[Bug 21061] SUPERAntiSpyware 'saskutil.sys' kernel driver crashes on load (expects valid SDT/SST pointing to valid SSDT)
wine-bugs at winehq.org
Sun Aug 3 14:52:00 CDT 2014
http://bugs.winehq.org/show_bug.cgi?id=21061
Anastasius Focht <focht at gmx.net> changed:
What           |Removed                    |Added
----------------------------------------------------------------------------
Keywords       |                           |obfuscation
Status         |UNCONFIRMED                |NEW
Component      |-unknown                   |ntoskrnl
Summary        |SUPERAntiSpyware           |SUPERAntiSpyware
               |saskutil.sys kernel driver |'saskutil.sys' kernel
               |crashes on load            |driver crashes on load
               |                           |(expects valid SDT/SST
               |                           |pointing to valid SSDT)
Ever confirmed |0                          |1
Severity       |enhancement                |normal
--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
revisiting, refining info.
--- snip ---
003474F0 PUSH EBP
003474F1 MOV EBP,ESP
003474F3 MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwOpenKey>]
003474F8 MOV ECX,DWORD PTR DS:[EAX+1]
003474FB MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347501 MOV EAX,DWORD PTR DS:[EDX]
00347503 MOV ECX,DWORD PTR DS:[EAX+ECX*4]
00347506 MOV DWORD PTR DS:[34F57C],ECX
0034750C MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwCreateKey>]
00347512 MOV EAX,DWORD PTR DS:[EDX+1]
00347515 MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034751B MOV EDX,DWORD PTR DS:[ECX]
0034751D MOV EAX,DWORD PTR DS:[EDX+EAX*4]
00347520 MOV DWORD PTR DS:[34F580],EAX
00347525 MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwDeleteKey>]
0034752B MOV EDX,DWORD PTR DS:[ECX+1]
0034752E MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347533 MOV ECX,DWORD PTR DS:[EAX]
00347535 MOV EDX,DWORD PTR DS:[ECX+EDX*4]
00347538 MOV DWORD PTR DS:[34F59C],EDX
0034753E MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwQueryKey>]
00347543 MOV ECX,DWORD PTR DS:[EAX+1]
00347546 MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034754C MOV EAX,DWORD PTR DS:[EDX]
0034754E MOV ECX,DWORD PTR DS:[EAX+ECX*4]
00347551 MOV DWORD PTR DS:[34F588],ECX
00347557 MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwEnumerateKey>]
0034755D MOV EAX,DWORD PTR DS:[EDX+1]
00347560 MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347566 MOV EDX,DWORD PTR DS:[ECX]
00347568 MOV EAX,DWORD PTR DS:[EDX+EAX*4]
0034756B MOV DWORD PTR DS:[34F58C],EAX
00347570 MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwEnumerateValueKey>]
00347576 MOV EDX,DWORD PTR DS:[ECX+1]
00347579 MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
0034757E MOV ECX,DWORD PTR DS:[EAX]
00347580 MOV EDX,DWORD PTR DS:[ECX+EDX*4]
00347583 MOV DWORD PTR DS:[34F590],EDX
00347589 MOV EAX,DWORD PTR DS:[<&ntoskrnl.ZwQueryValueKey>]
0034758E MOV ECX,DWORD PTR DS:[EAX+1]
00347591 MOV EDX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
00347597 MOV EAX,DWORD PTR DS:[EDX]
00347599 MOV ECX,DWORD PTR DS:[EAX+ECX*4]
0034759C MOV DWORD PTR DS:[34F594],ECX
003475A2 MOV EDX,DWORD PTR DS:[<&ntoskrnl.ZwSetValueKey>]
003475A8 MOV EAX,DWORD PTR DS:[EDX+1]
003475AB MOV ECX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
003475B1 MOV EDX,DWORD PTR DS:[ECX]
003475B3 MOV EAX,DWORD PTR DS:[EDX+EAX*4]
003475B6 MOV DWORD PTR DS:[34F598],EAX
003475BB MOV ECX,DWORD PTR DS:[<&ntoskrnl.ZwDeleteValueKey>]
003475C1 MOV EDX,DWORD PTR DS:[ECX+1]
003475C4 MOV EAX,DWORD PTR DS:[<&ntoskrnl.KeServiceDescriptorTable>]
003475C9 MOV ECX,DWORD PTR DS:[EAX]
003475CB MOV EDX,DWORD PTR DS:[ECX+EDX*4]
003475CE MOV DWORD PTR DS:[34F584],EDX
003475D4 XOR EAX,EAX
003475D6 POP EBP
003475D7 RETN
--- snip ---
IMHO outside of Wine's scope, requires redesign/concept of shared "kernel"
address space (to allow global SSDT hooking).
$ sha1sum SUPERAntiSpyware.exe
4c252fa69448d282d4a1ffc37b4bcfba1c401e3a SUPERAntiSpyware.exe
$ du -sh SUPERAntiSpyware.exe
18M SUPERAntiSpyware.exe
$ wine --version
wine-1.7.23-33-gc654b7b
Regards
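Added illustration, not code from the bug report or from the driver: the listing above takes the service index from byte 1 of each ntoskrnl Zw* stub (the imm32 of "mov eax, imm32") and indexes KeServiceDescriptorTable->ServiceTableBase with it. The C below models that lookup with the opcode, NULL and bounds checks the driver lacks, so an exported table whose SSDT pointer is NULL (the Wine situation this bug describes) yields 0 instead of a fault. The 32-bit SYSTEM_SERVICE_TABLE layout and all addresses and stub bytes are assumptions or constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* First entry of KeServiceDescriptorTable, 32-bit layout (assumed for this example). */
typedef struct {
    uintptr_t *ServiceTableBase;        /* the SSDT: array of handler addresses */
    uint32_t  *ServiceCounterTableBase;
    uint32_t   NumberOfServices;
    uint8_t   *ParamTableBase;
} SYSTEM_SERVICE_TABLE;

/* A 32-bit ntoskrnl Zw* stub starts "B8 imm32" (mov eax, <service index>);
   the listing reads that immediate via [stub+1] without checking the opcode.
   Returns -1 when the bytes are not such a stub. */
static int32_t service_index_from_stub(const uint8_t *stub)
{
    uint32_t idx;
    if (stub == NULL || stub[0] != 0xB8) return -1;
    memcpy(&idx, stub + 1, sizeof idx);
    return (int32_t)idx;
}

/* The [SSDT + idx*4] lookup from the listing, plus the NULL and bounds
   checks the driver omits: an empty table yields 0 instead of a fault. */
static uintptr_t resolve_service(const SYSTEM_SERVICE_TABLE *sdt, const uint8_t *stub)
{
    int32_t idx = service_index_from_stub(stub);
    if (idx < 0 || sdt == NULL || sdt->ServiceTableBase == NULL) return 0;
    if ((uint32_t)idx >= sdt->NumberOfServices) return 0;
    return sdt->ServiceTableBase[idx];
}

/* Constructed sample data, not real kernel values: a 4-entry SSDT, two stubs, bytes
   that are not a stub (push ebp / mov ebp,esp) and a table with no SSDT behind it. */
static uintptr_t sample_ssdt[4] = { 0x80501000u, 0x80501040u, 0x80501080u, 0x805010C0u };
static SYSTEM_SERVICE_TABLE sample_sdt = { sample_ssdt, NULL, 4, NULL };
static const uint8_t stub_index2[] = { 0xB8, 0x02, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x00 };
static const uint8_t stub_index9[] = { 0xB8, 0x09, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x00 };
static const uint8_t not_a_stub[]  = { 0x55, 0x8B, 0xEC };
static SYSTEM_SERVICE_TABLE empty_sdt = { NULL, NULL, 0, NULL };

int main(void)
{
    printf("index 2 -> %#lx\n", (unsigned long)resolve_service(&sample_sdt, stub_index2));
    printf("index 9 -> %#lx (out of range)\n", (unsigned long)resolve_service(&sample_sdt, stub_index9));
    printf("empty SDT -> %#lx (the driver would fault here)\n", (unsigned long)resolve_service(&empty_sdt, stub_index2));
    return 0;
}
```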