[Bug 30220] Unhandled privileged instruction when starting Minitab 16 (Sentinel HASP hardlock.sys kernel driver tries to write to CR4/not handled in ntoskrnl emulate_instruction)

wine-bugs at winehq.org
Tue Mar 20 15:21:04 CDT 2012


http://bugs.winehq.org/show_bug.cgi?id=30220

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |hardware, obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ntoskrnl
            Summary|Unhandled Priveleged        |Unhandled privileged
                   |instruction when starting   |instruction when starting
                   |Minitab 16                  |Minitab 16 (Sentinel HASP
                   |                            |hardlock.sys kernel driver
                   |                            |tries to write to CR4/not
                   |                            |handled in ntoskrnl
                   |                            |emulate_instruction)
     Ever Confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> 2012-03-20 15:21:04 CDT ---
Hello,

confirming.

The kernel driver tries to write to CR4 which is a privileged instruction and
not (yet) emulated by Wine.

--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,00118968 L"C:\\windows\\system32\\winedevice.exe hardlock",00000000,00000000,00000000,00000400,00540000,00000000,0033fc58,0033fc9c) ret=7eda060b
...
000f:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7eda060b
...
0019:Call KERNEL32.LoadLibraryW(0011ab48 L"C:\\windows\\system32\\drivers\\hardlock.sys") ret=7effc932
...
0019:Ret  KERNEL32.LoadLibraryW() retval=00540000 ret=7effc932
...
0019:Call driver init 0x5cac20 (obj=0x7efff9a0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\hardlock")
...
0019:Ret  ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=00556cff
0019:Call ntoskrnl.exe.KeWaitForSingleObject(005b4a80,00000000,00000000,00000000,00000000) ret=005c1707
0019:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x5b4a80, 0, 0, 0, (nil)
0019:Ret  ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005c1707
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf51 ip=005adf51 tid=0019
0019:trace:seh:raise_exception  eax=00000001 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception  ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned ffffffff
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf59 ip=005adf59 tid=0019
0019:trace:seh:raise_exception  eax=00000000 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception  ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bc92029 code=c0000096 flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0053e008) ret=7bc92063
wine: Unhandled privileged instruction at address 0x5adf59 (thread 0019), starting debugger...
--- snip ---

The driver contains mostly obfuscated code, debugging reveals:

--- snip ---
005ADF50  50           PUSH EAX
005ADF51  0F20E0       MOV EAX,CR4 ; privileged instruction (emulated)
005ADF54  25 F7FFFFFF  AND EAX,FFFFFFF7
005ADF59  0F22E0       MOV CR4,EAX ; privileged instruction (not handled)
005ADF5C  58           POP EAX
005ADF5D  C3           RETN
--- snip ---

The read of CR4 is trapped/emulated by Wine; the CR4 write is not, causing an
unhandled exception.

It seems the kernel driver tries to cancel out CR4.DE (bit 3) which is
"Debugging Extensions".

--- quote ---
I/O breakpoints, including the CR4.DE bit for enabling debug extensions and
optional trapping of access to the DR4 and DR5 registers.
--- quote ---

Code:
http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf0929363c38:/dlls/ntoskrnl.exe/instr.c#l310

--- snip ---
 249 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
 250 {
...
 310     switch(*instr)
 311     {
 312     case 0x0f: /* extended instruction */
 313         switch(instr[1])
 314         {
 315         case 0x22: /* mov eax, crX */
 316             switch (instr[2])
 317             {
 318             case 0xc0:
 319                 TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
 320                 context->Eip += prefixlen+3;
 321                 return ExceptionContinueExecution;
 322             default:
 323                 break; /*fallthrough to bad instruction handling */
 324             }
 325             break; /*fallthrough to bad instruction handling */
...
 409     }
 410     return ExceptionContinueSearch;  /* Unable to emulate it */
 411 }
 412 
--- snip ---
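As an added illustration (not part of the bug report or of Wine's code), a small C decoder for the MOV CRn encoding and a tiny interpreter for the three instructions at 005ADF51..005ADF59 from the disassembly above: it shows why ModRM 0xE0 (CR4, EAX) falls outside the single `case 0xc0` the quoted emulate_instruction() accepts for CR writes, and that the sequence clears CR4.DE (bit 3). The function names and the two-register `cpu_t` state model are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded MOV to/from control register: 0F 20 /r (read), 0F 22 /r (write). */
typedef struct {
    int is_write;  /* 1 = MOV CRn,r32 (0F 22); 0 = MOV r32,CRn (0F 20) */
    int cr;        /* control register number, from ModRM.reg */
    int gpr;       /* general register number, from ModRM.rm (0 = EAX) */
} cr_mov_t;

/* Returns the instruction length (3) on success, 0 if not a MOV CR form. */
size_t decode_cr_mov(const uint8_t *p, cr_mov_t *out)
{
    if (p[0] != 0x0f || (p[1] != 0x20 && p[1] != 0x22)) return 0;
    if ((p[2] & 0xc0) != 0xc0) return 0;    /* ModRM.mod must be 11b */
    out->is_write = (p[1] == 0x22);
    out->cr  = (p[2] >> 3) & 7;
    out->gpr = p[2] & 7;
    return 3;
}

/* Mirrors the quoted emulate_instruction(): the only CR write it accepts is
 * ModRM 0xc0 (mov cr0,eax); 0xe0 (mov cr4,eax) falls through as bad. */
int wine_snippet_handles_cr_write(const uint8_t *p)
{
    return p[0] == 0x0f && p[1] == 0x22 && p[2] == 0xc0;
}

typedef struct { uint32_t eax; uint32_t cr4; } cpu_t;   /* assumed state model */

/* Interpreter for mov eax,cr4 / and eax,imm32 / mov cr4,eax; returns count run or -1. */
int run_cr4_stub(cpu_t *cpu, const uint8_t *code, size_t len)
{
    size_t ip = 0; int n = 0; cr_mov_t m;
    while (ip < len) {
        if (ip + 3 <= len && decode_cr_mov(code + ip, &m) && m.cr == 4 && m.gpr == 0) {
            if (m.is_write) cpu->cr4 = cpu->eax; else cpu->eax = cpu->cr4;
            ip += 3;
        } else if (code[ip] == 0x25 && ip + 5 <= len) {         /* and eax,imm32 */
            uint32_t imm = code[ip+1] | code[ip+2] << 8 | code[ip+3] << 16 | (uint32_t)code[ip+4] << 24;
            cpu->eax &= imm;
            ip += 5;
        } else return -1;
        n++;
    }
    return n;
}

/* Constructed from the bug's disassembly: 0F20E0 / 25F7FFFFFF / 0F22E0. */
static const uint8_t DRIVER_STUB[] = {0x0f,0x20,0xe0, 0x25,0xf7,0xff,0xff,0xff, 0x0f,0x22,0xe0};
```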

$ du -sh mtben1610su.exe 
93M    mtben1610su.exe

$ sha1sum mtben1610su.exe 
3d4d2ead508e6f930583701a335e5db8f9d40b17  mtben1610su.exe

$ wine --version
wine-1.5.0

Regards
