https://bugs.winehq.org/show_bug.cgi?id=37852
Bug ID: 37852
Summary: Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to start)
Product: Wine
Version: 1.7.33
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 30220
No, we don't need to emulate I/O ... the opcode from crash https://bugs.winehq.org/show_bug.cgi?id=30220#c7 is actually an ASCII string.
The kernel driver is not only heavily obfuscated but also has an own imports resolver which fails to cope with Wine's forwards to 'ntdll.dll'.
--- snip ---
...
0054670E 68 18FA5A00      PUSH 005AFA18 ; UNICODE "\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt"
00546713 8D45 DC          LEA EAX,[EBP-24]
00546716 50               PUSH EAX
00546717 C1EF 40          SHR EDI,40
0054671A FF15 28F65A00    CALL DWORD PTR DS:[5AF628]
00546720 8D36             LEA ESI,[ESI]
...
--- snip ---
The driver's own IAT, dumped from memory:
--- snip ---
...
005AF3FC 00000000
005AF400 F761EC0C ; hal.KfAcquireSpinLock
005AF404 F761ED98 ; hal.KfReleaseSpinLock
005AF408 F761EE21 ; hal.HalGetBusData
005AF40C F761EFFA ; hal.KeGetCurrentIrql
005AF410 F761E928 ; hal.WRITE_PORT_UCHAR
005AF414 F761E820 ; hal.READ_PORT_UCHAR
005AF418 F761ED10 ; hal.KfRaiseIrql
005AF41C F761EC8C ; hal.KfLowerIrql
005AF420 F761E770 ; hal.KeStallExecutionProcessor
005AF424 00000000
005AF428 7ECE39B4 ; ntoskrnl_exe.KeBugCheck
005AF42C 7ECECD0C ; ntoskrnl_exe.IofCallDriver
005AF430 7ECE42A4 ; ntoskrnl_exe.KeReadStateEvent
005AF434 7ECE2070 ; ntoskrnl_exe.IoCancelIrp
005AF438 7ECE3AE8 ; ntoskrnl_exe.KeDelayExecutionThread
005AF43C 7ECECA85 ; ntoskrnl_exe.IoGetDeviceObjectPointer
005AF440 7ECEBED8 ; ntoskrnl_exe.IoBuildDeviceIoControlRequest
005AF444 7ED1073A ; ASCII "ntdll.RtlIntegerToUnicodeString"
005AF448 7ED0FE0F ; ASCII "ntdll.RtlAppendUnicodeStringToString"
005AF44C 7ECECE21 ; ntoskrnl_exe.IoGetConfigurationInformation
005AF450 7ECED88E ; ntoskrnl_exe.ExAllocatePoolWithTag
005AF454 7ED0FF5C ; ASCII "ntdll.RtlCompareMemory"
005AF458 7ECEDEB8 ; ntoskrnl_exe.KeInitializeEvent
005AF45C 7ED116CE ; ASCII "ntdll.ZwQueryInformationProcess"
005AF460 7ECEEBFD ; ntoskrnl_exe.MmMapIoSpace
005AF464 7ECE5BE8 ; ntoskrnl_exe.ObReferenceObjectByPointer
005AF468 7ECE25C4 ; ntoskrnl_exe.IoFileObjectType
005AF46C 7ECEC823 ; ntoskrnl_exe.IoCreateSymbolicLink
005AF470 7ECEC45A ; ntoskrnl_exe.IoCreateDevice
005AF474 7ECEF361 ; ntoskrnl_exe.PsGetVersion
005AF478 7ECEC6BE ; ntoskrnl_exe.IoDeleteDevice
005AF47C 7ECEC906 ; ntoskrnl_exe.IoDeleteSymbolicLink
005AF480 7ECEE15C ; ntoskrnl_exe.KeInitializeSpinLock
005AF484 7ECEDF3F ; ntoskrnl_exe.KeInitializeMutex
005AF488 7ED11DD4 ; ASCII "msvcrt.memmove"
005AF48C 7ED117DF ; ASCII "ntdll.ZwQueryValueKey"
005AF490 7ECED2CB ; ntoskrnl_exe.IoReportResourceUsage
005AF494 7ECEEFF2 ; ntoskrnl_exe.MmUnmapIoSpace
005AF498 7ED1134F ; ASCII "ntdll.ZwEnumerateValueKey"
005AF49C 7ED114DB ; ASCII "ntdll.ZwOpenKey"
005AF4A0 7ED119D9 ; ASCII "ntdll.ZwSetValueKey"
005AF4A4 7ECEF1F0 ; ntoskrnl_exe.ObfDereferenceObject
005AF4A8 7ECEDA29 ; ntoskrnl_exe.ExFreePool
005AF4AC 7ED1007D ; ASCII "ntdll.RtlCopyUnicodeString"
005AF4B0 7ED0FE34 ; ASCII "ntdll.RtlAppendUnicodeToString"
005AF4B4 7ED10B19 ; ASCII "ntdll.RtlQueryRegistryValues"
005AF4B8 7ED11DE3 ; ASCII "msvcrt.memset"
005AF4BC 7ED11E0A ; ASCII "msvcrt.sprintf"
005AF4C0 7ED11DC6 ; ASCII "msvcrt.memcpy"
005AF4C4 7ED0FDB0 ; ASCII "ntdll.RtlAnsiStringToUnicodeString"
005AF4C8 7ED1066D ; ASCII "ntdll.RtlInitAnsiString"
005AF4CC 7ECECDAC ; ntoskrnl_exe.IoGetRelatedDeviceObject
005AF4D0 7ECEF0D9 ; ntoskrnl_exe.ObReferenceObjectByHandle
005AF4D4 7ECEE3F4 ; ntoskrnl_exe.KeReleaseSemaphore
005AF4D8 7ECEBA2D ; ntoskrnl_exe.IoFreeIrp
005AF4DC 7ECEDE4C ; ntoskrnl_exe.KeGetCurrentThread
005AF4E0 7ECEB922 ; ntoskrnl_exe.IoAllocateIrp
005AF4E4 7ECEDB0D ; ntoskrnl_exe.ExInitializeResourceLite
005AF4E8 7ECE01AC ; ntoskrnl_exe.ExDeleteResourceLite
005AF4EC 7ECE4118 ; ntoskrnl_exe.KeLeaveCriticalRegion
005AF4F0 7ECDF184 ; ntoskrnl_exe.ExReleaseResourceLite
005AF4F4 7ECE3BC4 ; ntoskrnl_exe.KeEnterCriticalRegion
005AF4F8 7ECEB5A8 ; ntoskrnl_exe.IoReleaseCancelSpinLock
005AF4FC 7ECED768 ; ntoskrnl_exe.InterlockedExchange
005AF500 7ECEB538 ; ntoskrnl_exe.IoAcquireCancelSpinLock
005AF504 7ECE0020 ; ntoskrnl_exe.ExAcquireResourceExclusiveLite
005AF508 7ECEDDE0 ; ntoskrnl_exe.IoGetCurrentProcess
005AF50C 7ECE2A3C ; ntoskrnl_exe.IoIsSystemThread
005AF510 7ED11E5E ; ASCII "msvcrt.strlen"
005AF514 7ED111C1 ; ASCII "ntdll.ZwClose"
005AF518 7ECE2438 ; ntoskrnl_exe.IoDetachDevice
005AF51C 7ECEBD2A ; ntoskrnl_exe.IoFreeMdl
005AF520 7ECEEF82 ; ntoskrnl_exe.MmUnlockPages
005AF524 7ECE55E4 ; ntoskrnl_exe.MmUnmapLockedPages
005AF528 7ECE521C ; ntoskrnl_exe.MmMapLockedPages
005AF52C 7ECEEE8B ; ntoskrnl_exe.MmProbeAndLockPages
005AF530 7ECEBB3B ; ntoskrnl_exe.IoAllocateMdl
005AF534 7ED11BED ; ASCII "msvcrt._local_unwind2"
005AF538 7ED11BA4 ; ASCII "msvcrt._except_handler3"
005AF53C 7ECE4DFC ; ntoskrnl_exe.MmBuildMdlForNonPagedPool
005AF540 7ED10685 ; ASCII "ntdll.RtlInitString"
005AF544 7ED1168F ; ASCII "ntdll.ZwQueryInformationFile"
005AF548 7ECE4354 ; ntoskrnl_exe.KeReadStateSemaphore
005AF54C 7ECE067C ; ntoskrnl_exe.ExQueueWorkItem
005AF550 7ECEE0DE ; ntoskrnl_exe.KeInitializeSemaphore
005AF554 7ECEF2E3 ; ntoskrnl_exe.PsGetCurrentProcessId
005AF558 7ED11A69 ; ASCII "ntdll.ZwUnmapViewOfSection"
005AF55C 7ECE49DC ; ntoskrnl_exe.KeWaitForMultipleObjects
005AF560 7ECE0700 ; ntoskrnl_exe.ExRaiseException
005AF564 7ECEED07 ; ntoskrnl_exe.MmMapLockedPagesSpecifyCache
005AF568 7ED104B3 ; ASCII "ntdll.RtlFreeAnsiString"
005AF56C 7ED10DCC ; ASCII "ntdll.RtlUnicodeStringToAnsiString"
005AF570 7ECEEB67 ; ntoskrnl_exe.MmIsAddressValid
005AF574 7ECE5FDC ; ntoskrnl_exe.ProbeForRead
005AF578 7ED102B3 ; ASCII "ntdll.RtlEqualUnicodeString"
005AF57C 7ECE5B90 ; ntoskrnl_exe.ObOpenObjectByPointer
005AF580 7ED0F6FF ; ASCII "ntdll.DbgPrint"
005AF584 7ECE32D4 ; ntoskrnl_exe.IoSynchronousPageWrite
005AF588 7ECE2960 ; ntoskrnl_exe.IoGetTopLevelIrp
005AF58C 7ECEF478 ; ntoskrnl_exe.PsSetCreateProcessNotifyRoutine
005AF590 7ED11023 ; ASCII "ntdll.RtlWriteRegistryValue"
005AF594 7ECE6E20 ; ntoskrnl_exe.RtlCreateRegistryKey
005AF598 7ED0FF19 ; ASCII "ntdll.RtlCheckRegistryKey"
005AF59C 7ECE1F94 ; ntoskrnl_exe.IoAttachDeviceByPointer
005AF5A0 7ECE24BC ; ntoskrnl_exe.IoDeviceObjectType
005AF5A4 7ECEF268 ; ntoskrnl_exe.PsCreateSystemThread
005AF5A8 7ECE004C ; ntoskrnl_exe.ExAcquireResourceSharedLite
005AF5AC 7ECE68CC ; ntoskrnl_exe.PsProcessType
005AF5B0 7ECE6C68 ; ntoskrnl_exe.PsThreadType
005AF5B4 7ED113CD ; ASCII "ntdll.ZwFsControlFile"
005AF5B8 7ECE327C ; ntoskrnl_exe.IoStopTimer
005AF5BC 7ED104F4 ; ASCII "ntdll.RtlFreeUnicodeString"
005AF5C0 7ED11416 ; ASCII "ntdll.ZwLoadDriver"
005AF5C4 7ED11ABF ; ASCII "ntdll.ZwWriteFile"
005AF5C8 7ED11E50 ; ASCII "msvcrt.strcpy"
005AF5CC 7ED11E8A ; ASCII "msvcrt.strncpy"
005AF5D0 7ED11B30 ; ASCII "ntdll._alldiv"
005AF5D4 7ECDF33C ; ntoskrnl_exe.ExfInterlockedInsertTailList
005AF5D8 7ED11818 ; ASCII "ntdll.ZwReadFile"
005AF5DC 7ED102CF ; ASCII "ntdll.RtlExtendedIntegerMultiply"
005AF5E0 7ED10851 ; ASCII "ntdll.RtlLargeIntegerDivide"
005AF5E4 7ECDF3C0 ; ntoskrnl_exe.ExfInterlockedRemoveHeadList
005AF5E8 7ECEF572 ; ntoskrnl_exe.PsTerminateSystemThread
005AF5EC 7ECEE592 ; ntoskrnl_exe.KeSetPriorityThread
005AF5F0 7ECEE487 ; ntoskrnl_exe.KeQueryTimeIncrement
005AF5F4 7ED12FE8 ; OFFSET ntoskrnl_exe.KeTickCount
005AF5F8 7ED117C0 ; ASCII "ntdll.ZwQuerySystemInformation"
005AF5FC 7ECED800 ; ntoskrnl_exe.ExAllocatePool
005AF600 7ED112D9 ; ASCII "ntdll.ZwDeviceIoControlFile"
005AF604 7ED11215 ; ASCII "ntdll.ZwCreateFile"
005AF608 7ECEE506 ; ntoskrnl_exe.KeSetEvent
005AF60C 7ECEE67C ; ntoskrnl_exe.KeWaitForSingleObject
005AF610 7ECEE059 ; ntoskrnl_exe.KeReleaseMutex
005AF614 7ECEBAB6 ; ntoskrnl_exe.IoAllocateErrorLogEntry
005AF618 7ECE36C8 ; ntoskrnl_exe.IoWriteErrorLogEntry
005AF61C 7ECED650 ; ntoskrnl_exe.IofCompleteRequest
005AF620 7ED0FFA6 ; ASCII "ntdll.RtlCompareUnicodeString"
005AF624 7ED13000 ; OFFSET ntoskrnl_exe.KeServiceDescriptorTable
005AF628 7ED10699 ; ASCII "ntdll.RtlInitUnicodeString"
005AF62C 00000000
--- snip ---
Everything tagged 'ASCII' is an unresolved forwarded import.
The crash is due to 'ntdll.RtlInitUnicodeString' not being resolved.
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6  MTBen1610su.exe

$ du -sh MTBen1610su.exe
93M     MTBen1610su.exe

$ wine --version
wine-1.7.33-146-g102d893
Regards
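The failure mode described in this report, as an added example that is not part of the bug report, the driver, or Wine's code: a PE forwarded export is stored as an RVA that points at an ASCII "dll.function" string inside the export directory itself, and the PE loader recognises it only by checking that the RVA lies within the export data directory's [VirtualAddress, VirtualAddress + Size) range. A custom resolver that skips that range check hands the string's address out as a function pointer, which is exactly why the "opcode" at the crash site decodes as text and why the IAT dump above shows 'ASCII "ntdll.RtlInitUnicodeString"' where code should be. The Python below builds a minimal export directory for a constructed "ntoskrnl.exe" (the export names mirror the dump; the module layout, RVAs 0x1000/0x2000/0x2100, and the helper names are all assumptions for the demo) and contrasts a resolver without the check against one with it.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp,
# MajorVersion, MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)  # 40


def build_export_section(module_name, exports, export_rva):
    """Lay out a minimal export directory that will live at RVA `export_rva`.

    `exports` maps an export name to either an int (RVA of real code) or a
    str ("dll.func"), which is emitted the way the PE format defines a
    forwarder: as a NUL-terminated string stored inside the export directory,
    so its RVA falls within [export_rva, export_rva + size).
    Returns (blob, size); `size` plays the role of the data directory's Size.
    """
    names = sorted(exports)          # the PE name table is kept sorted
    n = len(names)
    funcs_off = EXPORT_DIR_SIZE
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    pool_off = ords_off + 2 * n
    pool = bytearray()

    def add_str(s):
        rva = export_rva + pool_off + len(pool)
        pool.extend(s.encode("ascii") + b"\0")
        return rva

    dll_name_rva = add_str(module_name)
    func_rvas, name_rvas = [], []
    for name in names:
        target = exports[name]
        func_rvas.append(add_str(target) if isinstance(target, str) else target)
        name_rvas.append(add_str(name))

    size = pool_off + len(pool)
    blob = bytearray(size)
    struct.pack_into(EXPORT_DIR_FMT, blob, 0, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                     export_rva + funcs_off, export_rva + names_off,
                     export_rva + ords_off)
    struct.pack_into("<%dI" % n, blob, funcs_off, *func_rvas)
    struct.pack_into("<%dI" % n, blob, names_off, *name_rvas)
    struct.pack_into("<%dH" % n, blob, ords_off, *range(n))
    blob[pool_off:] = pool
    return bytes(blob), size


def _cstr(image, rva):
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def _lookup_function_rva(image, export_rva, name):
    """Walk the name table and return the raw AddressOfFunctions entry."""
    fields = struct.unpack_from(EXPORT_DIR_FMT, image, export_rva)
    n_names, funcs, names, ords = fields[7], fields[8], fields[9], fields[10]
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        if _cstr(image, name_rva) == name:
            ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
            return struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return None


def naive_resolve(image, export_rva, name):
    """The driver's mistake on this page: every table entry is taken as code."""
    return _lookup_function_rva(image, export_rva, name)


def resolve_export(image, export_rva, export_size, name):
    """Correct: an RVA inside the export directory is a forwarder string."""
    rva = _lookup_function_rva(image, export_rva, name)
    if rva is None:
        return None
    if export_rva <= rva < export_rva + export_size:
        return ("forwarder", _cstr(image, rva))
    return ("code", rva)


# Constructed sample image: an "ntoskrnl.exe" whose export directory sits at
# RVA 0x1000; the names mirror the IAT dump above, the RVAs are made up.
EXPORT_RVA = 0x1000
_blob, EXPORT_SIZE = build_export_section("ntoskrnl.exe", {
    "ExAllocatePoolWithTag": 0x2000,
    "KeInitializeEvent": 0x2100,
    "RtlInitUnicodeString": "ntdll.RtlInitUnicodeString",  # forwarded, as in Wine
}, EXPORT_RVA)
IMAGE = bytes(EXPORT_RVA) + _blob + bytes(0x3000 - EXPORT_RVA - len(_blob))


def resolve_iat(names):
    """Resolve imported names both ways; shows what the crashing CALL saw."""
    out = {}
    for name in names:
        rva = naive_resolve(IMAGE, EXPORT_RVA, name)
        out[name] = {
            "correct": resolve_export(IMAGE, EXPORT_RVA, EXPORT_SIZE, name),
            # What a resolver without the range check would "call" at `rva`.
            "bytes_at_naive_target": IMAGE[rva:rva + 6],
        }
    return out


if __name__ == "__main__":
    for name, r in resolve_iat(["ExAllocatePoolWithTag", "RtlInitUnicodeString"]).items():
        print(name, r["correct"], r["bytes_at_naive_target"])
```

A loader that gets a "forwarder" result has to look the target up in the named module (here ntdll) rather than jump to the string; the range test against the export directory's Size is the whole of the check the driver's resolver was missing.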
Anastasius Focht focht@gmx.net changed:
What          Removed    Added
Keywords                 download, hardware, obfuscation
URL                      http://www.mesacg.com/Downloads/MTBen1610su.exe
--- Comment #1 from Stefan Leichter Stefan.Leichter@camLine.com ---
Created attachment 52591
--> https://bugs.winehq.org/attachment.cgi?id=52591
Use wrapper functions to forward several functions to ntdll
Hello Anastasius,
is this approach correct? The relay trace of winedevice after applying the patch is not as significantly long as before. I know several functions of the msvcrt dll need to be handled too.
super_man@post.com changed:
What          Removed    Added
CC                       focht@gmx.net, super_man@post.com
Anastasius Focht focht@gmx.net changed:
What          Removed    Added
See Also                 https://bugs.winehq.org/show_bug.cgi?id=44496

--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
obviously still present.
BattlEye 'BEDaisy' kernel driver also suffers from the general problem of forwards in 'ntoskrnl.exe'.
* bug 44496 ("BattlEye 'BEDaisy' kernel service custom imports resolver can't cope with 'ntoskrnl.exe' low-level (wc)string/copy helpers being forwarded to 'msvcrt.dll'") -> covers 'msvcrt' part
$ wine --version
wine-3.1-193-g354fa7eb79
Regards
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What          Removed    Added
Keywords                 patch

--- Comment #3 from Stefan Leichter Stefan.Leichter@camLine.com ---
https://source.winehq.org/git/wine.git/commitdiff/bf35c2612c3c2a166e540fb062... looks related
Anastasius Focht focht@gmx.net changed:
What            Removed    Added
Status          NEW        RESOLVED
Resolution      ---        FIXED
Fixed by SHA1              bf35c2612c3c2a166e540fb062b96e9f062131e1

--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/bf35c2612c3c2a166e540fb062...
Thanks Alexandre.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Minitab/Minitab 16

$ WINEDEBUG=+seh,+relay,+winedevice,+ntoskrnl wine ./Mtb.exe >>log.txt 2>&1
...
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0065fc74,007efa18 L"\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt") ret=00786720
0019:Call ntdll.RtlInitUnicodeString(0065fc74,007efa18 L"\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt") ret=7bc7e247
0019:Ret ntdll.RtlInitUnicodeString() retval=0065fc74 ret=7bc7e247
0019:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0065fc74 ret=00786720
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000084,36346b48) ret=00786748
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000084) ret=7ecce269
0019:Ret ntdll.RtlAllocateHeap() retval=0011cd08 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 132 pool 1 -> 0x11cd08
0019:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011cd08 ret=00786748
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000148,34356b48) ret=007879d7
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000148) ret=7ecce269
0019:Ret ntdll.RtlAllocateHeap() retval=0011d2e8 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 328 pool 1 -> 0x11d2e8
0019:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011d2e8 ret=007879d7
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0011d2e8,00000000) ret=00787a0f
0019:Call ntdll.RtlInitUnicodeString(0011d2e8,00000000) ret=7bc7e247
0019:Ret ntdll.RtlInitUnicodeString() retval=0011d2e8 ret=7bc7e247
0019:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0011d2e8 ret=00787a0f
...
--- snip ---
The driver still crashes but that's a different problem, actually another variant of bug 30220 (different register operand in opcode).
$ wine --version
wine-3.2-293-g0a72708126
Regards
Alexandre Julliard julliard@winehq.org changed:
What          Removed    Added
Status        RESOLVED   CLOSED

--- Comment #5 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 3.3.
Michael Stefaniuc mstefani@winehq.org changed:
What              Removed    Added
Target Milestone  ---        3.0.x
Michael Stefaniuc mstefani@winehq.org changed:
What              Removed    Added
Target Milestone  3.0.x      ---

--- Comment #6 from Michael Stefaniuc mstefani@winehq.org ---
Removing the 3.0.x milestone from bugs included in 3.0.1.
Anastasius Focht focht@gmx.net changed:
What          Removed                                            Added
URL           http://www.mesacg.com/Downloads/MTBen1610su.exe    https://web.archive.org/web/20210318190949/http://www.mesacg.com/Downloads/MTBen1610su.exe

--- Comment #7 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link via Internet Archive for documentation.
https://web.archive.org/web/20210318190949/http://www.mesacg.com/Downloads/M...
https://www.virustotal.com/gui/file/746d1df6609d0db8b9521861225baf3dfa8ea11e...
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6  MTBen1610su.exe

$ du -sh MTBen1610su.exe
93M     MTBen1610su.exe
Regards