http://bugs.winehq.org/show_bug.cgi?id=22797
Summary: BoxedApp sample apps fail on Wine
Product: Wine
Version: 1.1.44
Platform: x86
URL: http://www.boxedapp.com/boxedappsdk/download.html
OS/Version: Linux
Status: NEW
Keywords: download
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: dank@kegel.com
BoxedApp is an SDK used by some debugging tools (dxprof in particular) to hook function calls and emulate filesystem operations. (It's a bit like Thinstall, which does work with Wine, thanks to Ge's efforts.)
I tried their four sample apps. Sample1_DLLEmbedding.exe crashes after you click the 'call function' button; evidently the LoadLibrary hooking didn't work. Samples 2 and 3 crash faster. Sample 4 seems to run (but might not do exactly what it should).
I'll attach a +relay,+seh log of sample 1 running. It seems to use mpr.dll as part of its magic.
--- Comment #1 from Dan Kegel dank@kegel.com 2010-05-20 16:36:13 ---
Created an attachment (id=28139) --> (http://bugs.winehq.org/attachment.cgi?id=28139)
rzipped +relay,+seh of wine Sample1_DLLEmbedding.exe
Dmitry Timoshkov dmitry@codeweavers.com changed:
What     |Removed                          |Added
----------------------------------------------------------------------------
Summary  |BoxedApp sample apps fail on Wine|BoxedApp sample apps fail
Andrew Nguyen arethusa26@gmail.com changed:
What                       |Removed     |Added
----------------------------------------------------------------------------
Attachment #28139 mime type|text/plain  |application/octet-stream
--- Comment #2 from Austin English austinenglish@gmail.com 2012-08-02 18:01:51 CDT ---
Sample 1 no longer crashes, but does exit with status 13.
Sample 2 crashes.
Sample 3/4 get: fixme:process:WinExec Strange error set by CreateProcess: 193
then say 'Press Ctrl + C' to finish.
wine-1.5.10.
Anastasius Focht focht@gmx.net changed:
What     |Removed                                           |Added
----------------------------------------------------------------------------
Keywords |                                                  |obfuscation
URL      |http://www.boxedapp.com/boxedappsdk/download.html |http://www.download3k.ru/DownloadLink1-BoxedApp-SDK.html
CC       |                                                  |focht@gmx.net
Summary  |BoxedApp sample apps fail                         |BoxedApp (native API application virtualization scheme) SDK v3.3.x examples fail
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
'Sample1_DLLEmbedding.exe' suffers from bug 33236
The process examples might suffer from bug 23451
There are still many examples in the SDK .. so find an example that exhibits something new :)
Regards
Anastasius Focht focht@gmx.net changed:
What      |Removed   |Added
----------------------------------------------------------------------------
Component |-unknown  |ntdll
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
Revisiting, likely still present. Still needs a singled-out issue.
$ sha1sum boxedappsdk__demo__3_3_5_7.zip
bfbdd0df4526cd34615a8d13a788a6cdc8713041  boxedappsdk__demo__3_3_5_7.zip

$ du -sh boxedappsdk__demo__3_3_5_7.zip
25M     boxedappsdk__demo__3_3_5_7.zip

$ wine --version
wine-5.7-170-gd1f858e03d
Regards
Anastasius Focht focht@gmx.net changed:
What          |Removed                                                                          |Added
----------------------------------------------------------------------------
Status        |NEW                                                                              |RESOLVED
Resolution    |---                                                                              |FIXED
Summary       |BoxedApp (native API application virtualization scheme) SDK v3.3.x examples fail |'Sample1_DLLEmbedding' example from BoxedApp SDK v3.3.x (native API application virtualization scheme) crashes (needs hookable NtXXXSection API entries / NT syscalls)
Fixed by SHA1 |                                                                                 |75e616d52b452d37cc93f492d47eba641f9741c1
--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
reworking this meta-bug into something more useful.
Taking 'Sample1_DLLEmbedding.exe'.
--- snip ---
...
0009:Call KERNEL32.LoadLibraryA(00434704 "DLL1.dll") ret=0040120c
warn:ntdll:NtQueryAttributesFile L"\??\Z:\home\focht\Downloads\DemoApplications\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\system32\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\system\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\Z:\home\focht\Downloads\DemoApplications\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\system32\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\??\C:\windows\system32\wbem\DLL1.dll" not found (c0000034)
0009:Ret  KERNEL32.LoadLibraryA() retval=00000000 ret=0040120c
0009:Call KERNEL32.GetProcAddress(00000000,00434890 "Function") ret=0040121a
0009:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=0040121a
trace:ntdll:NtQueryInformationProcess (0xffffffff,0x00000022,0x32eb60,0x00000004,(nil))
trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0009
trace:seh:raise_exception  info[0]=00000000
trace:seh:raise_exception  info[1]=00000000
trace:seh:raise_exception  eax=00000000 ebx=00000001 ecx=0032fd48 edx=c0000001 esi=00000000 edi=0032fd48
trace:seh:raise_exception  ebp=0032eef0 esp=0032eedc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
trace:seh:call_vectored_handlers calling handler at 0x10013e10 code=c0000005 flags=0
trace:seh:call_vectored_handlers handler at 0x10013e10 returned 0
trace:seh:call_stack_handlers calling handler at 0x431851 code=c0000005 flags=0
--- snip ---
The sandbox scheme hooks a number of native APIs to virtualize the filesystem, registry, etc.
Original:

--- snip ---
<ntdll.LdrLoadDll>:
7BC56C30 8BFF           MOV EDI,EDI
7BC56C32 55             PUSH EBP
7BC56C33 8BEC           MOV EBP,ESP
7BC56C35 5D             POP EBP
7BC56C36 8D4C24 04      LEA ECX,DWORD PTR SS:[ESP+4]
7BC56C3A 83E4 F0        AND ESP,FFFFFFF0
...
--- snip ---
Hooked:

--- snip ---
<ntdll.LdrLoadDll>:
7BC56C30 E9 CB9348FF    JMP 7B0E0000
7BC56C35 5D             POP EBP
7BC56C36 8D4C24 04      LEA ECX,DWORD PTR SS:[ESP+4]
7BC56C3A 83E4 F0        AND ESP,FFFFFFF0
7BC56C3D FF71 FC        PUSH DWORD PTR DS:[ECX-4]
7BC56C40 89C8           MOV EAX,ECX
7BC56C42 55             PUSH EBP
7BC56C43 89E5           MOV EBP,ESP
7BC56C45 57             PUSH EDI
7BC56C46 56             PUSH ESI
7BC56C47 53             PUSH EBX
7BC56C48 E8 0390FCFF    CALL ntdll.__x86.get_pc_thunk.bx
...
7B0E0000 E9 1B0AF394    JMP bxsdk32.10010A20
...
7B0D0000 8BFF           MOV EDI,EDI
7B0D0002 55             PUSH EBP
7B0D0003 8BEC           MOV EBP,ESP
7B0D0005 E9 2B6CB800    JMP ntdll.7BC56C35
--- snip ---
--- snip ---
10010A20 55             PUSH EBP
10010A21 8BEC           MOV EBP,ESP
10010A23 83E4 F8        AND ESP,FFFFFFF8
10010A26 83EC 4C        SUB ESP,4C
10010A29 53             PUSH EBX
10010A2A 56             PUSH ESI
10010A2B 57             PUSH EDI
10010A2C FF15 54200C10  CALL DWORD PTR DS:[<&KERNEL32.GetLastError>]
10010A32 8B7D 10        MOV EDI,DWORD PTR SS:[EBP+10]
10010A35 894424 18      MOV DWORD PTR SS:[ESP+18],EAX
10010A39 A1 60EA0D10    MOV EAX,DWORD PTR DS:[100DEA60]
10010A3E 57             PUSH EDI
10010A3F 8D7424 40      LEA ESI,DWORD PTR SS:[ESP+40]
10010A43 894424 18      MOV DWORD PTR SS:[ESP+18],EAX
10010A47 E8 B405FFFF    CALL bxsdk32.10001000
10010A4C 8B75 14        MOV ESI,DWORD PTR SS:[EBP+14]
10010A4F 8B0D 60EA0D10  MOV ECX,DWORD PTR DS:[100DEA60]
10010A55 8B5D 0C        MOV EBX,DWORD PTR SS:[EBP+C]
10010A58 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
10010A5B 8B81 840C0000  MOV EAX,DWORD PTR DS:[ECX+C84]
10010A61 83C4 04        ADD ESP,4
10010A64 56             PUSH ESI
10010A65 57             PUSH EDI
10010A66 81C1 840C0000  ADD ECX,0C84
10010A6C 53             PUSH EBX
10010A6D 52             PUSH EDX
10010A6E 8B50 24        MOV EDX,DWORD PTR DS:[EAX+24]
10010A71 FFD2           CALL EDX
10010A73 FFD0           CALL EAX                ; org API entry continuation 7B0D0000
...
--- snip ---
Some 'NtXXXSection' native API entries involved in the module loading sequence were not hot-patchable.
--- snip ---
load_native_dll:
7BC54720 55                 PUSH EBP
7BC54721 89E5               MOV EBP,ESP
7BC54723 57                 PUSH EDI
7BC54724 89D7               MOV EDI,EDX
7BC54726 56                 PUSH ESI
7BC54727 89CE               MOV ESI,ECX
7BC54729 53                 PUSH EBX
7BC5472A E8 21B5FCFF        CALL ntdll.__x86.get_pc_thunk.bx
7BC5472F 81C3 D1380800      ADD EBX,838D1
7BC54735 81EC DC010000      SUB ESP,1DC
7BC5473B 8985 40FEFFFF      MOV DWORD PTR SS:[EBP-1C0],EAX
7BC54741 C785 54FEFFFF 00   MOV DWORD PTR SS:[EBP-1AC],0
7BC5474B F683 30990000 08   TEST BYTE PTR DS:[EBX+9930],8
7BC54752 0F85 D8000000      JNZ ntdll.7BC54830
7BC54758 83EC 04            SUB ESP,4
7BC5475B 8D85 50FEFFFF      LEA EAX,DWORD PTR SS:[EBP-1B0]
7BC54761 C785 60FEFFFF 00   MOV DWORD PTR SS:[EBP-1A0],0
7BC5476B 56                 PUSH ESI
7BC5476C 8DB5 60FEFFFF      LEA ESI,DWORD PTR SS:[EBP-1A0]
7BC54772 68 00000001        PUSH 1000000
7BC54777 6A 20              PUSH 20
7BC54779 56                 PUSH ESI
7BC5477A 6A 00              PUSH 0
7BC5477C 68 0D000F00        PUSH 0F000D
7BC54781 50                 PUSH EAX
7BC54782 C785 64FEFFFF 00   MOV DWORD PTR SS:[EBP-19C],0
7BC5478C E8 FF2F0400        CALL ntdll.NtCreateSection     ; problem
--- snip ---
Original:
--- snip ---
<ntdll.NtCreateSection>:
7BC97790 8D4C24 04      LEA ECX,DWORD PTR SS:[ESP+4]
7BC97794 83E4 F0        AND ESP,FFFFFFF0
7BC97797 FF71 FC        PUSH DWORD PTR DS:[ECX-4]
7BC9779A 55             PUSH EBP
7BC9779B 89E5           MOV EBP,ESP
7BC9779D 57             PUSH EDI
7BC9779E 56             PUSH ESI
7BC9779F 53             PUSH EBX
7BC977A0 E8 AB84F8FF    CALL ntdll.__x86.get_pc_thunk.bx
7BC977A5 81C3 5B080400  ADD EBX,4085B
--- snip ---
Hooked:
--- snip ---
<ntdll.NtCreateSection>:
7BC97790 E9 6B88E5FF    JMP 7BAF0000
7BC97795 E4 F0          IN AL,0F0
7BC97797 FF71 FC        PUSH DWORD PTR DS:[ECX-4]
7BC9779A 55             PUSH EBP
7BC9779B 89E5           MOV EBP,ESP
7BC9779D 57             PUSH EDI
7BC9779E 56             PUSH ESI
7BC9779F 53             PUSH EBX
7BC977A0 E8 AB84F8FF    CALL ntdll.__x86.get_pc_thunk.bx
7BC977A5 81C3 5B080400  ADD EBX,4085B
7BC977AB 51             PUSH ECX
7BC977AC 81EC A8000000  SUB ESP,0A8
--- snip ---
Starting with commit https://source.winehq.org/git/wine.git/commitdiff/e3e477e6a14fbcb153258b47d1... ("ntdll: Use syscall thunks for virtual memory functions."), these native APIs became hookable. Part of the Wine 5.13 release.
Also referenced in bug 33162 ("Acrobat Reader 11 crashes on start (native API application virtualization, NtProtectVirtualMemory removes execute page protection on its own code)").
--- snip ---
7BC0B710 B8 18000000    MOV EAX,18
7BC0B715 BA 00C0C07B    MOV EDX,7BC0C000
7BC0B71A FFD2           CALL EDX
7BC0B71C C2 1C00        RETN 1C
--- snip ---

--- snip ---
7BC0B710 E9 EB48EEFF    JMP 7BAF0000
7BC0B715 BA 00C0C07B    MOV EDX,7BC0C000
7BC0B71A FFD2           CALL EDX
7BC0B71C C2 1C00        RETN 1C
--- snip ---

--- snip ---
7BAF0000 E9 2B78E384    JMP 00927830
--- snip ---
The example still crashed after this. There was a bug which got fixed with https://source.winehq.org/git/wine.git/commitdiff/75e616d52b452d37cc93f492d4... ("ntdll: Clear the syscall frame on return instead of popping the previous one."), part of the Wine 5.16 release.
Thanks Alexandre.
After that, the example works as designed. Using that as resolution.
$ sha1sum boxedappsdk__demo__3_3_5_7.zip
bfbdd0df4526cd34615a8d13a788a6cdc8713041  boxedappsdk__demo__3_3_5_7.zip

$ du -sh boxedappsdk__demo__3_3_5_7.zip
25M     boxedappsdk__demo__3_3_5_7.zip

$ wine --version
wine-5.20
Regards
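Added example (not from the bug report, BoxedApp or Wine): a C check that makes the hot-patchability point of the comment above concrete. A minimal length decoder for only the opcodes in those dumps finds the first instruction boundary at or past 5 bytes (5 for the MOV EDI,EDI / PUSH EBP / MOV EBP,ESP prologue and for the MOV EAX,imm32 syscall thunk; 7 for the old NtCreateSection prologue, whose AND ESP,FFFFFFF0 a 5-byte JMP tears into the IN AL,0F0 seen above), and an integrity check recovers the target of a JMP rel32 written over an entry. Function names are the example's own; the byte arrays are transcribed from the disassembly above.

```c
#include <stddef.h>
#include <stdint.h>

/* Size of a ModRM operand (with SIB/displacement), 32-bit addressing. */
static int modrm_len(const uint8_t *p) {
    int mod = p[0] >> 6, rm = p[0] & 7, len = 1;
    if (mod != 3 && rm == 4) { len++; if (mod == 0 && (p[1] & 7) == 5) len += 4; }
    if (mod == 1) len += 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;
    return len;
}

/* Length decoder for just the opcodes in the dumps above; 0 = refuse to guess. */
static int insn_len(const uint8_t *p) {
    if (p[0] >= 0x50 && p[0] <= 0x5F) return 1;                   /* PUSH/POP r32 */
    if (p[0] >= 0xB8 && p[0] <= 0xBF) return 5;                   /* MOV r32,imm32 */
    switch (p[0]) {
    case 0x89: case 0x8B: case 0x8D: return 1 + modrm_len(p + 1); /* MOV, LEA */
    case 0x83:                       return 2 + modrm_len(p + 1); /* AND r/m32,imm8 */
    case 0xFF:                       return 1 + modrm_len(p + 1); /* CALL/PUSH r/m32 */
    case 0xE8: case 0xE9:            return 5;                    /* CALL/JMP rel32 */
    default:                         return 0;
    }
}

/* First instruction boundary at or past 5 (the JMP rel32 size). 5: a 5-byte JMP
 * replaces whole instructions; >5: it tears the instruction straddling offset 5;
 * -1: an opcode this decoder does not know (or the buffer ran out). */
int hotpatch_boundary(const uint8_t *code, size_t n) {
    size_t off = 0;
    while (off < 5) {
        int l = off < n ? insn_len(code + off) : 0;
        if (!l) return -1;
        off += l;
    }
    return (int)off;
}

/* Integrity check: absolute target of a JMP rel32 at the entry, 0 if there is none.
 * rel32 is relative to the end of the 5-byte JMP; uint32 wrap-around does the signed add. */
uint32_t jmp_target(uint32_t entry_va, const uint8_t *code) {
    if (code[0] != 0xE9) return 0;
    uint32_t rel = code[1] | code[2] << 8 | code[3] << 16 | (uint32_t)code[4] << 24;
    return entry_va + 5 + rel;
}

/* Entry bytes transcribed from the disassembly in the comment above. */
const uint8_t ldrloaddll_orig[]        = {0x8B,0xFF,0x55,0x8B,0xEC,0x5D,0x8D,0x4C,0x24,0x04};
const uint8_t ntcreatesection_orig[]   = {0x8D,0x4C,0x24,0x04,0x83,0xE4,0xF0,0xFF,0x71,0xFC};
const uint8_t syscall_thunk[]          = {0xB8,0x18,0x00,0x00,0x00,0xBA,0x00,0xC0,0xC0,0x7B};
const uint8_t ldrloaddll_hooked[]      = {0xE9,0xCB,0x93,0x48,0xFF};
const uint8_t ntcreatesection_hooked[] = {0xE9,0x6B,0x88,0xE5,0xFF};
```

A boundary of 7 for the old NtCreateSection entry is exactly why the hook engine, which copies and redirects only 5 bytes, left a torn instruction behind; the syscall thunk's MOV EAX,imm32 gives it the 5-byte boundary it expects.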
Alexandre Julliard julliard@winehq.org changed:
What    |Removed   |Added
----------------------------------------------------------------------------
Status  |RESOLVED  |CLOSED
--- Comment #6 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.21.