[Bug 37852] New: Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to start)
wine-bugs at winehq.org
Mon Jan 5 17:56:23 CST 2015
https://bugs.winehq.org/show_bug.cgi?id=37852
Bug ID: 37852
Summary: Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to start)
Product: Wine
Version: 1.7.33
Hardware: x86
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 30220
No, we don't need to emulate I/O ... the opcode from the crash in
https://bugs.winehq.org/show_bug.cgi?id=30220#c7 is actually an ASCII string.
The kernel driver is not only heavily obfuscated but also has its own imports
resolver, which fails to cope with Wine's forwards to 'ntdll.dll'.
--- snip ---
...
0054670E 68 18FA5A00 PUSH 005AFA18 ; UNICODE "\REGISTRY\MACHINE\System\CurrentControlSet\Services\HaspNt"
00546713 8D45 DC LEA EAX,[EBP-24]
00546716 50 PUSH EAX
00546717 C1EF 40 SHR EDI,40
0054671A FF15 28F65A00 CALL DWORD PTR DS:[5AF628]
00546720 8D36 LEA ESI,[ESI]
...
--- snip ---
The driver's own IAT, dumped from memory:
--- snip ---
...
005AF3FC 00000000
005AF400 F761EC0C ; hal.KfAcquireSpinLock
005AF404 F761ED98 ; hal.KfReleaseSpinLock
005AF408 F761EE21 ; hal.HalGetBusData
005AF40C F761EFFA ; hal.KeGetCurrentIrql
005AF410 F761E928 ; hal.WRITE_PORT_UCHAR
005AF414 F761E820 ; hal.READ_PORT_UCHAR
005AF418 F761ED10 ; hal.KfRaiseIrql
005AF41C F761EC8C ; hal.KfLowerIrql
005AF420 F761E770 ; hal.KeStallExecutionProcessor
005AF424 00000000
005AF428 7ECE39B4 ; ntoskrnl_exe.KeBugCheck
005AF42C 7ECECD0C ; ntoskrnl_exe.IofCallDriver
005AF430 7ECE42A4 ; ntoskrnl_exe.KeReadStateEvent
005AF434 7ECE2070 ; ntoskrnl_exe.IoCancelIrp
005AF438 7ECE3AE8 ; ntoskrnl_exe.KeDelayExecutionThread
005AF43C 7ECECA85 ; ntoskrnl_exe.IoGetDeviceObjectPointer
005AF440 7ECEBED8 ; ntoskrnl_exe.IoBuildDeviceIoControlRequest
005AF444 7ED1073A ; ASCII "ntdll.RtlIntegerToUnicodeString"
005AF448 7ED0FE0F ; ASCII "ntdll.RtlAppendUnicodeStringToString"
005AF44C 7ECECE21 ; ntoskrnl_exe.IoGetConfigurationInformation
005AF450 7ECED88E ; ntoskrnl_exe.ExAllocatePoolWithTag
005AF454 7ED0FF5C ; ASCII "ntdll.RtlCompareMemory"
005AF458 7ECEDEB8 ; ntoskrnl_exe.KeInitializeEvent
005AF45C 7ED116CE ; ASCII "ntdll.ZwQueryInformationProcess"
005AF460 7ECEEBFD ; ntoskrnl_exe.MmMapIoSpace
005AF464 7ECE5BE8 ; ntoskrnl_exe.ObReferenceObjectByPointer
005AF468 7ECE25C4 ; ntoskrnl_exe.IoFileObjectType
005AF46C 7ECEC823 ; ntoskrnl_exe.IoCreateSymbolicLink
005AF470 7ECEC45A ; ntoskrnl_exe.IoCreateDevice
005AF474 7ECEF361 ; ntoskrnl_exe.PsGetVersion
005AF478 7ECEC6BE ; ntoskrnl_exe.IoDeleteDevice
005AF47C 7ECEC906 ; ntoskrnl_exe.IoDeleteSymbolicLink
005AF480 7ECEE15C ; ntoskrnl_exe.KeInitializeSpinLock
005AF484 7ECEDF3F ; ntoskrnl_exe.KeInitializeMutex
005AF488 7ED11DD4 ; ASCII "msvcrt.memmove"
005AF48C 7ED117DF ; ASCII "ntdll.ZwQueryValueKey"
005AF490 7ECED2CB ; ntoskrnl_exe.IoReportResourceUsage
005AF494 7ECEEFF2 ; ntoskrnl_exe.MmUnmapIoSpace
005AF498 7ED1134F ; ASCII "ntdll.ZwEnumerateValueKey"
005AF49C 7ED114DB ; ASCII "ntdll.ZwOpenKey"
005AF4A0 7ED119D9 ; ASCII "ntdll.ZwSetValueKey"
005AF4A4 7ECEF1F0 ; ntoskrnl_exe.ObfDereferenceObject
005AF4A8 7ECEDA29 ; ntoskrnl_exe.ExFreePool
005AF4AC 7ED1007D ; ASCII "ntdll.RtlCopyUnicodeString"
005AF4B0 7ED0FE34 ; ASCII "ntdll.RtlAppendUnicodeToString"
005AF4B4 7ED10B19 ; ASCII "ntdll.RtlQueryRegistryValues"
005AF4B8 7ED11DE3 ; ASCII "msvcrt.memset"
005AF4BC 7ED11E0A ; ASCII "msvcrt.sprintf"
005AF4C0 7ED11DC6 ; ASCII "msvcrt.memcpy"
005AF4C4 7ED0FDB0 ; ASCII "ntdll.RtlAnsiStringToUnicodeString"
005AF4C8 7ED1066D ; ASCII "ntdll.RtlInitAnsiString"
005AF4CC 7ECECDAC ; ntoskrnl_exe.IoGetRelatedDeviceObject
005AF4D0 7ECEF0D9 ; ntoskrnl_exe.ObReferenceObjectByHandle
005AF4D4 7ECEE3F4 ; ntoskrnl_exe.KeReleaseSemaphore
005AF4D8 7ECEBA2D ; ntoskrnl_exe.IoFreeIrp
005AF4DC 7ECEDE4C ; ntoskrnl_exe.KeGetCurrentThread
005AF4E0 7ECEB922 ; ntoskrnl_exe.IoAllocateIrp
005AF4E4 7ECEDB0D ; ntoskrnl_exe.ExInitializeResourceLite
005AF4E8 7ECE01AC ; ntoskrnl_exe.ExDeleteResourceLite
005AF4EC 7ECE4118 ; ntoskrnl_exe.KeLeaveCriticalRegion
005AF4F0 7ECDF184 ; ntoskrnl_exe.ExReleaseResourceLite
005AF4F4 7ECE3BC4 ; ntoskrnl_exe.KeEnterCriticalRegion
005AF4F8 7ECEB5A8 ; ntoskrnl_exe.IoReleaseCancelSpinLock
005AF4FC 7ECED768 ; ntoskrnl_exe.InterlockedExchange
005AF500 7ECEB538 ; ntoskrnl_exe.IoAcquireCancelSpinLock
005AF504 7ECE0020 ; ntoskrnl_exe.ExAcquireResourceExclusiveLite
005AF508 7ECEDDE0 ; ntoskrnl_exe.IoGetCurrentProcess
005AF50C 7ECE2A3C ; ntoskrnl_exe.IoIsSystemThread
005AF510 7ED11E5E ; ASCII "msvcrt.strlen"
005AF514 7ED111C1 ; ASCII "ntdll.ZwClose"
005AF518 7ECE2438 ; ntoskrnl_exe.IoDetachDevice
005AF51C 7ECEBD2A ; ntoskrnl_exe.IoFreeMdl
005AF520 7ECEEF82 ; ntoskrnl_exe.MmUnlockPages
005AF524 7ECE55E4 ; ntoskrnl_exe.MmUnmapLockedPages
005AF528 7ECE521C ; ntoskrnl_exe.MmMapLockedPages
005AF52C 7ECEEE8B ; ntoskrnl_exe.MmProbeAndLockPages
005AF530 7ECEBB3B ; ntoskrnl_exe.IoAllocateMdl
005AF534 7ED11BED ; ASCII "msvcrt._local_unwind2"
005AF538 7ED11BA4 ; ASCII "msvcrt._except_handler3"
005AF53C 7ECE4DFC ; ntoskrnl_exe.MmBuildMdlForNonPagedPool
005AF540 7ED10685 ; ASCII "ntdll.RtlInitString"
005AF544 7ED1168F ; ASCII "ntdll.ZwQueryInformationFile"
005AF548 7ECE4354 ; ntoskrnl_exe.KeReadStateSemaphore
005AF54C 7ECE067C ; ntoskrnl_exe.ExQueueWorkItem
005AF550 7ECEE0DE ; ntoskrnl_exe.KeInitializeSemaphore
005AF554 7ECEF2E3 ; ntoskrnl_exe.PsGetCurrentProcessId
005AF558 7ED11A69 ; ASCII "ntdll.ZwUnmapViewOfSection"
005AF55C 7ECE49DC ; ntoskrnl_exe.KeWaitForMultipleObjects
005AF560 7ECE0700 ; ntoskrnl_exe.ExRaiseException
005AF564 7ECEED07 ; ntoskrnl_exe.MmMapLockedPagesSpecifyCache
005AF568 7ED104B3 ; ASCII "ntdll.RtlFreeAnsiString"
005AF56C 7ED10DCC ; ASCII "ntdll.RtlUnicodeStringToAnsiString"
005AF570 7ECEEB67 ; ntoskrnl_exe.MmIsAddressValid
005AF574 7ECE5FDC ; ntoskrnl_exe.ProbeForRead
005AF578 7ED102B3 ; ASCII "ntdll.RtlEqualUnicodeString"
005AF57C 7ECE5B90 ; ntoskrnl_exe.ObOpenObjectByPointer
005AF580 7ED0F6FF ; ASCII "ntdll.DbgPrint"
005AF584 7ECE32D4 ; ntoskrnl_exe.IoSynchronousPageWrite
005AF588 7ECE2960 ; ntoskrnl_exe.IoGetTopLevelIrp
005AF58C 7ECEF478 ; ntoskrnl_exe.PsSetCreateProcessNotifyRoutine
005AF590 7ED11023 ; ASCII "ntdll.RtlWriteRegistryValue"
005AF594 7ECE6E20 ; ntoskrnl_exe.RtlCreateRegistryKey
005AF598 7ED0FF19 ; ASCII "ntdll.RtlCheckRegistryKey"
005AF59C 7ECE1F94 ; ntoskrnl_exe.IoAttachDeviceByPointer
005AF5A0 7ECE24BC ; ntoskrnl_exe.IoDeviceObjectType
005AF5A4 7ECEF268 ; ntoskrnl_exe.PsCreateSystemThread
005AF5A8 7ECE004C ; ntoskrnl_exe.ExAcquireResourceSharedLite
005AF5AC 7ECE68CC ; ntoskrnl_exe.PsProcessType
005AF5B0 7ECE6C68 ; ntoskrnl_exe.PsThreadType
005AF5B4 7ED113CD ; ASCII "ntdll.ZwFsControlFile"
005AF5B8 7ECE327C ; ntoskrnl_exe.IoStopTimer
005AF5BC 7ED104F4 ; ASCII "ntdll.RtlFreeUnicodeString"
005AF5C0 7ED11416 ; ASCII "ntdll.ZwLoadDriver"
005AF5C4 7ED11ABF ; ASCII "ntdll.ZwWriteFile"
005AF5C8 7ED11E50 ; ASCII "msvcrt.strcpy"
005AF5CC 7ED11E8A ; ASCII "msvcrt.strncpy"
005AF5D0 7ED11B30 ; ASCII "ntdll._alldiv"
005AF5D4 7ECDF33C ; ntoskrnl_exe.ExfInterlockedInsertTailList
005AF5D8 7ED11818 ; ASCII "ntdll.ZwReadFile"
005AF5DC 7ED102CF ; ASCII "ntdll.RtlExtendedIntegerMultiply"
005AF5E0 7ED10851 ; ASCII "ntdll.RtlLargeIntegerDivide"
005AF5E4 7ECDF3C0 ; ntoskrnl_exe.ExfInterlockedRemoveHeadList
005AF5E8 7ECEF572 ; ntoskrnl_exe.PsTerminateSystemThread
005AF5EC 7ECEE592 ; ntoskrnl_exe.KeSetPriorityThread
005AF5F0 7ECEE487 ; ntoskrnl_exe.KeQueryTimeIncrement
005AF5F4 7ED12FE8 ; OFFSET ntoskrnl_exe.KeTickCount
005AF5F8 7ED117C0 ; ASCII "ntdll.ZwQuerySystemInformation"
005AF5FC 7ECED800 ; ntoskrnl_exe.ExAllocatePool
005AF600 7ED112D9 ; ASCII "ntdll.ZwDeviceIoControlFile"
005AF604 7ED11215 ; ASCII "ntdll.ZwCreateFile"
005AF608 7ECEE506 ; ntoskrnl_exe.KeSetEvent
005AF60C 7ECEE67C ; ntoskrnl_exe.KeWaitForSingleObject
005AF610 7ECEE059 ; ntoskrnl_exe.KeReleaseMutex
005AF614 7ECEBAB6 ; ntoskrnl_exe.IoAllocateErrorLogEntry
005AF618 7ECE36C8 ; ntoskrnl_exe.IoWriteErrorLogEntry
005AF61C 7ECED650 ; ntoskrnl_exe.IofCompleteRequest
005AF620 7ED0FFA6 ; ASCII "ntdll.RtlCompareUnicodeString"
005AF624 7ED13000 ; OFFSET ntoskrnl_exe.KeServiceDescriptorTable
005AF628 7ED10699 ; ASCII "ntdll.RtlInitUnicodeString"
005AF62C 00000000
--- snip ---
Everything tagged 'ASCII' is an unresolved forwarded import.
The crash is due to 'ntdll.RtlInitUnicodeString' not being resolved.
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6 MTBen1610su.exe
$ du -sh MTBen1610su.exe
93M MTBen1610su.exe
$ wine --version
wine-1.7.33-146-g102d893
Regards
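The mechanism behind the IAT dump in this report, as an added example that is not part of the bug report, of Wine, or of the Sentinel driver: a PE loader recognises a forwarded export because the export's RVA falls inside the export data directory itself, where it points at a "Module.Function" string instead of code. A resolver that takes every export RVA as a code address therefore ends up with a pointer at ASCII text, which is exactly what the entries tagged 'ASCII' above are. The C below shows both behaviours side by side over two constructed in-memory images (a toy 'ntoskrnl' that exports KeBugCheck itself and forwards RtlInitUnicodeString to a toy 'ntdll'); the image layout, the module names, the 64-byte module-name limit and the helper names (naive_resolve, resolve_import, build_image, setup_samples) are assumptions for illustration, not Wine's or the driver's code, and ordinal forwarders ("Module.#12") are deliberately left unhandled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the IMAGE_EXPORT_DIRECTORY fields used here (winnt.h layout), so
 * this builds without windows.h; reads go through memcpy to tolerate unaligned maps. */
enum { ED_Base = 16, ED_NumberOfFunctions = 20, ED_NumberOfNames = 24,
       ED_AddressOfFunctions = 28, ED_AddressOfNames = 32, ED_AddressOfNameOrdinals = 36 };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
/* A loaded module: mapped base (RVA 0) plus its export data directory (RVA, size). */
typedef struct { const char *name; const uint8_t *image; uint32_t exp_rva, exp_size; } module_t;

static int ieq(const char *a, const char *b) {   /* case-insensitive equality */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* Look `name` up in one module's name table; returns the export RVA (0 = not found). A
 * forwarder is detected as the loader does it: the RVA falls inside the export data
 * directory itself, so it points at a "Module.Function" string rather than at code. */
static uint32_t find_export(const module_t *m, const char *name, int *is_forwarder) {
    const uint8_t *img = m->image, *ed = img + m->exp_rva;
    uint32_t nfuncs = rd32(ed + ED_NumberOfFunctions), nnames = rd32(ed + ED_NumberOfNames);
    const uint8_t *funcs = img + rd32(ed + ED_AddressOfFunctions);
    const uint8_t *names = img + rd32(ed + ED_AddressOfNames), *ords = img + rd32(ed + ED_AddressOfNameOrdinals);
    for (uint32_t i = 0; i < nnames; i++) {
        if (strcmp((const char *)img + rd32(names + 4 * i), name) != 0) continue;
        uint16_t ord = rd16(ords + 2 * i);
        if (ord >= nfuncs) return 0;
        uint32_t rva = rd32(funcs + 4 * ord);
        *is_forwarder = rva >= m->exp_rva && rva < m->exp_rva + m->exp_size;
        return rva;
    }
    return 0;
}

/* What the driver's resolver does: treat every export RVA as code. For a forwarded
 * export the result points at ASCII text, which is what the IAT dump above shows. */
const void *naive_resolve(const module_t *m, const char *name) {
    int fwd = 0; uint32_t rva = find_export(m, name, &fwd);
    return rva ? m->image + rva : NULL;
}

/* Forwarder-aware resolution: follow "Module.Function" into the named module, bounded by
 * `depth` so a forwarder cycle cannot loop. Ordinal forwarders ("Module.#12") not handled. */
const void *resolve_import(const module_t *mods, int nmods, const char *module,
                           const char *name, int depth) {
    if (depth < 0) return NULL;
    for (int i = 0; i < nmods; i++) {
        if (!ieq(mods[i].name, module)) continue;
        int fwd = 0; uint32_t rva = find_export(&mods[i], name, &fwd);
        if (!rva) return NULL;
        if (!fwd) return mods[i].image + rva;
        const char *s = (const char *)mods[i].image + rva, *dot = strchr(s, '.');
        if (!dot || dot == s || dot - s >= 64) return NULL;
        char target[64]; memcpy(target, s, (size_t)(dot - s)); target[dot - s] = '\0';
        return resolve_import(mods, nmods, target, dot + 1, depth - 1);
    }
    return NULL;
}

/* ---- constructed sample images (toy layout, not real binaries) ---- */
typedef struct { const char *name, *forwarder; } export_spec_t;
enum { IMG_SIZE = 0x300, CODE_RVA = 0x200 };   /* code stubs sit outside the directory */
/* Export directory at RVA 0, tables at 0x40/0x60/0x80, strings from 0xA0, and one `ret`
 * byte at CODE_RVA + 0x10*i per non-forwarded export. Returns the directory size. */
static uint32_t build_image(uint8_t *img, const export_spec_t *specs, uint32_t n) {
    const uint32_t funcs = 0x40, names = 0x60, ords = 0x80; uint32_t cur = 0xA0;
    memset(img, 0, IMG_SIZE);
    wr32(img + ED_Base, 1); wr32(img + ED_NumberOfFunctions, n); wr32(img + ED_NumberOfNames, n);
    wr32(img + ED_AddressOfFunctions, funcs); wr32(img + ED_AddressOfNames, names);
    wr32(img + ED_AddressOfNameOrdinals, ords);
    for (uint32_t i = 0; i < n; i++) {
        wr32(img + names + 4 * i, cur); strcpy((char *)img + cur, specs[i].name);
        cur += (uint32_t)strlen(specs[i].name) + 1; wr16(img + ords + 2 * i, (uint16_t)i);
        if (specs[i].forwarder) {   /* forwarder text lives inside the directory range */
            wr32(img + funcs + 4 * i, cur); strcpy((char *)img + cur, specs[i].forwarder);
            cur += (uint32_t)strlen(specs[i].forwarder) + 1;
        } else { wr32(img + funcs + 4 * i, CODE_RVA + 0x10 * i); img[CODE_RVA + 0x10 * i] = 0xC3; }
    }
    return CODE_RVA;
}

uint8_t g_ntoskrnl[IMG_SIZE], g_ntdll[IMG_SIZE]; module_t g_mods[2];
/* Toy ntoskrnl exports KeBugCheck itself and forwards RtlInitUnicodeString to a toy
 * ntdll, mirroring the dump above. Returns the module count. */
int setup_samples(void) {
    static const export_spec_t krnl[] = { { "KeBugCheck", NULL },
                                          { "RtlInitUnicodeString", "ntdll.RtlInitUnicodeString" } };
    static const export_spec_t ntdll[] = { { "RtlInitUnicodeString", NULL } };
    g_mods[0] = (module_t){ "ntoskrnl", g_ntoskrnl, 0, build_image(g_ntoskrnl, krnl, 2) };
    g_mods[1] = (module_t){ "ntdll", g_ntdll, 0, build_image(g_ntdll, ntdll, 1) };
    return 2;
}

int main(void) {
    setup_samples();
    const char *bad = naive_resolve(&g_mods[0], "RtlInitUnicodeString");
    const uint8_t *ok = resolve_import(g_mods, 2, "ntoskrnl", "RtlInitUnicodeString", 4);
    printf("naive: \"%s\" (text, not code)\ncorrect: ntdll+0x%x\n", bad, ok ? (unsigned)(ok - g_ntdll) : 0);
    return 0;
}
```

The check that matters is the range test in find_export: an RVA inside [exp_rva, exp_rva + exp_size) is a forwarder string, never code. A real resolver would take exp_rva and exp_size from the image's export data directory entry, look the target module up by its loaded name, and also accept the "Module.#ordinal" form; the depth bound is there because nothing stops a forwarder from pointing back at its own module.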