[Bug 45521] New: 64-bit Sentinel HASP hardlock.sys kernel driver crashes due to ntoskrnl emulate_instruction not handling 'cli' and 'sti'

wine-bugs at winehq.org
Fri Jul 27 15:47:59 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45521

            Bug ID: 45521
           Summary: 64-bit Sentinel HASP hardlock.sys kernel driver
                    crashes due to ntoskrnl emulate_instruction not
                    handling 'cli' and 'sti'
           Product: Wine
           Version: 3.13
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

originally reported in bug 45510 (which now covers a different issue) and
extracted here.

Prerequisite:

* 64-bit WINEPREFIX (otherwise you run into bug 45510)

Download:

https://www.uwerk.de/en/images/UWerkDownLoads/HASP/GUI/HASPUserSetup.zip

--- snip ---
...
0051:Call ntoskrnl.exe.RtlAppendUnicodeToString(0002a240,006bfc98 L"\\Parameters") ret=006c6b88
0051:Call ntdll.RtlAppendUnicodeToString(0002a240,006bfc98 L"\\Parameters") ret=7bcfdc7b
0051:Ret  ntdll.RtlAppendUnicodeToString() retval=00000000 ret=7bcfdc7b
0051:Ret  ntoskrnl.exe.RtlAppendUnicodeToString() retval=00000000 ret=006c6b88
0051:Call ntoskrnl.exe.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=006c6bec
0051:Call ntdll.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=7bcfdc7b
0051:Ret  ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bcfdc7b
0051:Ret  ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=006c6bec
0051:Call ntoskrnl.exe.ExFreePoolWithTag(0002a240,00000000) ret=006c6bfe
0051:trace:ntoskrnl:ExFreePoolWithTag 0x2a240
0051:Call ntdll.RtlFreeHeap(00010000,00000000,0002a240) ret=7faa2ee4dfb1
0051:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7faa2ee4dfb1
0051:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=006c6bfe
0051:trace:seh:NtRaiseException code=c0000096 flags=0 addr=0x6cc5f6 ip=6cc5f6 tid=0051
0051:trace:seh:NtRaiseException  rax=0000000000000000 rbx=0000000000027ca8 rcx=000000000055f6b4 rdx=000000000055f6b0
0051:trace:seh:NtRaiseException  rsi=0000000000026ee0 rdi=0000000000027d58 rbp=0000000000027d04 rsp=000000000055f660
0051:trace:seh:NtRaiseException   r8=0000000000000000  r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:NtRaiseException  r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00000000000271b0
0051:trace:seh:call_vectored_handlers calling handler at 0x7faa2ee458d8 code=c0000096 flags=0
0051:trace:seh:call_vectored_handlers handler at 0x7faa2ee458d8 returned 0
...
0051:trace:seh:dwarf_virtual_unwind next function rip=0000000000000000
0051:trace:seh:dwarf_virtual_unwind   rax=0000000000000000 rbx=0000000000000000 rcx=00007faa2ee80fa0 rdx=00000000000c0155
0051:trace:seh:dwarf_virtual_unwind   rsi=0000000000000000 rdi=0000000000000000 rbp=0000000000000000 rsp=000000000055ffe0
0051:trace:seh:dwarf_virtual_unwind    r8=0000000000000000  r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:dwarf_virtual_unwind   r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00007faa2ee30000
0051:trace:seh:call_stack_handlers found wine frame 0x55fe00 rsp 55ffe0 handler 0x7bd57b2b
0051:trace:seh:call_teb_handler calling TEB handler 0x7bd57b2b (rec=0x55f520, frame=0x55fe00 context=0x55e7c0, dispatch=0x55ec90)
0051:Call KERNEL32.UnhandledExceptionFilter(0055e700) ret=7bd57b85
wine: Unhandled privileged instruction at address 0x6cc5f6 (thread 0051), starting debugger...
--- snip ---

Disassembly after decryption of 64-bit driver:

--- snip ---
...
00000000006CC5B3 | E8 38 A5 FF FF       | call    hardlock.6C6AF0 
00000000006CC5B8 | 84 C0                | test    al, al            
00000000006CC5BA | 74 04                | je      hardlock.6CC5C0   
00000000006CC5BC | 83 4B 58 01          | or      dword ptr ds:[rbx+58], 1      
00000000006CC5C0 | 4C 8D 44 24 4C       | lea     r8, qword ptr ss:[rsp+4C]     
00000000006CC5C5 | 48 8D 15 94 35 FF FF | lea     rdx, qword ptr ds:[6BFB60]
00000000006CC5CC | 49 8B CF             | mov     rcx, r15 
00000000006CC5CF | E8 1C A5 FF FF       | call    hardlock.6C6AF0   
00000000006CC5D4 | 84 C0                | test    al, al            
00000000006CC5D6 | 74 0E                | je      hardlock.6CC5E6   
00000000006CC5D8 | 44 39 6C 24 4C       | cmp     dword ptr ss:[rsp+4C], r13d   
00000000006CC5DD | 74 07                | je      hardlock.6CC5E6   
00000000006CC5DF | 81 4B 58 80 00 00 00 | or      dword ptr ds:[rbx+58], 80     
00000000006CC5E6 | 48 8D 54 24 50       | lea     rdx, qword ptr ss:[rsp+50]    
00000000006CC5EB | 48 8D 4C 24 54       | lea     rcx, qword ptr ss:[rsp+54]    
00000000006CC5F0 | 45 33 C9             | xor     r9d, r9d          
00000000006CC5F3 | 45 33 C0             | xor     r8d, r8d          
00000000006CC5F6 | FB                   | sti                      ; problem!   
00000000006CC5F7 | E8 6A E4 FE FF       | call    hardlock.6BAA66   
00000000006CC5FC | 44 8B 5C 24 54       | mov     r11d, dword ptr ss:[rsp+54]   
00000000006CC601 | 41 C1 E3 08          | shl     r11d, 8           
00000000006CC605 | 44 03 5C 24 50       | add     r11d, dword ptr ss:[rsp+50]   
...
--- snip ---

'cli' and 'sti' are handled in the 32-bit case:

Source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#l438

--- snip ---
 266 /***********************************************************************
 267  *           emulate_instruction
 268  *
 269  * Emulate a privileged instruction.
 270  * Returns exception continuation status.
 271  */
 272 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
 273 {
...
 437 
 438     case 0xfa: /* cli */
 439     case 0xfb: /* sti */
 440         context->Eip += prefixlen + 1;
 441         return ExceptionContinueExecution;
 442     }
 443     return ExceptionContinueSearch;  /* Unable to emulate it */
 444 }
--- snip ---

but not in the 64-bit case:

Source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#l589

--- snip ---
 588 
 589 /***********************************************************************
 590  *           emulate_instruction
 591  *
 592  * Emulate a privileged instruction.
 593  * Returns exception continuation status.
 594  */
 595 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
 596 {
...
 802     case 0xa0: /* mov Ob, AL */
 803     case 0xa1: /* mov Ovqp, rAX */
...
 818     }
 819     return ExceptionContinueSearch;  /* Unable to emulate it */
 820 }
--- snip ---

ProtectionID scan for documentation:

--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42

Scanning -> Z:\home\focht\Downloads\HASPUserSetup.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 14533512 (0DDC388h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x004000F8 | -
[TimeStamp] 0x4B96E620 -> Wed 10th Mar 2010 00:21:52 (GMT) | Export | - | Offset: 0x00012ED4 | VA: 0x004146D4 | -
-> File Appears to be Digitally Signed @ Offset 0DDAA00h, size : 01988h / 06536 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 3 recorded... 0 invalid addresses)
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0 | Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0 | Count 0x0 (0)
[LoadConfig] GuardLongJumpTargetTable 0xFFFFFFFE | Count 0x0 (0)
[LoadConfig] HybridMetadataPointer 0xFFFFFF88 | DynamicValueRelocTable 0x0
[LoadConfig] FailFastIndirectProc 0xFFFFFFFE | FailFastPointer 0x407A0A
[LoadConfig] UnknownZero1 0x407A0E
[File Heuristics] -> Flag #1 : 00000000000001001100000100000100 (0x0004C104)
[Entrypoint Section Entropy] : 6.53 (section #0) ".text   " | Size : 0xF208 (61960) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 5 (0x5) | ImageSize 0xDEF000 (14610432) byte(s)
[Export] 100% of function(s) (6 of 6) are in file | 0 are forwarded | 6 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] File Description : Sentinel Runtime
[VersionInfo] File Version : 6.60.1.36770
[VersionInfo] Legal Copyrights : SafeNet Inc.
[ModuleReport] [IAT] Modules -> WSOCK32.dll | VERSION.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | SHELL32.dll
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99B54 / Offset: 0x00D85B54
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99BEC / Offset: 0x00D85BEC
[CdKeySerial] found "Evaluation version" @ VA: 0x00DCE8DC / Offset: 0x00DBA8DC
[CdKeySerial] found "Serial Number" @ VA: 0x00DCF3C9 / Offset: 0x00DBB3C9
[CompilerDetect] -> Visual C++ 9.0 (Visual Studio 2008)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 2.518 Second(s) [0000009B2h (2482) tick(s)] [506 of 580 scan(s) done]
--- snip ---

--- snip ---
Scanning -> Z:\home\focht\Downloads\hardlock.sys
File Type : 64-Bit Driver (good checksum) (Subsystem : Native / 1), Size : 331328 (050E40h) Byte(s) | Machine: 0x8664 (AMD64)
Compilation TimeStamp : 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT) | PE Header | - | Offset: 0x00000000:000000E8 | VA: 0x00000000:000100E8 | -
-> File Appears to be Digitally Signed @ Offset 04F600h, size : 01840h / 06208 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xAA60 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46AB40
[LoadConfig] GuardAddressTakenIatEntryTable 0x46AC88:02000011 | Count 0x46AE9C02000011 (463222033554449)
[LoadConfig] GuardLongJumpTargetTable 0x46AF38:08000011 | Count 0x46AFE008000011 (4632544134217745)
[LoadConfig] HybridMetadataPointer 0x46A66C:08000011 | DynamicValueRelocTable 0x8000011:0046B0A8
[LoadConfig] FailFastIndirectProc 0x8000011:0046B264 | FailFastPointer 0x8000011:0046B2FC
[LoadConfig] UnknownZero1 0x8000011  46B448
[File Heuristics] -> Flag #1 : 00000000000000011100000000010111 (0x0001C017)
[Entrypoint Section Entropy] : 4.38 (section #7) ".init   " | Size : 0x1600 (5632) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 8 (0x8) | ImageSize 0x4F600 (325120) byte(s)
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] Product Name : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] Product Version : 3.83
[VersionInfo] File Description : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] File Version : 3.83
[VersionInfo] Original FileName : hardlock.sys
[VersionInfo] Internal Name : hardlock.sys
[VersionInfo] Legal Copyrights : © 2013 SafeNet. Inc. All rights reserved.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.321 Second(s) [000000141h (321) tick(s)] [134 of 580 scan(s) done]
--- snip ---

With that fix in place the driver loads successfully (at least it doesn't
crash) but the HASP installer runs into the next problem with another 64-bit
kernel driver.

$ sha1sum HASPUserSetup.*
fa5f85d8dfbef3188087f1b6fb0ec81a16e6a26d  HASPUserSetup.exe
d486f63c0444e3a42b81a74ab52f99c45432e9e1  HASPUserSetup.zip

$ du -sh HASPUserSetup.*
14M    HASPUserSetup.exe
14M    HASPUserSetup.zip

$ wine --version
wine-3.13

Regards
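The report above shows the 32-bit emulate_instruction() stepping over 'cli'/'sti' (advance the instruction pointer by prefix length plus one, return ExceptionContinueExecution) while the 64-bit switch has no such case, so the vectored handler in the trace returns 0 (continue search) and the 'sti' at 0x6cc5f6 ends up as an unhandled privileged instruction. The following is an added, stand-alone example that is not Wine's code and not part of the bug report: it sketches the missing 64-bit case in the same shape (prefix skip, opcode switch), wraps it in a vectored-handler-style function that only looks at STATUS_PRIVILEGED_INSTRUCTION faults, and drives it with bytes taken from the disassembly above. The EXC_RECORD/EXC_CONTEXT/EXC_POINTERS structs, the constants and the emulated_advance() helper are simplified stand-ins for the Windows/Wine definitions, chosen so the example compiles on Linux; the byte sequences in main() are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows definitions Wine's handler uses; simplified
 * assumptions for this example, not the real SDK/Wine types. */
#define STATUS_PRIVILEGED_INSTRUCTION 0xc0000096u
#define EXCEPTION_CONTINUE_SEARCH     0L
#define EXCEPTION_CONTINUE_EXECUTION  (-1L)
enum { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 };

typedef struct { uint32_t ExceptionCode; uint64_t ExceptionAddress; } EXC_RECORD;
typedef struct { uint64_t Rip; uint32_t EFlags; } EXC_CONTEXT;
typedef struct { EXC_RECORD *ExceptionRecord; EXC_CONTEXT *ContextRecord; } EXC_POINTERS;

/* Legacy prefixes plus REX (0x40-0x4f, which is a prefix only in 64-bit mode). */
static int is_prefix_byte(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2e: case 0x36: case 0x3e: /* segment overrides */
    case 0x64: case 0x65:                       /* fs / gs */
    case 0x66: case 0x67:                       /* operand / address size */
    case 0xf0: case 0xf2: case 0xf3:            /* lock / repne / rep */
        return 1;
    default:
        return (b & 0xf0) == 0x40;              /* REX.* */
    }
}

/* 64-bit counterpart of the 32-bit 'cli'/'sti' case quoted in the report:
 * skip any prefix bytes, then step Rip over the one-byte opcode. Wine runs
 * the driver in user mode, where IF cannot actually change, so skipping is
 * all that is needed, which is what the 32-bit emulator does too. Anything
 * else is left to the next handler. */
static int emulate_instruction(EXC_RECORD *rec, EXC_CONTEXT *context)
{
    const uint8_t *instr = (const uint8_t *)(uintptr_t)context->Rip;
    size_t prefixlen = 0;

    (void)rec;
    /* An x86 instruction is at most 15 bytes, so a 1-byte opcode can carry
     * at most 14 prefixes; the bound keeps a garbage run from walking off. */
    while (prefixlen < 14 && is_prefix_byte(instr[prefixlen]))
        prefixlen++;

    switch (instr[prefixlen]) {
    case 0xfa: /* cli */
    case 0xfb: /* sti */
        context->Rip += prefixlen + 1;
        return ExceptionContinueExecution;
    }
    return ExceptionContinueSearch; /* unable to emulate it */
}

/* Same contract as the vectored handler in the trace: it returned 0
 * (continue search) for the 'sti' at 0x6cc5f6; with the case above in
 * place it returns -1 (continue execution) and the driver carries on. */
static long vectored_handler(EXC_POINTERS *ptrs)
{
    if (ptrs->ExceptionRecord->ExceptionCode != STATUS_PRIVILEGED_INSTRUCTION)
        return EXCEPTION_CONTINUE_SEARCH;
    if (emulate_instruction(ptrs->ExceptionRecord, ptrs->ContextRecord)
            == ExceptionContinueExecution)
        return EXCEPTION_CONTINUE_EXECUTION;
    return EXCEPTION_CONTINUE_SEARCH;
}

/* Demo helper (assumption, not a Wine API): fake a fault with
 * `exception_code` at the first byte of `code`, run the handler, and return
 * how many bytes Rip advanced, or -1 when the handler declined. */
static int emulated_advance(const uint8_t *code, uint32_t exception_code)
{
    EXC_RECORD rec = { exception_code, (uint64_t)(uintptr_t)code };
    EXC_CONTEXT ctx = { (uint64_t)(uintptr_t)code, 0x202 };
    EXC_POINTERS ptrs = { &rec, &ctx };

    if (vectored_handler(&ptrs) != EXCEPTION_CONTINUE_EXECUTION)
        return -1;
    return (int)(ctx.Rip - (uint64_t)(uintptr_t)code);
}

int main(void)
{
    /* Constructed from the disassembly in the report: FB (sti) followed by
     * the E8 call at 0x6CC5F7. The other two sequences are made up. */
    static const uint8_t sti_then_call[] = { 0xfb, 0xe8, 0x6a, 0xe4, 0xfe, 0xff };
    static const uint8_t rex_cli[]       = { 0x48, 0xfa, 0x90 }; /* REX.W cli; nop */
    static const uint8_t hlt_nop[]       = { 0xf4, 0x90 };       /* hlt: not emulated */

    printf("sti            -> advance %d\n", emulated_advance(sti_then_call, STATUS_PRIVILEGED_INSTRUCTION));
    printf("rex.w cli      -> advance %d\n", emulated_advance(rex_cli, STATUS_PRIVILEGED_INSTRUCTION));
    printf("hlt            -> advance %d\n", emulated_advance(hlt_nop, STATUS_PRIVILEGED_INSTRUCTION));
    printf("sti, AV code   -> advance %d\n", emulated_advance(sti_then_call, 0xc0000005u));
    return 0;
}
```

The last call shows why the handler checks the exception code first: an access violation (0xc0000005) at an 'sti' byte must not be "fixed" by skipping the instruction, only a privileged-instruction fault is. The prefix loop is what makes the difference between advancing one byte for the bare 'sti' in the disassembly and two bytes for a REX-prefixed 'cli'.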
