[Bug 44880] 64-bit Mod Organizer 2.1.2 dev6-Silarn-prerelease fails to load ' usvfs_x64.dll', needs ' ntdll.RtlDosPathNameToRelativeNtPathName_U_WithStatus'
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun Apr 1 15:37:19 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=44880
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|-unknown |ntdll
Keywords| |win64
CC| |focht at gmx.net
Summary|Latest dev build of Mod |64-bit Mod Organizer 2.1.2
|Organizer 2 fails to |dev6-Silarn-prerelease
|initialize dlls |fails to load
| |'usvfs_x64.dll', needs
| |'ntdll.RtlDosPathNameToRela
| |tiveNtPathName_U_WithStatus
| |'
--- Comment #2 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming too.
--- snip ---
$ WINEDEBUG=+seh,+relay,+module wine ./ModOrganizer.exe >>log.txt 2>&1
...
0030:Call PE DLL (proc=0xd4b068,module=0xc80000
L"usvfs_x64.dll",reason=PROCESS_ATTACH,res=0x23fb00)
0030:Call KERNEL32.LoadLibraryExW(00dcd320
L"api-ms-win-core-synch-l1-2-0",00000000,00000800) ret=00d6ab15
...
0030:Call KERNEL32.GetModuleHandleW(00dbea90 L"ntdll.dll") ret=00d07f73
0030:trace:module:LdrGetDllHandle L"ntdll.dll" -> 0x7bc80000 (load path
L"Z:\\home\\focht\\Downloads;C:\\windows\\system32;C:\\windows\\system;C:\\windows;.;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem")
0030:Ret KERNEL32.GetModuleHandleW() retval=7bc80000 ret=00d07f73
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8ba8 "NtQueryDirectoryFile")
ret=00d07f86
0030:Ret KERNEL32.GetProcAddress() retval=7bc8a2dc ret=00d07f86
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8bc0 "NtQueryDirectoryFileEx")
ret=00d07f9d
0030:Ret KERNEL32.GetProcAddress() retval=00000000 ret=00d07f9d
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8b70
"NtQueryFullAttributesFile") ret=00d07fb4
0030:Ret KERNEL32.GetProcAddress() retval=7bc8a36c ret=00d07fb4
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8b90 "NtQueryAttributesFile")
ret=00d07fcb
0030:Ret KERNEL32.GetProcAddress() retval=7bc8a28c ret=00d07fcb
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8bd8 "NtCreateFile")
ret=00d07fe2
0030:Ret KERNEL32.GetProcAddress() retval=7bc898e0 ret=00d07fe2
0030:Call KERNEL32.GetProcAddress(7bc80000,00db7828 "NtOpenFile") ret=00d07ff9
0030:Ret KERNEL32.GetProcAddress() retval=7bc89f84 ret=00d07ff9
0030:Call KERNEL32.GetProcAddress(7bc80000,00db7838 "NtClose") ret=00d08010
0030:Ret KERNEL32.GetProcAddress() retval=7bc89848 ret=00d08010
0030:Call KERNEL32.GetProcAddress(7bc80000,00dbeaa8 "RtlDoesFileExists_U")
ret=00d08027
0030:Ret KERNEL32.GetProcAddress() retval=7bc8bb04 ret=00d08027
0030:Call KERNEL32.GetProcAddress(7bc80000,00dbeac0
"RtlDosPathNameToRelativeNtPathName_U_WithStatus") ret=00d0803e
0030:Ret KERNEL32.GetProcAddress() retval=00000000 ret=00d0803e
0030:Call KERNEL32.GetProcAddress(7bc80000,00dbeaf0 "RtlReleaseRelativeName")
ret=00d08055
0030:Ret KERNEL32.GetProcAddress() retval=00000000 ret=00d08055
0030:Call KERNEL32.GetProcAddress(7bc80000,00dbeb08 "RtlGetVersion")
ret=00d0806c
0030:Ret KERNEL32.GetProcAddress() retval=7bc8c3c8 ret=00d0806c
0030:Call KERNEL32.GetProcAddress(7bc80000,00db8be8 "NtTerminateProcess")
ret=00d08083
0030:Ret KERNEL32.GetProcAddress() retval=7bc8ad98 ret=00d08083
0030:trace:seh:NtRaiseException code=c0000005 flags=0 addr=(nil) ip=0 tid=0030
0030:trace:seh:NtRaiseException info[0]=0000000000000008
0030:trace:seh:NtRaiseException info[1]=0000000000000000
0030:trace:seh:NtRaiseException rax=0000000000000000 rbx=0000000000e425b0
rcx=0000000000dbb170 rdx=000000000023e538
0030:trace:seh:NtRaiseException rsi=0000000000e425a0 rdi=0000000000e425a8
rbp=0000000000000000 rsp=000000000023e508
0030:trace:seh:NtRaiseException r8=0000000000000000 r9=000000000023e548
r10=0000000000000002 r11=0000000000000246
0030:trace:seh:NtRaiseException r12=000000007c000a70 r13=00007fff0d184bc0
r14=0000000000c80000 r15=0000000000000000
...
0030:exception in PE entry point
(proc=0xd4b068,module=0xc80000,reason=PROCESS_ATTACH,res=0x23fb00)
0030:Ret PE DLL (proc=0xd4b068,module=0xc80000
L"usvfs_x64.dll",reason=PROCESS_ATTACH,res=0x23fb00) retval=0
0030:Call TLS callback
(proc=0xd43030,module=0xc80000,reason=PROCESS_DETACH,reserved=0)
0030:Ret TLS callback
(proc=0xd43030,module=0xc80000,reason=PROCESS_DETACH,reserved=0)
0030:Call PE DLL (proc=0xd4b068,module=0xc80000
L"usvfs_x64.dll",reason=PROCESS_DETACH,res=0x23fb00)
0030:Ret PE DLL (proc=0xd4b068,module=0xc80000
L"usvfs_x64.dll",reason=PROCESS_DETACH,res=0x23fb00) retval=0
0030:warn:module:process_attach Initialization of L"usvfs_x64.dll" failed
0030:trace:module:process_attach (L"usvfs_x64.dll",0x23fb00) - END
0030:trace:module:process_attach (L"ModOrganizer.exe",0x23fb00) - END
0030:err:module:attach_dlls "usvfs_x64.dll" failed to initialize, aborting
0030:err:module:attach_dlls Initializing dlls for
L"Z:\\home\\focht\\Downloads\\ModOrganizer.exe" failed, status c0000005
--- snip ---
ProtectionID scan of 'usvfs_x64.dll':
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> Z:\home\focht\Downloads\usvfs_x64.dll
File Type : 64-Bit Dll (Subsystem : Win GUI / 2), Size : 1905664 (01D1400h)
Byte(s) | Machine: 0x8664 (AMD64)
Compilation TimeStamp : 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT)
[TimeStamp] 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT) | PE Header | - |
Offset: 0x00000000:00000120 | VA: 0x00000001:80000120 | -
[TimeStamp] 0xFFFFFFFF -> Sun 07th Feb 2106 06:28:15 (GMT) | Export | - |
Offset: 0x00000000:0019AF54 | VA: 0x00000001:8019C954 | -
[TimeStamp] 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT) | DebugDirectory | -
| Offset: 0x00000000:001659E4 | VA: 0x00000001:801673E4 | -
[TimeStamp] 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00165A00 | VA: 0x00000001:80167400 | -
[TimeStamp] 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00165A1C | VA: 0x00000001:8016741C | -
[TimeStamp] 0x5ABEC65C -> Fri 30th Mar 2018 23:21:00 (GMT) | DebugDirectory | -
| Offset: 0x00000000:00165A38 | VA: 0x00000001:80167438 | -
[!] Executable uses TLS callbacks (1 total... 0 invalid addresses)
[LoadConfig] Struct determined as v8 (Expected size 232 | Actual size 256)
[LoadConfig] CFG (/Guard) - Handler @ 0x1:80132708
[LoadConfig] CFG Table @ 0x0:00000000 | 0x00 (00) entries
[LoadConfig] CFG Flags : 0x100
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0
| Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0:00000000 | Count 0x000000000
(00)
[LoadConfig] GuardLongJumpTargetTable 0x0:00000000 | Count 0x000000000 (00)
[LoadConfig] HybridMetadataPointer 0x1:00000000 | DynamicValueRelocTable
0x0:00000000
[LoadConfig] FailFastIndirectProc 0x0:00000000 | FailFastPointer 0x0:00000000
[LoadConfig] UnknownZero1 0x0 0
[LoadConfig] CFG Data Present, yet setting is not present in the
DllCharacteristics.. patched out?
[File Heuristics] -> Flag #1 : 00000100000001001101000100010000 (0x0404D110)
[Entrypoint Section Entropy] : 6.41 (section #0) ".text " | Size : 0x13013C
(1245500) byte(s)
[DllCharacteristics] -> Flag : (0x0160) -> HEVA | ASLR | DEP
[SectionCount] 6 (0x6) | ImageSize 0x1DA000 (1941504) byte(s)
[Export] 100% of function(s) (63 of 63) are in file | 0 are forwarded | 63 code
| 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : Community Edition
[VersionInfo] Product Name : USVFS
[VersionInfo] Product Version : 0.3.1.0-beta5
[VersionInfo] File Description : Windows OverlayFS
[VersionInfo] File Version : 0.3.1.0-beta5
[VersionInfo] Original FileName : usvfs_x64.dll
[ModuleReport] [IAT] Modules -> SHLWAPI.dll | KERNEL32.dll | USER32.dll |
ADVAPI32.dll | SHELL32.dll
[Debug Info] (record 1 of 4) (file offset 0x1659E0)
Characteristics : 0x0 | TimeDateStamp : 0x5ABEC65C (Fri 30th Mar 2018 23:21:00
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x3D (61)
AddressOfRawData : 0x17336C | PointerToRawData : 0x17196C
CvSig : 0x53445352 | SigGuid EDA278F0-B278-4BB2-988DBC49DBC556F3
Age : 0x12 (18) | Pdb : D:\MOB\build\usvfs\lib\usvfs_x64.pdb
[Debug Info] (record 2 of 4) (file offset 0x1659FC)
Characteristics : 0x0 | TimeDateStamp : 0x5ABEC65C (Fri 30th Mar 2018 23:21:00
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 12 (0xC) -> Undocumented | Size : 0x14 (20)
AddressOfRawData : 0x1733AC | PointerToRawData : 0x1719AC
[Debug Info] (record 3 of 4) (file offset 0x165A18)
Characteristics : 0x0 | TimeDateStamp : 0x5ABEC65C (Fri 30th Mar 2018 23:21:00
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 13 (0xD) -> Undocumented | Size : 0x3D8 (984)
AddressOfRawData : 0x1733C0 | PointerToRawData : 0x1719C0
[Debug Info] (record 4 of 4) (file offset 0x165A34)
Characteristics : 0x0 | TimeDateStamp : 0x5ABEC65C (Fri 30th Mar 2018 23:21:00
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 14 (0xE) -> Undocumented | Size : 0x0 (0)
AddressOfRawData : 0x0 | PointerToRawData : 0x0
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.524 Second(s) [00000020Ch (524) tick(s)] [162 of 580 scan(s)
done]
--- snip ---
-> Windows OverlayFS 0.3.1.0-beta5
It might be originating from this project:
https://github.com/TanninOne/usvfs
After some further digging I found this one:
https://github.com/TanninOne/usvfs/pull/10
which goes to:
https://github.com/LePresidente/usvfs
But even that one didn't have some of the native API hooked:
https://github.com/LePresidente/usvfs/blob/master/src/usvfs_dll/hookmanager.cpp#L214
Further going down the Github fork chain for this project:
https://github.com/LePresidente/usvfs/network/members
This one looks suspicious (more recent activity), also with mentioning of 'Mod
Organizer 2' (obvious):
https://github.com/Modorganizer2/usvfs
https://github.com/Modorganizer2/usvfs/blob/Develop/src/usvfs_dll/hookmanager.cpp#L216
Still no code change related to the missing native API.
I might be that the code for this dll isn't on Github but a private fork.
Anyway, the dll in question here doesn't have error handling on its manual
imports hence the crash in the entry point.
https://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm
--- quote ---
RtlDosPathNameToRelativeNtPathName_U_WithStatus 5.2 from Windows Server
2003 SP1, and higher
--- quote ---
Wine also misses 'ntdll.RtlReleaseRelativeName' (see trace log) which will
likely cause a follow-up crash too.
$ sha1sum MO2-2.1.2dev6-Silarn-prerelease.7z
f4ff6d1739fbe9da8f7ea6a45728702067a15153 MO2-2.1.2dev6-Silarn-prerelease.7z
$ du -sh MO2-2.1.2dev6-Silarn-prerelease.7z
57M MO2-2.1.2dev6-Silarn-prerelease.7z
$ wine --version
wine-3.5-5-g03ece22480
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list