New subject: [Bug 47170] nProtect GameGuard Personal/Anti-Virus/Spyware 3.x/ 4.x kernel drivers crash due to 'winedevice' PE module having no export table

12 May 2019


      https://bugs.winehq.org/show_bug.cgi?id=47170
Bug ID: 47170
           Summary: nProtect GameGuard Personal/Anti-Virus/Spyware 3.x/4.x
                    kernel drivers crash due to 'winedevice' PE module
                    having no export table
           Product: Wine
           Version: 4.8
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
as it says.
Stable download link which is a web-installer for nProtect GameGuard Personal
3.x (bundles nProtect Anti-Virus/Spyware 3.0 which fetches 4.0):
http://fs2.download82.com/software/bbd8ff9dba17080c0c121804efbd61d5/nprotect...
The AVS 4.0 installer works, although one can already see multiple crashing
kernel drivers in console which cause additional zombie service processes
(Windows userspace side).
--- snip ---
...
002d:trace:ntoskrnl:load_driver loading driver
L"C:\windows\system32\TKPcFtHk.sys" 
...
002d:Call driver init 0x350005
(obj=0x121ba0,str=L"\Registry\Machine\System\CurrentControlSet\Services\TKPcFt") 
...
002d:trace:ntoskrnl:IoCreateDevice (0x121ba0, 0, L"\Device\TKPcFt", 34, 0, 0,
0x348104) 
...
002d:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\TKPcFt" ->
L"\Device\TKPcFt" 
...
002d:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00001000,34314c53)
ret=00342f27
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,00001000) ret=7e8789fa
002d:Ret  ntdll.RtlAllocateHeap() retval=00121ea0 ret=7e8789fa
002d:trace:ntoskrnl:ExAllocatePoolWithTag 4096 pool 0 -> 0x121ea0
002d:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=00121ea0 ret=00342f27
002d:Call ntoskrnl.exe.memset(00121ea0,00000000,00001000) ret=00342f41
002d:Ret  ntoskrnl.exe.memset() retval=00121ea0 ret=00342f41
002d:Call
ntoskrnl.exe.ZwQuerySystemInformation(0000000b,00121ea0,00001000,0082f864)
ret=0034392d
002d:Call ntdll.NtQuerySystemInformation(0000000b,00121ea0,00001000,0082f864)
ret=7bc8e964
002d:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=7bc8e964
002d:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=0034392d
002d:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00000104,35314c53)
ret=00342f27
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,00000104) ret=7e8789fa
002d:Ret  ntdll.RtlAllocateHeap() retval=00122ea8 ret=7e8789fa
002d:trace:ntoskrnl:ExAllocatePoolWithTag 260 pool 0 -> 0x122ea8
002d:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=00122ea8 ret=00342f27
002d:Call ntoskrnl.exe.memset(00122ea8,00000000,00000104) ret=00342f41
002d:Ret  ntoskrnl.exe.memset() retval=00122ea8 ret=00342f41
002d:trace:seh:raise_exception code=c0000005 flags=0 addr=0x343c13 ip=00343c13
tid=002d
002d:trace:seh:raise_exception  info[0]=00000000
002d:trace:seh:raise_exception  info[1]=00d05a4d
002d:trace:seh:raise_exception  eax=00345390 ebx=00121ba0 ecx=00d05a4f
edx=00d05a4d esi=00350005 edi=00121c54
002d:trace:seh:raise_exception  ebp=0082f8d4 esp=0082f888 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010206
002d:trace:seh:call_vectored_handlers calling handler at 0x7e877f10
code=c0000005 flags=0
002d:trace:seh:call_vectored_handlers handler at 0x7e877f10 returned 0
002d:trace:seh:call_stack_handlers calling handler at 0x7bcc3660 code=c0000005
flags=0
002d:Call msvcrt.signal(0000000b,00000000) ret=00403789
002d:trace:seh:MSVCRT_signal (11, (nil))
002d:Ret  msvcrt.signal() retval=00000000 ret=00403789
002d:trace:seh:start_debugger Starting debugger "winedbg --auto 42 56"
002d:trace:seh:call_stack_handlers handler at 0x7bcc3660 returned 1 
--- snip ---
The reason of the crash is not visible by tracing, one has to debug the
garbage.
Disassembly of sub-routine where the "custom" resolver magic happens, annotated
where needed ...
--- snip ---
005539C0  MOV EDI,EDI
005539C2  PUSH EBP
005539C3  MOV EBP,ESP
005539C5  SUB ESP,4C
005539C8  MOV DWORD PTR SS:[LOCAL.9],0
005539CF  MOV DWORD PTR SS:[LOCAL.10],0
005539D6  MOV DWORD PTR SS:[LOCAL.11],0
005539DD  MOV DWORD PTR SS:[LOCAL.13],0
005539E4  MOV DWORD PTR SS:[LOCAL.7],0
005539EB  MOV DWORD PTR SS:[LOCAL.4],0
005539F2  MOV DWORD PTR SS:[LOCAL.8],0
005539F9  MOV DWORD PTR SS:[LOCAL.6],0
00553A00  MOV DWORD PTR SS:[LOCAL.12],0
00553A07  MOV DWORD PTR SS:[LOCAL.1],0
00553A0E  MOV DWORD PTR SS:[LOCAL.3],0
00553A15  MOV DWORD PTR SS:[LOCAL.5],0
00553A1C  MOV DWORD PTR SS:[LOCAL.14],0
00553A23  MOV DWORD PTR SS:[LOCAL.2],0
00553A2A  CALL DWORD PTR DS:[<&HAL.KeGetCurrentIrql>]
00553A30  MOVZX EAX,AL
00553A33  TEST EAX,EAX
00553A35  JZ SHORT 00553A3C
00553A37  JMP 00553C72
00553A3C  LEA ECX,[LOCAL.10]
00553A3F  PUSH ECX
00553A40  PUSH 0B               ; SystemModuleInformation
00553A42  CALL 005538C0         ; ZwQuerySystemInformation
00553A47  MOV DWORD PTR SS:[LOCAL.11],EAX
00553A4A  CMP DWORD PTR SS:[LOCAL.11],0
00553A4E  JNE SHORT 00553A55
00553A50  JMP 00553C72
00553A55  PUSH 35314C53
00553A5A  PUSH 104
00553A5F  PUSH 0
00553A61  CALL 00552F00         ; ExAllocatePoolWithTag
00553A66  MOV DWORD PTR SS:[LOCAL.8],EAX
00553A69  CMP DWORD PTR SS:[LOCAL.8],0
00553A6D  JNE SHORT 00553A74
00553A6F  JMP 00553C72
00553A74  MOV EDX,DWORD PTR SS:[LOCAL.11]  ; _RTL_PROCESS_MODULE_INFORMATION
--- snip ---
--- snip ---
00553A74  ; typedef struct _RTL_PROCESS_MODULE_INFORMATION
00553A74  ; {
00553A74  ;     HANDLE Section;
00553A74  ;     PVOID MappedBase;
00553A74  ;     PVOID ImageBase;
00553A74  ;     ULONG ImageSize;
00553A74  ;     ULONG Flags;
00553A74  ;     USHORT LoadOrderIndex;
00553A74  ;     USHORT InitOrderIndex;
00553A74  ;     USHORT LoadCount;
00553A74  ;     USHORT OffsetToFileName;
00553A74  ;     UCHAR FullPathName[256];
00553A74  ; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
00553A74  ;
00553A74  ; $ ==>      00000000
00553A74  ; $+4        00000000
00553A74  ; $+8        7EFF0000  ; OFFSET winedevice.<STRUCT IMAGE_DOS_HEADER>
00553A74  ; $+C        00010000
00553A74  ; $+10       80080000
00553A74  ; $+14       00000000
00553A74  ; $+18       00140000
00553A74  ; $+1C       775C3A43  C:\w
00553A74  ; $+20       6F646E69  indo
00553A74  ; $+24       735C7377  ws\s
00553A74  ; $+28       65747379  yste
00553A74  ; $+2C       5C32336D  m32\
00553A74  ; $+30       656E6977  wine
00553A74  ; $+34       69766564  devi
00553A74  ; $+38       652E6563  ce.e
00553A74  ; $+3C       00006578  xe
00553A74  ; $+40       00000000
--- snip ---
--- snip ---
00553A77  ADD EDX,4
00553A7A  MOV DWORD PTR SS:[LOCAL.13],EDX ; ModuleInfo
00553A7D  MOV DWORD PTR SS:[LOCAL.4],0    ; mod_count
00553A84  JMP SHORT 00553A8F
00553A86  MOV EAX,DWORD PTR SS:[EBP-10]   ; loop_mod_count
00553A89  ADD EAX,1
00553A8C  MOV DWORD PTR SS:[EBP-10],EAX   ; loop_mod_count
00553A8F  MOV ECX,DWORD PTR SS:[EBP-2C]   ; ModuleInfo
00553A92  MOV EDX,DWORD PTR SS:[EBP-10]
00553A95  CMP EDX,DWORD PTR DS:[ECX]
00553A97  JAE 00553B5C
00553A9D  CMP DWORD PTR SS:[EBP+8],0
00553AA1  JNE SHORT 00553AD8
00553AA3  MOV EAX,DWORD PTR SS:[EBP-34]   ; ModuleInfo
00553AA6  MOV ECX,DWORD PTR DS:[EAX+8]    ; ImageBase
00553AA9  MOV DWORD PTR SS:[EBP-18],ECX
00553AAC  MOV EDX,DWORD PTR SS:[EBP-34]
00553AAF  MOVZX EAX,WORD PTR DS:[EDX+1A]  ; OffsetToFileName
00553AB3  MOV ECX,DWORD PTR SS:[EBP-34]
00553AB6  LEA EDX,[EAX+ECX+1C]
; ModuleInfo->Modules[i].FullPathName+ModuleInfo->Modules[i].OffsetToFileName
00553ABA  PUSH EDX
00553ABB  PUSH 00555520 ; ASCII "%s"
00553AC0  PUSH 104
00553AC5  MOV EAX,DWORD PTR SS:[EBP-20]
00553AC8  PUSH EAX
00553AC9  CALL 00553CA0                   ; copy_to_buffer
00553ACE  ADD ESP,10
00553AD1  JMP 00553B5C
00553AD6  JMP SHORT 00553B57
00553AD8  MOV ECX,DWORD PTR SS:[EBP+8]
00553ADB  PUSH ECX
00553ADC  MOV EDX,DWORD PTR SS:[EBP-10]   ; mod_count
00553ADF  IMUL EDX,EDX,11C
00553AE5  ADD EDX,DWORD PTR SS:[EBP-34]   ; ModuleInfo
00553AE8  MOV EAX,DWORD PTR SS:[EBP-10]
00553AEB  IMUL EAX,EAX,11C
00553AF1  MOV ECX,DWORD PTR SS:[EBP-34]
00553AF4  MOVZX EAX,WORD PTR DS:[EAX+ECX+1A]
00553AF9  LEA ECX,[EAX+EDX+1C]
00553AFD  PUSH ECX
00553AFE  CALL <JMP.&ntoskrnl_exe._stricmp>
00553B03  ADD ESP,8
00553B06  TEST EAX,EAX
00553B08  JNZ SHORT 00553B57
00553B0A  MOV EDX,DWORD PTR SS:[EBP-10]
00553B0D  IMUL EDX,EDX,11C
00553B13  MOV EAX,DWORD PTR SS:[EBP-34]
00553B16  MOV ECX,DWORD PTR DS:[EDX+EAX+8]
00553B1A  MOV DWORD PTR SS:[EBP-18],ECX
00553B1D  MOV EDX,DWORD PTR SS:[EBP-10]
00553B20  IMUL EDX,EDX,11C
00553B26  ADD EDX,DWORD PTR SS:[EBP-34]
00553B29  MOV EAX,DWORD PTR SS:[EBP-10]
00553B2C  IMUL EAX,EAX,11C
00553B32  MOV ECX,DWORD PTR SS:[EBP-34]
00553B35  MOVZX EAX,WORD PTR DS:[EAX+ECX+1A]
00553B3A  LEA ECX,[EAX+EDX+1C]
00553B3E  PUSH ECX
00553B3F  PUSH 00555520 ; ASCII "%s"
00553B44  PUSH 104
00553B49  MOV EDX,DWORD PTR SS:[EBP-20]
00553B4C  PUSH EDX
00553B4D  CALL 00553CA0                   ; copy_to_buffer
00553B52  ADD ESP,10
00553B55  JMP SHORT 00553B5C
00553B57  JMP 00553A86
00553B5C  CMP DWORD PTR SS:[EBP-18],0     ; ImageBase
00553B60  JNE SHORT 00553B67
00553B62  JMP 00553C72
00553B67  MOV EAX,DWORD PTR SS:[EBP-18]
00553B6A  MOV DWORD PTR SS:[EBP-30],EAX
00553B6D  MOV ECX,DWORD PTR SS:[EBP-30]
00553B70  MOVZX EDX,WORD PTR DS:[ECX]
00553B73  CMP EDX,5A4D                    ; DOS HEADER
00553B79  JE SHORT 00553B80
00553B7B  JMP 00553C72
00553B80  MOV EAX,DWORD PTR SS:[EBP-30]   ; ImageBase
00553B83  MOV ECX,DWORD PTR SS:[EBP-18]   
00553B86  ADD ECX,DWORD PTR DS:[EAX+3C]   ; file offset to the PE signature
00553B89  MOV DWORD PTR SS:[EBP-4],ECX
00553B8C  MOV EDX,DWORD PTR SS:[EBP-4]
00553B8F  MOV EAX,DWORD PTR SS:[EBP-18]
00553B92  ADD EAX,DWORD PTR DS:[EDX+78]   ; RVA of the export table
00553B95  MOV DWORD PTR SS:[EBP-0C],EAX   ; Wine: NULL -> image_base
00553B98  MOV ECX,DWORD PTR SS:[EBP-0C]
00553B9B  MOV EDX,DWORD PTR SS:[EBP-18]
00553B9E  ADD EDX,DWORD PTR DS:[ECX+20]   ; offset(names table)
00553BA1  MOV DWORD PTR SS:[EBP-14],EDX
00553BA4  MOV EAX,DWORD PTR SS:[EBP-0C]
00553BA7  MOV ECX,DWORD PTR SS:[EBP-18]
00553BAA  ADD ECX,DWORD PTR DS:[EAX+1C]   ; offset(address table)
00553BAD  MOV DWORD PTR SS:[EBP-38],ECX
00553BB0  MOV EDX,DWORD PTR SS:[EBP-0C]
00553BB3  MOV EAX,DWORD PTR SS:[EBP-18]
00553BB6  ADD EAX,DWORD PTR DS:[EDX+24]   ; offset(ordinals table)
00553BB9  MOV DWORD PTR SS:[EBP-8],EAX
00553BBC  MOV DWORD PTR SS:[EBP-10],0
00553BC3  JMP SHORT 00553BE0
00553BC5  MOV ECX,DWORD PTR SS:[EBP-10]
00553BC8  ADD ECX,1
00553BCB  MOV DWORD PTR SS:[EBP-10],ECX
00553BCE  MOV EDX,DWORD PTR SS:[EBP-14]   ; export_names
00553BD1  ADD EDX,4
00553BD4  MOV DWORD PTR SS:[EBP-14],EDX
00553BD7  MOV EAX,DWORD PTR SS:[EBP-8]    ; EAT ordinals_addr
00553BDA  ADD EAX,2
00553BDD  MOV DWORD PTR SS:[EBP-8],EAX
00553BE0  MOV ECX,DWORD PTR SS:[EBP-0C]   ; export_table_addr
00553BE3  MOV EDX,DWORD PTR SS:[EBP-10]
00553BE6  CMP EDX,DWORD PTR DS:[ECX+18]   ; table numberOfNamePointers
00553BE9  JAE 00553C72
00553BEF  CMP DWORD PTR SS:[EBP+0C],0     ; func_name
00553BF3  JNE SHORT 00553BF7
00553BF5  JMP SHORT 00553C6D
00553BF7  MOV EAX,DWORD PTR SS:[EBP-14]   ; export_names
00553BFA  MOV ECX,DWORD PTR SS:[EBP-18]   ; ImageBase
00553BFD  ADD ECX,DWORD PTR DS:[EAX]
00553BFF  MOV DWORD PTR SS:[EBP-3C],ECX
00553C02  MOV EDX,DWORD PTR SS:[EBP+0C]
00553C05  MOV DWORD PTR SS:[EBP-40],EDX
00553C08  MOV EAX,DWORD PTR SS:[EBP-40]
00553C0B  MOV CL,BYTE PTR DS:[EAX]
00553C0D  MOV BYTE PTR SS:[EBP-41],CL
00553C10  MOV EDX,DWORD PTR SS:[EBP-3C]   ; name_ptr_rva
00553C13  CMP CL,BYTE PTR DS:[EDX]        ; *boom*
00553C15  JNE SHORT 00553C45
00553C17  CMP BYTE PTR SS:[EBP-41],0
00553C1B  JE SHORT 00553C3C
00553C1D  MOV EAX,DWORD PTR SS:[EBP-40]
00553C20  MOV CL,BYTE PTR DS:[EAX+1]
00553C23  MOV BYTE PTR SS:[EBP-42],CL
00553C26  MOV EDX,DWORD PTR SS:[EBP-3C]
00553C29  CMP CL,BYTE PTR DS:[EDX+1]
00553C2C  JNE SHORT 00553C45
00553C2E  ADD DWORD PTR SS:[EBP-40],2
00553C32  ADD DWORD PTR SS:[EBP-3C],2
00553C36  CMP BYTE PTR SS:[EBP-42],0
00553C3A  JNE SHORT 00553C08
00553C3C  MOV DWORD PTR SS:[EBP-48],0
00553C43  JMP SHORT 00553C4D
00553C45  SBB EAX,EAX
00553C47  SBB EAX,-1
00553C4A  MOV DWORD PTR SS:[EBP-48],EAX
00553C4D  MOV ECX,DWORD PTR SS:[EBP-48]
00553C50  MOV DWORD PTR SS:[EBP-4C],ECX
00553C53  CMP DWORD PTR SS:[EBP-4C],0
00553C57  JNE SHORT 00553C6D
00553C59  MOV EDX,DWORD PTR SS:[EBP-8]    ; eat_ordinals_addr
00553C5C  MOVSX EAX,WORD PTR DS:[EDX]
00553C5F  MOV ECX,DWORD PTR SS:[EBP-38]   ; export_address_table
00553C62  MOV EDX,DWORD PTR SS:[EBP-18]   ; ImageBase
00553C65  ADD EDX,DWORD PTR DS:[EAX*4+ECX]
00553C68  MOV DWORD PTR SS:[EBP-24],EDX
00553C6B  JMP SHORT 00553C72
00553C6D  JMP 00553BC5
00553C72  CMP DWORD PTR SS:[EBP-2C],0     ; ModuleInfo
00553C76  JE SHORT 00553C81
00553C78  MOV EAX,DWORD PTR SS:[EBP-2C]
00553C7B  PUSH EAX
00553C7C  CALL 00552F60
00553C81  CMP DWORD PTR SS:[EBP-20],0
00553C85  JE SHORT 00553C90
00553C87  MOV ECX,DWORD PTR SS:[EBP-20]
00553C8A  PUSH ECX
00553C8B  CALL 00552F60
00553C90  MOV EAX,DWORD PTR SS:[EBP-24]
00553C93  MOV ESP,EBP
00553C95  POP EBP
00553C96  RETN 8
--- snip ---
To cut it short: The driver(s) populate the list of loaded modules. Wine runs
kernel drivers by design using a helper 'winedevice' hosting process.
'winedevice' is part of the system modules list (first entry). Unfortunately it
doesn't export anything hence the drivers choke on an empty export address
table.
$ sha1sum ggp3d.exe 
5c1b2cca00da683b047c5a429bee540cc585b53e  ggp3d.exe
$ du -sh ggp3d.exe 
392K    ggp3d.exe
$ wine --version
wine-4.8
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 47170] New: nProtect GameGuard Personal/Anti-Virus/Spyware 3.x/ 4.x kernel drivers crash due to 'winedevice' PE module having no export table