[Bug 29460] Multiple kernel drivers crash in entry due to ntoskrnl.exe IoGetCurrentProcess () being a stub (Ruijie Supplicant Su1xDriver.sys, nProtect GameGuard/Tachyon Kernel Control Driver)
wine-bugs at winehq.org
Mon Aug 14 05:50:53 CDT 2017
https://bugs.winehq.org/show_bug.cgi?id=29460
Anastasius Focht <focht at gmx.net> changed:
What     | Removed                                                                                                 | Added
---------|---------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Keywords |                                                                                                         | obfuscation
Summary  | Ruijie Supplicant Su1xDriver.sys crashes in driver entry due to ntoskrnl.exe IoGetCurrentProcess() being a stub | Multiple kernel drivers crash in entry due to ntoskrnl.exe IoGetCurrentProcess() being a stub (Ruijie Supplicant Su1xDriver.sys, nProtect GameGuard/Tachyon Kernel Control Driver)
--- Comment #6 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
revisiting, still present.
Refining summary to target more DRM schemes.
Also needed for nProtect GameGuard Personal 3.0
http://fs2.download82.com/software/bbd8ff9dba17080c0c121804efbd61d5/nprotect-gameguard-personal/ggp3d.exe
--- snip ---
...
004a:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\TKCtrl2k.sys" at 0x740000: native
004a:Call PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil))
...
004a:Ret PE DLL (proc=0xf75f721f,module=0xf75f0000 L"hal.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
004a:Ret KERNEL32.LoadLibraryW() retval=00740000 ret=7effaaa4
...
004a:Call driver init 0x769b3f (obj=0x11c960,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\TKCtrl")
004a:Call msvcrt.memset(00757760,00000000,0000a5e0) ret=00769ab4
004a:Ret msvcrt.memset() retval=00757760 ret=00769ab4
004a:Call ntdll.RtlInitUnicodeString(0063e7a0,00755fb0 L"\\Device\\TKCtrl") ret=00740bd5
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a0 ret=00740bd5
004a:Call ntoskrnl.exe.IoCreateDevice(0011c960,00000000,0063e7a0,00000022,00000000,00000000,0063e79c) ret=00740bef
004a:Call ntdll.RtlAllocateHeap(00110000,00000008,000000b8) ret=7ecdff91
004a:Ret ntdll.RtlAllocateHeap() retval=0011cb20 ret=7ecdff91
004a:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00740bef
004a:Call ntdll.RtlInitUnicodeString(0063e7a8,00755f80 L"\\DosDevices\\TKCtrl") ret=00740c2d
004a:Ret ntdll.RtlInitUnicodeString() retval=0063e7a8 ret=00740c2d
004a:Call ntoskrnl.exe.IoCreateSymbolicLink(0063e7a8,0063e7a0) ret=00740c3b
004a:Call ntdll.NtCreateSymbolicLinkObject(0063e724,000f0001,0063e70c,0063e7a0) ret=7ece02ee
004a:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece02ee
004a:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00740c3b
004a:Call ntoskrnl.exe.PsGetCurrentProcessId() ret=007404d7
004a:Ret ntoskrnl.exe.PsGetCurrentProcessId() retval=00000044 ret=007404d7
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=007404e2
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=007404e2
004a:Call hal.KeGetCurrentIrql() ret=00753aec
004a:fixme:ntoskrnl:KeGetCurrentIrql stub!
004a:Ret hal.KeGetCurrentIrql() retval=00000000 ret=00753aec
004a:Call ntoskrnl.exe.IoGetCurrentProcess() ret=00753afd
004a:fixme:ntoskrnl:IoGetCurrentProcess () stub
004a:Ret ntoskrnl.exe.IoGetCurrentProcess() retval=00000000 ret=00753afd
004a:Call msvcrt._strnicmp(00756b80 "System",00000000,00000006) ret=00753b2e
004a:Ret msvcrt._strnicmp() retval=7fffffff ret=00753b2e
004a:Call msvcrt._strnicmp(00756b80 "System",00000001,00000006) ret=00753b2e
004a:trace:seh:raise_exception code=c0000005 flags=0 addr=0xf753e253 ip=f753e253 tid=004a
004a:trace:seh:raise_exception info[0]=00000000
004a:trace:seh:raise_exception info[1]=00000001
004a:trace:seh:raise_exception eax=00000001 ebx=f75b1000 ecx=00000001 edx=00756b80 esi=0063e764 edi=0063e72c
004a:trace:seh:raise_exception ebp=00000006 esp=0063e6a0 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010287
004a:trace:seh:call_vectored_handlers calling handler at 0x7ecdd005 code=c0000005 flags=0
004a:trace:seh:call_vectored_handlers handler at 0x7ecdd005 returned 0
004a:trace:seh:call_stack_handlers calling handler at 0x7bcad785 code=c0000005 flags=0
...
--- snip ---
Driver code:
--- snip ---
007418DA SUB ESP,8
007418DD CALL DWORD PTR DS:[<&ntoskrnl.IoGetCurrentProcess>]
007418E3 MOV DWORD PTR SS:[EBP-8],EAX ; PEPROCESS
007418E6 MOV DWORD PTR SS:[EBP-4],0
007418ED JMP SHORT TKFWFLT.007418F8
007418EF MOV EAX,DWORD PTR SS:[EBP-4]
007418F2 ADD EAX,1
007418F5 MOV DWORD PTR SS:[EBP-4],EAX
007418F8 CMP DWORD PTR SS:[EBP-4],3000
007418FF JGE SHORT TKFWFLT.0074192E
00741901 PUSH 6 ; len
00741903 MOV ECX,DWORD PTR SS:[EBP-8]
00741906 ADD ECX,DWORD PTR SS:[EBP-4]
00741909 PUSH ECX
0074190A PUSH TKFWFLT.007418D0 ; ASCII "System"
0074190F CALL DWORD PTR DS:[<&ntoskrnl._strnicmp>] ; msvcrt.MSVCRT__strnicmp
00741915 ADD ESP,0C
00741918 TEST EAX,EAX
0074191A JNZ SHORT TKFWFLT.0074192C
0074191C MOV EDX,DWORD PTR SS:[EBP-4]
0074191F MOV DWORD PTR DS:[74F820],EDX
00741925 MOV EAX,DWORD PTR DS:[74F820]
0074192A JMP SHORT TKFWFLT.00741930
0074192C JMP SHORT TKFWFLT.007418EF
0074192E XOR EAX,EAX
00741930 MOV ESP,EBP
00741932 POP EBP
00741933 RETN
--- snip ---
Process name offset (source equivalent of the disassembly above; IoGetCurrentProcess() and PsGetCurrentProcess() both return the current PEPROCESS)
--- snip ---
#define SYSNAME "System"

/* Scan the opaque EPROCESS of the current (System) process, byte by byte,
 * for the string "System" to discover the offset of the ImageFileName
 * field. Returns 0 if not found within 3 pages, which is also a valid
 * offset, and dereferences curproc without checking it for NULL. */
ULONG GetProcessNameOffset(VOID)
{
    PEPROCESS curproc;
    int i;

    curproc = PsGetCurrentProcess();
    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if (!strncmp(SYSNAME, (PCHAR)curproc + i, strlen(SYSNAME))) {
            return i;
        }
    }
    return 0;
}
--- snip ---
Anyway, the approach as seen in these "production" drivers is highly
questionable.
There are lengthy (old) threads on osronline.com stating this is completely
fragile and subject to breaking at any time.
$ sha1sum nProtect-GameGuard_Personal-3.0_3745985868.exe
0dd17d9fbb9c6ee755ace60023631a1e1a7d60e9  nProtect-GameGuard_Personal-3.0_3745985868.exe

$ du -sh nProtect-GameGuard_Personal-3.0_3745985868.exe
1.7M    nProtect-GameGuard_Personal-3.0_3745985868.exe

$ wine --version
wine-2.14-50-g797a746fc2
Regards
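The following is an added example, not part of the bug report above and not code from Wine or from either driver. It models the "scan for System" heuristic in user mode: a constructed buffer stands in for the opaque EPROCESS block (the name offset 0x174 used here is a placeholder chosen for the example, not a real structure offset), the unchecked function mirrors the driver logic quoted above, and a fail-closed variant shows what a NULL process pointer from a stubbed IoGetCurrentProcess() should have produced instead of the c0000005 read at address 1 seen in the log.

```c
/* Added example: user-mode model of the EPROCESS "System" name-offset
 * scan from the bug report, plus a bounded, NULL-safe variant.
 * Not code from Wine, Ruijie, or nProtect. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096
#define SYSNAME     "System"
#define SCAN_LIMIT  (3 * PAGE_SIZE)   /* same three-page window as the driver */

/* Constructed stand-in for the System process's EPROCESS. The offset is a
 * placeholder for this example only; real offsets differ per OS build,
 * which is exactly why the driver scans for the string at runtime. */
#define FAKE_NAME_OFFSET 0x174
static unsigned char fake_system_eprocess[SCAN_LIMIT];

const unsigned char *make_fake_system_process(void)
{
    /* 0xAA filler: no stray NUL bytes, so strncmp never stops early */
    memset(fake_system_eprocess, 0xAA, sizeof fake_system_eprocess);
    memset(fake_system_eprocess + FAKE_NAME_OFFSET, 0, 16);
    memcpy(fake_system_eprocess + FAKE_NAME_OFFSET, SYSNAME, strlen(SYSNAME));
    return fake_system_eprocess;
}

/* The heuristic as the driver implements it: curproc is dereferenced
 * unconditionally. With a NULL pointer the first iteration reads address
 * 0 and the second reads address 1, which matches the fault address
 * (info[1]=00000001) in the Wine log. Returns 0 when nothing is found,
 * which cannot be told apart from a genuine offset of 0. */
long name_offset_unchecked(const unsigned char *curproc)
{
    long i;
    for (i = 0; i < SCAN_LIMIT; i++)
        if (!strncmp(SYSNAME, (const char *)curproc + i, strlen(SYSNAME)))
            return i;
    return 0;
}

/* Fail-closed variant: rejects a NULL process pointer, keeps every
 * comparison inside the scan window (strncmp in the original can read
 * up to strlen(SYSNAME)-1 bytes past it), and reports "not found" as -1
 * so callers cannot mistake failure for offset 0. */
long name_offset_checked(const unsigned char *curproc, size_t limit)
{
    size_t i, n = strlen(SYSNAME);
    if (curproc == NULL || limit < n)
        return -1;
    for (i = 0; i + n <= limit; i++)
        if (memcmp(curproc + i, SYSNAME, n) == 0)
            return (long)i;
    return -1;
}

/* Helper for the no-match case: a small constructed buffer with no
 * "System" string anywhere inside it. */
long name_offset_in_blank_buffer(void)
{
    unsigned char blank[64];
    memset(blank, 0xAA, sizeof blank);
    return name_offset_checked(blank, sizeof blank);
}

int main(void)
{
    const unsigned char *proc = make_fake_system_process();
    printf("unchecked scan, valid pointer : 0x%lx\n", name_offset_unchecked(proc));
    printf("checked scan,   valid pointer : 0x%lx\n", name_offset_checked(proc, SCAN_LIMIT));
    printf("checked scan,   NULL pointer  : %ld\n",  name_offset_checked(NULL, SCAN_LIMIT));
    printf("checked scan,   no match      : %ld\n",  name_offset_in_blank_buffer());
    return 0;
}
```

Calling name_offset_unchecked() with NULL is deliberately not done anywhere in this block; the point of the checked variant is that a stubbed or failing IoGetCurrentProcess() becomes a reportable -1 instead of an access violation in DriverEntry, and that the scan cannot walk off the end of the window. The fragility the comment points to remains either way: both variants still depend on an undocumented layout.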