New subject: [Bug 37852] Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being fowarded to 'ntdll.dll' (Minitab 16 fails to start)

5 Jan 2015


      https://bugs.winehq.org/show_bug.cgi?id=37852
Bug ID: 37852
           Summary: Sentinel HASP 'hardlock.sys' kernel driver custom
                    imports resolver can't cope with many 'ntoskrnl.exe'
                    functions being fowarded to 'ntdll.dll' (Minitab 16
                    fails to start)
           Product: Wine
           Version: 1.7.33
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
continuation of bug 30220
No, we don't need to emulate I/O ... the opcode from crash
https://bugs.winehq.org/show_bug.cgi?id=30220#c7 is actually an ASCII string.
The kernel driver is not only heavily obfuscated but also has an own imports
resolver which fails to cope with Wine's forwards to 'ntdll.dll'.
--- snip ---
...
0054670E  68 18FA5A00     PUSH 005AFA18 ; UNICODE
"\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt"
00546713  8D45 DC         LEA EAX,[EBP-24]
00546716  50              PUSH EAX
00546717  C1EF 40         SHR EDI,40
0054671A  FF15 28F65A00   CALL DWORD PTR DS:[5AF628]
00546720  8D36            LEA ESI,[ESI]
...
--- snip ---
The driver's own IAT, dumped from memory:
--- snip ---
...
005AF3FC   00000000
005AF400   F761EC0C  ; hal.KfAcquireSpinLock
005AF404   F761ED98  ; hal.KfReleaseSpinLock
005AF408   F761EE21  ; hal.HalGetBusData
005AF40C   F761EFFA  ; hal.KeGetCurrentIrql
005AF410   F761E928  ; hal.WRITE_PORT_UCHAR
005AF414   F761E820  ; hal.READ_PORT_UCHAR
005AF418   F761ED10  ; hal.KfRaiseIrql
005AF41C   F761EC8C  ; hal.KfLowerIrql
005AF420   F761E770  ; hal.KeStallExecutionProcessor
005AF424   00000000
005AF428   7ECE39B4  ; ntoskrnl_exe.KeBugCheck
005AF42C   7ECECD0C  ; ntoskrnl_exe.IofCallDriver
005AF430   7ECE42A4  ; ntoskrnl_exe.KeReadStateEvent
005AF434   7ECE2070  ; ntoskrnl_exe.IoCancelIrp
005AF438   7ECE3AE8  ; ntoskrnl_exe.KeDelayExecutionThread
005AF43C   7ECECA85  ; ntoskrnl_exe.IoGetDeviceObjectPointer
005AF440   7ECEBED8  ; ntoskrnl_exe.IoBuildDeviceIoControlRequest
005AF444   7ED1073A  ; ASCII "ntdll.RtlIntegerToUnicodeString"
005AF448   7ED0FE0F  ; ASCII "ntdll.RtlAppendUnicodeStringToString"
005AF44C   7ECECE21  ; ntoskrnl_exe.IoGetConfigurationInformation
005AF450   7ECED88E  ; ntoskrnl_exe.ExAllocatePoolWithTag
005AF454   7ED0FF5C  ; ASCII "ntdll.RtlCompareMemory"
005AF458   7ECEDEB8  ; ntoskrnl_exe.KeInitializeEvent
005AF45C   7ED116CE  ; ASCII "ntdll.ZwQueryInformationProcess"
005AF460   7ECEEBFD  ; ntoskrnl_exe.MmMapIoSpace
005AF464   7ECE5BE8  ; ntoskrnl_exe.ObReferenceObjectByPointer
005AF468   7ECE25C4  ; ntoskrnl_exe.IoFileObjectType
005AF46C   7ECEC823  ; ntoskrnl_exe.IoCreateSymbolicLink
005AF470   7ECEC45A  ; ntoskrnl_exe.IoCreateDevice
005AF474   7ECEF361  ; ntoskrnl_exe.PsGetVersion
005AF478   7ECEC6BE  ; ntoskrnl_exe.IoDeleteDevice
005AF47C   7ECEC906  ; ntoskrnl_exe.IoDeleteSymbolicLink
005AF480   7ECEE15C  ; ntoskrnl_exe.KeInitializeSpinLock
005AF484   7ECEDF3F  ; ntoskrnl_exe.KeInitializeMutex
005AF488   7ED11DD4  ; ASCII "msvcrt.memmove"
005AF48C   7ED117DF  ; ASCII "ntdll.ZwQueryValueKey"
005AF490   7ECED2CB  ; ntoskrnl_exe.IoReportResourceUsage
005AF494   7ECEEFF2  ; ntoskrnl_exe.MmUnmapIoSpace
005AF498   7ED1134F  ; ASCII "ntdll.ZwEnumerateValueKey"
005AF49C   7ED114DB  ; ASCII "ntdll.ZwOpenKey"
005AF4A0   7ED119D9  ; ASCII "ntdll.ZwSetValueKey"
005AF4A4   7ECEF1F0  ; ntoskrnl_exe.ObfDereferenceObject
005AF4A8   7ECEDA29  ; ntoskrnl_exe.ExFreePool
005AF4AC   7ED1007D  ; ASCII "ntdll.RtlCopyUnicodeString"
005AF4B0   7ED0FE34  ; ASCII "ntdll.RtlAppendUnicodeToString"
005AF4B4   7ED10B19  ; ASCII "ntdll.RtlQueryRegistryValues"
005AF4B8   7ED11DE3  ; ASCII "msvcrt.memset"
005AF4BC   7ED11E0A  ; ASCII "msvcrt.sprintf"
005AF4C0   7ED11DC6  ; ASCII "msvcrt.memcpy"
005AF4C4   7ED0FDB0  ; ASCII "ntdll.RtlAnsiStringToUnicodeString"
005AF4C8   7ED1066D  ; ASCII "ntdll.RtlInitAnsiString"
005AF4CC   7ECECDAC  ; ntoskrnl_exe.IoGetRelatedDeviceObject
005AF4D0   7ECEF0D9  ; ntoskrnl_exe.ObReferenceObjectByHandle
005AF4D4   7ECEE3F4  ; ntoskrnl_exe.KeReleaseSemaphore
005AF4D8   7ECEBA2D  ; ntoskrnl_exe.IoFreeIrp
005AF4DC   7ECEDE4C  ; ntoskrnl_exe.KeGetCurrentThread
005AF4E0   7ECEB922  ; ntoskrnl_exe.IoAllocateIrp
005AF4E4   7ECEDB0D  ; ntoskrnl_exe.ExInitializeResourceLite
005AF4E8   7ECE01AC  ; ntoskrnl_exe.ExDeleteResourceLite
005AF4EC   7ECE4118  ; ntoskrnl_exe.KeLeaveCriticalRegion
005AF4F0   7ECDF184  ; ntoskrnl_exe.ExReleaseResourceLite
005AF4F4   7ECE3BC4  ; ntoskrnl_exe.KeEnterCriticalRegion
005AF4F8   7ECEB5A8  ; ntoskrnl_exe.IoReleaseCancelSpinLock
005AF4FC   7ECED768  ; ntoskrnl_exe.InterlockedExchange
005AF500   7ECEB538  ; ntoskrnl_exe.IoAcquireCancelSpinLock
005AF504   7ECE0020  ; ntoskrnl_exe.ExAcquireResourceExclusiveLite
005AF508   7ECEDDE0  ; ntoskrnl_exe.IoGetCurrentProcess
005AF50C   7ECE2A3C  ; ntoskrnl_exe.IoIsSystemThread
005AF510   7ED11E5E  ; ASCII "msvcrt.strlen"
005AF514   7ED111C1  ; ASCII "ntdll.ZwClose"
005AF518   7ECE2438  ; ntoskrnl_exe.IoDetachDevice
005AF51C   7ECEBD2A  ; ntoskrnl_exe.IoFreeMdl
005AF520   7ECEEF82  ; ntoskrnl_exe.MmUnlockPages
005AF524   7ECE55E4  ; ntoskrnl_exe.MmUnmapLockedPages
005AF528   7ECE521C  ; ntoskrnl_exe.MmMapLockedPages
005AF52C   7ECEEE8B  ; ntoskrnl_exe.MmProbeAndLockPages
005AF530   7ECEBB3B  ; ntoskrnl_exe.IoAllocateMdl
005AF534   7ED11BED  ; ASCII "msvcrt._local_unwind2"
005AF538   7ED11BA4  ; ASCII "msvcrt._except_handler3"
005AF53C   7ECE4DFC  ; ntoskrnl_exe.MmBuildMdlForNonPagedPool
005AF540   7ED10685  ; ASCII "ntdll.RtlInitString"
005AF544   7ED1168F  ; ASCII "ntdll.ZwQueryInformationFile"
005AF548   7ECE4354  ; ntoskrnl_exe.KeReadStateSemaphore
005AF54C   7ECE067C  ; ntoskrnl_exe.ExQueueWorkItem
005AF550   7ECEE0DE  ; ntoskrnl_exe.KeInitializeSemaphore
005AF554   7ECEF2E3  ; ntoskrnl_exe.PsGetCurrentProcessId
005AF558   7ED11A69  ; ASCII "ntdll.ZwUnmapViewOfSection"
005AF55C   7ECE49DC  ; ntoskrnl_exe.KeWaitForMultipleObjects
005AF560   7ECE0700  ; ntoskrnl_exe.ExRaiseException
005AF564   7ECEED07  ; ntoskrnl_exe.MmMapLockedPagesSpecifyCache
005AF568   7ED104B3  ; ASCII "ntdll.RtlFreeAnsiString"
005AF56C   7ED10DCC  ; ASCII "ntdll.RtlUnicodeStringToAnsiString"
005AF570   7ECEEB67  ; ntoskrnl_exe.MmIsAddressValid
005AF574   7ECE5FDC  ; ntoskrnl_exe.ProbeForRead
005AF578   7ED102B3  ; ASCII "ntdll.RtlEqualUnicodeString"
005AF57C   7ECE5B90  ; ntoskrnl_exe.ObOpenObjectByPointer
005AF580   7ED0F6FF  ; ASCII "ntdll.DbgPrint"
005AF584   7ECE32D4  ; ntoskrnl_exe.IoSynchronousPageWrite
005AF588   7ECE2960  ; ntoskrnl_exe.IoGetTopLevelIrp
005AF58C   7ECEF478  ; ntoskrnl_exe.PsSetCreateProcessNotifyRoutine
005AF590   7ED11023  ; ASCII "ntdll.RtlWriteRegistryValue"
005AF594   7ECE6E20  ; ntoskrnl_exe.RtlCreateRegistryKey
005AF598   7ED0FF19  ; ASCII "ntdll.RtlCheckRegistryKey"
005AF59C   7ECE1F94  ; ntoskrnl_exe.IoAttachDeviceByPointer
005AF5A0   7ECE24BC  ; ntoskrnl_exe.IoDeviceObjectType
005AF5A4   7ECEF268  ; ntoskrnl_exe.PsCreateSystemThread
005AF5A8   7ECE004C  ; ntoskrnl_exe.ExAcquireResourceSharedLite
005AF5AC   7ECE68CC  ; ntoskrnl_exe.PsProcessType
005AF5B0   7ECE6C68  ; ntoskrnl_exe.PsThreadType
005AF5B4   7ED113CD  ; ASCII "ntdll.ZwFsControlFile"
005AF5B8   7ECE327C  ; ntoskrnl_exe.IoStopTimer
005AF5BC   7ED104F4  ; ASCII "ntdll.RtlFreeUnicodeString"
005AF5C0   7ED11416  ; ASCII "ntdll.ZwLoadDriver"
005AF5C4   7ED11ABF  ; ASCII "ntdll.ZwWriteFile"
005AF5C8   7ED11E50  ; ASCII "msvcrt.strcpy"
005AF5CC   7ED11E8A  ; ASCII "msvcrt.strncpy"
005AF5D0   7ED11B30  ; ASCII "ntdll._alldiv"
005AF5D4   7ECDF33C  ; ntoskrnl_exe.ExfInterlockedInsertTailList
005AF5D8   7ED11818  ; ASCII "ntdll.ZwReadFile"
005AF5DC   7ED102CF  ; ASCII "ntdll.RtlExtendedIntegerMultiply"
005AF5E0   7ED10851  ; ASCII "ntdll.RtlLargeIntegerDivide"
005AF5E4   7ECDF3C0  ; ntoskrnl_exe.ExfInterlockedRemoveHeadList
005AF5E8   7ECEF572  ; ntoskrnl_exe.PsTerminateSystemThread
005AF5EC   7ECEE592  ; ntoskrnl_exe.KeSetPriorityThread
005AF5F0   7ECEE487  ; ntoskrnl_exe.KeQueryTimeIncrement
005AF5F4   7ED12FE8  ; OFFSET ntoskrnl_exe.KeTickCount
005AF5F8   7ED117C0  ; ASCII "ntdll.ZwQuerySystemInformation"
005AF5FC   7ECED800  ; ntoskrnl_exe.ExAllocatePool
005AF600   7ED112D9  ; ASCII "ntdll.ZwDeviceIoControlFile"
005AF604   7ED11215  ; ASCII "ntdll.ZwCreateFile"
005AF608   7ECEE506  ; ntoskrnl_exe.KeSetEvent
005AF60C   7ECEE67C  ; ntoskrnl_exe.KeWaitForSingleObject
005AF610   7ECEE059  ; ntoskrnl_exe.KeReleaseMutex
005AF614   7ECEBAB6  ; ntoskrnl_exe.IoAllocateErrorLogEntry
005AF618   7ECE36C8  ; ntoskrnl_exe.IoWriteErrorLogEntry
005AF61C   7ECED650  ; ntoskrnl_exe.IofCompleteRequest
005AF620   7ED0FFA6  ; ASCII "ntdll.RtlCompareUnicodeString"
005AF624   7ED13000  ; OFFSET ntoskrnl_exe.KeServiceDescriptorTable
005AF628   7ED10699  ; ASCII "ntdll.RtlInitUnicodeString"
005AF62C   00000000
--- snip ---
Everything tagged 'ASCII' is an unresolved forwarded import.
The crash is due to 'ntdll.RtlInitUnicodeString' not being resolved.
$ sha1sum MTBen1610su.exe 
f457d13475a783a0d2fff5566c0279640ba26bc6  MTBen1610su.exe
$ du -sh MTBen1610su.exe 
93M    MTBen1610su.exe
$ wine --version
wine-1.7.33-146-g102d893
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 37852] New: Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being fowarded to 'ntdll.dll' (Minitab 16 fails to start)