[Bug 45655] New: Acronis Storage Filter Management Driver 'fltsrv.sys' crashes on unimplemented function 'ntoskrnl.exe.DbgQueryDebugFilterState' in trace mode

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Aug 17 03:51:43 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45655

            Bug ID: 45655
           Summary: Acronis Storage Filter Management Driver 'fltsrv.sys'
                    crashes on unimplemented function
                    'ntoskrnl.exe.DbgQueryDebugFilterState' in trace mode
           Product: Wine
           Version: 3.13
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
...
0028:Call driver init 0x789a4c (obj=0x11ccd0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fltsrv")
...
0028:Call ntoskrnl.exe.RtlInitUnicodeString(0065fb3c,00792408 L"EnableTrace") ret=007858d1
0028:Call ntdll.RtlInitUnicodeString(0065fb3c,00792408 L"EnableTrace") ret=7bc813a3
0028:Ret  ntdll.RtlInitUnicodeString() retval=0065fb3c ret=7bc813a3
0028:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=0065fb3c ret=007858d1
0028:Call ntoskrnl.exe.ZwOpenKey(0065fa98,00000001,0065fa70) ret=00790c21
0028:Call ntdll.NtOpenKey(0065fa98,00000001,0065fa70) ret=7bc813a3
0028:trace:reg:open_key ((nil),L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fltsrv\\Parameters",1,0x65fa98)
0028:trace:reg:open_key <- 0x44
0028:Ret  ntdll.NtOpenKey() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwOpenKey() retval=00000000 ret=00790c21
0028:Call ntoskrnl.exe.ZwQueryValueKey(00000044,0065fa2c,00000002,0065fa60,00000014,0065fa34) ret=00790c86
0028:Call ntdll.NtQueryValueKey(00000044,0065fa2c,00000002,0065fa60,00000014,0065fa34) ret=7bc813a3
0028:trace:reg:NtQueryValueKey (0x44,L"EnableTrace",2,0x65fa60,20)
0028:Ret  ntdll.NtQueryValueKey() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwQueryValueKey() retval=00000000 ret=00790c86
0028:Call ntoskrnl.exe.ZwClose(00000044) ret=00790b84
0028:Call ntdll.NtClose(00000044) ret=7bc813a3
0028:Ret  ntdll.NtClose() retval=00000000 ret=7bc813a3
0028:Ret  ntoskrnl.exe.ZwClose() retval=00000000 ret=00790b84 
...
0028:Call hal.KeGetCurrentIrql() ret=0078914f
0028:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0028:Ret  hal.KeGetCurrentIrql() retval=00000000 ret=0078914f
0028:Call hal.KeGetCurrentIrql() ret=00785e7f
0028:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0028:Ret  hal.KeGetCurrentIrql() retval=00000000 ret=00785e7f
0028:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x11cf04) stub!
0028:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x11cf04 0) stub!
0028:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065faf4) ret=7e98b32d
0028:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b44733b ip=7b44733b tid=0028
0028:trace:seh:raise_exception  info[0]=7e98b360
0028:trace:seh:raise_exception  info[1]=7e98baeb
wine: Call from 0x7b44733b to unimplemented function ntoskrnl.exe.DbgQueryDebugFilterState, aborting
--- snip ---

One has to explicitly enable trace mode by adding the following registry key:

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fltsrv\Parameters]
"EnableTrace"=dword:00000001
--- snip ---

Source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l114

--- snip ---
 114 @ stub DbgQueryDebugFilterState
--- snip ---

Prototype:

https://github.com/processhacker/processhacker/blob/master/phnt/include/ntdbg.h

--- snip ---
NTSYSAPI NTSTATUS NTAPI DbgQueryDebugFilterState(
    _In_ ULONG ComponentId,
    _In_ ULONG Level
);

--- snip ---

It's enough to dump the parameters and return 'STATUS_NOT_IMPLEMENTED'.
With that in place the driver is a bit more verbose using
'ntdll:vDbgPrintExWithPrefix()'.

--- snip ---
...
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x112774, 0
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x1126bc) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x1126bc 0) stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x1126bc) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x1126bc 0) stub!
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Trace:driver.cpp(37):OnLoad: passed...
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x14883c, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x148874, 0
0027:fixme:ntoskrnl:ObQueryNameString (0x1488a0 0x148988 128 0x65fa94) stub
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x148994, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x14878c, 0
0027:fixme:ntoskrnl:KeInitializeMutex stub: 0x1487d0, 0
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Version=2227, DeviceNotificationDisabled=0
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x1
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: status=0xC0000002
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d 0x2
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Trace:driver.cpp(56):OnUnload: passed...
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:KeGetCurrentIrql  stub!
0027:fixme:ntoskrnl:__regs_KfAcquireSpinLock (0x14865c) stub!
0027:fixme:ntoskrnl:__regs_KfReleaseSpinLock (0x14865c 0) stub!
0027:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x148994, 0, 0, 0, (nil)
0027:fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x4d (nil)
0027:err:ntdll:vDbgPrintExWithPrefix [fltsrv] 4d: Expression 'LockWithStatus()' failed with status 0xc0000002, Source File: threading\mutex.cpp, line 32
...
--- snip ---

ProtectionID scan:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\windows\system32\drivers\fltsrv.sys
File Type : 32-Bit Driver (BAD checksum - won't load!), Good Checksum = 01ED8Bh
Size : 0123744 (01E360h) Byte(s)  | Machine: 0x14C (I386)
Compilation TimeStamp : 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT)
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | PE Header | - | Offset: 0x000000F0 | VA: 0x004000F0 | -
[TimeStamp] 0x5638DF2A -> Tue 03rd Nov 2015 16:22:02 (GMT) | DebugDirectory | - | Offset: 0x000139B4 | VA: 0x004151B4 | -
-> File Appears to be Digitally Signed @ Offset 017A00h, size : 06960h / 026976 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 2 recorded... 1 invalid addresses)
[!]    * table may be compressed / encrypted *
[LoadConfig] CodeIntegrity -> Flags 0x5352 | Catalog 0x5344 (21316) | Catalog Offset 0x1E431CED | Reserved 0x4EDC114E
[LoadConfig] GuardAddressTakenIatEntryTable 0x356CB182 | Count 0x821065B8 (2182112696)
[LoadConfig] GuardLongJumpTargetTable 0x1 | Count 0x325C3A4B (844905035)
[LoadConfig] HybridMetadataPointer 0x5C373232 | DynamicValueRelocTable 0x6E72656B
[LoadConfig] FailFastIndirectProc 0x775C6C65 | FailFastPointer 0x2E5C6E69
[LoadConfig] UnknownZero1 0x7074756F
[File Heuristics] -> Flag #1 : 00000100000001001101000000000100 (0x0404D004)
[Entrypoint Section Entropy] : 6.66 (section #0) ".text   " | Size : 0x13308 (78600) byte(s)
[DllCharacteristics] -> Flag : (0x0140) -> ASLR | DEP
[SectionCount] 6 (0x6) | ImageSize 0x1C000 (114688) byte(s)
[VersionInfo] Company Name : Acronis International GmbH
[VersionInfo] Product Name : Acronis Storage Filter Management
[VersionInfo] Product Version : 1.3.0.2227
[VersionInfo] File Description : Acronis Storage Filter Management Driver
[VersionInfo] File Version : 1.3.0.2227
[VersionInfo] Original FileName : fltsrv.sys
[VersionInfo] Internal Name : fltsrv
[VersionInfo] Version Comments : Acronis Storage Filter Management
[VersionInfo] Legal Trademarks : Acronis International GmbH. All rights reserved.
[VersionInfo] Legal Copyrights : Copyright © Acronis International GmbH. 2002-2013.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[Debug Info] (record 1 of 1) (file offset 0x139B0)
Characteristics : 0x0 | TimeDateStamp : 0x5638DF2A (Tue 03rd Nov 2015 16:22:02 (GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x4C (76) 
AddressOfRawData : 0x166A4 | PointerToRawData : 0x14EA4
CvSig : 0x53445352 | SigGuid 1E431CED-114E-4EDC-82B16C35B8651082
Age : 0x1 (1) | Pdb : K:\2227\kernel\win\.output\Win32\Release\fltsrv.pdb
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.247 Second(s) [0000000F7h (247) tick(s)] [135 of 580 scan(s) done]
--- snip ---

$ sha1sum ADD12_trial_en-US.exe 
da5cd4fb2b457b86bc9a76b0fafd96ceec5608e6e  ADD12_trial_en-US.exe

$ du -sh ADD12_trial_en-US.exe 
293M    ADD12_trial_en-US.exe

$ wine --version
wine-3.13-318-gccf6211c0a

Regards

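As an added, stand-alone C illustration (not code from Wine or from the Acronis driver), the documented contract of DbgQueryDebugFilterState() modelled in user mode beside the minimal stub the report proposes. The component and level constants are from the public dpfilter.h (0x4d is DPFLTR_IHVDRIVER_ID, 0x1 and 0x2 are the WARNING and TRACE levels the log shows); the filter table, COMPONENT_COUNT and the trace_enabled() gate are assumptions made for the demo.

```c
/* Added example, not Wine's or the driver's code: model of the documented
 * DbgQueryDebugFilterState() contract next to the stub suggested in the report.
 * filter_table, COMPONENT_COUNT and trace_enabled() are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ULONG; typedef int32_t NTSTATUS;

#define STATUS_NOT_IMPLEMENTED     ((NTSTATUS)0xC0000002)  /* what the proposed stub returns */
#define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC000000D)
#define DPFLTR_WARNING_LEVEL 1                              /* the 0x1 seen in the log */
#define DPFLTR_TRACE_LEVEL   2                              /* the 0x2 seen in the log */
#define DPFLTR_IHVDRIVER_ID  77                             /* 0x4d, the id the driver passes */
#define COMPONENT_COUNT      128                            /* assumed size of the model table */

/* Per-component level masks, as the kernel loads them from the registry's
 * "Debug Print Filter" key.  Constructed for the demo: only IHVDRIVER traces. */
static ULONG filter_table[COMPONENT_COUNT] = { [DPFLTR_IHVDRIVER_ID] = 1u << DPFLTR_TRACE_LEVEL };

/* Documented contract: 1 (TRUE) if the level is enabled for the component, 0 (FALSE) if not,
 * STATUS_INVALID_PARAMETER_1 for an out-of-range id.  Level < 32 is a level number, else a mask. */
NTSTATUS model_DbgQueryDebugFilterState(ULONG ComponentId, ULONG Level)
{
    ULONG mask = (Level < 32) ? (1u << Level) : Level;
    if (ComponentId >= COMPONENT_COUNT) return STATUS_INVALID_PARAMETER_1;
    return (filter_table[ComponentId] & mask) ? 1 : 0;
}

/* The minimal stub the report suggests: dump the parameters, return STATUS_NOT_IMPLEMENTED. */
NTSTATUS stub_DbgQueryDebugFilterState(ULONG ComponentId, ULONG Level)
{
    fprintf(stderr, "fixme:ntoskrnl:DbgQueryDebugFilterState stub: 0x%x 0x%x\n", ComponentId, Level);
    return STATUS_NOT_IMPLEMENTED;
}

/* Assumed driver-side gate: any non-zero answer counts as "enabled".  Because
 * STATUS_NOT_IMPLEMENTED is non-zero, the stub enables tracing at every level. */
int trace_enabled(NTSTATUS (*query)(ULONG, ULONG), ULONG component, ULONG level)
{
    return query(component, level) != 0;
}

int main(void)
{
    printf("model: trace=%d warning=%d; stub: warning=%d\n",
           trace_enabled(model_DbgQueryDebugFilterState, DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL),
           trace_enabled(model_DbgQueryDebugFilterState, DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL),
           trace_enabled(stub_DbgQueryDebugFilterState, DPFLTR_IHVDRIVER_ID, DPFLTR_WARNING_LEVEL));
    return 0;
}
```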