[Bug 44636] New: Sentinel HASP 'hardlock.sys' kernel driver access to CR4 via %ESI register operand not handled in ntoskrnl emulate_instruction
wine-bugs at winehq.org
Wed Feb 28 18:19:45 CST 2018
https://bugs.winehq.org/show_bug.cgi?id=44636
Bug ID: 44636
Summary: Sentinel HASP 'hardlock.sys' kernel driver access to
CR4 via %ESI register operand not handled in ntoskrnl
emulate_instruction
Product: Wine
Version: 3.2
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
This is a continuation of bug 37852.
This time it is another variant of bug 30220, now with %ESI as the register
operand.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Minitab/Minitab 16
$ WINEDEBUG=+seh,+relay,+winedevice,+ntoskrnl wine ./Mtb.exe >>log.txt 2>&1
...
0019:trace:winedevice:load_driver_module
L"C:\\windows\\system32\\drivers\\hardlock.sys": relocating from 0x10000 to
0x780000
...
0019:Call driver init 0x80ac20
(obj=0x11cb28,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\hardlock")
...
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0065fc74,007efa18
L"\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Services\\HaspNt")
ret=00786720
0019:Call ntdll.RtlInitUnicodeString(0065fc74,007efa18
L"\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Services\\HaspNt")
ret=7bc7e247
0019:Ret ntdll.RtlInitUnicodeString() retval=0065fc74 ret=7bc7e247
0019:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0065fc74 ret=00786720
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000084,36346b48)
ret=00786748
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000084) ret=7ecce269
0019:Ret ntdll.RtlAllocateHeap() retval=0011cd08 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 132 pool 1 -> 0x11cd08
0019:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011cd08 ret=00786748
0019:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000148,34356b48)
ret=007879d7
0019:Call ntdll.RtlAllocateHeap(00110000,00000000,00000148) ret=7ecce269
0019:Ret ntdll.RtlAllocateHeap() retval=0011d2e8 ret=7ecce269
0019:trace:ntoskrnl:ExAllocatePoolWithTag 328 pool 1 -> 0x11d2e8
0019:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011d2e8 ret=007879d7
0019:Call ntoskrnl.exe.RtlInitUnicodeString(0011d2e8,00000000) ret=00787a0f
0019:Call ntdll.RtlInitUnicodeString(0011d2e8,00000000) ret=7bc7e247
0019:Ret ntdll.RtlInitUnicodeString() retval=0011d2e8 ret=7bc7e247
0019:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0011d2e8 ret=00787a0f
0019:trace:seh:raise_exception code=c0000096 flags=0 addr=0x787a18 ip=00787a18
tid=0019
0019:trace:seh:raise_exception eax=00110078 ebx=00000000 ecx=0011d2f0
edx=00000000 esi=0011d2e8 edi=0011cd08
0019:trace:seh:raise_exception ebp=0065fbb4 esp=0065fb64 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010202
0019:trace:seh:call_vectored_handlers calling handler at 0x7ecc9f55
code=c0000096 flags=0
0019:trace:seh:call_vectored_handlers handler at 0x7ecc9f55 returned 0
0019:trace:seh:call_stack_handlers calling handler at 0x7bcb01c8 code=c0000096
flags=0
0019:Call KERNEL32.UnhandledExceptionFilter(0065f664) ret=7bcb0203
wine: Unhandled privileged instruction at address 0x787a18 (thread 0019),
starting debugger...
--- snip ---
Disassembly:
--- snip ---
....
00787A16 FFF6 PUSH ESI
00787A18 0F20E6 MOV ESI,CR4 ; unhandled opcode
00787A1B 66:81E6 F7FF AND SI,0FFF7
00787A20 0F22E6 MOV CR4,ESI ; unhandled opcode
00787A23 5E POP ESI
00787A24 66:05 C800 ADD AX,0C8
00787A28 FFF7 PUSH EDI
00787A2A 66:8946 02 MOV WORD PTR DS:[ESI+2],AX
00787A2E E9 F4F40600 JMP hardlock.007F6F27
...
--- snip ---
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#l329
--- snip ---
329 switch(*instr)
330 {
331 case 0x0f: /* extended instruction */
332 switch(instr[1])
333 {
334 case 0x22: /* mov eax, crX */
335 switch (instr[2])
336 {
337 case 0xc0:
338 TRACE("mov eax,cr0 at 0x%08x, EAX=0x%08x\n",
context->Eip,context->Eax );
339 context->Eip += prefixlen+3;
340 return ExceptionContinueExecution;
341 case 0xe0:
342 TRACE("mov eax,cr4 at 0x%08x, EAX=0x%08x\n",
context->Eip,context->Eax );
343 context->Eip += prefixlen+3;
344 return ExceptionContinueExecution;
345 default:
346 break; /*fallthrough to bad instruction handling */
347 }
348 ERR("Unsupported EAX -> CR register, eip+2 is %02x\n",
instr[2]);
349 break; /*fallthrough to bad instruction handling */
350 case 0x20: /* mov crX, eax */
351 switch (instr[2])
352 {
353 case 0xe0: /* mov cr4, eax */
354 /* CR4 register . See linux/arch/i386/mm/init.c, X86_CR4_
defs
355 * bit 0: VME Virtual Mode Exception ?
356 * bit 1: PVI Protected mode Virtual Interrupt
357 * bit 2: TSD Timestamp disable
358 * bit 3: DE Debugging extensions
359 * bit 4: PSE Page size extensions
360 * bit 5: PAE Physical address extension
361 * bit 6: MCE Machine check enable
362 * bit 7: PGE Enable global pages
363 * bit 8: PCE Enable performance counters at IPL3
364 */
365 TRACE("mov cr4,eax at 0x%08x\n",context->Eip);
366 context->Eax = 0;
367 context->Eip += prefixlen+3;
368 return ExceptionContinueExecution;
--- snip ---
%EAX as the register operand is handled, but %ESI is not: the emulation matches
the complete ModRM byte (0xc0 / 0xe0, i.e. only the %EAX forms) instead of
decoding its r/m field, so the 0xe6 (%ESI) encoding seen in the disassembly
falls through to the unsupported-instruction path.
Opcode map 0x0f 0x20-0x2f:
20: MOV Rd,Cd
21: MOV Rd,Dd
22: MOV Cd,Rd
23: MOV Dd,Rd
$ sha1sum MTBen1610su.exe
f457d13475a783a0d2fff5566c0279640ba26bc6 MTBen1610su.exe
$ du -sh MTBen1610su.exe
93M MTBen1610su.exe
$ wine --version
wine-3.2-293-g0a72708126
Regards