[Bug 45521] New: 64-bit Sentinel HASP hardlock.sys kernel driver crashes due to ntoskrnl emulate_instruction not handling 'cli' and 'sti'
wine-bugs at winehq.org
Fri Jul 27 15:47:59 CDT 2018
https://bugs.winehq.org/show_bug.cgi?id=45521
Bug ID: 45521
Summary: 64-bit Sentinel HASP hardlock.sys kernel driver crashes due to ntoskrnl emulate_instruction not handling 'cli' and 'sti'
Product: Wine
Version: 3.13
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
originally reported in bug 45510 (which now covers a different issue) and
extracted here.
Prerequisite:
* 64-bit WINEPREFIX (otherwise you run into bug 45510)
Download:
https://www.uwerk.de/en/images/UWerkDownLoads/HASP/GUI/HASPUserSetup.zip
--- snip ---
...
0051:Call ntoskrnl.exe.RtlAppendUnicodeToString(0002a240,006bfc98 L"\\Parameters") ret=006c6b88
0051:Call ntdll.RtlAppendUnicodeToString(0002a240,006bfc98 L"\\Parameters") ret=7bcfdc7b
0051:Ret ntdll.RtlAppendUnicodeToString() retval=00000000 ret=7bcfdc7b
0051:Ret ntoskrnl.exe.RtlAppendUnicodeToString() retval=00000000 ret=006c6b88
0051:Call ntoskrnl.exe.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=006c6bec
0051:Call ntdll.RtlQueryRegistryValues(80000000,0002a250,0055f5e0,00000000,00000000) ret=7bcfdc7b
0051:Ret ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bcfdc7b
0051:Ret ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=006c6bec
0051:Call ntoskrnl.exe.ExFreePoolWithTag(0002a240,00000000) ret=006c6bfe
0051:trace:ntoskrnl:ExFreePoolWithTag 0x2a240
0051:Call ntdll.RtlFreeHeap(00010000,00000000,0002a240) ret=7faa2ee4dfb1
0051:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7faa2ee4dfb1
0051:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=006c6bfe
0051:trace:seh:NtRaiseException code=c0000096 flags=0 addr=0x6cc5f6 ip=6cc5f6 tid=0051
0051:trace:seh:NtRaiseException rax=0000000000000000 rbx=0000000000027ca8 rcx=000000000055f6b4 rdx=000000000055f6b0
0051:trace:seh:NtRaiseException rsi=0000000000026ee0 rdi=0000000000027d58 rbp=0000000000027d04 rsp=000000000055f660
0051:trace:seh:NtRaiseException r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:NtRaiseException r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00000000000271b0
0051:trace:seh:call_vectored_handlers calling handler at 0x7faa2ee458d8 code=c0000096 flags=0
0051:trace:seh:call_vectored_handlers handler at 0x7faa2ee458d8 returned 0
...
0051:trace:seh:dwarf_virtual_unwind next function rip=0000000000000000
0051:trace:seh:dwarf_virtual_unwind rax=0000000000000000 rbx=0000000000000000 rcx=00007faa2ee80fa0 rdx=00000000000c0155
0051:trace:seh:dwarf_virtual_unwind rsi=0000000000000000 rdi=0000000000000000 rbp=0000000000000000 rsp=000000000055ffe0
0051:trace:seh:dwarf_virtual_unwind r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
0051:trace:seh:dwarf_virtual_unwind r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=00007faa2ee30000
0051:trace:seh:call_stack_handlers found wine frame 0x55fe00 rsp 55ffe0 handler 0x7bd57b2b
0051:trace:seh:call_teb_handler calling TEB handler 0x7bd57b2b (rec=0x55f520, frame=0x55fe00 context=0x55e7c0, dispatch=0x55ec90)
0051:Call KERNEL32.UnhandledExceptionFilter(0055e700) ret=7bd57b85
wine: Unhandled privileged instruction at address 0x6cc5f6 (thread 0051), starting debugger...
--- snip ---
Disassembly after decryption of the 64-bit driver:
--- snip ---
...
00000000006CC5B3 | E8 38 A5 FF FF | call hardlock.6C6AF0
00000000006CC5B8 | 84 C0 | test al, al
00000000006CC5BA | 74 04 | je hardlock.6CC5C0
00000000006CC5BC | 83 4B 58 01 | or dword ptr ds:[rbx+58], 1
00000000006CC5C0 | 4C 8D 44 24 4C | lea r8, qword ptr ss:[rsp+4C]
00000000006CC5C5 | 48 8D 15 94 35 FF FF | lea rdx, qword ptr ds:[6BFB60]
00000000006CC5CC | 49 8B CF | mov rcx, r15
00000000006CC5CF | E8 1C A5 FF FF | call hardlock.6C6AF0
00000000006CC5D4 | 84 C0 | test al, al
00000000006CC5D6 | 74 0E | je hardlock.6CC5E6
00000000006CC5D8 | 44 39 6C 24 4C | cmp dword ptr ss:[rsp+4C], r13d
00000000006CC5DD | 74 07 | je hardlock.6CC5E6
00000000006CC5DF | 81 4B 58 80 00 00 00 | or dword ptr ds:[rbx+58], 80
00000000006CC5E6 | 48 8D 54 24 50 | lea rdx, qword ptr ss:[rsp+50]
00000000006CC5EB | 48 8D 4C 24 54 | lea rcx, qword ptr ss:[rsp+54]
00000000006CC5F0 | 45 33 C9 | xor r9d, r9d
00000000006CC5F3 | 45 33 C0 | xor r8d, r8d
00000000006CC5F6 | FB | sti ; problem!
00000000006CC5F7 | E8 6A E4 FE FF | call hardlock.6BAA66
00000000006CC5FC | 44 8B 5C 24 54 | mov r11d, dword ptr ss:[rsp+54]
00000000006CC601 | 41 C1 E3 08 | shl r11d, 8
00000000006CC605 | 44 03 5C 24 50 | add r11d, dword ptr ss:[rsp+50]
...
--- snip ---
'cli' and 'sti' are handled in the 32-bit case:
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#l438
--- snip ---
266 /***********************************************************************
267 * emulate_instruction
268 *
269 * Emulate a privileged instruction.
270 * Returns exception continuation status.
271 */
272 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
273 {
...
437
438 case 0xfa: /* cli */
439 case 0xfb: /* sti */
440 context->Eip += prefixlen + 1;
441 return ExceptionContinueExecution;
442 }
443 return ExceptionContinueSearch; /* Unable to emulate it */
444 }
--- snip ---
but not in the 64-bit case:
Source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/instr.c#l589
--- snip ---
588
589 /***********************************************************************
590 * emulate_instruction
591 *
592 * Emulate a privileged instruction.
593 * Returns exception continuation status.
594 */
595 static DWORD emulate_instruction( EXCEPTION_RECORD *rec, CONTEXT *context )
596 {
...
802 case 0xa0: /* mov Ob, AL */
803 case 0xa1: /* mov Ovqp, rAX */
...
818 }
819 return ExceptionContinueSearch; /* Unable to emulate it */
820 }
--- snip ---
ProtectionID scan for documentation:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Scanning -> Z:\home\focht\Downloads\HASPUserSetup.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 14533512 (0DDC388h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x4B96E621 -> Wed 10th Mar 2010 00:21:53 (GMT) | PE Header | - | Offset: 0x000000F8 | VA: 0x004000F8 | -
[TimeStamp] 0x4B96E620 -> Wed 10th Mar 2010 00:21:52 (GMT) | Export | - | Offset: 0x00012ED4 | VA: 0x004146D4 | -
-> File Appears to be Digitally Signed @ Offset 0DDAA00h, size : 01988h / 06536 byte(s)
[LoadConfig] Struct determined as v8 (Expected size 140 | Actual size 64)
[!] Executable uses SEH Tables (/SAFESEH) (3 calculated 3 recorded... 0 invalid addresses)
[LoadConfig] CodeIntegrity -> Flags 0x0 | Catalog 0x0 (0) | Catalog Offset 0x0 | Reserved 0x0
[LoadConfig] GuardAddressTakenIatEntryTable 0x0 | Count 0x0 (0)
[LoadConfig] GuardLongJumpTargetTable 0xFFFFFFFE | Count 0x0 (0)
[LoadConfig] HybridMetadataPointer 0xFFFFFF88 | DynamicValueRelocTable 0x0
[LoadConfig] FailFastIndirectProc 0xFFFFFFFE | FailFastPointer 0x407A0A
[LoadConfig] UnknownZero1 0x407A0E
[File Heuristics] -> Flag #1 : 00000000000001001100000100000100 (0x0004C104)
[Entrypoint Section Entropy] : 6.53 (section #0) ".text " | Size : 0xF208 (61960) byte(s)
[DllCharacteristics] -> Flag : (0x8000) -> TSA
[SectionCount] 5 (0x5) | ImageSize 0xDEF000 (14610432) byte(s)
[Export] 100% of function(s) (6 of 6) are in file | 0 are forwarded | 6 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] File Description : Sentinel Runtime
[VersionInfo] File Version : 6.60.1.36770
[VersionInfo] Legal Copyrights : SafeNet Inc.
[ModuleReport] [IAT] Modules -> WSOCK32.dll | VERSION.dll | KERNEL32.dll | USER32.dll | GDI32.dll | ADVAPI32.dll | SHELL32.dll
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99B54 / Offset: 0x00D85B54
[CdKeySerial] found "Evaluation period" @ VA: 0x00D99BEC / Offset: 0x00D85BEC
[CdKeySerial] found "Evaluation version" @ VA: 0x00DCE8DC / Offset: 0x00DBA8DC
[CdKeySerial] found "Serial Number" @ VA: 0x00DCF3C9 / Offset: 0x00DBB3C9
[CompilerDetect] -> Visual C++ 9.0 (Visual Studio 2008)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 2.518 Second(s) [0000009B2h (2482) tick(s)] [506 of 580 scan(s) done]
--- snip ---
--- snip ---
Scanning -> Z:\home\focht\Downloads\hardlock.sys
File Type : 64-Bit Driver (good checksum) (Subsystem : Native / 1), Size : 331328 (050E40h) Byte(s) | Machine: 0x8664 (AMD64)
Compilation TimeStamp : 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT)
[!] Digital Signature signed by a known DRM provider -> SafeNet, Inc.
[TimeStamp] 0x51A349DA -> Mon 27th May 2013 11:56:10 (GMT) | PE Header | - | Offset: 0x00000000:000000E8 | VA: 0x00000000:000100E8 | -
-> File Appears to be Digitally Signed @ Offset 04F600h, size : 01840h / 06208 byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xAA60 | Catalog 0x46 (70) | Catalog Offset 0x2000001 | Reserved 0x46AB40
[LoadConfig] GuardAddressTakenIatEntryTable 0x46AC88:02000011 | Count 0x46AE9C02000011 (463222033554449)
[LoadConfig] GuardLongJumpTargetTable 0x46AF38:08000011 | Count 0x46AFE008000011 (4632544134217745)
[LoadConfig] HybridMetadataPointer 0x46A66C:08000011 | DynamicValueRelocTable 0x8000011:0046B0A8
[LoadConfig] FailFastIndirectProc 0x8000011:0046B264 | FailFastPointer 0x8000011:0046B2FC
[LoadConfig] UnknownZero1 0x8000011 46B448
[File Heuristics] -> Flag #1 : 00000000000000011100000000010111 (0x0001C017)
[Entrypoint Section Entropy] : 4.38 (section #7) ".init " | Size : 0x1600 (5632) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 8 (0x8) | ImageSize 0x4F600 (325120) byte(s)
[VersionInfo] Company Name : SafeNet Inc.
[VersionInfo] Product Name : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] Product Version : 3.83
[VersionInfo] File Description : Sentinel Hardlock Device Driver for Windows x64
[VersionInfo] File Version : 3.83
[VersionInfo] Original FileName : hardlock.sys
[VersionInfo] Internal Name : hardlock.sys
[VersionInfo] Legal Copyrights : © 2013 SafeNet. Inc. All rights reserved.
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.321 Second(s) [000000141h (321) tick(s)] [134 of 580 scan(s) done]
--- snip ---
With that fix in place the driver loads successfully (at least it doesn't
crash) but the HASP installer runs into the next problem with another 64-bit
kernel driver.
$ sha1sum HASPUserSetup.*
fa5f85d8dfbef3188087f1b6fb0ec81a16e6a26d HASPUserSetup.exe
d486f63c0444e3a42b81a74ab52f99c45432e9e1 HASPUserSetup.zip
$ du -sh HASPUserSetup.*
14M HASPUserSetup.exe
14M HASPUserSetup.zip
$ wine --version
wine-3.13
Regards
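Added example, not part of the bug report or of Wine's source: a small C model of the missing 64-bit path. It takes the 'sti' bytes from the disassembly above, shows that without a 0xfa/0xfb case the handler returns ExceptionContinueSearch (the state that ends in "Unhandled privileged instruction"), and that with the case mirrored from the 32-bit code it skips the instruction and advances Rip past any prefix bytes. prefix_len, CONTEXT64 and the handle_cli_sti switch are constructed for this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Continuation status values as used by Wine's emulate_instruction. */
enum { ExceptionContinueExecution = 0, ExceptionContinueSearch = 1 };
typedef struct { uint64_t Rip; } CONTEXT64;  /* only the register this model touches */

/* Hypothetical helper standing in for Wine's prefixlen: count the legacy and
 * REX prefix bytes that precede the opcode byte. */
static size_t prefix_len(const uint8_t *code, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = code[i];
        int legacy = b == 0x66 || b == 0x67 || b == 0xf0 || b == 0xf2 || b == 0xf3 ||
                     b == 0x26 || b == 0x2e || b == 0x36 || b == 0x3e || b == 0x64 || b == 0x65;
        if (!legacy && (b & 0xf0) != 0x40) break;  /* 0x40..0x4f is a REX prefix (64-bit only) */
        i++;
    }
    return i;
}

/* Model of the 64-bit handler. With handle_cli_sti == 0 it behaves like the
 * version quoted in the report (no 0xfa/0xfb case, so the fault stays
 * unhandled and Wine aborts with "Unhandled privileged instruction"). With
 * handle_cli_sti == 1 it mirrors the 32-bit case: user mode cannot change the
 * interrupt flag, so the instruction is skipped and execution resumes after it. */
static int emulate_instruction64(CONTEXT64 *ctx, const uint8_t *code, size_t len, int handle_cli_sti)
{
    size_t p = prefix_len(code, len);
    if (p >= len) return ExceptionContinueSearch;
    switch (code[p]) {
    case 0xfa: /* cli */
    case 0xfb: /* sti */
        if (!handle_cli_sti) break;
        ctx->Rip += p + 1;
        return ExceptionContinueExecution;
    }
    return ExceptionContinueSearch;  /* Unable to emulate it */
}

int main(void)
{
    /* Constructed from the report's disassembly: 'sti' at 6CC5F6, then call hardlock.6BAA66. */
    const uint8_t code[] = { 0xFB, 0xE8, 0x6A, 0xE4, 0xFE, 0xFF };
    CONTEXT64 ctx = { 0x6cc5f6 };
    int status = emulate_instruction64(&ctx, code, sizeof code, 1);
    printf("status=%d rip=%llx\n", status, (unsigned long long)ctx.Rip);  /* status=0 rip=6cc5f7 */
    return 0;
}
```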