[Bug 29460] Multiple kernel drivers crash in entry due to ntoskrnl.exe IoGetCurrentProcess () being a stub (Ruijie Supplicant Su1xDriver.sys, nProtect GameGuard/ Tachyon Kernel Control Driver)

wine-bugs at winehq.org
Mon Aug 14 05:50:53 CDT 2017


https://bugs.winehq.org/show_bug.cgi?id=29460

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |obfuscation
            Summary|Ruijie Supplicant           |Multiple kernel drivers
                   |Su1xDriver.sys crashes in   |crash in entry due to
                   |driver entry due to         |ntoskrnl.exe
                   |ntoskrnl.exe                |IoGetCurrentProcess() being
                   |IoGetCurrentProcess() being |a stub (Ruijie Supplicant
                   |a stub                      |Su1xDriver.sys, nProtect
                   |                            |GameGuard/Tachyon Kernel
                   |                            |Control Driver)

--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting, still present.

Refining summary to target more DRM schemes.

Also needed for nProtect GameGuard Personal 3.0

http://fs2.download82.com/software/bbd8ff9dba17080c0c121804efbd61d5/nprotect-gameguard-personal/ggp3d.exe

--- snip ---
...
004a:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\TKCtrl2k.sys" at 0x740000: native
004a:Call PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil))
...
004a:Ret  PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
004a:Ret  KERNEL32.LoadLibraryW() retval=00740000 ret=7effaaa4
...
004a:Call driver init 0x769b3f (obj=0x11c960,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TKCtrl")
004a:Call msvcrt.memset(00757760,00000000,0000a5e0) ret=00769ab4
004a:Ret  msvcrt.memset() retval=00757760 ret=00769ab4
004a:Call ntdll.RtlInitUnicodeString(0063e7a0,00755fb0 L"\\Device\\TKCtrl") ret=00740bd5
004a:Ret  ntdll.RtlInitUnicodeString() retval=0063e7a0 ret=00740bd5
004a:Call ntoskrnl.exe.IoCreateDevice(0011c960,00000000,0063e7a0,00000022,00000000,00000000,0063e79c) ret=00740bef
004a:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ecdff91
004a:Ret  ntdll.RtlAllocateHeap() retval=0011cb20 ret=7ecdff91
004a:Ret  ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00740bef
004a:Call ntdll.RtlInitUnicodeString(0063e7a8,00755f80 L"\\DosDevices\\TKCtrl") ret=00740c2d
004a:Ret  ntdll.RtlInitUnicodeString() retval=0063e7a8 ret=00740c2d
004a:Call ntoskrnl.exe.IoCreateSymbolicLink(0063e7a8,0063e7a0) ret=00740c3b
004a:Call ntdll.NtCreateSymbolicLinkObject(0063e724,000f0001,0063e70c,0063e7a0) ret=7ece02ee
004a:Ret  ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece02ee
004a:Ret  ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00740c3b
004a:Call ntoskrnl.exe.PsGetCurrentProcessId() ret=007404d7
004a:Ret  ntoskrnl.exe.PsGetCurrentProcessId() retval=00000044 ret=007404d7
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=007404e2
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret  ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=007404e2
004a:Call hal.KeGetCurrentIrql() ret=00753aec
004a:fixme:ntoskrnl:KeGetCurrentIrql  stub!
004a:Ret  hal.KeGetCurrentIrql() retval=00000000 ret=00753aec
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=00753afd
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret  ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=00753afd
004a:Call msvcrt._strnicmp(00756b80 "System",00000000,00000006) ret=00753b2e
004a:Ret  msvcrt._strnicmp() retval=7fffffff ret=00753b2e
004a:Call msvcrt._strnicmp(00756b80 "System",00000001,00000006) ret=00753b2e
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf753e253 ip=f753e253 tid=004a
004a:trace:seh:raise_exception  info[0]=00000000
004a:trace:seh:raise_exception  info[1]=00000001
004a:trace:seh:raise_exception  eax=00000001 ebx=f75b1000 ecx=00000001 edx=00756b80 esi=0063e764 edi=0063e72c
004a:trace:seh:raise_exception  ebp=00000006 esp=0063e6a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
004a:trace:seh:call_vectored_handlers calling handler at 0x7ecdd005 code=c0000005 flags=0
004a:trace:seh:call_vectored_handlers handler at 0x7ecdd005 returned 0
004a:trace:seh:call_stack_handlers calling handler at 0x7bcad785 code=c0000005 flags=0
...
--- snip ---

Driver code:

--- snip ---
007418DA  SUB ESP,8
007418DD  CALL DWORD PTR DS:[<&ntoskrnl.IoGetCurrentProcess>]
007418E3  MOV DWORD PTR SS:[EBP-8],EAX      ; PEPROCESS
007418E6  MOV DWORD PTR SS:[EBP-4],0
007418ED  JMP SHORT TKFWFLT.007418F8
007418EF  MOV EAX,DWORD PTR SS:[EBP-4]
007418F2  ADD EAX,1
007418F5  MOV DWORD PTR SS:[EBP-4],EAX
007418F8  CMP DWORD PTR SS:[EBP-4],3000
007418FF  JGE SHORT TKFWFLT.0074192E
00741901  PUSH 6                            ; len
00741903  MOV ECX,DWORD PTR SS:[EBP-8]
00741906  ADD ECX,DWORD PTR SS:[EBP-4]
00741909  PUSH ECX
0074190A  PUSH TKFWFLT.007418D0             ; ASCII "System"
0074190F  CALL DWORD PTR DS:[<&ntoskrnl._strnicmp>] ; msvcrt.MSVCRT__strnicmp
00741915  ADD ESP,0C
00741918  TEST EAX,EAX
0074191A  JNZ SHORT TKFWFLT.0074192C
0074191C  MOV EDX,DWORD PTR SS:[EBP-4]
0074191F  MOV DWORD PTR DS:[74F820],EDX
00741925  MOV EAX,DWORD PTR DS:[74F820]
0074192A  JMP SHORT TKFWFLT.00741930
0074192C  JMP SHORT TKFWFLT.007418EF
0074192E  XOR EAX,EAX
00741930  MOV ESP,EBP
00741932  POP EBP
00741933  RETN
--- snip ---

Process name offset

--- snip ---
#include <ntddk.h>   /* PEPROCESS, PsGetCurrentProcess, PAGE_SIZE, ULONG, PCHAR */
#include <string.h>  /* strncmp, strlen */

#define SYSNAME "System"

/* Byte-scan the first three pages of the current EPROCESS (expected to be
 * the System process while DriverEntry runs) for the ASCII image name.
 * The offset found is later reused to read ImageFileName from other
 * process objects. Note the ambiguous result: 0 is returned both when the
 * name sits at offset 0 and when it was not found at all, and a NULL
 * process pointer (as from the Wine stub) is dereferenced unchecked. */
ULONG GetProcessNameOffset(VOID)
{
    PEPROCESS curproc;
    int i;

    curproc = PsGetCurrentProcess();
    for( i = 0; i < 3*PAGE_SIZE; i++ ) {
        if( !strncmp( SYSNAME, (PCHAR) curproc + i, strlen(SYSNAME) )) {
             return i;
        }
    }
    return 0;
}
--- snip ---

Anyway, the approach as seen in these "production" drivers is highly
questionable.
There are lengthy (old) threads on osronline.com stating this is completely
fragile and subject to breaking at any time.

$ sha1sum nProtect-GameGuard_Personal-3.0_3745985868.exe
0dd17d9fbb9c6ee755ace60023631a1e1a7d60e9  nProtect-GameGuard_Personal-3.0_3745985868.exe

$ du -sh nProtect-GameGuard_Personal-3.0_3745985868.exe
1.7M    nProtect-GameGuard_Personal-3.0_3745985868.exe

$ wine --version
wine-2.14-50-g797a746fc2

Regards
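The following is an added user-mode model of the driver's process-name-offset scan, written for this page; it is not Wine code and not code from the driver. It replays the three situations the comment describes: the NULL pointer that the Wine stub hands back (the c0000005 in the trace), a layout where the scan works, and a layout where an unrelated string earlier in the object satisfies the 6-byte case-insensitive compare first, so every later ImageFileName read uses a wrong offset. PAGE_SIZE, the 16-byte name field, the offsets 0x174 and 0x40 and the decoy path are assumptions constructed for the model, not real EPROCESS layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wine or driver code. Models GetProcessNameOffset()
 * against a constructed in-memory process object. PAGE_SIZE, IMAGE_NAME_LEN
 * and the field offsets used in main() are assumptions for the model. */
#define PAGE_SIZE      4096
#define SCAN_LIMIT     (3 * PAGE_SIZE)
#define IMAGE_NAME_LEN 16   /* assumed width of the image-name field */

static const char SYSNAME[] = "System";

/* _strnicmp()-style comparison of exactly n bytes, ASCII case-folded. */
static int ci_match(const unsigned char *p, const char *s, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        unsigned char a = p[k], b = (unsigned char)s[k];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* The driver's loop: byte-step through the first three pages of the current
 * process object looking for "System". Returns the first matching offset,
 * or -1 when there is none. A NULL process pointer (what the Wine stub
 * returns) is rejected here; the real driver dereferences it and faults. */
long process_name_offset(const unsigned char *proc, size_t proc_size)
{
    if (proc == NULL) return -1;
    size_t n = strlen(SYSNAME);
    size_t limit = proc_size < SCAN_LIMIT ? proc_size : SCAN_LIMIT;
    for (size_t i = 0; i + n <= limit; i++) {
        if (ci_match(proc + i, SYSNAME, n)) return (long)i;
    }
    return -1;
}

/* Constructed process object: zero-filled, image name at name_off, and an
 * optional unrelated string (e.g. a path) at decoy_off. */
void build_eprocess(unsigned char *buf, size_t size, size_t name_off,
                    const char *image_name, size_t decoy_off, const char *decoy)
{
    memset(buf, 0, size);
    if (name_off + IMAGE_NAME_LEN <= size)
        strncpy((char *)buf + name_off, image_name, IMAGE_NAME_LEN - 1);
    if (decoy != NULL && decoy_off + strlen(decoy) <= size)
        memcpy(buf + decoy_off, decoy, strlen(decoy));
}

/* What the driver does with the offset afterwards: read the image name of a
 * process object at that offset. A wrong offset silently yields a wrong name. */
const char *image_name_at(const unsigned char *proc, size_t size, long off)
{
    if (off < 0 || (size_t)off + IMAGE_NAME_LEN > size) return NULL;
    return (const char *)proc + off;
}

int main(void)
{
    static unsigned char proc[SCAN_LIMIT];

    /* 1. Wine stub: IoGetCurrentProcess() returns NULL. */
    printf("NULL process: offset %ld\n", process_name_offset(NULL, 0));

    /* 2. Clean layout: name at 0x174 (assumed), nothing ASCII before it. */
    build_eprocess(proc, sizeof proc, 0x174, "System", 0, NULL);
    printf("clean: offset 0x%lx\n", process_name_offset(proc, sizeof proc));

    /* 3. A path stored earlier in the object satisfies the compare first. */
    build_eprocess(proc, sizeof proc, 0x174, "System", 0x40, "\\SystemRoot\\System32");
    long off = process_name_offset(proc, sizeof proc);
    printf("decoy: offset 0x%lx -> name read as \"%.16s\"\n", off,
           image_name_at(proc, sizeof proc, off));
    return 0;
}
```

Build with any C99 compiler (`cc -std=c99 scan.c`). The decoy case is the failure mode the osronline threads warn about: nothing in the scan ties the match to the ImageFileName field, so any field whose bytes happen to spell "system" (case-insensitively) in the first 12 KB wins, and from then on every process name the driver reads is garbage.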
