https://bugs.winehq.org/show_bug.cgi?id=47014

Bug ID: 47014 Summary: Multiple kernel drivers need 'ntoskrnl.exe.ExInitializePagedLookasideList' implementation (Norton 360/Symantec Eraser Control Driver) Product: Wine Version: 4.6 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---

Hello folks,

continuation of bug 45819

--- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl wineboot >>log.txt 2>&1 ... 0016:trace:ntoskrnl:load_driver loading driver L"C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys" 0016:Call KERNEL32.LoadLibraryW(00027b00 L"C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys") ret=7f9a9cb4baec ... 0016:Ret KERNEL32.LoadLibraryW() retval=00450000 ret=7f9a9cb4baec ... 0016:trace:ntoskrnl:load_driver_module L"C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys": relocating from 0x10000 to 0x450000 ... 0016:Call driver init 0x4b6118 (obj=0x278a0,str=L"\Registry\Machine\System\CurrentControlSet\Services\eeCtrl") ... 0016:Call ntoskrnl.exe.KeQueryActiveProcessors() ret=0046c4a7 0016:Call KERNEL32.GetProcessAffinityMask(ffffffffffffffff,0032f3b8,00000000) ret=7f9a9cb52f10 0016:Ret KERNEL32.GetProcessAffinityMask() retval=00000001 ret=7f9a9cb52f10 0016:Ret ntoskrnl.exe.KeQueryActiveProcessors() retval=000000ff ret=0046c4a7 0016:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00000440,56664343) ret=0046c4e5 0016:Call ntdll.RtlAllocateHeap(00010000,00000000,00000440) ret=7f9a9cb4aff8 0016:Ret ntdll.RtlAllocateHeap() retval=00030120 ret=7f9a9cb4aff8 0016:trace:ntoskrnl:ExAllocatePoolWithTag 1088 pool 0 -> 0x30120 0016:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=00030120 ret=0046c4e5 0016:Call ntoskrnl.exe.ExInitializePagedLookasideList(00030140,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000) ret=0046c54d 0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x30140, 0x46c6ac, 0x46c6f4, 0, 584, 1449542467, 0 0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c ret=0046c54d 0016:Call ntoskrnl.exe.ExInitializePagedLookasideList(000301c0,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000) ret=0046c54d 0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x301c0, 0x46c6ac, 0x46c6f4, 0, 584, 1449542467, 0 0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c ret=0046c54d 0016:Call ntoskrnl.exe.ExInitializePagedLookasideList(00030240,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000) ret=0046c54d 0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x30240, 0x46c6ac, 0x46c6f4, 0, 584, 1449542467, 0 0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c ret=0046c54d ... 0016:Call ntoskrnl.exe.RtlInitUnicodeString(0032f3a0,004565b8 L"Started") ret=00464bfe 0016:Call ntdll.RtlInitUnicodeString(0032f3a0,004565b8 L"Started") ret=7bc8de2f 0016:Ret ntdll.RtlInitUnicodeString() retval=00000010 ret=7bc8de2f 0016:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=00000010 ret=00464bfe 0016:Call ntoskrnl.exe.ZwCreateKey(0032f328,000f003f,0032f370,00000000,00000000,00000001,00000000) ret=0046cb6c 0016:Call ntdll.NtCreateKey(0032f328,000f003f,0032f370,00000000,00000000,00000001,00000000) ret=7bc8de2f 0016:Ret ntdll.NtCreateKey() retval=00000000 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ZwCreateKey() retval=00000000 ret=0046cb6c 0016:Call ntoskrnl.exe.ZwClose(0000003c) ret=0046c926 0016:Call ntdll.NtClose(0000003c) ret=7bc8de2f 0016:Ret ntdll.NtClose() retval=00000000 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=0046c926 0016:Call ntoskrnl.exe.ZwClose(00000038) ret=0046c926 0016:Call ntdll.NtClose(00000038) ret=7bc8de2f 0016:Ret ntdll.NtClose() retval=00000000 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=0046c926 0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b 0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f 0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=00010310 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00010310 ret=00466c3b 0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b 0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f 0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=000309c0 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=000309c0 ret=00466c3b 0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b 0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f 0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=000100f0 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=000100f0 ret=00466c3b 0016:Call ntoskrnl.exe.RtlInitUnicodeString(0032f2d0,004abc50 L"*.sys") ret=004702ba 0016:Call ntdll.RtlInitUnicodeString(0032f2d0,004abc50 L"*.sys") ret=7bc8de2f 0016:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7bc8de2f 0016:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0000000c ret=004702ba 0016:Call ntoskrnl.exe.RtlAppendUnicodeStringToString(0032f360,0032f2d0) ret=00466d7c 0016:Call ntdll.RtlAppendUnicodeStringToString(0032f360,0032f2d0) ret=7bc8de2f 0016:Ret ntdll.RtlAppendUnicodeStringToString() retval=00000000 ret=7bc8de2f 0016:Ret ntoskrnl.exe.RtlAppendUnicodeStringToString() retval=00000000 ret=00466d7c 0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(00030140) ret=00470873 0016:Call ntdll.RtlInterlockedPopEntrySList(00030140) ret=7bc8de2f 0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=00000000 ret=7bc8de2f 0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00000000 ret=00470873 0016:trace:seh:NtRaiseException code=c0000005 flags=0 addr=(nil) ip=0 tid=0016 0016:trace:seh:NtRaiseException info[0]=0000000000000008 0016:trace:seh:NtRaiseException info[1]=0000000000000000 0016:trace:seh:NtRaiseException rax=0000000000000000 rbx=0000000000030140 rcx=0000000000000000 rdx=0000000000000000 0016:trace:seh:NtRaiseException rsi=000000000032f350 rdi=0000000000000120 rbp=00000000000100f0 rsp=000000000032f278 0016:trace:seh:NtRaiseException r8=0000000000000000 r9=000000000032ea82 r10=0000000000000000 r11=0000000000000000 0016:trace:seh:NtRaiseException r12=000000000002e3e0 r13=0000000000000000 r14=000000000002e320 r15=0000000000000100 ... --- snip ---

Annotated disassembly from driver crash site:

--- snip --- 0000000000470834 | push rbx | 0000000000470836 | sub rsp,20 | 000000000047083A | cmp qword ptr ds:[4602C8],0 | 0000000000470842 | je eectrl64.47088A | 0000000000470844 | mov al,byte ptr gs:[184] | 000000000047084C | xor edx,edx | 000000000047084E | movzx eax,al | 0000000000470851 | div dword ptr ds:[4602D4] | 0000000000470857 | imul edx,dword ptr ds:[4602D0]| 000000000047085E | mov ebx,edx | 0000000000470860 | add rbx,qword ptr ds:[4602C8] | 0000000000470867 | mov rcx,rbx | ListHead 000000000047086A | inc dword ptr ds:[rbx+14] | Lookaside->L.TotalAllocates++ 000000000047086D | call qword ptr ds:[452110] | ExpInterlockedPopEntrySList() 0000000000470873 | test rax,rax | 0000000000470876 | jne eectrl64.4708C1 | 0000000000470878 | mov edx,dword ptr ds:[rbx+2C] | Lookaside->L.Size 000000000047087B | mov r8d,dword ptr ds:[rbx+28] | Lookaside->L.Tag 000000000047087F | mov ecx,dword ptr ds:[rbx+24] | Lookaside->L.Type 0000000000470882 | inc dword ptr ds:[rbx+18] | Lookaside->L.AllocateMisses++ 0000000000470885 | call qword ptr ds:[rbx+30] | Lookaside->L.Allocate() -> *boom* 0000000000470888 | jmp eectrl64.4708C1 | 000000000047088A | inc dword ptr ds:[460254] | Lookaside->L.TotalAllocates++ 0000000000470890 | lea rcx,qword ptr ds:[460240] | ListHead 0000000000470897 | call qword ptr ds:[452110] | ExpInterlockedPopEntrySList() 000000000047089D | test rax,rax | 00000000004708A0 | jne eectrl64.4708C1 | 00000000004708A2 | mov edx,dword ptr ds:[46026C] | Lookaside->L.Size 00000000004708A8 | mov r8d,dword ptr ds:[460268] | Lookaside->L.Tag 00000000004708AF | mov ecx,dword ptr ds:[460264] | Lookaside->L.Type 00000000004708B5 | inc dword ptr ds:[460258] | Lookaside->L.AllocateMisses++ 00000000004708BB | call qword ptr ds:[460270] | Lookaside->L.Allocate 00000000004708C1 | add rsp,20 | 00000000004708C5 | pop rbx | 00000000004708C6 | ret | --- snip ---

Not sure if I got all the members/offsets correct (GENERAL_LOOKASIDE_LAYOUT) but it should give you the idea.

https://source.winehq.org/git/wine.git/blob/HEAD:/include/ddk/wdm.h#l1302

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf...

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...

--- snip --- 2407 /*********************************************************************** 2408 * ExInitializePagedLookasideList (NTOSKRNL.EXE.@) 2409 */ 2410 void WINAPI ExInitializePagedLookasideList(PPAGED_LOOKASIDE_LIST Lookaside, 2411 PALLOCATE_FUNCTION Allocate, 2412 PFREE_FUNCTION Free, 2413 ULONG Flags, 2414 SIZE_T Size, 2415 ULONG Tag, 2416 USHORT Depth) 2417 { 2418 FIXME( "stub: %p, %p, %p, %u, %lu, %u, %u\n", Lookaside, Allocate, Free, Flags, Size, Tag, Depth ); 2419 } --- snip ---

Likely needed for a lot of other drivers as well, hence keeping the summary generic.

$ sha1sum N360-TW-21.1.0-EN.exe aa05ccf9668e166ef28923d451f1c2ecad6f75f1 N360-TW-21.1.0-EN.exe

$ du -sh N360-TW-21.1.0-EN.exe 203M N360-TW-21.1.0-EN.exe

$ wine --version wine-4.6

Regards