https://bugs.winehq.org/show_bug.cgi?id=38956
Bug ID: 38956
Summary: Creo Elements/Direct Modeling Express 6.0 .NET based licensing tool fails with .NET Framework error (Xenocode registry virtualization fails to intercept Wine's root key handles)
Product: Wine
Version: 1.7.47
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: advapi32
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 38950
(avoid relay thunks, they interfere with Xenocode hooks).
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/PTC/Creo Elements/Direct Modeling Express 6.0/binNT/OLAPE

$ WINEDEBUG=+tid,+seh,+loaddll,+process,+reg,+msgbox wine ./OLAPEP.exe >>log.txt 2>&1
...
002c:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\mscoree.dll" at 0x79000000: native
002c:trace:loaddll:load_native_dll Loaded L"C:\Program Files\PTC\Creo Elements\Direct Modeling Express 6.0\binNT\OLAPE\OLAPEPP.exe" at 0x400000: native
002c:trace:reg:GetSystemInfo si=0x0x2142f9d8
002c:trace:reg:GetSystemInfo si=0x0x2142f73c
002c:trace:reg:NtOpenKey (0x20,L"System\CurrentControlSet\Control\Video\{f996be7c-6eca-46cd-96df-3524ac767421}\0000",2000000,0x2142eff0)
002c:trace:reg:NtOpenKey <- 0x24c
002c:trace:reg:RegQueryValueExW (0x24c,L"GraphicsDriver",(nil),(nil),0x2142f348,0x2142f550=520)
002c:trace:reg:NtQueryValueKey (0x24c,L"GraphicsDriver",2,0x2142f11c,256)
002c:trace:loaddll:load_builtin_dll Loaded L"C:\windows\system32\winex11.drv" at 0x7e280000: builtin
002c:trace:reg:NtOpenKey (0x24,L"Software\Wine\X11 Driver",2000000,0x2142e6e0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x24,L"Software\Wine\AppDefaults",2000000,0x2142e6e0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtCreateKey (0x24,L"Keyboard Layout\Preload",(null),0,f003f,0x2142e57c)
002c:trace:reg:NtCreateKey <- 0x25c
002c:trace:reg:RegQueryValueExW (0x25c,L"1",(nil),(nil),(nil),(nil)=0)
002c:trace:reg:NtQueryValueKey (0x25c,L"1",2,0x2142e6dc,12)
002c:trace:reg:NtOpenKey (0x2c,L"Software\Fonts",2000000,0x2142ebe0)
002c:trace:reg:NtOpenKey <- 0x24c
002c:trace:reg:RegQueryValueExW (0x24c,L"LogPixels",(nil),0x2142ee94,0x2142ee8c,0x2142ee90=4)
002c:trace:reg:NtQueryValueKey (0x24c,L"LogPixels",2,0x2142ed0c,16)
002c:trace:reg:NtOpenKey (0x20,L"System\CurrentControlSet\Control\FontAssoc\Associated Charset",2000000,0x2142eb40)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework",20019,0x2142ebc0)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework",20019,0x2142d090)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework",20019,0x2142cb70)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x24,L"Software\Microsoft\.NETFramework\Policy\Upgrades",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework\Policy\Upgrades",20019,0x2142d440)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtOpenKey (0x20,L"Software\Microsoft\.NETFramework",20019,0x2142cb70)
002c:trace:reg:NtOpenKey <- (nil)
002c:trace:reg:NtCreateKey (0x24,L"Control Panel\Desktop\WindowMetrics",(null),0,2000000,0x2142d82c)
002c:trace:reg:NtCreateKey <- 0x25c
...
002c:trace:msgbox:MSGBOX_OnInit L"A fatal error occurred. However, mscorees.dll could not be loaded to display the appropriate error message.\n\nPlease reinstall the .NET Framework."
--- snip ---
The call in question from virtualized/sandboxed .NET Framework (unwrapped in memory):
--- snip ---
4252EDFC   79003ECE  CALL to RegOpenKeyExW from mscoree.79003EC8
4252EE00   80000002  hKey = HKEY_LOCAL_MACHINE
4252EE04   79004010  Subkey = "Software\Microsoft\.NETFramework"
4252EE08   00000000  Reserved = 0
4252EE0C   00020019  Access = KEY_READ
4252EE10   4252EE44  pHandle = 4252EE44
4252EE14   00000000
4252EE18   4252EE48
4252EE1C   790063FD  RETURN to mscoree.790063FD from mscoree.79003EA4
4252EE20   80000002
4252EE24   79004010  UNICODE "Software\Microsoft\.NETFramework"
4252EE28   00000000
...
--- snip ---
Here: NtOpenKey -> lookup predefined handle for HKEY_LOCAL_MACHINE -> 0x20 (internally cached)
Initial: get_special_root_hkey -> create_special_root_hkey -> create_key -> NtCreateKey
Xenocode VM uses a handle tracker for objects of interest which includes registry handles. It intercepts various native API calls and injects/translates to its own data as needed.
The problem here is the interception of the special registry root directory key(s).
Although 'NtOpenKey' API is hooked, Xenocode fails to translate the parent key (= special root key handle), falling back by calling Wine implementation. Since .NET Framework is not installed, the .NET registry keys and values are not present in the "real" registry, leading to failure.
The native API interception logic is set up after the main executable got unwrapped and mapped with imports resolved by Xenocode loader. Unfortunately the special root key handles were already created as part of original startup code by Wine hence the creation of those parent handles (out parameter) is never seen by the Xenocode handle tracker.
---
For completeness the native registry API that can be potentially hooked:
--- snip ---
423F0B66  68 0C754042  PUSH OLAPEP.4240750C  ; "NtCompactKeys"
423F0B7F  68 1C754042  PUSH OLAPEP.4240751C  ; "NtCompressKey"
423F0B98  68 2C754042  PUSH OLAPEP.4240752C  ; "NtCreateKey"
423F0BB1  68 38754042  PUSH OLAPEP.42407538  ; "NtDeleteKey"
423F0BCA  68 44754042  PUSH OLAPEP.42407544  ; "NtDeleteValueKey"
423F0BE3  68 58754042  PUSH OLAPEP.42407558  ; "NtEnumerateKey"
423F0BFC  68 68754042  PUSH OLAPEP.42407568  ; "NtEnumerateValueKey"
423F0C15  68 7C754042  PUSH OLAPEP.4240757C  ; "NtFlushKey"
423F0C31  68 88754042  PUSH OLAPEP.42407588  ; "NtLoadKey"
423F0C4A  68 94754042  PUSH OLAPEP.42407594  ; "NtLoadKey2"
423F0C63  68 A0754042  PUSH OLAPEP.424075A0  ; "NtLoadKeyEx"
423F0C7C  68 AC754042  PUSH OLAPEP.424075AC  ; "NtLockRegistryKey"
423F0C95  68 C0754042  PUSH OLAPEP.424075C0  ; "NtNotifyChangeKey"
423F0CAE  68 D4754042  PUSH OLAPEP.424075D4  ; "NtNotifyChangeMultipleKeys"
423F0CC7  68 F0754042  PUSH OLAPEP.424075F0  ; "NtOpenKey"
423F0CE0  68 FC754042  PUSH OLAPEP.424075FC  ; "NtQueryKey"
423F0CFC  68 08764042  PUSH OLAPEP.42407608  ; "NtQueryMultipleValueKey"
423F0D15  68 20764042  PUSH OLAPEP.42407620  ; "NtQueryOpenSubKeys"
423F0D2E  68 34764042  PUSH OLAPEP.42407634  ; "NtQueryOpenSubKeysEx"
423F0D47  68 4C764042  PUSH OLAPEP.4240764C  ; "NtQueryValueKey"
423F0D60  68 5C764042  PUSH OLAPEP.4240765C  ; "NtRenameKey"
423F0D79  68 68764042  PUSH OLAPEP.42407668  ; "NtReplaceKey"
423F0D92  68 78764042  PUSH OLAPEP.42407678  ; "NtRestoreKey"
423F0DAB  68 88764042  PUSH OLAPEP.42407688  ; "NtSaveKey"
423F0DC7  68 94764042  PUSH OLAPEP.42407694  ; "NtSaveKeyEx"
423F0DE0  68 A0764042  PUSH OLAPEP.424076A0  ; "NtSaveMergedKeys"
423F0DF9  68 B4764042  PUSH OLAPEP.424076B4  ; "NtSetInformationKey"
423F0E12  68 C8764042  PUSH OLAPEP.424076C8  ; "NtSetValueKey"
423F0E2B  68 D8764042  PUSH OLAPEP.424076D8  ; "NtUnloadKey"
423F0E44  68 E4764042  PUSH OLAPEP.424076E4  ; "NtUnloadKey2"
423F0E5D  68 F4764042  PUSH OLAPEP.424076F4  ; "NtUnloadKeyEx"
--- snip ---
$ sha1sum ModelingPE__setup_EN.exe
333736c553c2eb985436e63f20bfcbb59932b6fb  ModelingPE__setup_EN.exe

$ du -sh ModelingPE__setup_EN.exe
207M    ModelingPE__setup_EN.exe

$ wine --version
wine-1.7.47-162-g0f9a0aa
Regards
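
Added example (not part of the bug report, and not Wine or Xenocode code): a toy C model of the ordering problem described in the report above, where a handle tracker only learns about key handles created after its hooks are installed. All function names, the virtual key handle 0x1000 and the scenario() helper are constructed for illustration.

```c
/* Toy model (constructed, not Wine or Xenocode code): a sandbox layer that
 * tracks registry handles only from the moment its hooks are installed. */
#include <stdio.h>
#include <string.h>

#define NET_KEY "Software\\Microsoft\\.NETFramework"
static int tracked[8], ntracked, hooks_on, next_handle;

/* Host registry: .NET is not installed, so NET_KEY is absent (0 = not found). */
static int host_open(const char *sub) {
    return strcmp(sub, "Software\\Fonts") == 0 ? 0x24c : 0;
}

/* Virtual registry carried by the wrapped application: NET_KEY exists here. */
static int virt_open(const char *sub) {
    return strcmp(sub, NET_KEY) == 0 ? 0x1000 : 0;
}

/* Host hands out a root key handle; the tracker records it only if hooked. */
static int create_root(void) {
    int h = next_handle;
    next_handle += 4;
    if (hooks_on && ntracked < 8) tracked[ntracked++] = h;
    return h;
}

/* Hooked open: translate only when the parent handle is known to the tracker,
 * otherwise fall back to the host implementation. */
static int hooked_open(int parent, const char *sub) {
    for (int i = 0; hooks_on && i < ntracked; i++)
        if (tracked[i] == parent && virt_open(sub)) return virt_open(sub);
    return host_open(sub);
}

/* root_before_hooks=1: root handle cached before hook installation (the bug).
 * root_before_hooks=0: root handle created afterwards. Returns opened handle. */
int scenario(int root_before_hooks) {
    ntracked = 0; hooks_on = 0; next_handle = 0x20;
    if (!root_before_hooks) hooks_on = 1;
    int root = create_root();
    hooks_on = 1;                      /* loader installs hooks */
    return hooked_open(root, NET_KEY);
}

int main(void) {
    printf("root cached before hooks: 0x%x\n", scenario(1));
    printf("root created after hooks: 0x%x\n", scenario(0));
    return 0;
}
```

With the root handle cached before hook installation the open falls through to the host registry and returns 0, matching the "NtOpenKey <- (nil)" lines in the trace.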
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
                URL|                            |http://www.ptc.com/products
                   |                            |/creo-elements-direct/model
                   |                            |ing-express/
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bunglehead@gmail.com

--- Comment #1 from Anastasius Focht focht@gmx.net ---
*** Bug 18844 has been marked as a duplicate of this bug. ***
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Creo Elements/Direct        |Multiple applications
                   |Modeling Express 6.0 .NET   |wrapped with Xenocode fail
                   |based licensing tool fails  |with .NET Framework error
                   |with .NET Framework error   |(Creo Elements,
                   |(Xenocode registry          |Neuro-Programmer
                   |virtualization fails to     |v2.5)(registry
                   |intercept Wine's root key   |virtualization fails to
                   |handles)                    |intercept Wine's root key
                   |                            |handles)

--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
refining summary to target all Xenocode apps suffering from this specific problem.
Regards
Nikolay Sivov bunglehead@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|bunglehead@gmail.com        |
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.ptc.com/products |https://web.archive.org/web
                   |/creo-elements-direct/model |/20190317221046/https://www
                   |ing-express/                |.ptc.com/-/media/Files/creo
                   |                            |/elements-direct/32-bit/Mod
                   |                            |elingPE__setup_EN.exe

--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, most likely still present.
The vendor seems to update the installers for release 6.0 rather frequently (check hash parameter of download URI).
I've created snapshots via Internet archive to pin a specific version.
Windows 32-bit:
https://www.ptc.com/-/media/Files/creo/elements-direct/32-bit/ModelingPE__se...
->
https://web.archive.org/web/20190317221046/https://www.ptc.com/-/media/Files...
$ sha1sum ModelingPE__setup_EN.exe
6f37229e1af6b1e8bbe34d63acff9367202f49f7  ModelingPE__setup_EN.exe

$ du -sh ModelingPE__setup_EN.exe
208M    ModelingPE__setup_EN.exe
---
Windows 64-bit:
https://www.ptc.com/-/media/Files/creo/elements-direct/64-bit/ModelingPE__se...
->
https://web.archive.org/web/20190317223918/https://www.ptc.com/-/media/Files...
$ sha1sum ModelingPE__setup_EN.exe
94c5a824f7c4dd74647a956f3461fd7cc846cae9  ModelingPE__setup_EN.exe

$ du -sh ModelingPE__setup_EN.exe
237M    ModelingPE__setup_EN.exe
---
$ wine --version
wine-4.4
Regards
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present.
$ wine --version
wine-6.12-182-g49cde099582
Regards