[Bug 23999] EMS SQL Manager 2010 Lite for PostgreSQL crashes after 10 min (needs NtQueryVirtualMemory with MemorySectionName info class)

wine-bugs at winehq.org wine-bugs at winehq.org
Tue Aug 17 14:16:21 CDT 2010 

http://bugs.winehq.org/show_bug.cgi?id=23999


Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
                 CC|                            |focht at gmx.net
          Component|-unknown                    |ntdll
            Summary|EMS SQL Manager 2010 Lite   |EMS SQL Manager 2010 Lite
                   |for PostgreSQL crashes      |for PostgreSQL crashes
                   |after 10 min                |after 10 min (needs
                   |                            |NtQueryVirtualMemory with
                   |                            |MemorySectionName info
                   |                            |class)




--- Comment #4 from Anastasius Focht <focht at gmx.net>  2010-08-17 14:16:19 ---
Hello,

although that app seems to be protected by a commercial protection system it
might be possible that "home-grown" code is the culprit here.

--- snip ---
Scanning -> C:\Program Files\EMS\SQL Manager Lite for PostgreSQL\PgManager.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6485952 (062F7C0h)
Byte(s)
-> File Appears to be Digitally Signed @ Offset 062E200h, size : 015C0h / 05568
byte(s)
-> File has 512 (0200h) bytes of appended data starting at offset 062E000h
[File Heuristics] -> Flag : 00000000000001001100000000100110 (0x0004C026)
[!] ASProtect SKE v2.3 - v2.5 detected !
--- snip ---

There is more than one bug present ...
The first bug is an ntdll.NtQueryVirtualMemory(), MemorySectionName info class 
insufficiency (lookup image name by address).

There is a watch-guard thread (0x2d) that verifies that parts of the in-memory
app PE image have not been modified (patched) by looking at disk image.
Due to non-implemented MemorySectionName info class, it fails to do so hence
another (error reporting) thread is spawned that goes haywire (which is in
theory another bug).

--- snip ---
...
002b:Call
KERNEL32.CreateThread(00000000,00000000,033d0000,03370000,00000000,00000000)
ret=0336c015
002b:Ret  KERNEL32.CreateThread() retval=00000078 ret=0336c015 
...
002d:Call ntdll.ZwDelayExecution(00000000,035de240) ret=033d1cab 
...
002d:Ret  ntdll.ZwDelayExecution() retval=00000000 ret=033d1cab
002d:Call KERNEL32.VirtualAlloc(00000000,00000014,00003000,00000004)
ret=033d1cbc
002d:Ret  KERNEL32.VirtualAlloc() retval=038e0000 ret=033d1cbc
002d:Call ntdll.RtlAllocateHeap(00110000,00000000,00000620) ret=033d2e65
002d:Ret  ntdll.RtlAllocateHeap() retval=001c3128 ret=033d2e65
002d:Call
ntdll.ZwQueryVirtualMemory(ffffffff,00400000,00000002,001c3128,0000030c,00000000)
ret=033d2ea4
002d:fixme:virtual:NtQueryVirtualMemory (process=0xffffffff,addr=0x400000)
Unimplemented information class: MemorySectionName
002d:Ret  ntdll.ZwQueryVirtualMemory() retval=c0000003 ret=033d2ea4
002d:Call ntdll.RtlFreeHeap(00110000,00000000,001c3128) ret=033d3b85
002d:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=033d3b85
002d:Call KERNEL32.OpenThread(0000005a,00000000,0000002b) ret=033b3799
002d:Ret  KERNEL32.OpenThread() retval=00000094 ret=033b3799
002d:Call KERNEL32.SuspendThread(00000094) ret=033b37bc
002d:Ret  KERNEL32.SuspendThread() retval=00000000 ret=033b37bc
002d:Call KERNEL32.GetThreadContext(00000094,035dcf34) ret=033b37f3
002d:Ret  KERNEL32.GetThreadContext() retval=00000001 ret=033b37f3
002d:Call KERNEL32.VirtualAlloc(00000000,0000000c,00003000,00000040)
ret=033b3827
002d:Ret  KERNEL32.VirtualAlloc() retval=038f0000 ret=033b3827
002d:Call
KERNEL32.CreateThread(00000000,00000000,033c0000,038e0000,00000000,00000000)
ret=033b387c
002d:Ret  KERNEL32.CreateThread() retval=000000a4 ret=033b387c
...
002e:Starting thread proc 0x33c0000 (arg=0x38e0000)
002e:trace:seh:raise_exception code=c0000096 flags=0 addr=0x683f43cb
ip=683f43cb tid=002e 
--- snip ---

If that MemorySectionName stuff gets implemented one day it could also be of
help to psapi (GetMappedFileName).

Regards

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
Do not reply to this email, post in Bugzilla using the
above URL to reply.
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the wine-bugs mailing list