[Bug 30220] Unhandled privileged instruction when starting Minitab 16 (Sentinel HASP hardlock.sys kernel driver tries to write to CR4/not handled in ntoskrnl emulate_instruction)
wine-bugs at winehq.org
Tue Mar 20 15:21:04 CDT 2012
http://bugs.winehq.org/show_bug.cgi?id=30220
Anastasius Focht <focht at gmx.net> changed:
What           |Removed      |Added
----------------------------------------------------------------------------
Keywords       |             |hardware, obfuscation
Status         |UNCONFIRMED  |NEW
CC             |             |focht at gmx.net
Component      |-unknown     |ntoskrnl
Summary        |Unhandled Priveleged instruction when starting Minitab 16 |Unhandled privileged instruction when starting Minitab 16 (Sentinel HASP hardlock.sys kernel driver tries to write to CR4/not handled in ntoskrnl emulate_instruction)
Ever Confirmed |0            |1
--- Comment #3 from Anastasius Focht <focht at gmx.net> 2012-03-20 15:21:04 CDT ---
Hello,
confirming.
The kernel driver tries to write to CR4 which is a privileged instruction and
not (yet) emulated by Wine.
--- snip ---
000f:Call KERNEL32.CreateProcessW(00000000,00118968 L"C:\\windows\\system32\\winedevice.exe hardlock",00000000,00000000,00000000,00000400,00540000,00000000,0033fc58,0033fc9c) ret=7eda060b
...
000f:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7eda060b
...
0019:Call KERNEL32.LoadLibraryW(0011ab48 L"C:\\windows\\system32\\drivers\\hardlock.sys") ret=7effc932
...
0019:Ret KERNEL32.LoadLibraryW() retval=00540000 ret=7effc932
...
0019:Call driver init 0x5cac20 (obj=0x7efff9a0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\hardlock")
...
0019:Ret ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=00556cff
0019:Call ntoskrnl.exe.KeWaitForSingleObject(005b4a80,00000000,00000000,00000000,00000000) ret=005c1707
0019:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x5b4a80, 0, 0, 0, (nil)
0019:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=005c1707
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf51 ip=005adf51 tid=0019
0019:trace:seh:raise_exception eax=00000001 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned ffffffff
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x5adf59 ip=005adf59 tid=0019
0019:trace:seh:raise_exception eax=00000000 ebx=00000000 ecx=00000000 edx=0053ef48 esi=00000019 edi=0053e5e4
0019:trace:seh:raise_exception ebp=0053e608 esp=0053e530 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0019:trace:seh:call_vectored_handlers calling handler at 0x7ed1e496 code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ed1e496 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bc92029 code=c0000096 flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0053e008) ret=7bc92063
wine: Unhandled privileged instruction at address 0x5adf59 (thread 0019), starting debugger...
--- snip ---
The driver contains mostly obfuscated code, debugging reveals:
--- snip ---
005ADF50 50 PUSH EAX
005ADF51 0F20E0 MOV EAX,CR4 ; privileged instruction (emulated)
005ADF54 25 F7FFFFFF AND EAX,FFFFFFF7
005ADF59 0F22E0 MOV CR4,EAX ; privileged instruction (not handled)
005ADF5C 58 POP EAX
005ADF5D C3 RETN
--- snip ---
The read of CR4 is trapped/emulated by Wine; the CR4 write is not, causing an unhandled exception.
It seems the kernel driver tries to cancel out CR4.DE (bit 3) which is
"Debugging Extensions".
--- quote ---
I/O breakpoints, including the CR4.DE bit for enabling debug extensions and
optional trapping of access to the DR4 and DR5 registers.
--- quote ---
Code:
http://source.winehq.org/git/wine.git/blob/57e4e608dcd73b36f1084e0cfcb7cf0929363c38:/dlls/ntoskrnl.exe/instr.c#l310
--- snip ---
249 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
250 {
...
310 switch(*instr)
311 {
312 case 0x0f: /* extended instruction */
313 switch(instr[1])
314 {
315 case 0x22: /* mov eax, crX */
316 switch (instr[2])
317 {
318 case 0xc0:
319                 TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n", context->Eip,context->Eax );
320 context->Eip += prefixlen+3;
321 return ExceptionContinueExecution;
322 default:
323 break; /*fallthrough to bad instruction handling */
324 }
325 break; /*fallthrough to bad instruction handling */
...
409 }
410 return ExceptionContinueSearch; /* Unable to emulate it */
411 }
412
--- snip ---
$ du -sh mtben1610su.exe
93M mtben1610su.exe
$ sha1sum mtben1610su.exe
3d4d2ead508e6f930583701a335e5db8f9d40b17 mtben1610su.exe
$ wine --version
wine-1.5.0
Regards
--
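The comment above shows the gap: Wine's emulate_instruction at that commit only knows the single ModRM byte 0xC0 under opcode 0F 22, so the 0F 22 E0 (mov cr4,eax) that hardlock.sys emits falls through to the bad-instruction path. The following is an added, stand-alone C example (not Wine code, not the Sentinel driver's code) of how a user-space emulator can decode both control-register moves generally instead of byte-matching: 0F 20 /r reads CRn into a GPR and 0F 22 /r writes a GPR into CRn, with the ModRM reg field naming the control register and rm naming the GPR (the mod bits are ignored by the CPU for these opcodes). The CONTEXT layout, the shadow CR values and the sample instruction bytes are constructed for the example; the only bytes and addresses taken from the page are the three-instruction sequence at 0x5ADF51.

```c
/* Added example: generic emulation of "mov r32, crN" (0F 20 /r) and
 * "mov crN, r32" (0F 22 /r), the two privileged moves in the hardlock.sys
 * trace above.  Not Wine code; fake_context and shadow_cr are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the register part of an x86 CONTEXT (assumed layout).
 * regs[] is indexed by the ModRM rm encoding: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI. */
typedef struct { uint32_t regs[8]; uint32_t eip; } fake_context;
enum { REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };

/* Shadow control registers handed to the driver; the real CR4 is never touched. */
typedef struct { uint32_t cr[8]; } shadow_cr;
#define CR4_DE (1u << 3)   /* Debugging Extensions, the bit hardlock.sys clears */

typedef enum { EMU_CONTINUE = 0, EMU_SEARCH = 1 } emu_result;

/* Legacy prefixes that may precede the opcode (0xF0/LOCK deliberately left out:
 * with 0F 20/22 it selects CR8 on some CPUs, which this example does not model). */
static int is_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2e: case 0x36: case 0x3e: case 0x64: case 0x65:
    case 0x66: case 0x67: case 0xf2: case 0xf3:
        return 1;
    default:
        return 0;
    }
}

/* Emulate one instruction whose bytes are passed in explicitly (a real handler
 * would read them at ctx->eip).  Advances eip and returns EMU_CONTINUE when the
 * instruction was a control-register move, EMU_SEARCH otherwise. */
emu_result emulate_cr_move(const uint8_t *instr, size_t len, fake_context *ctx, shadow_cr *cr)
{
    size_t prefixlen = 0;
    while (prefixlen < len && is_prefix(instr[prefixlen])) prefixlen++;
    if (len - prefixlen < 3 || instr[prefixlen] != 0x0f) return EMU_SEARCH;

    uint8_t op = instr[prefixlen + 1];
    uint8_t modrm = instr[prefixlen + 2];
    unsigned crn = (modrm >> 3) & 7;   /* reg field: control register number */
    unsigned gpr = modrm & 7;          /* rm field: general-purpose register */

    /* Only CR0, CR2, CR3 and CR4 exist in 32-bit mode; the rest #UD on hardware. */
    if (crn != 0 && crn != 2 && crn != 3 && crn != 4) return EMU_SEARCH;

    switch (op) {
    case 0x20:   /* mov r32, crN: read (Wine already handles the cr4 case) */
        ctx->regs[gpr] = cr->cr[crn];
        break;
    case 0x22:   /* mov crN, r32: write, the case that raised c0000096 above */
        cr->cr[crn] = ctx->regs[gpr];   /* absorb into the shadow only */
        break;
    default:
        return EMU_SEARCH;
    }
    ctx->eip += (uint32_t)(prefixlen + 3);
    return EMU_CONTINUE;
}

/* Constructed instruction samples used by the checks below. */
static const uint8_t k_mov_eax_cr4[]        = { 0x0f, 0x20, 0xe0 };        /* from the disassembly */
static const uint8_t k_mov_cr4_eax[]        = { 0x0f, 0x22, 0xe0 };        /* from the disassembly */
static const uint8_t k_opsize_mov_eax_cr4[] = { 0x66, 0x0f, 0x20, 0xe0 };  /* prefixed variant */
static const uint8_t k_mov_eax_cr1[]        = { 0x0f, 0x20, 0xc8 };        /* CR1 does not exist */
static const uint8_t k_lgdt[]               = { 0x0f, 0x01, 0x10 };        /* unrelated privileged op */

/* Emulate a single instruction against a fresh context whose CR4 shadow holds
 * cr4_in.  Returns the number of bytes consumed (0 = not handled) and the
 * resulting EAX via eax_out. */
size_t emulate_one(const uint8_t *instr, size_t len, uint32_t cr4_in, uint32_t *eax_out)
{
    fake_context ctx = { {0}, 0 };
    shadow_cr cr = { {0} };
    cr.cr[4] = cr4_in;
    if (emulate_cr_move(instr, len, &ctx, &cr) != EMU_CONTINUE) return 0;
    if (eax_out) *eax_out = ctx.regs[REG_EAX];
    return ctx.eip;
}

/* Replay the hardlock.sys sequence at 0x5ADF51 (mov eax,cr4 / and eax,0xfffffff7 /
 * mov cr4,eax).  The AND is unprivileged, so the CPU would run it natively; here
 * it is applied by hand.  Returns the shadow CR4 the driver ends up with and the
 * eip after the sequence (expected 0x5ADF5C, the POP EAX in the disassembly). */
uint32_t run_hardlock_sequence(uint32_t initial_cr4, uint32_t *eip_out)
{
    fake_context ctx = { {0}, 0x005adf51u };
    shadow_cr cr = { {0} };
    cr.cr[4] = initial_cr4;
    if (emulate_cr_move(k_mov_eax_cr4, 3, &ctx, &cr) != EMU_CONTINUE) return 0xffffffffu;
    ctx.regs[REG_EAX] &= 0xfffffff7u;   /* AND EAX,FFFFFFF7 clears CR4.DE */
    ctx.eip += 5;
    if (emulate_cr_move(k_mov_cr4_eax, 3, &ctx, &cr) != EMU_CONTINUE) return 0xffffffffu;
    if (eip_out) *eip_out = ctx.eip;
    return cr.cr[4];
}

int main(void)
{
    uint32_t eip = 0;
    uint32_t cr4 = run_hardlock_sequence(CR4_DE | 0x6d0u /* constructed sample */, &eip);
    printf("shadow CR4 after hardlock sequence: 0x%08x (DE %s), eip=0x%08x\n",
           cr4, (cr4 & CR4_DE) ? "still set" : "cleared", eip);
    return 0;
}
```

Two points a practitioner should keep in mind when wiring something like this into a real emulate_instruction: the write has to be absorbed somewhere consistent with what the read returns, because protection code that clears CR4.DE and then reads CR4 back will otherwise notice the emulator (Wine's cr4 read returned a constant 0 at that commit, so a read-after-write check would already fail); and accepting the write silently is the only option in user space, since the process has no way to change the real CR4 and clearing DE there would just make DR4/DR5 alias DR6/DR7 instead of raising #UD.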