http://bugs.winehq.org/show_bug.cgi?id=29460
Bug #: 29460
Summary: Ruijie Supplicant crash at start
Product: Wine
Version: 1.3.35
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: fracting@gmail.com
Classification: Unclassified

Created attachment 38142
--> http://bugs.winehq.org/attachment.cgi?id=38142
Log: Ruijie Supplicant crash
1. Download RGSupplicant4.10_1026.exe http://115.com/file/cmr79xxh
2. winetricks vcrun6 (for mfc42)
3. install RGSupplicant4.10_1026.exe with wine
4. Start RuijieSupplicant.exe
$ cd ".wine/drive_c/Program Files/Ruijie Networks/Ruijie Supplicant"
$ wine RuijieSupplicant.exe

Actual result: Crash
Expected result: Display the main GUI for RuijieSupplicant.exe
Log:
fixme:ntoskrnl:IoGetCurrentProcess () stub
wine: Unhandled page fault on read access to 0x00000000 at address 0x78010765 (thread 0027), starting debugger...

Backtrace:
=>0 0x78010765 in msvcrt (+0x10765) (0x0053e618)
  1 0x005404ab in su1xdriver.sys (+0x4aa) (0x0053e6a8)
  2 0x7ec1651a load_driver+0x58a() [/home/fracting/wine-git/programs/winedevice/device.c:253] in winedevice (0x0053e938)
  3 0x7ec167be ServiceMain+0x11e(argc=0x1, argv=0x110af8) [/home/fracting/wine-git/programs/winedevice/device.c:307] in winedevice (0x0053e9a8)
  4 0x7ebbd0e8 service_thread+0x161(arg=0x1108c0) [/home/fracting/wine-git/dlls/advapi32/service.c:291] in advapi32 (0x0053ea28)
fracting fracting@gmail.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
Keywords        |                                 |download
Anastasius Focht focht@gmx.net changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED                      |NEW
URL             |                                 |http://115.com/file/cmr79xxh
CC              |                                 |focht@gmx.net
Component       |-unknown                         |ntoskrnl
Summary         |Ruijie Supplicant crash at start |Ruijie Supplicant Su1xDriver.sys crashes in driver entry due to ntoskrnl.exe IoGetCurrentProcess() being a stub
Ever Confirmed  |0                                |1

--- Comment #1 from Anastasius Focht focht@gmx.net 2011-12-28 06:23:24 CST ---
Hello,
--- snip ---
0026:Call KERNEL32.LoadLibraryW(0011ab00 L"C:\windows\system32\DRIVERS\Su1xDriver.sys") ret=6819f8bd
...
0026:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=6819f8bd
...
0026:Call driver init 0x540b85 (obj=0x681a28e0,str=L"\Registry\Machine\System\CurrentControlSet\Services\Su1xDriver")
0026:Call ntoskrnl.exe.IoGetCurrentProcess() ret=00540496
0026:fixme:ntoskrnl:IoGetCurrentProcess () stub
0026:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=00540496
0026:trace:seh:raise_exception code=c0000005 flags=0 addr=0x78010765 ip=78010765 tid=0026
0026:trace:seh:raise_exception info[0]=00000000
0026:trace:seh:raise_exception info[1]=00000000
0026:trace:seh:raise_exception eax=00000000 ebx=00000006 ecx=00000006 edx=0053ef48 esi=00000000 edi=00540480
0026:trace:seh:raise_exception ebp=0053e5e8 esp=0053e5dc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
0026:trace:seh:call_vectored_handlers calling handler at 0x6822f416 code=c0000005 flags=0
0026:trace:seh:call_vectored_handlers handler at 0x6822f416 returned 0
...
--- snip ---
the driver tries to access the EPROCESS structure returned by IoGetCurrentProcess(). The process name is checked for "System" but due to IoGetCurrentProcess() being a stub returning NULL the code crashes in driver entry.
It also peeks into low level stuff like SSDT (system service descriptor table) and hooks ZwOpenProcess API to control userspace access to processes.
Anyway what are you trying to accomplish?
Even getting that small helper "protection" driver to work requires considerable infrastructure - that is not going to happen in Wine in near future.
There are NDIS protocol drivers contained in this installation that are not going to work. The purpose of this package seems to be to provide/allow access to restricted networks in China and ensuring "filtering".
This "Ruijie Network Supplicant" also has a GNU/Linux project:
https://code.google.com/p/ruijieclient/
although it is not as well maintained as the Windows client (guess why).
Regards
--- Comment #2 from fracting fracting@gmail.com 2011-12-29 23:39:05 CST ---
Hello Anastasius,
Really grateful for your excellent analysis.
> Anyway what are you trying to accomplish?

I'm hoping that Ruijie Supplicant, H3C iNode 802.1x Supplicant, Dr.com and some other authentication clients could run on Wine someday. These clients are widely used in universities in China; some of them have no Linux clients, and some have official or unofficial Linux clients, but those are out of date.

- As you know, some of them already have open source alternatives. However:
  * The open source alternative may be developed by disassembling the Win32 client; I am not sure whether that is illegal.
  * These companies may update their Win32 client and change the authentication protocol, which makes the open source alternative unusable. This has already happened with H3C iNode and some other clients.
  * Once the developers of the open source client graduate and leave their university, they are unable to update it, since they can no longer access their university's network.

- People who find this bug via Google may be interested in this discussion as well:
  * Need help with off-standard 802.1x authentication on Linux
    http://lists.shmoo.com/pipermail/hostap/2011-September/023975.html
> There are NDIS protocol drivers contained in this installation that are not
> going to work.
Yes, Ruijie, H3C INode, Dr.com all depend on ndis.sys.
Dr.com also depends on winpcap.
- According to Bug 8465 - "WinPCap based applications fail to load", which is a "Won't Fix" bug, winpcap will not work on Wine.
- André has written a wrapper for wpcap: http://www.winehq.org/pipermail/wine-patches/2011-March/099838.html
  * This wrapper works pretty well for the demos in the winpcap developer's pack.
  * Dr.com still does not work with this patch; I'm waiting for the wrapper to be committed to Wine and will then report bugs for it.
Any suggestions are appreciated!
Saulius K. saulius2@gmail.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |                                 |saulius2@gmail.com
roger@mailinator.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |                                 |roger@mailinator.com

--- Comment #3 from roger@mailinator.com ---
It's not a stub anymore.
http://source.winehq.org/git/wine.git/?a=search&h=799731f4b9e9495181e18a...
http://source.winehq.org/git/wine.git/blob/799731f4b9e9495181e18a68eba16c921...
Could you retest?

--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello roger/Jarkko/<insert name/alias here>
lazy bum.
A single line 'git grep' is not a safe measure to verify the implementation state of an API function.
How about spending more time on bugs and actually double-checking before posting noise, wasting other people's time? Reading the source code, for a start?
It will take a long time until Wine actually starts returning a meaningful EPROCESS structure, which is needed here.
Regards
Austin English austinenglish@gmail.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |                                 |testing.tigerwolf@mail.com

--- Comment #5 from Austin English austinenglish@gmail.com ---
*** Bug 26179 has been marked as a duplicate of this bug. ***
Anastasius Focht focht@gmx.net changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
Keywords        |                                 |obfuscation
Summary         |Ruijie Supplicant Su1xDriver.sys crashes in driver entry due to ntoskrnl.exe IoGetCurrentProcess() being a stub |Multiple kernel drivers crash in entry due to ntoskrnl.exe IoGetCurrentProcess() being a stub (Ruijie Supplicant Su1xDriver.sys, nProtect GameGuard/Tachyon Kernel Control Driver)

--- Comment #6 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present.
Refining summary to target more DRM schemes.
Also needed for nProtect GameGuard Personal 3.0
http://fs2.download82.com/software/bbd8ff9dba17080c0c121804efbd61d5/nprotect...
--- snip ---
...
004a:trace:loaddll:load_native_dll Loaded L"C:\windows\system32\TKCtrl2k.sys" at 0x740000: native
004a:Call PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil))
...
004a:Ret PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
004a:Ret KERNEL32.LoadLibraryW() retval=00740000 ret=7effaaa4
...
004a:Call driver init 0x769b3f (obj=0x11c960,str=L"\Registry\Machine\System\CurrentControlSet\Services\TKCtrl")
004a:Call msvcrt.memset(00757760,00000000,0000a5e0) ret=00769ab4
004a:Ret msvcrt.memset() retval=00757760 ret=00769ab4
004a:Call ntdll.RtlInitUnicodeString(0063e7a0,00755fb0 L"\Device\TKCtrl") ret=00740bd5
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a0 ret=00740bd5
004a:Call ntoskrnl.exe.IoCreateDevice(0011c960,00000000,0063e7a0,00000022,00000000,00000000,0063e79c) ret=00740bef
004a:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ecdff91
004a:Ret ntdll.RtlAllocateHeap() retval=0011cb20 ret=7ecdff91
004a:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00740bef
004a:Call ntdll.RtlInitUnicodeString(0063e7a8,00755f80 L"\DosDevices\TKCtrl") ret=00740c2d
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a8 ret=00740c2d
004a:Call ntoskrnl.exe.IoCreateSymbolicLink(0063e7a8,0063e7a0) ret=00740c3b
004a:Call ntdll.NtCreateSymbolicLinkObject(0063e724,000f0001,0063e70c,0063e7a0) ret=7ece02ee
004a:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece02ee
004a:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00740c3b
004a:Call ntoskrnl.exe.PsGetCurrentProcessId() ret=007404d7
004a:Ret ntoskrnl.exe.PsGetCurrentProcessId() retval=00000044 ret=007404d7
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=007404e2
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=007404e2
004a:Call hal.KeGetCurrentIrql() ret=00753aec
004a:fixme:ntoskrnl:KeGetCurrentIrql stub!
004a:Ret hal.KeGetCurrentIrql() retval=00000000 ret=00753aec
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=00753afd
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=00753afd
004a:Call msvcrt._strnicmp(00756b80 "System",00000000,00000006) ret=00753b2e
004a:Ret msvcrt._strnicmp() retval=7fffffff ret=00753b2e
004a:Call msvcrt._strnicmp(00756b80 "System",00000001,00000006) ret=00753b2e
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf753e253 ip=f753e253 tid=004a
004a:trace:seh:raise_exception info[0]=00000000
004a:trace:seh:raise_exception info[1]=00000001
004a:trace:seh:raise_exception eax=00000001 ebx=f75b1000 ecx=00000001 edx=00756b80 esi=0063e764 edi=0063e72c
004a:trace:seh:raise_exception ebp=00000006 esp=0063e6a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
004a:trace:seh:call_vectored_handlers calling handler at 0x7ecdd005 code=c0000005 flags=0
004a:trace:seh:call_vectored_handlers handler at 0x7ecdd005 returned 0
004a:trace:seh:call_stack_handlers calling handler at 0x7bcad785 code=c0000005 flags=0
...
--- snip ---
Driver code:
--- snip ---
007418DA SUB ESP,8
007418DD CALL DWORD PTR DS:[<&ntoskrnl.IoGetCurrentProcess>]
007418E3 MOV DWORD PTR SS:[EBP-8],EAX                 ; PEPROCESS
007418E6 MOV DWORD PTR SS:[EBP-4],0
007418ED JMP SHORT TKFWFLT.007418F8
007418EF MOV EAX,DWORD PTR SS:[EBP-4]
007418F2 ADD EAX,1
007418F5 MOV DWORD PTR SS:[EBP-4],EAX
007418F8 CMP DWORD PTR SS:[EBP-4],3000
007418FF JGE SHORT TKFWFLT.0074192E
00741901 PUSH 6                                       ; len
00741903 MOV ECX,DWORD PTR SS:[EBP-8]
00741906 ADD ECX,DWORD PTR SS:[EBP-4]
00741909 PUSH ECX
0074190A PUSH TKFWFLT.007418D0                        ; ASCII "System"
0074190F CALL DWORD PTR DS:[<&ntoskrnl._strnicmp>]    ; msvcrt.MSVCRT__strnicmp
00741915 ADD ESP,0C
00741918 TEST EAX,EAX
0074191A JNZ SHORT TKFWFLT.0074192C
0074191C MOV EDX,DWORD PTR SS:[EBP-4]
0074191F MOV DWORD PTR DS:[74F820],EDX
00741925 MOV EAX,DWORD PTR DS:[74F820]
0074192A JMP SHORT TKFWFLT.00741930
0074192C JMP SHORT TKFWFLT.007418EF
0074192E XOR EAX,EAX
00741930 MOV ESP,EBP
00741932 POP EBP
00741933 RETN
--- snip ---
Process name offset
--- snip ---
#include <ntddk.h>
#include <string.h>

#define SYSNAME "System"

/* Find the offset of the image name inside EPROCESS by scanning the
 * System process for the string "System" (undocumented, layout-dependent). */
ULONG GetProcessNameOffset(VOID)
{
    PEPROCESS curproc;
    int i;

    curproc = PsGetCurrentProcess();
    /* walk up to three pages past the EPROCESS base */
    for (i = 0; i < 3*PAGE_SIZE; i++)
    {
        if (!strncmp(SYSNAME, (PCHAR)curproc + i, strlen(SYSNAME)))
        {
            return i;
        }
    }
    return 0;   /* not found (indistinguishable from offset 0) */
}
--- snip ---
Anyway, the approach as seen in these "production" drivers is highly questionable. There are lengthy (old) threads on osronline.com stating this is completely fragile and subject to breaking at any time.
$ sha1sum nProtect-GameGuard_Personal-3.0_3745985868.exe
0dd17d9fbb9c6ee755ace60023631a1e1a7d60e9  nProtect-GameGuard_Personal-3.0_3745985868.exe

$ du -sh nProtect-GameGuard_Personal-3.0_3745985868.exe
1.7M    nProtect-GameGuard_Personal-3.0_3745985868.exe

$ wine --version
wine-2.14-50-g797a746fc2
Regards
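A bounded, NULL-checking user-mode model of the scan discussed in comment 6, added here as an illustration (it is not code from the bug report, from Wine, or from either driver). It runs the same 3*PAGE_SIZE search over a constructed fake EPROCESS buffer and shows the two ways the drivers' loop goes wrong in this bug: a NULL base from the stubbed IoGetCurrentProcess() (the access violation in both traces) and a non-NULL EPROCESS that simply does not contain "System" (which the original loop answers with the ambiguous offset 0). PAGE_SIZE = 4096, the 0x174 offset and the buffer contents are assumptions made for the demo and do not describe any real EPROCESS layout; the compare is a case-sensitive memcmp rather than the drivers' _strnicmp.

```c
/* Added example: NULL-safe, bounds-checked "find the image name offset" scan
 * over a constructed fake EPROCESS. Not code from the bug, Wine or any driver. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096              /* assumed x86 page size */
#define SCAN_LIMIT  (3 * PAGE_SIZE)   /* same bound as the driver loop (CMP ...,3000h) */
#define SYSNAME     "System"

/* Scan [base, base + limit) for SYSNAME without reading past the bound.
 * Returns the byte offset on success, or -1 when base is NULL (the stub
 * case that crashed Su1xDriver.sys and TKCtrl2k.sys) or when the name is
 * absent (the situation comment 8 describes). -1 is used so that a genuine
 * offset of 0 is not confused with "not found". */
long find_process_name_offset(const unsigned char *base, size_t limit)
{
    size_t i, n = strlen(SYSNAME);

    if (base == NULL)                 /* IoGetCurrentProcess() stub returned NULL */
        return -1;
    for (i = 0; i + n <= limit; i++)  /* never compare bytes beyond the window */
        if (memcmp(base + i, SYSNAME, n) == 0)
            return (long)i;
    return -1;                        /* not found: refuse to guess an offset */
}

/* Constructed sample 1: a fake EPROCESS carrying "System" at offset 0x174
 * (an arbitrary demo value, not a real structure layout). */
long demo_found(void)
{
    static unsigned char fake[SCAN_LIMIT];
    memset(fake, 0, sizeof fake);
    memcpy(fake + 0x174, SYSNAME, strlen(SYSNAME));
    return find_process_name_offset(fake, sizeof fake);
}

/* Constructed sample 2: a non-NULL EPROCESS with no image name in it at all. */
long demo_missing(void)
{
    static unsigned char fake[SCAN_LIMIT];
    memset(fake, 0, sizeof fake);
    return find_process_name_offset(fake, sizeof fake);
}

/* Sample 3: what the stubbed call hands back, a NULL pointer. */
long demo_null(void)
{
    return find_process_name_offset(NULL, SCAN_LIMIT);
}

int main(void)
{
    printf("name present : offset %ld\n", demo_found());   /* 372 (0x174) */
    printf("name absent  : %ld\n", demo_missing());        /* -1 */
    printf("NULL EPROCESS: %ld\n", demo_null());           /* -1 */
    return 0;
}
```

The point of the three cases is the one Jacek makes in comment 8: returning something non-NULL from IoGetCurrentProcess() stops the fault, but a driver that derives its process-name offset by string-scanning still gets no usable answer unless the structure actually carries the name where the scan expects it.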
pattietreutel katyaberezyaka@gmail.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |                                 |katyaberezyaka@gmail.com
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
Fixed by SHA1   |                                 |6ebc223955417f111de337a4de371a4b58f804ae
Status          |NEW                              |RESOLVED
Resolution      |---                              |FIXED

--- Comment #7 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=6ebc223955417f111de337a4d...
Jacek Caban jacek@codeweavers.com changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |                                 |jacek@codeweavers.com

--- Comment #8 from Jacek Caban jacek@codeweavers.com ---
(In reply to Alistair Leslie-Hughes from comment #7)
> Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=6ebc223955417f111de337a4de371a4b58f804ae

Partially, yes, but the code example from comment 6 will still not find the "System" string for the system process.
Alexandre Julliard julliard@winehq.org changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
Status          |RESOLVED                         |CLOSED

--- Comment #9 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 4.8.