruction at address 0x6cc5f6 (thread 0051), starting debugger...
--- snip ---
Disassembly after decryption of the 64-bit driver:
--- snip ---
...
00000000006CC5B3 | E8 38 A5 FF FF        | call hardlock.6C6AF0
00000000006CC5B8 | 84 C0                 | test al, al
00000000006CC5BA | 74 04                 | je hardlock.6CC5C0
00000000006CC5BC | 83 4B 58 01           | or dword ptr ds:[rbx+58], 1
00000000006CC5C0 | 4C 8D 44 24 4C        | lea r8, qword ptr ss:[rsp+4C]
00000000006CC5C5 | 48 8D 15 94 35 FF FF  | lea rdx, qword ptr ds:[6BFB60]
00000000006CC5CC | 49 8B CF              | mov rcx, r15
00000000006CC5CF | E8 1C A5 FF FF        | call hardlock.6C6AF0
00000000006CC5D4 | 84 C0                 | test al, al
00000000006CC5D6 | 74 0E                 | je hardlock.6CC5E6
00000000006CC5D8 | 44 39 6C 24 4C        | cmp dword ptr ss:[rsp+4C], r13d
00000000006CC5DD | 74 07                 | je hardlock.6CC5E6
00000000006CC5DF | 81 4B 58 80 00 00 00  | or dword ptr ds:[rbx+58], 80
00000000006CC5E6 | 48 8D 54 24 50        | lea rdx, qword ptr ss:[rsp+50]
00000000006CC5EB | 48 8D 4C 24 54        | lea rcx, qword ptr ss:[rsp+54]
00000000006CC5F0 | 45 33 C9              | xor r9d, r9d
00000000006CC5F3 | 45 33 C0              | xor r8d, r8d
00000000006CC5F6 | FB                    | sti                              ; problem!
00000000006CC5F7 | E8 6A E4 FE FF        | call hardlock.6BAA66
00000000006CC5FC | 44 8B 5C 24 54        | mov r11d, dword ptr ss:[rsp+54]
00000000006CC601 | 41 C1 E3 08           | shl r11d, 8
00000000006CC605 | 44 03 5C 24 50        | add r11d, dword ptr ss:[rsp+50]
...
--- snip ---
'cli' and 'sti' are handled in the 32-bit case:
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#...
--- snip ---
/***********************************************************************
 *           emulate_instruction
 *
 * Emulate a privileged instruction.
 * Returns exception continuation status.
 */
static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
{
    ...

    case 0xfa: /* cli */
    case 0xfb: /* sti */
        context->Eip += prefixlen + 1;
        return ExceptionContinueExecution;
    }
    return ExceptionContinueSearch;  /* Unable to emulate it */
}
--- snip ---
but not in the 64-bit case:
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#...
--- snip ---
/***********************************************************************
 *           emulate_instruction
 *
 * Emulate a privileged instruction.
 * Returns exception continuation status.
 */
static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
{
    ...
    case 0xa0: /* mov Ob, AL */
    case 0xa1: /* mov Ovqp, rAX */
    ...
    }
    return ExceptionContinueSearch;  /* Unable to emulate it */
}
--- snip ---
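The 32-bit handler above treats cli/sti as no-ops and simply steps Eip past any prefix bytes and the opcode; the analogous change for the 64-bit case would add the same two cases and advance context->Rip. The following stand-alone program is an added illustration of that logic and is not Wine's code: MiniContext, emulate_instruction64 and the demo_* helpers are invented for the example, Rip is treated as an offset into a byte buffer rather than a virtual address, and the sample bytes are the ones from the disassembly in this report around the faulting 'sti' (6CC5F0..6CC5FB), plus a constructed prefixed 'cli'.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the part of a CONTEXT the emulator touches (assumption: not
 * the real Win32 type). Rip is an offset into the code buffer here. */
typedef struct {
    uint64_t Rip;
} MiniContext;

enum { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 };

/* Legacy x86-64 prefix bytes that may precede an opcode. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x66: case 0x67:                       /* operand / address size */
    case 0xf0: case 0xf2: case 0xf3:            /* lock, repne, rep        */
    case 0x26: case 0x2e: case 0x36: case 0x3e: /* segment overrides       */
    case 0x64: case 0x65:
        return 1;
    default:
        return 0;
    }
}

/* Emulate a faulting privileged instruction at ctx->Rip. User-mode code
 * cannot change the interrupt flag, so cli/sti are no-ops: the only work
 * is to step Rip past the prefixes and the opcode byte. Anything else is
 * declined so the next exception handler gets a chance. */
int emulate_instruction64(const uint8_t *code, size_t len, MiniContext *ctx)
{
    size_t pos = (size_t)ctx->Rip;
    size_t prefixlen = 0;

    while (pos + prefixlen < len && is_legacy_prefix(code[pos + prefixlen]))
        prefixlen++;
    /* A REX prefix (0x40-0x4f) may follow the legacy prefixes in 64-bit mode. */
    if (pos + prefixlen < len && (code[pos + prefixlen] & 0xf0) == 0x40)
        prefixlen++;
    if (pos + prefixlen >= len)
        return ExceptionContinueSearch;

    switch (code[pos + prefixlen]) {
    case 0xfa: /* cli */
    case 0xfb: /* sti */
        ctx->Rip += prefixlen + 1;
        return ExceptionContinueExecution;
    }
    return ExceptionContinueSearch; /* unable to emulate it */
}

/* Bytes taken from the disassembly in the report, 6CC5F0..6CC5FB. Offset 6
 * is the 'sti' that raised the unhandled privileged instruction. */
static const uint8_t sample_code[] = {
    0x45, 0x33, 0xC9,             /* xor r9d, r9d */
    0x45, 0x33, 0xC0,             /* xor r8d, r8d */
    0xFB,                         /* sti          */
    0xE8, 0x6A, 0xE4, 0xFE, 0xFF, /* call rel32   */
};

/* Fault at the 'sti': returns the offset execution resumes at, or -1. */
long demo_sti_skip(void)
{
    MiniContext ctx = { 6 };
    if (emulate_instruction64(sample_code, sizeof sample_code, &ctx) != ExceptionContinueExecution)
        return -1;
    return (long)ctx.Rip; /* 7: the 'call' right after the 'sti' */
}

/* Fault at the leading 'xor' instead: not cli/sti, so the emulator must
 * decline and leave Rip untouched. Returns 1 when it behaves that way. */
long demo_unknown_opcode(void)
{
    MiniContext ctx = { 0 };
    int status = emulate_instruction64(sample_code, sizeof sample_code, &ctx);
    return (status == ExceptionContinueSearch && ctx.Rip == 0) ? 1 : 0;
}

/* Constructed input: an operand-size prefix in front of 'cli'. The prefix
 * must be counted so Rip lands on the following 'nop' (offset 2). */
long demo_prefixed_cli(void)
{
    const uint8_t code[] = { 0x66, 0xFA, 0x90 };
    MiniContext ctx = { 0 };
    if (emulate_instruction64(code, sizeof code, &ctx) != ExceptionContinueExecution)
        return -1;
    return (long)ctx.Rip;
}

int main(void)
{
    printf("sti at offset 6 -> resume at offset %ld\n", demo_sti_skip());
    printf("non-privileged opcode declined: %ld\n", demo_unknown_opcode());
    printf("66 FA -> resume at offset %ld\n", demo_prefixed_cli());
    return 0;
}
```

The prefix scan matters because the fault address points at the first byte of the instruction, prefixes included; skipping only one byte after a prefixed cli/sti would resume in the middle of the instruction.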
ProtectionID scan for documentation:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Scanning -> Z:\home\focht\Downloads\HASPUserSetup.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 14533512 (0DDC388h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x004000F8 | -
[TimeStamp] 0x4B96E620 -> Wed 10th Mar 2010 00:21:52 (GMT) | Export | - | Offset: 0x00012ED4 | VA: 0x004146D4 | -
-> File Appears to be Digitally Signed @ Offset 0DDAA00h, size : 01988h / 06536 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 3 recorded... 0 invalid addresses)
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0 | Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0 | Count 0x0 (0)
[LoadConfig] GuardLongJumpTargetTable 0xFFFFFFFE | Count 0x0 (0)
[LoadConfig] HybridMetadataPointer 0xFFFFFF88 | DynamicValueRelocTable 0x0
[LoadConfig] FailFastIndirectProc 0xFFFFFFFE | FailFastPointer 0x407A0A
[LoadConfig] UnknownZero1 0x407A0E
[File Heuristics] -> Flag #1 : 00000000000001001100000100000100 (0x0004C104)
[Entrypoint Section Entropy] : 6.53 (section #0) ".text " | Size : 0xF208 (61960) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 5 (0x5) | ImageSize 0xDEF000 (14610432) byte(s)
[Export] 100% of function(s) (6 of 6) are in file | 0 are forwarded | 6 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] File Description : Sentinel Runtime
[VersionInfo] File Version : 6.60.1.36770
[VersionInfo] Legal Copyrights : SafeNet Inc.
[ModuleReport] [IAT] Modules -> WSOCK32.dll | VERSION.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | SHELL32.dll
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99B54 / Offset: 0x00D85B54
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99BEC / Offset: 0x00D85BEC
[CdKeySerial] found "Evaluation version" @ VA: 0x00DCE8DC / Offset: 0x00DBA8DC
[CdKeySerial] found "Serial Number" @ VA: 0x00DCF3C9 / Offset: 0x00DBB3C9
[CompilerDetect] -> Visual C++ 9.0 (Visual Studio 2008)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 2.518 Second(s) [0000009B2h (2482) tick(s)] [506 of 580 scan(s) done]
--- snip ---
--- snip ---
Scanning -> Z:\home\focht\Downloads\hardlock.sys
File Type : 64-Bit Driver (good checksum) (Subsystem : Native / 1), Size : 331328 (050E40h) Byte(s) | Machine: 0x8664 (AMD64)
Compilation TimeStamp : 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT) | PE Header | - | Offset: 0x00000000:000000E8 | VA: 0x00000000:000100E8 | -
-> File Appears to be Digitally Signed @ Offset 04F600h, size : 01840h / 06208 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xAA60 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46AB40
[LoadConfig] GuardAddressTakenIatEntryTable 0x46AC88:02000011 | Count 0x46AE9C02000011 (463222033554449)
[LoadConfig] GuardLongJumpTargetTable 0x46AF38:08000011 | Count 0x46AFE008000011 (4632544134217745)
[LoadConfig] HybridMetadataPointer 0x46A66C:08000011 | DynamicValueRelocTable 0x8000011:0046B0A8
[LoadConfig] FailFastIndirectProc 0x8000011:0046B264 | FailFastPointer 0x8000011:0046B2FC
[LoadConfig] UnknownZero1 0x8000011 46B448
[File Heuristics] -> Flag #1 : 00000000000000011100000000010111 (0x0001C017)
[Entrypoint Section Entropy] : 4.38 (section #7) ".init " | Size : 0x1600 (5632) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 8 (0x8) | ImageSize 0x4F600 (325120) byte(s)
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] Product Name : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] Product Version : 3.83
[VersionInfo] File Description : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] File Version : 3.83
[VersionInfo] Original FileName : hardlock.sys
[VersionInfo] Internal Name : hardlock.sys
[VersionInfo] Legal Copyrights : © 2013 SafeNet. Inc. All rights reserved.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.321 Second(s) [000000141h (321) tick(s)] [134 of 580 scan(s) done]
--- snip ---
With that fix in place the driver loads successfully (at least it doesn't crash), but the HASP installer runs into the next problem with another 64-bit kernel driver.
$ sha1sum HASPUserSetup.*
fa5f85d8dfbef3188087f1b6fb0ec81a16e6a26d  HASPUserSetup.exe
d486f63c0444e3a42b81a74ab52f99c45432e9e1  HASPUserSetup.zip

$ du -sh HASPUserSetup.*
14M     HASPUserSetup.exe
14M     HASPUserSetup.zip

$ wine --version
wine-3.13
Regards