http://bugs.winehq.org/show_bug.cgi?id=21038
Summary: BlackLight: crash after accepting license agreement
Product: Wine
Version: 1.1.34
Platform: PC-x86-64
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
AssignedTo: wine-bugs@winehq.org
ReportedBy: alex@stanev.org
Created an attachment (id=25234) --> (http://bugs.winehq.org/attachment.cgi?id=25234) BlackLight crash traces
This standalone (no installer) application crashes on startup, right after accepting the license agreement. Attaching traces.
Nikolay Sivov bunglehead@gmail.com changed:
What                        |Removed        |Added
----------------------------------------------------------------------------
Attachment #25234 mime type |text/x-apport  |text/plain
--- Comment #1 from Andrew Nguyen arethusa26@gmail.com 2009-12-23 08:48:39 --- I'm confirming with wine-1.1.35-105-gd4a7a9d.
Austin English austinenglish@gmail.com changed:
What            |Removed      |Added
----------------------------------------------------------------------------
Status          |UNCONFIRMED  |NEW
Ever Confirmed  |0            |1
--- Comment #2 from Austin English austinenglish@gmail.com 2009-12-23 10:32:13 ---
(In reply to comment #1)
> I'm confirming with wine-1.1.35-105-gd4a7a9d.

Confirming then.
--- Comment #3 from Alex Stanev alex@stanev.org 2010-11-16 02:42:58 CST --- Still present in 1.3.7
--- Comment #4 from Alex Stanev alex@stanev.org 2011-11-24 10:05:07 CST --- Still present in 1.3.33
Bruno Jesus 00cpxxx@gmail.com changed:
What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |00cpxxx@gmail.com
--- Comment #5 from Bruno Jesus 00cpxxx@gmail.com 2011-11-24 10:25:18 CST --- Please, attach the new console output from 1.3.33.
Alex Stanev alex@stanev.org changed:
What                          |Removed  |Added
----------------------------------------------------------------------------
Attachment #25234 is obsolete |0        |1
--- Comment #6 from Alex Stanev alex@stanev.org 2011-11-28 11:48:37 CST ---
Created attachment 37681 --> http://bugs.winehq.org/attachment.cgi?id=37681
Console outpus from 1.3.33

It seems to crash in the same place.
Alex Stanev alex@stanev.org changed:
What                           |Removed                     |Added
----------------------------------------------------------------------------
Attachment #37681 description  |Console outpus from 1.3.33  |Console output from 1.3.33
joaopa jeremielapuree@yahoo.fr changed:
What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |jeremielapuree@yahoo.fr
--- Comment #7 from joaopa jeremielapuree@yahoo.fr 2012-05-12 01:06:24 CDT --- Still a bug in current wine?
If yes, please attach a new backtrace with debug symbols installed.
--- Comment #8 from Bruno Jesus 00cpxxx@gmail.com 2012-05-12 09:20:37 CDT ---
Created attachment 40133 --> http://bugs.winehq.org/attachment.cgi?id=40133
1.5.4 crash

There is no backtrace, just the crash as seen in the last attachment.
--- Comment #9 from Bruno Jesus 00cpxxx@gmail.com 2013-06-11 19:07:39 CDT --- Still in wine 1.6-rc1, same crash from previous comment.
hanska2@luukku.com changed:
What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |hanska2@luukku.com
--- Comment #10 from hanska2@luukku.com --- Still the same.
1.7.22
Teras teras@luukku.com changed:
What  |Removed  |Added
----------------------------------------------------------------------------
CC    |         |teras@luukku.com
--- Comment #11 from Teras teras@luukku.com --- The same, wine 1.7.36.
Anastasius Focht focht@gmx.net changed:
What      |Removed                                              |Added
----------------------------------------------------------------------------
Keywords  |                                                     |obfuscation
CC        |                                                     |focht@gmx.net
Summary   |BlackLight: crash after accepting license agreement  |F-Secure BlackLight Engine 2.2.x (Rootkit scanner) crashes after accepting license agreement (Wine on-disk placeholder dlls sections must be padded with data up to section virtual size)
--- Comment #12 from Anastasius Focht focht@gmx.net --- Hello folks,
confirming.
The app doesn't like relay and debuggers :)
It loads the on-disk images of Wine builtins (fake dlls) to peek at.
* ntdll.dll
* kernel32.dll
* advapi32.dll
* user32.dll
It processes the section header and makes a copy of each section.
Since 'SizeOfRawData' > 'VirtualSize' most of the time, it uses the section's 'VirtualSize' as the copy count (= minimum size in bytes the OS loader allocates for the section).
Unfortunately this can't work with builtins: 32-bit Wine 'ntdll.dll' placeholder in system32 is 2468 bytes, with section virtual size >= page size.
The copy loop for .text section crosses the page boundary, causing an unhandled fault.
Snippet of app code:

--- snip ---
...
00412608 6A 00            PUSH 0
0041260A 6A 00            PUSH 0
0041260C 6A 00            PUSH 0
0041260E 6A 04            PUSH 4
00412610 56               PUSH ESI
00412611 FF15 84434500    CALL DWORD PTR DS:[<&KERNEL32.MapViewOfFile>]
00412617 8BD8             MOV EBX,EAX
00412619 85DB             TEST EBX,EBX
0041261B 895C24 14        MOV DWORD PTR SS:[LOCAL.3],EBX
0041261F 0F84 E7000000    JZ 0041270C
00412625 8B4B 3C          MOV ECX,DWORD PTR DS:[EBX+3C]        ; offset to PE header
00412628 8B4419 50        MOV EAX,DWORD PTR DS:[EBX+ECX+50]    ; SizeOfImage
0041262C 8D3C19           LEA EDI,[EBX+ECX]                    ; VA PE header
0041262F 50               PUSH EAX
00412630 E8 FB750200      CALL 00439C30
...
00412652 8B77 54          MOV ESI,DWORD PTR DS:[EDI+54]        ; SizeOfHeaders
00412655 56               PUSH ESI
00412656 53               PUSH EBX                             ; Arg2 = mapping
00412657 55               PUSH EBP                             ; Arg1 = copy buffer
00412658 E8 73870200      CALL 0043ADD0                        ; copy section headers
0041265D 8B4F 38          MOV ECX,DWORD PTR DS:[EDI+38]        ; SectionAlignment
00412660 33D2             XOR EDX,EDX
00412662 8BC6             MOV EAX,ESI                          ; SizeOfHeaders
00412664 F7F1             DIV ECX
00412666 83C4 18          ADD ESP,18
00412669 85D2             TEST EDX,EDX
0041266B 75 04            JNZ SHORT 00412671
0041266D 8BEE             MOV EBP,ESI
0041266F EB 0E            JMP SHORT 0041267F
00412671 33D2             XOR EDX,EDX
00412673 8BC6             MOV EAX,ESI
00412675 F7F1             DIV ECX
00412677 8BE8             MOV EBP,EAX
00412679 83C5 01          ADD EBP,1
0041267C 0FAFE9           IMUL EBP,ECX
0041267F 0FB747 06        MOVZX EAX,WORD PTR DS:[EDI+6]        ; NumberOfSections
00412683 85C0             TEST EAX,EAX
00412685 76 53            JBE SHORT 004126DA
00412687 8D9F 0C010000    LEA EBX,[EDI+10C]                    ; Section.PointerToRawData
0041268D 894424 10        MOV DWORD PTR SS:[LOCAL.4],EAX       ; NumberOfSections
00412691 8B73 F4          MOV ESI,DWORD PTR DS:[EBX-0C]        ; Section.VirtualSize
00412694 85F6             TEST ESI,ESI
00412696 76 34            JBE SHORT 004126CC
00412698 8B03             MOV EAX,DWORD PTR DS:[EBX]           ; PointerToRawData
0041269A 034424 14        ADD EAX,DWORD PTR SS:[LOCAL.3]       ; section VA
0041269E 8B4C24 18        MOV ECX,DWORD PTR SS:[LOCAL.2]       ; buffer
004126A2 56               PUSH ESI                             ; Arg3 = section VSize
004126A3 50               PUSH EAX                             ; Arg2 = section VA
004126A4 8D1429           LEA EDX,[EBP+ECX]
004126A7 52               PUSH EDX                             ; Arg1 = buffer
004126A8 E8 23870200      CALL 0043ADD0                        ; copy section *boom*
...
--- snip ---
Dump of 'ntdll.dll' on-disk placeholder mapping, starting with PE header:

--- snip ---
...
00360060 50 45 00 00  ASCII "PE"    ; PE signature (PE)
00360064 4C01         DW 014C       ; Machine = IMAGE_FILE_MACHINE_I386
00360066 0300         DW 0003       ; NumberOfSections = 3
00360068 00000000     DD 00000000   ; TimeDateStamp = 0
0036006C 00000000     DD 00000000   ; PointerToSymbolTable = 0
00360070 00000000     DD 00000000   ; NumberOfSymbols = 0
00360074 E000         DW 00E0       ; SizeOfOptionalHeader = E0 (224.)
00360076 2220         DW 2022       ; Characteristics = DLL|EXE_IMAGE|20
00360078 0B01         DW 010B       ; MagicNumber = PE32
0036007A 00           DB 00         ; MajorLinkerVersion = 0
0036007B 00           DB 00         ; MinorLinkerVersion = 0
0036007C 05000000     DD 00000005   ; SizeOfCode = 5
00360080 00000000     DD 00000000   ; SizeOfInitializedData = 0
00360084 00000000     DD 00000000   ; SizeOfUninitializedData = 0
00360088 00100000     DD 00001000   ; AddressOfEntryPoint = 1000
0036008C 00100000     DD 00001000   ; BaseOfCode = 1000
00360090 00000000     DD 00000000   ; BaseOfData = 0
00360094 00000010     DD 10000000   ; ImageBase = 10000000
00360098 00100000     DD 00001000   ; SectionAlignment = 1000
0036009C 00020000     DD 00000200   ; FileAlignment = 200
003600A0 0100         DW 0001       ; MajorOSVersion = 1
003600A2 0000         DW 0000       ; MinorOSVersion = 0
003600A4 0000         DW 0000       ; MajorImageVersion = 0
003600A6 0000         DW 0000       ; MinorImageVersion = 0
003600A8 0400         DW 0004       ; MajorSubsystemVersion = 4
003600AA 0000         DW 0000       ; MinorSubsystemVersion = 0
003600AC 00000000     DD 00000000   ; Reserved
003600B0 00400000     DD 00004000   ; SizeOfImage = 4000 (16384.)
003600B4 00020000     DD 00000200   ; SizeOfHeaders = 200 (512.)
003600B8 00000000     DD 00000000   ; CheckSum = 0
003600BC 0000         DW 0000       ; Subsystem = IMAGE_SUBSYSTEM_UNKNOWN
003600BE 0001         DW 0100       ; DLLCharacteristics = 100
003600C0 00001000     DD 00100000   ; SizeOfStackReserve = 100000
003600C4 00100000     DD 00001000   ; SizeOfStackCommit = 1000 (4096.)
003600C8 00001000     DD 00100000   ; SizeOfHeapReserve = 100000
003600CC 00100000     DD 00001000   ; SizeOfHeapCommit = 1000 (4096.)
003600D0 00000000     DD 00000000   ; LoaderFlags = 0
003600D4 10000000     DD 00000010   ; NumberOfRvaAndSizes = 10 (16.)
003600D8 00000000     DD 00000000   ; Export Table address = 0
003600DC 00000000     DD 00000000   ; Export Table size = 0
003600E0 00000000     DD 00000000   ; Import Table address = 0
003600E4 00000000     DD 00000000   ; Import Table size = 0
003600E8 00300000     DD 00003000   ; Resource Table address = 3000
003600EC A4030000     DD 000003A4   ; Resource Table size = 3A4 (932.)
003600F0 00000000     DD 00000000   ; Exception Table address = 0
003600F4 00000000     DD 00000000   ; Exception Table size = 0
003600F8 00000000     DD 00000000   ; Certificate File pointer = 0
003600FC 00000000     DD 00000000   ; Certificate Table size = 0
00360100 00200000     DD 00002000   ; Relocation Table address = 2000
00360104 08000000     DD 00000008   ; Relocation Table size = 8
00360108 00000000     DD 00000000   ; Debug Data address = 0
0036010C 00000000     DD 00000000   ; Debug Data size = 0
00360110 00000000     DD 00000000   ; Architecture Data address = 0
00360114 00000000     DD 00000000   ; Architecture Data size = 0
00360118 00000000     DD 00000000   ; Global Ptr address = 0
0036011C 00000000     DD 00000000   ; Must be 0
00360120 00000000     DD 00000000   ; TLS Table address = 0
00360124 00000000     DD 00000000   ; TLS Table size = 0
00360128 00000000     DD 00000000   ; Load Config Table address = 0
0036012C 00000000     DD 00000000   ; Load Config Table size = 0
00360130 00000000     DD 00000000   ; Bound Import Table address = 0
00360134 00000000     DD 00000000   ; Bound Import Table size = 0
00360138 00000000     DD 00000000   ; Import Address Table address = 0
0036013C 00000000     DD 00000000   ; Import Address Table size = 0
00360140 00000000     DD 00000000   ; Delay Import Descriptor address = 0
00360144 00000000     DD 00000000   ; Delay Import Descriptor size = 0
00360148 00000000     DD 00000000   ; COM+ Runtime Header address = 0
0036014C 00000000     DD 00000000   ; Import Address Table size = 0
00360150 00000000     DD 00000000   ; Reserved
00360154 00000000     DD 00000000   ; Reserved
00360158 2E 74 65 78 >ASCII ".text" ; SECTION
00360160 00100000     DD 00001000   ; VirtualSize = 1000 (4096.)
00360164 00100000     DD 00001000   ; VirtualAddress = 1000
00360168 05000000     DD 00000005   ; SizeOfRawData = 5
0036016C 00020000     DD 00000200   ; PointerToRawData = 200
00360170 00000000     DD 00000000   ; PointerToRelocations = 0
00360174 00000000     DD 00000000   ; PointerToLineNumbers = 0
00360178 0000         DW 0000       ; NumberOfRelocations = 0
0036017A 0000         DW 0000       ; NumberOfLineNumbers = 0
0036017C 20000060     DD 60000020   ; Characteristics = CODE|EXECUTE|READ
...
--- snip ---
You need to pad the placeholder sections with (dummy) data up to section virtual size.
Besides that, I'm not sure what you're intending to do with this app.
It can't work by design because it later tries to load a kernel driver which expects the Windows kernel space architecture with SSDT and shadow SSDT (hooking checks).
$ sha1sum fsbl.exe
b91cc97353117ed488acee290b39ef63ded7f5e4  fsbl.exe

$ du -sh fsbl.exe
1.1M    fsbl.exe

$ wine --version
wine-1.7.36-83-gf75d1b0
Regards
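The failure mode described in comment #12 (copying 'VirtualSize' bytes out of a file mapping whose '.text' section carries only 5 bytes of raw data) can be modelled and checked offline. The following Python example is added here; it is not part of the bug report, of the app, or of Wine. It constructs a minimal single-section PE32 image that reuses the key header values from the dump above (SizeOfHeaders=0x200, SizeOfRawData=5, VirtualSize=0x1000) as a simplified stand-in for the real placeholder (not the actual 2468-byte, three-section file), walks the section table the way the disassembled loop does, reports whether the copy would run past the page-backed part of the mapping, and computes the bounded copy count a defensive reader would use instead. Building the same image with raw data padded up to the virtual size, which is what the comment asks Wine to do, makes the same check pass.

```python
import struct

PAGE_SIZE = 0x1000          # x86 page size; a file view is backed only up to the file size rounded to a page
COFF_HEADER_SIZE = 24       # 'PE\0\0' signature + IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER


def build_placeholder_image(raw_size=5, virtual_size=0x1000):
    """Constructed sample: a minimal single-section PE32 image with the same key values as the
    placeholder dumped in comment #12 (SizeOfHeaders=0x200, .text SizeOfRawData=5,
    VirtualSize=0x1000). Not a real Wine file. raw_size=virtual_size models the padded layout."""
    dos = bytearray(0x40)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                      # e_lfanew -> PE signature
    coff = struct.pack('<IHHIIIHH', 0x4550, 0x14C, 1, 0, 0, 0, 0xE0, 0x2022)
    opt = bytearray(0xE0)                                         # PE32 optional header
    struct.pack_into('<H', opt, 0, 0x10B)                         # Magic = PE32
    struct.pack_into('<I', opt, 32, 0x1000)                       # SectionAlignment
    struct.pack_into('<I', opt, 36, 0x200)                        # FileAlignment
    struct.pack_into('<I', opt, 56, 0x2000)                       # SizeOfImage
    struct.pack_into('<I', opt, 60, 0x200)                        # SizeOfHeaders
    struct.pack_into('<I', opt, 92, 16)                           # NumberOfRvaAndSizes
    sect = struct.pack('<8sIIIIIIHHI', b'.text', virtual_size, 0x1000, raw_size, 0x200,
                       0, 0, 0, 0, 0x60000020)                    # CODE|EXECUTE|READ
    headers = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b'\0')
    body = (b'\xC3' + b'\0' * (raw_size - 1)) if raw_size else b''   # 'ret' plus filler
    return headers + body


def parse_sections(image):
    """Walk the section table the same way the app does: e_lfanew at 0x3C, NumberOfSections at
    PE+6, section headers directly after the optional header."""
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    sig, _machine, nsections = struct.unpack_from('<IHH', image, e_lfanew)
    if sig != 0x4550:
        raise ValueError('not a PE image')
    opt_size = struct.unpack_from('<H', image, e_lfanew + 20)[0]
    table = e_lfanew + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            '<8sIIII', image, table + i * SECTION_HEADER_SIZE)
        sections.append({'name': name.rstrip(b'\0').decode('ascii'), 'VirtualSize': vsize,
                         'VirtualAddress': va, 'SizeOfRawData': rawsize,
                         'PointerToRawData': rawptr})
    return sections


def check_section_copies(image, page_size=PAGE_SIZE):
    """Model the copy loop from comment #12: VirtualSize bytes are read from the file mapping at
    PointerToRawData. The mapping is backed only up to len(image) rounded up to a page, so a
    copy that ends past that limit faults. safe_copy_bytes is the bound a defensive loader
    would use instead: never more than SizeOfRawData or the bytes actually present in the file."""
    mapped_limit = -(-len(image) // page_size) * page_size
    report = []
    for s in parse_sections(image):
        copy_end = s['PointerToRawData'] + s['VirtualSize']
        present = max(0, len(image) - s['PointerToRawData'])
        report.append({
            'name': s['name'],
            'copy_bytes': s['VirtualSize'],
            'copy_end': copy_end,
            'mapped_limit': mapped_limit,
            'faults': copy_end > mapped_limit,
            'safe_copy_bytes': min(s['VirtualSize'], s['SizeOfRawData'], present),
        })
    return report


if __name__ == '__main__':
    for label, img in (('unpadded placeholder', build_placeholder_image()),
                       ('padded to VirtualSize', build_placeholder_image(raw_size=0x1000))):
        for r in check_section_copies(img):
            print(f"{label}: {r['name']} copy ends at {r['copy_end']:#x}, mapping backed to "
                  f"{r['mapped_limit']:#x} -> {'FAULT' if r['faults'] else 'ok'} "
                  f"(safe copy count {r['safe_copy_bytes']})")
```

For the unpadded image the copy ends at 0x1200 while the 517-byte file is backed only up to 0x1000, which is the same "page fault on read access to <mapping>+0x1000" pattern the console logs in this bug show; with the raw data padded to 0x1000 bytes the file grows to 0x1200 bytes, the mapping is backed to 0x2000, and the copy stays in bounds.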
--- Comment #13 from Gijs Vermeulen gijsvrm@gmail.com --- Is it possible this bug is fixed? With wine-6.0-rc6 there is a non-fatal page fault after accepting the license agreement, but the app still starts.
In any case, this app is useless for use with wine anyway.
Anastasius Focht focht@gmx.net changed:
What           |Removed                                           |Added
----------------------------------------------------------------------------
Component      |-unknown                                          |kernel32
Resolution     |---                                               |FIXED
Status         |NEW                                               |RESOLVED
URL            |ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe  |https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
Fixed by SHA1  |                                                  |0c631ebb2354334eaf309bc0765d3283654cf902
--- Comment #14 from Anastasius Focht focht@gmx.net --- Hello Gijs,
--- quote ---
Is it possible this bug is fixed? With wine-6.0-rc6 there is a non-fatal page fault after accepting the license agreement, but the app still starts.
--- quote ---
thanks for the reminder. Yes, it was fixed by commit https://source.winehq.org/git/wine.git/commitdiff/0c631ebb2354334eaf309bc076... ("kernel32: Build with msvcrt.").
Part of Wine 5.19 release.
Thanks Alexandre.
There is bug 15437 ("Multiple programs using madCodeHook crash (in-memory PE image of Wine builtins vs. ELF image on disk)") which references the same commit sha1. Bug 15437 is about EAT/IAT validation between on-disk image and mapped PE images. The problem here is about PE section layout/requirements, hence it makes sense to keep it separate.
Although it was pretty clear which Wine releases/commits to check for (comment #12), I wrote a small AutoHotkey script and a shell script to automate the task.
'bug21038.ahk':
--- snip ---
; marker file: its presence after the run means the app did not come up or crashed into winedbg
FileDelete, c:\fsbl.fail

Run, fsbl.exe
WinWait, F-Secure BlackLight,,10
if ErrorLevel
{
    ; license dialog never appeared within 10 seconds
    FileAppend,, c:\fsbl.fail
    Exit
}
Sleep, 1000
ControlClick, I accept the agreement
ControlClick, Next >

; poll for a few seconds: a crash shows up as a winedbg.exe process
Loop, 5
{
    Sleep, 1000
    Process, Exist, winedbg.exe
    If ErrorLevel
    {
        FileAppend,, c:\fsbl.fail
        Process, Close, winedbg.exe
        Exit
    }
}
Process, Close, fsbl.exe
--- snip ---
Shell script 'bug21038_test.sh' for running the autohotkey script against a number of Wine releases:
--- snip ---
# 'wine_register_path' is the reporter's own helper that switches the active Wine build
# (it prints the "Active Wine version:" line seen in the output); it is not part of Wine.
for ver in 2.0 3.0 4.0 5.{0..22} 6.0 ; do
  (
    echo "#####"
    # fresh 32-bit prefix for every release
    export WINEPREFIX=~/wineprefix-bug21038 && rm -rf "$WINEPREFIX"
    export WINEARCH=win32
    wine_register_path $ver
    winetricks -q autohotkey &> /dev/null
    # run the AutoHotkey driver; keep only the crash/debugger lines from the console output
    wine "c:\Program Files\AutoHotkey\AutoHotkey.exe" bug21038.ahk 2>&1 | \
      egrep "(debugger|overflow)"
    # the AutoHotkey script drops this marker when the app fails to start or winedbg appears
    [ -f "$WINEPREFIX/drive_c/fsbl.fail" ] && echo "FSBL fail." || echo "FSBL ok."
    wineserver -w
  )
  rm -f fsbl-*.log
done
--- snip ---
Output:
--- snip ---
$ bash bug21038_test.sh
#####
Active Wine version: wine-2.0
wine: Unhandled page fault on read access to 0x00361000 at address 0x43ae2a (thread 004e), starting debugger...
FSBL fail.
#####
Active Wine version: wine-3.0
wine: Unhandled page fault on read access to 0x003b1000 at address 0x44656d (thread 0053), starting debugger...
FSBL fail.
#####
Active Wine version: wine-4.0
0053:err:seh:setup_exception_record stack overflow 1212 bytes in thread 0053 eip 7bc8463c esp 00240e74 stack 0x240000-0x241000-0x340000
FSBL fail.
#####
Active Wine version: wine-5.0
wine: Unhandled page fault on read access to 09E11000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.1
wine: Unhandled page fault on read access to 09FD1000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.2
wine: Unhandled page fault on read access to 01A71000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.3
wine: Unhandled page fault on read access to 09E31000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.4
wine: Unhandled page fault on read access to 09E31000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.5
wine: Unhandled page fault on read access to 0A171000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.6
wine: Unhandled page fault on read access to 0A171000 at address 0044656D (thread 0054), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.7
wine: Unhandled page fault on read access to 0A171000 at address 0043AE2A (thread 0055), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.8
wine: Unhandled page fault on read access to 0A1B1000 at address 0044656D (thread 014c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.9
wine: Unhandled page fault on read access to 09921000 at address 0044656D (thread 014c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.10
wine: Unhandled page fault on read access to 09921000 at address 0043AE2A (thread 0164), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.11
wine: Unhandled page fault on read access to 09921000 at address 0043AE2A (thread 0164), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.12
wine: Unhandled page fault on read access to 09DAC000 at address 00412535 (thread 015c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.13
wine: Unhandled page fault on read access to 09DAC000 at address 00412535 (thread 015c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.14
wine: Unhandled page fault on read access to 09CBC000 at address 00412535 (thread 015c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.15
015c:err:virtual:virtual_setup_exception stack overflow 860 bytes in thread 015c addr 0xf7d7820f stack 0x220ca4 (0x220000-0x221000-0x320000)
FSBL fail.
#####
Active Wine version: wine-5.16
wine: Unhandled page fault on read access to 09B19000 at address 0044656D (thread 015c), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.17
wine: Unhandled page fault on read access to 09C59000 at address 0044656D (thread 0184), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.18
wine: Unhandled page fault on read access to 0152A000 at address 0044656D (thread 01e8), starting debugger...
FSBL fail.
#####
Active Wine version: wine-5.19
FSBL ok.
#####
Active Wine version: wine-5.20
FSBL ok.
#####
Active Wine version: wine-5.21
FSBL ok.
#####
Active Wine version: wine-5.22
FSBL ok.
#####
Active Wine version: wine-6.0
FSBL ok.
--- snip ---
After that it was only a small step left to check Wine 5.19 shortlog.
$ wine --version
wine-6.0-40-g00401d22782
Regards
--- Comment #15 from Anastasius Focht focht@gmx.net --- Hello folks,
--- quote ---
With wine-6.0-rc6 there is a non-fatal page fault after accepting the license agreement, but the app still starts.
--- quote ---
that's bug 39406 ("Multiple kernel drivers crash due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)(LabVIEW 201x CVI 'cvintdrv.sys', F-Secure BlackLight Engine 2.2 'fsbldrv.sys')").
The app can't obviously work without the helper rootkit detection kernel driver (scan will do nothing).
Regards
Alexandre Julliard julliard@winehq.org changed:
What    |Removed   |Added
----------------------------------------------------------------------------
Status  |RESOLVED  |CLOSED
--- Comment #16 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 6.1.