https://bugs.winehq.org/show_bug.cgi?id=46969
Bug ID: 46969
Summary: Multiple 64-bit WDM kernel drivers want Windows 8+ 'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY)
Product: Wine
Version: 4.5
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says. It's not critical as most kernel drivers fall back to 'ntdll.RtlQueryRegistryValues' if the entry point can't be resolved.
It still produces considerable 'fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found' spam in some cases for every registry value read. Additionally it might lead people to draw incorrect conclusions as the fallback can't be seen without additional debug channels.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wineboot >>log.txt 2>&1
...
0025:trace:ntoskrnl:open_driver opened service for driver L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY"
...
0025:trace:ntoskrnl:load_driver loading driver L"SYSTEM32\DRIVERS\WibuKey64.sys"
0025:Call KERNEL32.LoadLibraryW(00026460 L"SYSTEM32\DRIVERS\WibuKey64.sys") ret=7f0a3ebbbe25
...
0025:Call driver init 0x10004ee0 (obj=0x27980,str=L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY")
...
0025:Call ntoskrnl.exe.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=10005f5f
0025:Call ntdll.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=7bd10e87
0025:Ret ntdll.RtlInitUnicodeString() retval=0032f260 ret=7bd10e87
0025:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0032f260 ret=10005f5f
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:Call ntdll.RtlUnicodeStringToAnsiString(0032f0a0,0032f260,00000001) ret=7f0a3ebb9187
0025:Ret ntdll.RtlUnicodeStringToAnsiString() retval=00000000 ret=7f0a3ebb9187
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd1e0 L"ntoskrnl.exe") ret=7f0a3ebb91a5
0025:Ret KERNEL32.GetModuleHandleW() retval=7f0a3eb90000 ret=7f0a3ebb91a5
0025:Call KERNEL32.GetProcAddress(7f0a3eb90000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb91c3
0025:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb91c3
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd200 L"hal.dll") ret=7f0a3ebb91e6
0025:Ret KERNEL32.GetModuleHandleW() retval=7f0a4cf80000 ret=7f0a3ebb91e6
0025:Call KERNEL32.GetProcAddress(7f0a4cf80000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb920c
0025:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb920c
...
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Call ntdll.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=7bd10e87
0025:Ret ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bd10e87
0025:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
...
<repeated dozen times>
...
0025:Ret driver init 0x10004ee0 (obj=0x27980,str=L"\Registry\Machine\System\CurrentControlSet\Services\WIBUKEY") retval=00000000
0025:Call KERNEL32.IsBadStringPtrW(00027918,ffffffffffffffff) ret=7f0a3ebaa4a8
0025:Ret KERNEL32.IsBadStringPtrW() retval=00000000 ret=7f0a3ebaa4a8
0025:trace:ntoskrnl:init_driver init done for L"WIBUKEY" obj 0x27980
0025:trace:ntoskrnl:init_driver - DriverInit = 0x10004ee0
0025:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0025:trace:ntoskrnl:init_driver - DriverUnload = 0x10005110
0025:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f0a3ebb04dd
--- snip ---
The prototype seems to be the same as 'ntdll.RtlQueryRegistryValues'
https://github.com/Gbps/gbhv/blob/master/gbhv/phnt/ntrtl.h#L6903
--- snip ---
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValues(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );

// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValuesEx(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );
--- snip ---
https://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm
https://www.geoffchappell.com/studies/windows/win32/ntdll/history/names62.ht...
--- quote --- RtlQueryRegistryValuesEx 6.2 and higher --- quote ---
The purpose of this function is mentioned here (which also explains why the prototype is the same):
http://www.powerofcommunity.net/poc2012/mj0011.pdf ("Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement")
Slide 15 "Windows8 Kernel Security Improvements":
--- quote ---
Kernel Security Improvements on Windows 8:
...
Introducing the new RtlQueryRegistryValuesEx function.
Windows 8 drivers use this new function as much as possible. If driver calls new function and the registry key is untrusted, it would cause BugCheck = KERNEL_SECURITY_CHECK_FAILURE.
--- quote ---
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntdll/reg.c#l1218
--- snip ---
1218 /*************************************************************************
1219  * RtlQueryRegistryValues [NTDLL.@]
1220  *
1221  * Query multiple registry values with a single call.
1222  *
1223  * PARAMS
1224  *  RelativeTo  [I] Registry path that Path refers to
1225  *  Path        [I] Path to key
1226  *  QueryTable  [I] Table of key values to query
1227  *  Context     [I] Parameter to pass to the application defined QueryRoutine function
1228  *  Environment [I] Optional parameter to use when performing expansion
1229  *
1230  * RETURNS
1231  *  STATUS_SUCCESS or an appropriate NTSTATUS error code.
1232  */
1233 NTSTATUS WINAPI RtlQueryRegistryValues(IN ULONG RelativeTo, IN PCWSTR Path,
1234                                        IN PRTL_QUERY_REGISTRY_TABLE QueryTable, IN PVOID Context,
1235                                        IN PVOID Environment OPTIONAL)
1236 {
...
--- snip ---

$ sha1sum ARCHICAD-22-USA-3006-1.4.exe
981ffe19e9b03b2736dddc335c9dfc8a7cfe0750  ARCHICAD-22-USA-3006-1.4.exe

$ du -sh ARCHICAD-22-USA-3006-1.4.exe
1.9G    ARCHICAD-22-USA-3006-1.4.exe

$ wine --version
wine-4.5-227-g6552b7144e
Regards
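As an added example (not part of the bug report or of Wine), a small Python scan over relay lines in the format quoted above: it pairs each unresolved MmGetSystemRoutineAddress lookup with the next ntoskrnl call the same thread makes, which is the driver's fallback, and records that call's NTSTATUS, so the masked fallback becomes visible without reading the whole +relay log by hand. The sample lines are constructed from the snips in this report; the assumption that "the first ntoskrnl call after the fixme is the fallback" is a heuristic, not something Wine guarantees.

```python
import re

# Constructed sample in the shape of the relay/ntoskrnl lines quoted in the bug
# (thread id prefix, the fixme from MmGetSystemRoutineAddress, then the fallback call).
SAMPLE_LOG = """\
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
00d0:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
00d0:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=00c85092
00d0:Call ntoskrnl.exe.RtlQueryRegistryValues(00000004,00cfab48,00b5ee10,00b5eda8,00000000) ret=00c850b9
00d0:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=00000000 ret=00c850b9
0108:trace:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" -> 000000000032A17C
0108:Call ntoskrnl.exe.RtlQueryRegistryValuesEx(00000000,10013a80,009e0620,00000000,00000000) ret=10006187
"""

NOT_FOUND = re.compile(r'^(?P<tid>[0-9a-f]+):fixme:ntoskrnl:MmGetSystemRoutineAddress L"(?P<name>[^"]+)" not found$')
CALL = re.compile(r'^(?P<tid>[0-9a-f]+):Call ntoskrnl\.exe\.(?P<name>\w+)\(')
RET = re.compile(r'^(?P<tid>[0-9a-f]+):Ret ntoskrnl\.exe\.(?P<name>\w+)\(\) retval=(?P<rv>[0-9a-f]+)')

def find_fallbacks(log):
    """Pair each unresolved MmGetSystemRoutineAddress lookup with the next ntoskrnl
    call on the same thread (assumed to be the driver's fallback) and its NTSTATUS."""
    pending = {}      # tid -> routine name that failed to resolve
    in_fallback = {}  # tid -> (missing, fallback) waiting for the fallback's Ret line
    events = []
    for line in log.splitlines():
        m = NOT_FOUND.match(line)
        if m:
            pending[m['tid']] = m['name']
            continue
        m = CALL.match(line)
        if m and m['tid'] in pending and m['name'] != 'MmGetSystemRoutineAddress':
            in_fallback[m['tid']] = (pending.pop(m['tid']), m['name'])
            continue
        m = RET.match(line)
        if m and in_fallback.get(m['tid'], (None, None))[1] == m['name']:
            missing, fallback = in_fallback.pop(m['tid'])
            events.append({'tid': m['tid'], 'missing': missing,
                           'fallback': fallback, 'status': int(m['rv'], 16)})
    return events

if __name__ == '__main__':
    for e in find_fallbacks(SAMPLE_LOG):
        print(f"{e['tid']}: {e['missing']} missing, {e['fallback']} returned 0x{e['status']:08x}")
```

Thread 0108 produces no event because its lookup resolved (a trace line, not a fixme), which is exactly the post-fix behaviour; the c0000034 status on thread 0025 is STATUS_OBJECT_NAME_NOT_FOUND from the fallback itself, not from the missing export.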
Anastasius Focht focht@gmx.net changed:
What     | Removed | Added
---------+---------+----------------------------------------------------------------------------------
URL      |         | https://graphisoft.akamaized.net/cdn/AC/22/USA/AC/ARCHICAD-22-USA-3006-1.4.exe
Keywords |         | download
Radim pesekradim@seznam.cz changed:
What | Removed | Added
-----+---------+---------------------
CC   |         | pesekradim@seznam.cz
Anastasius Focht focht@gmx.net changed:
What | Removed                                                                        | Added
-----+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------
URL  | https://graphisoft.akamaized.net/cdn/AC/22/USA/AC/ARCHICAD-22-USA-3006-1.4.exe | https://web.archive.org/web/20200122092844/https://www.gis-net.de/updates/WibuKey%20Dongle%20driver%2032-64%20Bit%20V6.51.exe
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download links via Internet Archive:
https://web.archive.org/web/20200122090355/https://graphisoft.akamaized.net/...
There is a much smaller download from the WIBUKEY vendor site:
https://www.wibu.com/support/user/user-software.html ("WibuKey Runtime for Windows") -> v6.51
https://www.wibu.com/support/user/user-software/file/download/5790.html
Unfortunately snapshotting didn't work for that CDN, hence alternative with Dongle drivers part only:
https://web.archive.org/web/20200122092844/https://www.gis-net.de/updates/Wi...
$ sha1sum WibuKey\ Dongle\ driver\ 32-64\ Bit\ V6.51.exe
41888513d08db6c2fd47bf12a3b1967ed59778ff  WibuKey Dongle driver 32-64 Bit V6.51.exe

$ du -sh WibuKey\ Dongle\ driver\ 32-64\ Bit\ V6.51.exe
19M     WibuKey Dongle driver 32-64 Bit V6.51.exe

$ sha1sum WkRuntime.exe
8014f601f2ca1042a3604e466d05becfcc135777  WkRuntime.exe

$ du -sh WkRuntime.exe
30M     WkRuntime.exe

$ wine --version
wine-5.0
Regards
--- Comment #2 from Anastasius Focht focht@gmx.net --- *** Bug 47700 has been marked as a duplicate of this bug. ***
Anastasius Focht focht@gmx.net changed:
What    | Removed                                                                                     | Added
--------+---------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------
Summary | Multiple 64-bit WDM kernel drivers want Windows 8+ 'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY) | Multiple 64-bit WDM kernel drivers want Windows 8+ 'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY, Denuvo Anti-Cheat)
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present. Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' also wants this. Continuation from bug 49224 (split out from bug 49194).
Same as with the drivers already listed here: RtlQueryRegistryValues() fallback will be used in case this Windows 8+ API function is not present.
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll,+reg wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:Call ntoskrnl.exe.MmGetSystemRoutineAddress(00b5edf0) ret=00c85092
...
00d0:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
00d0:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=00c85092
00d0:Call ntoskrnl.exe.RtlQueryRegistryValues(00000004,00cfab48,00b5ee10,00b5eda8,00000000) ret=00c850b9
00d0:Call ntdll.RtlQueryRegistryValues(00000004,00cfab48,00b5ee10,00b5eda8,00000000) ret=7bca112f
00d0:trace:reg:RtlQueryRegistryValues (4, L"VIDEO", 0xb5ee10, 0xb5eda8, (nil))
00d0:trace:reg:open_key ((nil),L"\Registry\Machine\Hardware\DeviceMap\VIDEO",f003f,0xb5ea68)
00d0:trace:reg:open_key <- 0x50
00d0:trace:reg:NtQueryValueKey (0x50,L"MaxObjectNumber",1,(nil),0)
00d0:Ret ntdll.RtlQueryRegistryValues() retval=00000000 ret=7bca112f
00d0:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=00000000 ret=00c850b9
...
--- snip ---

$ wine --version
wine-5.9
Regards
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            | Removed | Added
----------------+---------+---------------------------------------------------------------------------------------------
Status          | NEW     | STAGED
CC              |         | leslie_alistair@hotmail.com
Staged patchset |         | https://github.com/wine-staging/wine-staging/tree/master/patches/ntdll-RtlQueryRegistryValuesEx
Anastasius Focht focht@gmx.net changed:
What          | Removed | Added
--------------+---------+-----------------------------------------
Resolution    | ---     | FIXED
Fixed by SHA1 |         | ba5465c71feec8dd95c1c912530af55ac5673ffc
Status        | STAGED  | RESOLVED
--- Comment #4 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is now fixed by commit https://source.winehq.org/git/wine.git/commitdiff/ba5465c71feec8dd95c1c91253... ("ntdll: Export RtlQueryRegistryValuesEx().")
Thanks Zeb.
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+reg wine net start WIBUKEY >>log.txt 2>&1
...
0108:Call ntoskrnl.exe.RtlInitUnicodeString(00c4f490,10013210 L"RtlQueryRegistryValuesEx") ret=1000615f
...
0108:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=00000032 ret=1000615f
0108:Call ntoskrnl.exe.MmGetSystemRoutineAddress(00c4f490) ret=1000616a
...
0108:Call KERNEL32.GetProcAddress(00320000,00053f00 "RtlQueryRegistryValuesEx") ret=00334bab
0108:Ret KERNEL32.GetProcAddress() retval=0032a17c ret=00334bab
...
0108:trace:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" -> 000000000032A17C
0108:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=0032a17c ret=1000616a
0108:Call ntoskrnl.exe.RtlQueryRegistryValuesEx(00000000,10013a80,009e0620,00000000,00000000) ret=10006187
0108:Call ntdll.RtlQueryRegistryValues(00000000,10013a80,009e0620,00000000,00000000) ret=7bc437cf
0108:trace:reg:RtlQueryRegistryValues (0, L"\Registry\Machine\Hardware\Description\System", 00000000009E0620, 0000000000000000, 0000000000000000)
0108:trace:reg:NtOpenKeyEx ((nil),L"\Registry\Machine\Hardware\Description\System",f003f,0xc4f2b0)
0108:trace:reg:NtOpenKeyEx <- 0x48
0108:trace:reg:NtQueryValueKey (0x48,L"IDENTIFIER",1,(nil),0)
0108:trace:reg:NtQueryValueKey (0x48,L"IDENTIFIER",1,0x53f00,68)
0108:Ret ntdll.RtlQueryRegistryValues() retval=00000000 ret=7bc437cf
0108:Ret ntoskrnl.exe.RtlQueryRegistryValuesEx() retval=00000000 ret=10006187
...
--- snip ---

$ wine --version
wine-6.3-250-g9107f591d3d
Regards
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 6.4.