https://bugs.winehq.org/show_bug.cgi?id=47062
Bug ID: 47062
Summary: Multiple E-Banking applications by KOBIL Systems GmbH crash on startup due to ntdll.NtQueryDirectoryObject '\KnownDlls' failure (MigrosBank EBanking 8.2.x, Sparda Bank SecureApp 1.x)
Product: Wine
Version: 4.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 47061
Stable links for current installers:
Sparda Bank SecureApp:
https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-p...
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/444c501236d5704e43ff5238a03b2c66a08eeba0...
---
MigrosBank EBanking app:
https://web.archive.org/web/20190422124354/https://download.migrosbank.ch/mi...
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/9cd93cc70c6a8b24dbf47a3d20c9a1ed5f634140...
---
Trace log:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Application Data/Sparda/AST-Client
$ WINEDEBUG=+seh,+relay wine ./SpardaSecureApp.exe >>log.txt 2>&1
...
002b:Call TLS callback (proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Call KERNEL32.VirtualAlloc(00000000,00000006,00003000,00000004) ret=2001256a
002b:Ret KERNEL32.VirtualAlloc() retval=00340000 ret=2001256a
002b:Call KERNEL32.VirtualAlloc(00000000,00000017,00003000,00000004) ret=2001258d
002b:Ret KERNEL32.VirtualAlloc() retval=00350000 ret=2001258d
002b:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
002b:Ret KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
002b:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread") ret=20012659
002b:Ret KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
...
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20010706
002b:Ret TLS callback (proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Starting process L"C:\users\focht\Application Data\Sparda\AST-Client\SpardaSecureApp.exe" (entryproc=0x2002954a)
...
002b:Call KERNEL32.LoadLibraryExW(20061890 L"api-ms-win-core-synch-l1-2-0",00000000,00000800) ret=2002e36c
002b:trace:ntdll:FILE_CreateFile handle=0x33f860 access=80100000 name=L"\??\C:\windows\system32\api-ms-win-core-synch-l1-2-0.dll" objattr=00000040 root=(nil) sec=(nil) io=0x33f870 alloc_size=(nil) attr=00000000 sharing=00000005 disp=1 options=00000060 ea=(nil).0x00000000
002b:Call LDR notification callback (proc=0x20010d80,reason=1,data=0x33fc5c,context=(nil))
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004) ret=20015ced
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fb30,00380112 L"\KnownDlls") ret=20015db1
002b:Ret ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fba8,00000003,0033fb64) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject (0x33fba8,0x00000003,{name=L"\KnownDlls", attr=0x00000040, hRoot=(nil), sd=(nil)} )
002b:Ret ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004) ret=20015ced
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fae8,00380112 L"\KnownDlls") ret=20015db1
002b:Ret ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fb60,00000003,0033fb1c) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject (0x33fb60,0x00000003,{name=L"\KnownDlls", attr=0x00000040, hRoot=(nil), sd=(nil)} )
002b:Ret ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004) ret=20016641
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20016641
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20016756
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20016756
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66 ip=7bcb7c66 tid=002b
002b:trace:seh:raise_exception info[0]=00000000
002b:trace:seh:raise_exception info[1]=00000000
002b:trace:seh:raise_exception eax=7bcb7c60 ebx=7bc2c030 ecx=00000000 edx=00000000 esi=0033fbb8 edi=0033fb84
002b:trace:seh:raise_exception ebp=0033fb78 esp=0033fb78 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
002b:trace:seh:call_stack_handlers calling handler at 0x2002e0e0 code=c0000005 flags=0
002b:trace:seh:call_stack_handlers handler at 0x2002e0e0 returned 1
002b:trace:seh:call_stack_handlers calling handler at 0x7b4a0c30 code=c0000005 flags=0
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code (0x7bcb7c66).
...
Backtrace:
=>0 0x7bcb7c66 NTDLL_wcslen+0x6(str=0x0(nil)) [/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll (0x0033fb78)
  1 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fba0)
  2 0x7bc2c04a __wine_stub__fltused+0x97c1() in ntdll (0x0033fc08)
  3 0x2001675d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc08)
  4 0x20010d9d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc18)
  5 0x7bc5b5c4 call_ldr_notifications+0x83(reason=0x1, module=<is not available>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:371] in ntdll (0x0033fc88)
  6 0x7bc6078f process_attach.part+0x10e() in ntdll (0x0033fcc8)
  7 0x7bc65777 LdrLoadDll+0x81(path_name=<couldn't compute location>, flags=<couldn't compute location>, libname=<couldn't compute location>, hModule=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:1288] in ntdll (0x0033fd08)
  8 0x7b4689cc load_library+0xdb(libname=0x33fda8, flags=0x800) [/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:975] in kernel32 (0x0033fd88)
  9 0x7b4690e1 LoadLibraryExW+0xdb() [/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:1035] in kernel32 (0x0033fdc8)
  10 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fdfc)
  11 0x7b429d56 __wine_stub___wine_call_from_16_regs+0x6515() in kernel32 (0x0033fe28)
  12 0x2002e36c in spardasecureapp (+0x2e36b) (0x0033fe28)
  13 0x2002e2d5 in spardasecureapp (+0x2e2d4) (0x0033fe40)
  14 0x2002e4b4 in spardasecureapp (+0x2e4b3) (0x0033fe5c)
  15 0x2002e894 in spardasecureapp (+0x2e893) (0x0033fe80)
  16 0x200293f5 EntryPoint+0xffffffff() in spardasecureapp (0x0033fec0)
  17 0x7b4729f2 call_process_entry+0x11() in kernel32 (0x0033fed8)
  18 0x7b47531a start_process+0x149(entry=<couldn't compute location>, peb=<couldn't compute location>) [/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1256] in kernel32 (0x0033ffd8)
  19 0x7b4729fe start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x7bcb7c66 NTDLL_wcslen+0x6 [/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll: cmpw $0,0x0(%edx)
201 while (*s) s++;
Modules:
Module Address Debug info Name (20 modules)
PE 20000000-200d8000 Export spardasecureapp
ELF 7b400000-7b830000 Dwarf kernel32<elf>
 -PE 7b420000-7b830000 \ kernel32
ELF 7bc00000-7bd2a000 Dwarf ntdll<elf>
 -PE 7bc10000-7bd2a000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
...
Threads:
process tid prio (all id:s are in hex)
...
0000002a (D) C:\users\focht\Application Data\Sparda\AST-Client\SpardaSecureApp.exe
 0000002b 0 <==
--- snip ---
Some prerequisite info: https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dll...
Apparently the protection code wants to look at '\KnownDlls' directory object using 'ntdll.NtQueryDirectoryObject' to enumerate entries (OBJECT_DIRECTORY_INFORMATION) which obviously fails under Wine.
$ sha1sum spardasecureapp_p.exe
d579216a3a61555c68a75636893216b8a4233737 spardasecureapp_p.exe
$ du -sh spardasecureapp_p.exe
9.6M spardasecureapp_p.exe
$ wine --version
wine-4.6-108-g9d7d68747b
Regards
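Added example (not part of the original report and not Wine code): a small Python triage script for +relay,+seh logs like the one above. For each exception it reports the relay call the thread was inside and the Nt*/Zw* calls on that thread that had already returned an error NTSTATUS. The name triage and the record layout are assumptions of this example; the sample lines are excerpted from the trace in this report.

```python
import re

CALL = re.compile(r'^([0-9a-f]{4}):Call ([^\s(]+)\((.*)\) ret=[0-9a-f]+$')
RET = re.compile(r'^([0-9a-f]{4}):Ret\s+([^\s(]+)\(\) retval=([0-9a-f]+) ret=[0-9a-f]+$')
SEH = re.compile(r'^([0-9a-f]{4}):trace:seh:raise_exception code=([0-9a-f]+) ')
NAMES = {0xC0000005: 'STATUS_ACCESS_VIOLATION',
         0xC0000034: 'STATUS_OBJECT_NAME_NOT_FOUND'}

def triage(log):
    """One record per exception: the relay call the thread was inside, plus
    the Nt*/Zw* calls on that thread that returned an error NTSTATUS before it."""
    stacks, failed, reports = {}, {}, []
    for line in log.splitlines():
        line = line.strip()
        if m := CALL.match(line):
            # Track nesting per thread id; callback lines do not match and are skipped.
            stacks.setdefault(m[1], []).append((m[2], m[3]))
        elif m := RET.match(line):
            tid, func, status = m[1], m[2], int(m[3], 16)
            stack = stacks.get(tid, [])
            if stack and stack[-1][0] == func:
                stack.pop()
            # Only the native Nt*/Zw* API returns NTSTATUS; severity bits 11 = error.
            if re.match(r'ntdll\.(Nt|Zw)', func) and status >> 30 == 3:
                failed.setdefault(tid, []).append(
                    (func, NAMES.get(status, f'{status:08x}')))
        elif m := SEH.match(line):
            code = int(m[2], 16)
            stack = stacks.get(m[1], [])
            reports.append({'tid': m[1],
                            'code': NAMES.get(code, f'{code:08x}'),
                            'in_call': stack[-1] if stack else None,
                            'failed_nt_calls': list(failed.get(m[1], []))})
    return reports

# Sample lines excerpted from the trace in this report (thread 002b).
SAMPLE = r'''
002b:Call ntdll.NtOpenDirectoryObject(0033fb60,00000003,0033fb1c) ret=20015e36
002b:Ret ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20016756
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20016756
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66 ip=7bcb7c66 tid=002b
'''

if __name__ == '__main__':
    for report in triage(SAMPLE):
        print(report)
```

On the sample, the single record pairs the access violation inside ntdll.wcslen(00000000) with the earlier NtOpenDirectoryObject failure on the same thread.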
Alex Henrie alexhenrie24@gmail.com changed:
What    |Removed |Added
----------------------------------------------------------------------------
See Also|        |https://bugs.winehq.org/show_bug.cgi?id=47061
Anastasius Focht focht@gmx.net changed:
What    |Removed |Added
----------------------------------------------------------------------------
Keywords|        |download, obfuscation
     URL|        |https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-pc/medien/spardasecureapp_p.exe
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download link via Internet Archive from my own comment #0.
Obviously still present.
$ wine --version
wine-5.6-348-gf52b33c630
Regards
Alexandre Julliard julliard@winehq.org changed:
What    |Removed |Added
----------------------------------------------------------------------------
      CC|        |winehq@mrag.nl
--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
*** Bug 51197 has been marked as a duplicate of this bug. ***