https://bugs.winehq.org/show_bug.cgi?id=50431
Bug ID: 50431
Summary: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\SystemRoot\system32\drivers' and 'WOW64=1'
Product: Wine
Version: 6.0-rc4
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says. Bug 47175 (https://bugs.winehq.org/show_bug.cgi?id=47175#c4) is kinda related but the mistake is not in the service creation part.
Norton AntiVirus 2010 installer creates several 32-bit and 64-bit services. The kernel driver services are 64-bit by design (64-bit WINEPREFIX).
The registry entries for these services contain a mix of different styles. 'WOW64' is always set because the services were created by a 32-bit installer process. Wine uses this flag only in case of failure to determine the binary type. 64-bit kernel drivers should be always started as 64-bit.
Registry:
--- snip ---
...
[System\CurrentControlSet\Services\BHDrvx64] 1609425565
"Description"="SONAR Engine Driver"
"DisplayName"="BHDrvx64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20090829.001\BHDrvx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\CurrentControlSet\Services\IDSVia64] 1609419518
"Description"="Symantec Intrusion Prevention Driver"
"DisplayName"="IDSVia64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20090828.002\IDSVia64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\CurrentControlSet\Services\ccHP] 1609437834
#time=1d6df9f4d82eda4
"DisplayName"="Symantec Hash Provider"
"ErrorControl"=dword:00000001
"ImagePath"="\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
--- snip ---
'ccHP' kernel service doesn't work here. SCM erroneously starts 'winedevice' hosting process as 32-bit hence loading the 64-bit kernel driver binary will obviously fail.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers/NAVx64/1100000.088

$ file *
cchpx64.cat:  data
ccHPx64.inf:  Windows setup INFormation
ccHPx64.sys:  PE32+ executable (native) x86-64, for MS Windows
iron.cat:     data
Iron.inf:     Windows setup INFormation
Ironx64.sys:  PE32+ executable (native) x86-64, for MS Windows
isolate.ini:  Little-endian UTF-16 Unicode text, with CRLF line terminators
srtsp64.cat:  data
srtsp64.inf:  Windows setup INFormation
srtsp64.sys:  PE32+ executable (native) x86-64, for MS Windows
srtspx64.cat: data
srtspx64.inf: Windows setup INFormation
srtspx64.sys: PE32+ executable (native) x86-64, for MS Windows
SymDS64.cat:  data
SymDS64.sys:  PE32+ executable (native) x86-64, for MS Windows
SymDS.inf:    Windows setup INFormation
SymEFA64.cat: data
SymEFA64.sys: PE32+ executable (native) x86-64, for MS Windows
SymEFA.inf:   Windows setup INFormation
symnet64.cat: data
SymNet.inf:   Windows setup INFormation
symnetv64.cat: data
SymNetV.inf:  Windows setup INFormation
symtdiv.sys:  PE32+ executable (native) x86-64, for MS Windows
--- snip ---
Trace log:
--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl,+ntdll,+server,+service wineboot >>log.txt 2>&1
...
003c:trace:service:load_service_config Image path = L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys"
003c:trace:service:load_service_config Group = (null)
...
003c:trace:service:load_service_config Service account name = L"LocalSystem"
...
003c:trace:service:load_service_config Display name = L"Symantec Hash Provider"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies : (none)
...
003c:Call KERNEL32.ExpandEnvironmentStringsW(0003b9d0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",000439c0,0000003c) ret=1400062de
003c:Call kernelbase.ExpandEnvironmentStringsW(0003b9d0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",000439c0,0000003c) ret=7bc4429f
003c:Call ntdll.RtlInitUnicodeString(0021f628,0003b9d0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys") ret=7b042c06
003c:Ret ntdll.RtlInitUnicodeString() retval=00000078 ret=7b042c06
003c:Call ntdll.RtlExpandEnvironmentStrings_U(00000000,0021f628,0021f618,0021f614) ret=7b042c47
003c:Ret ntdll.RtlExpandEnvironmentStrings_U() retval=00000000 ret=7b042c47
003c:Ret kernelbase.ExpandEnvironmentStringsW() retval=0000003c ret=7bc4429f
003c:Ret KERNEL32.ExpandEnvironmentStringsW() retval=0000003c ret=1400062de
003c:Call KERNEL32.GetBinaryTypeW(000439c0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",0021f7c0) ret=140006473
003c:Call kernelbase.CreateFileW(000439c0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",80000000,00000001,00000000,7fd700000003,00000000,00000000) ret=7b61b63d
...
003c:Call ntdll.RtlDosPathNameToNtPathName_U(000439c0 L"\SystemRoot\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",0021f458,00000000,00000000) ret=7b0160a0
003c:Ret ntdll.RtlDosPathNameToNtPathName_U() retval=00000001 ret=7b0160a0
003c:Call ntdll.NtCreateFile(0021f3e8,80100080,0021f428,0021f418,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7b01623a
003c:Ret ntdll.NtCreateFile() retval=c000003a ret=7b01623a
003c:Call ntdll.RtlNtStatusToDosError(c000003a) ret=7b01633c
003c:Ret ntdll.RtlNtStatusToDosError() retval=00000003 ret=7b01633c
...
003c:Ret kernelbase.CreateFileW() retval=ffffffffffffffff ret=7b61b63d
003c:Ret KERNEL32.GetBinaryTypeW() retval=00000000 ret=140006473
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys"
...
0054:Call KERNEL32.LoadLibraryW(0012d578 L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys") ret=0036490e
0054:Call kernelbase.LoadLibraryW(0012d578 L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys") ret=7bc3ab84
...
0054:Call ntdll.LdrGetDllPath(0012d578 L"C:\windows\system32\drivers\NAVx64\1100000.088\ccHPx64.sys",00000000,00d5faf0,00d5fae8) ret=7b01bc26
0054:Ret ntdll.LdrGetDllPath() retval=00000000 ret=7b01bc26
...
0054:Call ntdll.LdrLoadDll(0012d958 L"C:\windows\syswow64;C:\windows\system32;C:\windows\system;C:\windows;.;C:\windows\system32;C:\windows;C:\windows\system32\wbem;C:\windows\system32\WindowsPowershell\v1.0",00000000,00d5fb10,00d5faf8) ret=7b01bdfc
...
0054: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000000,sd={},name=L""}, filename="/home/focht/projects/wine/mainline-install-x86_64/lib/wine/cchpx64.sys" )
...
0054: create_file() = NO_SUCH_FILE { handle=0000 }
...
0054:Ret ntdll.LdrLoadDll() retval=c0000135 ret=7b01bdfc
...
0054:Ret kernelbase.LoadLibraryW() retval=00000000 ret=7bc3ab84
...
0054:err:ntoskrnl:ZwLoadDriver failed to create driver L"\Registry\Machine\System\CurrentControlSet\Services\ccHP": c0000142
--- snip ---
'\SystemRoot\system32\drivers' is a valid path for REG_EXPAND_SZ type 'ImagePath' as well. It doesn't need to be '%SystemRoot%\xxx'.
Due to the 'GetBinaryTypeW' failure, the "else" path is taken, which uses the 'WOW64' flag. All services created by a 32-bit installer have 'WOW64' set by design, including the 64-bit services, which leads to the incorrect "fallback" choice.
Wine source:
https://source.winehq.org/git/wine.git/blob/784cb2060ab63076adc349dcb1d15a6c...
--- snip ---
static DWORD get_winedevice_binary_path(struct service_entry *service_entry, WCHAR **path, BOOL *is_wow64)
{
    static const WCHAR winedeviceW[] = {'\\','w','i','n','e','d','e','v','i','c','e','.','e','x','e',0};
    WCHAR system_dir[MAX_PATH];
    DWORD type;

    if (!is_win64)
        *is_wow64 = FALSE;
    else if (GetBinaryTypeW(*path, &type))
        *is_wow64 = (type == SCS_32BIT_BINARY);
    else
        *is_wow64 = service_entry->is_wow64;

    GetSystemDirectoryW(system_dir, MAX_PATH);
    HeapFree(GetProcessHeap(), 0, *path);
    if (!(*path = HeapAlloc(GetProcessHeap(), 0, lstrlenW(system_dir) * sizeof(WCHAR) + sizeof(winedeviceW))))
        return ERROR_NOT_ENOUGH_SERVER_MEMORY;

    lstrcpyW(*path, system_dir);
    lstrcatW(*path, winedeviceW);
    return ERROR_SUCCESS;
}
--- snip ---
Virustotal.com scan of the binary:
https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20...
$ sha1sum NAV10TBEN.exe
eadfb9c860146186c548aba695a9be87607f5586  NAV10TBEN.exe

$ du -sh NAV10TBEN.exe
74M     NAV10TBEN.exe

$ wine --version
wine-6.0-rc4
Regards
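As an added illustration (not code from the report or from Wine), the following C program models the decision in get_winedevice_binary_path against a constructed in-memory driver image: probing the '\SystemRoot\...' path fails, so the registry WOW64 flag decides and a 64-bit driver is classified as 32-bit, whereas expanding the prefix to the Windows directory first lets the PE header decide. The stand-in file system, the driver bytes, the names sample_pe64/pe_bitness/expand_systemroot/host_is_wow64 and the 'C:\windows' directory are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the file system: the only driver that exists is a
 * 64-bit image, reachable under its DOS path but not under "\SystemRoot\...". */
static const char *DRIVER_DOS_PATH = "C:\\windows\\system32\\drivers\\NAVx64\\ccHPx64.sys";
static uint8_t g_driver[0x48];

/* Minimal PE32+ header: "MZ", e_lfanew at 0x3c, "PE\0\0", Machine 0x8664 (AMD64). */
const uint8_t *sample_pe64(size_t *len)
{
    g_driver[0] = 'M'; g_driver[1] = 'Z'; g_driver[0x3c] = 0x40;
    memcpy(g_driver + 0x40, "PE\0\0", 4);
    g_driver[0x44] = 0x64; g_driver[0x45] = 0x86;      /* little-endian 0x8664 */
    *len = sizeof g_driver;
    return g_driver;
}

/* 64, 32 or 0 (not PE / unknown machine): what GetBinaryTypeW works out once it can open the file. */
int pe_bitness(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t off = buf[0x3c] | buf[0x3d] << 8 | buf[0x3e] << 16 | (uint32_t)buf[0x3f] << 24;
    if (off > len - 6 || memcmp(buf + off, "PE\0\0", 4) != 0) return 0;
    unsigned machine = buf[off + 4] | buf[off + 5] << 8;
    return machine == 0x8664 ? 64 : machine == 0x014c ? 32 : 0;
}

/* Rewrites an NT-style "\SystemRoot\..." path to "<windir>\..." so a Win32 file API
 * can open it (case-sensitive prefix match). Returns 0 if out is too small. */
int expand_systemroot(const char *path, const char *windir, char *out, size_t cap)
{
    size_t plen = strlen("\\SystemRoot\\");
    int n = strncmp(path, "\\SystemRoot\\", plen) == 0
              ? snprintf(out, cap, "%s\\%s", windir, path + plen)
              : snprintf(out, cap, "%s", path);
    return n >= 0 && (size_t)n < cap;
}

/* Mirrors get_winedevice_binary_path: probe the image, fall back to the registry
 * WOW64 flag if the probe fails. expand=0 reproduces the report (the fallback
 * picks 32-bit for a 64-bit driver); expand=1 normalises the path first. */
int host_is_wow64(const char *image_path, int wow64_flag, int expand)
{
    char dos[260]; size_t len; const char *probe = image_path;
    if (expand && expand_systemroot(image_path, "C:\\windows", dos, sizeof dos)) probe = dos;
    if (strcmp(probe, DRIVER_DOS_PATH) == 0)            /* the "file" was found */
        return pe_bitness(sample_pe64(&len), len) == 32;
    return wow64_flag;                                   /* GetBinaryTypeW failed */
}
```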
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://web.archive.org/web/20111104092310/http://spftrl.digitalriver.com/pub/symantec/tbyb/NAM/NAV10TBEN.exe
           Keywords|                            |download
Fabian Maurer dark.shadow4@web.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dark.shadow4@web.de