[Bug 21038] F-Secure BlackLight Engine 2.2.x (Rootkit scanner) crashes after accepting license agreement (Wine on-disk placeholder dlls sections must be padded with data up to section virtual size)
wine-bugs at winehq.org
Sat Feb 14 06:31:38 CST 2015
https://bugs.winehq.org/show_bug.cgi?id=21038
Anastasius Focht <focht at gmx.net> changed:
What     | Removed                     | Added
---------+-----------------------------+-----------------------------------
Keywords |                             | obfuscation
CC       |                             | focht at gmx.net
Summary  | BlackLight: crash after     | F-Secure BlackLight Engine 2.2.x
         | accepting license agreement | (Rootkit scanner) crashes after
         |                             | accepting license agreement (Wine
         |                             | on-disk placeholder dlls sections
         |                             | must be padded with data up to
         |                             | section virtual size)
--- Comment #12 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
The app doesn't like relay and debuggers :)
It loads the on-disk images of Wine builtins (fake dlls) to peek at.
* ntdll.dll
* kernel32.dll
* advapi32.dll
* user32.dll
It processes the section header and makes a copy of each section.
Since 'SizeOfRawData' > 'VirtualSize' most of the time, it uses the section's
'VirtualSize' as the copy count (= the minimum size in bytes the OS loader
allocates for the section).
Unfortunately this can't work with builtins: the 32-bit Wine 'ntdll.dll'
placeholder in system32 is 2468 bytes, with section virtual size >= page size.
The copy loop for the .text section crosses the page boundary, causing an
unhandled fault.
Snippet of app code:
--- snip ---
...
00412608 6A 00 PUSH 0
0041260A 6A 00 PUSH 0
0041260C 6A 00 PUSH 0
0041260E 6A 04 PUSH 4
00412610 56 PUSH ESI
00412611 FF15 84434500 CALL DWORD PTR DS:[<&KERNEL32.MapViewOfFile>]
00412617 8BD8 MOV EBX,EAX
00412619 85DB TEST EBX,EBX
0041261B 895C24 14 MOV DWORD PTR SS:[LOCAL.3],EBX
0041261F 0F84 E7000000 JZ 0041270C
00412625 8B4B 3C MOV ECX,DWORD PTR DS:[EBX+3C] ; offset to PE header
00412628 8B4419 50 MOV EAX,DWORD PTR DS:[EBX+ECX+50] ; SizeOfImage
0041262C 8D3C19 LEA EDI,[EBX+ECX] ; VA PE header
0041262F 50 PUSH EAX
00412630 E8 FB750200 CALL 00439C30
...
00412652 8B77 54 MOV ESI,DWORD PTR DS:[EDI+54] ; SizeOfHeaders
00412655 56 PUSH ESI
00412656 53 PUSH EBX ; Arg2 = mapping
00412657 55 PUSH EBP ; Arg1 = copy buffer
00412658 E8 73870200 CALL 0043ADD0 ; copy section headers
0041265D 8B4F 38 MOV ECX,DWORD PTR DS:[EDI+38] ; SectionAlignment
00412660 33D2 XOR EDX,EDX
00412662 8BC6 MOV EAX,ESI ; SizeOfHeaders
00412664 F7F1 DIV ECX
00412666 83C4 18 ADD ESP,18
00412669 85D2 TEST EDX,EDX
0041266B 75 04 JNZ SHORT 00412671
0041266D 8BEE MOV EBP,ESI
0041266F EB 0E JMP SHORT 0041267F
00412671 33D2 XOR EDX,EDX
00412673 8BC6 MOV EAX,ESI
00412675 F7F1 DIV ECX
00412677 8BE8 MOV EBP,EAX
00412679 83C5 01 ADD EBP,1
0041267C 0FAFE9 IMUL EBP,ECX
0041267F 0FB747 06 MOVZX EAX,WORD PTR DS:[EDI+6] ; NumberOfSections
00412683 85C0 TEST EAX,EAX
00412685 76 53 JBE SHORT 004126DA
00412687 8D9F 0C010000 LEA EBX,[EDI+10C] ; Section.PointerToRawData
0041268D 894424 10 MOV DWORD PTR SS:[LOCAL.4],EAX ; NumberOfSections
00412691 8B73 F4 MOV ESI,DWORD PTR DS:[EBX-0C] ; Section.VirtualSize
00412694 85F6 TEST ESI,ESI
00412696 76 34 JBE SHORT 004126CC
00412698 8B03 MOV EAX,DWORD PTR DS:[EBX] ; PointerToRawData
0041269A 034424 14 ADD EAX,DWORD PTR SS:[LOCAL.3] ; section VA
0041269E 8B4C24 18 MOV ECX,DWORD PTR SS:[LOCAL.2] ; buffer
004126A2 56 PUSH ESI ; Arg3 = section VSize
004126A3 50 PUSH EAX ; Arg2 = section VA
004126A4 8D1429 LEA EDX,[EBP+ECX]
004126A7 52 PUSH EDX ; Arg1 = buffer
004126A8 E8 23870200 CALL 0043ADD0 ; copy section *boom*
...
--- snip ---
Dump of 'ntdll.dll' on-disk placeholder mapping, starting with PE header
--- snip ---
...
00360060 50 45 00 00 ASCII "PE" ; PE signature (PE)
00360064 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
00360066 0300 DW 0003 ; NumberOfSections = 3
00360068 00000000 DD 00000000 ; TimeDateStamp = 0
0036006C 00000000 DD 00000000 ; PointerToSymbolTable = 0
00360070 00000000 DD 00000000 ; NumberOfSymbols = 0
00360074 E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
00360076 2220 DW 2022 ; Characteristics = DLL|EXE_IMAGE|20
00360078 0B01 DW 010B ; MagicNumber = PE32
0036007A 00 DB 00 ; MajorLinkerVersion = 0
0036007B 00 DB 00 ; MinorLinkerVersion = 0
0036007C 05000000 DD 00000005 ; SizeOfCode = 5
00360080 00000000 DD 00000000 ; SizeOfInitializedData = 0
00360084 00000000 DD 00000000 ; SizeOfUninitializedData = 0
00360088 00100000 DD 00001000 ; AddressOfEntryPoint = 1000
0036008C 00100000 DD 00001000 ; BaseOfCode = 1000
00360090 00000000 DD 00000000 ; BaseOfData = 0
00360094 00000010 DD 10000000 ; ImageBase = 10000000
00360098 00100000 DD 00001000 ; SectionAlignment = 1000
0036009C 00020000 DD 00000200 ; FileAlignment = 200
003600A0 0100 DW 0001 ; MajorOSVersion = 1
003600A2 0000 DW 0000 ; MinorOSVersion = 0
003600A4 0000 DW 0000 ; MajorImageVersion = 0
003600A6 0000 DW 0000 ; MinorImageVersion = 0
003600A8 0400 DW 0004 ; MajorSubsystemVersion = 4
003600AA 0000 DW 0000 ; MinorSubsystemVersion = 0
003600AC 00000000 DD 00000000 ; Reserved
003600B0 00400000 DD 00004000 ; SizeOfImage = 4000 (16384.)
003600B4 00020000 DD 00000200 ; SizeOfHeaders = 200 (512.)
003600B8 00000000 DD 00000000 ; CheckSum = 0
003600BC 0000 DW 0000 ; Subsystem = IMAGE_SUBSYSTEM_UNKNOWN
003600BE 0001 DW 0100 ; DLLCharacteristics = 100
003600C0 00001000 DD 00100000 ; SizeOfStackReserve = 100000
003600C4 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
003600C8 00001000 DD 00100000 ; SizeOfHeapReserve = 100000
003600CC 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
003600D0 00000000 DD 00000000 ; LoaderFlags = 0
003600D4 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
003600D8 00000000 DD 00000000 ; Export Table address = 0
003600DC 00000000 DD 00000000 ; Export Table size = 0
003600E0 00000000 DD 00000000 ; Import Table address = 0
003600E4 00000000 DD 00000000 ; Import Table size = 0
003600E8 00300000 DD 00003000 ; Resource Table address = 3000
003600EC A4030000 DD 000003A4 ; Resource Table size = 3A4 (932.)
003600F0 00000000 DD 00000000 ; Exception Table address = 0
003600F4 00000000 DD 00000000 ; Exception Table size = 0
003600F8 00000000 DD 00000000 ; Certificate File pointer = 0
003600FC 00000000 DD 00000000 ; Certificate Table size = 0
00360100 00200000 DD 00002000 ; Relocation Table address = 2000
00360104 08000000 DD 00000008 ; Relocation Table size = 8
00360108 00000000 DD 00000000 ; Debug Data address = 0
0036010C 00000000 DD 00000000 ; Debug Data size = 0
00360110 00000000 DD 00000000 ; Architecture Data address = 0
00360114 00000000 DD 00000000 ; Architecture Data size = 0
00360118 00000000 DD 00000000 ; Global Ptr address = 0
0036011C 00000000 DD 00000000 ; Must be 0
00360120 00000000 DD 00000000 ; TLS Table address = 0
00360124 00000000 DD 00000000 ; TLS Table size = 0
00360128 00000000 DD 00000000 ; Load Config Table address = 0
0036012C 00000000 DD 00000000 ; Load Config Table size = 0
00360130 00000000 DD 00000000 ; Bound Import Table address = 0
00360134 00000000 DD 00000000 ; Bound Import Table size = 0
00360138 00000000 DD 00000000 ; Import Address Table address = 0
0036013C 00000000 DD 00000000 ; Import Address Table size = 0
00360140 00000000 DD 00000000 ; Delay Import Descriptor address = 0
00360144 00000000 DD 00000000 ; Delay Import Descriptor size = 0
00360148 00000000 DD 00000000 ; COM+ Runtime Header address = 0
0036014C 00000000 DD 00000000 ; COM+ Runtime Header size = 0
00360150 00000000 DD 00000000 ; Reserved
00360154 00000000 DD 00000000 ; Reserved
00360158 2E 74 65 78 >ASCII ".text" ; SECTION
00360160 00100000 DD 00001000 ; VirtualSize = 1000 (4096.)
00360164 00100000 DD 00001000 ; VirtualAddress = 1000
00360168 05000000 DD 00000005 ; SizeOfRawData = 5
0036016C 00020000 DD 00000200 ; PointerToRawData = 200
00360170 00000000 DD 00000000 ; PointerToRelocations = 0
00360174 00000000 DD 00000000 ; PointerToLineNumbers = 0
00360178 0000 DW 0000 ; NumberOfRelocations = 0
0036017A 0000 DW 0000 ; NumberOfLineNumbers = 0
0036017C 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
...
--- snip ---
You need to pad the placeholder sections with (dummy) data up to section
virtual size.
Besides that, I'm not sure what you're intending to do with this app.
It can't work by design because it later tries to load a kernel driver which
expects the Windows kernel space architecture with SSDT and shadow SSDT
(hooking checks).
$ sha1sum fsbl.exe
b91cc97353117ed488acee290b39ef63ded7f5e4 fsbl.exe
$ du -sh fsbl.exe
1.1M fsbl.exe
$ wine --version
wine-1.7.36-83-gf75d1b0
Regards
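Worked example of the section-copy logic the comment describes, added here as an illustration; it is neither the application's code nor anything from Wine. It parses the section table of a PE32 image held in memory, copies a section the way a loader must (taking only the bytes the file actually contains and zero-filling up to VirtualSize), reports how many bytes the unchecked VirtualSize-length memcpy in the listing above would read past end of file, and computes the padded file size the report asks for. The one-section image it builds is constructed by hand to mirror the placeholder dump (SectionAlignment 0x1000, FileAlignment 0x200, .text with VirtualSize 0x1000 and SizeOfRawData 5); its five code bytes and the 0x40 e_lfanew are invented, not the real placeholder contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIG_OFFSET    0x3c   /* e_lfanew in the DOS header */
#define SECTION_HDR_SIZE 40

/* Little-endian field access; avoids relying on struct packing. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Locate the section table. Returns NULL if the headers do not fit in the file. */
static const uint8_t *section_table(const uint8_t *img, size_t file_size, uint16_t *nsec)
{
    if (file_size < PE_SIG_OFFSET + 4) return NULL;
    uint32_t pe = rd32(img + PE_SIG_OFFSET);
    if (pe > file_size - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    *nsec = rd16(img + pe + 6);                          /* NumberOfSections        */
    size_t tbl = (size_t)pe + 24 + rd16(img + pe + 20);  /* + SizeOfOptionalHeader  */
    if (tbl > file_size || (size_t)*nsec * SECTION_HDR_SIZE > file_size - tbl) return NULL;
    return img + tbl;
}

struct copy_result {
    uint32_t virtual_size; /* bytes the loader reserves for the section            */
    uint32_t raw_size;     /* SizeOfRawData from the header                        */
    uint32_t available;    /* bytes really present in the file for this section    */
    uint32_t overread;     /* bytes an unchecked VirtualSize memcpy reads past EOF */
};

/* Copy section 'idx' into dst (at least VirtualSize bytes): take only what the
 * file holds, zero-fill the rest, and report what the unchecked copy would
 * have over-read. Returns 0 on success, -1 if the header is malformed. */
int copy_section_checked(const uint8_t *img, size_t file_size, unsigned idx,
                         uint8_t *dst, struct copy_result *r)
{
    uint16_t nsec;
    const uint8_t *sh = section_table(img, file_size, &nsec);
    if (!sh || idx >= nsec) return -1;
    sh += idx * SECTION_HDR_SIZE;
    r->virtual_size  = rd32(sh + 8);
    r->raw_size      = rd32(sh + 16);
    uint32_t raw_ptr = rd32(sh + 20);
    uint32_t in_file = raw_ptr < file_size ? (uint32_t)(file_size - raw_ptr) : 0;

    r->available = r->raw_size < in_file ? r->raw_size : in_file;
    if (r->available > r->virtual_size) r->available = r->virtual_size;
    /* The crashing loop does memcpy(dst, img + raw_ptr, VirtualSize) unconditionally. */
    r->overread = r->virtual_size > in_file ? r->virtual_size - in_file : 0;

    memset(dst, 0, r->virtual_size);
    if (r->available) memcpy(dst, img + raw_ptr, r->available);
    return 0;
}

/* Smallest file size at which every section's [PointerToRawData, +VirtualSize)
 * lies inside the file: the padding the report asks for on the Wine side. */
size_t padded_file_size(const uint8_t *img, size_t file_size)
{
    uint16_t nsec;
    const uint8_t *sh = section_table(img, file_size, &nsec);
    if (!sh) return 0;
    size_t need = file_size;
    for (unsigned i = 0; i < nsec; i++, sh += SECTION_HDR_SIZE) {
        size_t end = (size_t)rd32(sh + 20) + rd32(sh + 8);
        if (end > need) need = end;
    }
    return need;
}

/* Constructed sample (not the real Wine file): one-section PE32 laid out like
 * the placeholder dump, 0x205 bytes long, i.e. far short of PointerToRawData + VirtualSize. */
size_t build_placeholder(uint8_t *buf, size_t cap)
{
    static const uint8_t code[5] = { 0x31, 0xC0, 0xC2, 0x0C, 0x00 }; /* invented: xor eax,eax; ret 0xc */
    const uint32_t pe = 0x40, opt = 0xE0, sec = pe + 24 + opt, raw = 0x200;
    if (cap < raw + sizeof code) return 0;
    memset(buf, 0, raw + sizeof code);
    memcpy(buf, "MZ", 2);
    wr32(buf + PE_SIG_OFFSET, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x014C);               /* Machine = i386                      */
    wr16(buf + pe + 6, 1);                    /* NumberOfSections                    */
    wr16(buf + pe + 20, (uint16_t)opt);       /* SizeOfOptionalHeader                */
    wr16(buf + pe + 22, 0x2022);              /* DLL|EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE */
    wr16(buf + pe + 24, 0x010B);              /* PE32 magic                          */
    wr32(buf + pe + 24 + 32, 0x1000);         /* SectionAlignment                    */
    wr32(buf + pe + 24 + 36, 0x200);          /* FileAlignment                       */
    wr32(buf + pe + 24 + 56, 0x2000);         /* SizeOfImage                         */
    wr32(buf + pe + 24 + 60, 0x200);          /* SizeOfHeaders                       */
    memcpy(buf + sec, ".text", 5);
    wr32(buf + sec + 8,  0x1000);             /* VirtualSize                         */
    wr32(buf + sec + 12, 0x1000);             /* VirtualAddress                      */
    wr32(buf + sec + 16, (uint32_t)sizeof code); /* SizeOfRawData                    */
    wr32(buf + sec + 20, raw);                /* PointerToRawData                    */
    wr32(buf + sec + 36, 0x60000020);         /* CODE|EXECUTE|READ                   */
    memcpy(buf + raw, code, sizeof code);
    return raw + sizeof code;
}

int main(void)
{
    uint8_t img[0x300], dst[0x1000];
    struct copy_result r;
    size_t n = build_placeholder(img, sizeof img);
    if (copy_section_checked(img, n, 0, dst, &r) != 0) return 1;
    printf("file %zu bytes; .text VirtualSize %u, in file %u, unchecked copy over-reads %u bytes\n",
           n, r.virtual_size, r.available, r.overread);
    printf("pad the file to %zu bytes to make the unchecked copy safe\n", padded_file_size(img, n));
    return 0;
}
```

The two remedies sit side by side: `copy_section_checked` is what a reader of PE files should do (clamp the copy to the bytes present in the mapping, then zero-fill), and `padded_file_size` is the Wine-side fix the comment proposes, extending the on-disk placeholder so that even an unchecked VirtualSize-length copy stays inside the file. On the constructed image the unchecked copy would read 4091 bytes beyond end of file, which on a real mapping is where the page fault comes from.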