[Bug 44496] Custom imports resolver used by multiple kernel drivers can't cope with 'ntoskrnl.exe' low-level (wc)string/copy helpers being forwarded to 'msvcrt.dll' (BattlEye 'BEDaisy', Sentinel HASP 'hardlock.sys')

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Mar 16 13:15:49 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=44496

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|BattlEye 'BEDaisy' kernel   |Custom imports resolver
                   |service custom imports      |used by multiple kernel
                   |resolved can't cope with    |drivers can't cope with
                   |'ntoskrnl.exe' low-level    |'ntoskrnl.exe' low-level
                   |(wc)string/copy helpers     |(wc)string/copy helpers
                   |being forwarded to          |being forwarded to
                   |'msvcrt.dll'                |'msvcrt.dll' (BattlEye
                   |                            |'BEDaisy', Sentinel HASP
                   |                            |'hardlock.sys')
         Depends on|37355                       |

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

also encountered by Sentinel HASP 'hardlock.sys' kernel driver after fixing bug
44641 and bug 44749

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/Minitab/Minitab 16

$ WINEDEBUG=+seh,+relay,+winedevice,+ntoskrnl,+ntdll wine ./Mtb.exe >>log.txt 2>&1
...
0018:Call ntdll.RtlCheckRegistryKey(00000001,0065fb20) ret=7bc7e547
001b:trace:ntdll:NtReadFile (0x4,(nil),(nil),(nil),0x33e92c,0x33e937,0x00000055,0x33e920,(nil)),partial stub!
0018:Ret  ntdll.RtlCheckRegistryKey() retval=00000000 ret=7bc7e547
001b:trace:ntdll:NtReadFile = SUCCESS (85)
0018:Ret  ntoskrnl.exe.RtlCheckRegistryKey() retval=00000000 ret=007a8edd
0018:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutine(007a0a6c,00000000) ret=007a8f4e
0018:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutine stub: 0x7a0a6c 0
0018:Ret  ntoskrnl.exe.PsSetCreateProcessNotifyRoutine() retval=00000000 ret=007a8f4e
0018:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000090,6c766f48) ret=007add79
...
0018:trace:ntoskrnl:ExAllocatePoolWithTag 144 pool 1 -> 0x11f6f0
0018:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=0011f6f0 ret=007add79
0018:trace:seh:raise_exception code=c0000096 flags=0 addr=0x7ed059b5 ip=7ed059b5 tid=0018
0018:trace:seh:raise_exception  eax=0011f6f0 ebx=0011d2a0 ecx=00000078 edx=00662f54 esi=0011ca28 edi=7ecc0000
0018:trace:seh:raise_exception  ebp=0065fbb8 esp=0065fb90 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010246
0018:trace:seh:call_vectored_handlers calling handler at 0x7ecd7f51 code=c0000096 flags=0
0018:trace:seh:call_vectored_handlers handler at 0x7ecd7f51 returned 0
0018:trace:seh:call_stack_handlers calling handler at 0x7bcb057c code=c0000096 flags=0
0018:Call KERNEL32.UnhandledExceptionFilter(0065f694) ret=7bcb05b7
wine: Unhandled privileged instruction at address 0x7ed059b5 (thread 0018), starting debugger...
--- snip ---

Disassembly:

--- snip ---
...
007ADD65  68 486F766C    PUSH 6C766F48
007ADD6A  33C0           XOR EAX,EAX
007ADD6C  66:8B45 F6     MOV AX,WORD PTR SS:[EBP-A]
007ADD70  50             PUSH EAX
007ADD71  6A 01          PUSH 1
007ADD73  FF15 50F47E00  CALL DWORD PTR DS:[7EF450] ; ExAllocatePoolWithTag
007ADD79  8945 F8        MOV DWORD PTR SS:[EBP-8],EAX
007ADD7C  837D F8 00     CMP DWORD PTR SS:[EBP-8],0
007ADD80  0F84 50000000  JE hardlock.007ADDD6
007ADD86  8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
007ADD89  33C9           XOR ECX,ECX
007ADD8B  66:8B08        MOV CX,WORD PTR DS:[EAX]
007ADD8E  51             PUSH ECX
007ADD8F  8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
007ADD92  8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
007ADD95  50             PUSH EAX
007ADD96  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
007ADD99  50             PUSH EAX
007ADD9A  E8 A70F0400    CALL hardlock.007EED46     ; *boom*
007ADD9F  83C4 0C        ADD ESP,0C
...
--- snip ---

Driver's "IAT":

--- snip ---
...
007EED46  FF25 88F47E00    JMP DWORD PTR DS:[7EF488] ; ntoskrnl.7ED059B5
007EED4C  FF25 8CF47E00    JMP DWORD PTR DS:[7EF48C] ; ntoskrnl.7ECD6504
007EED52  FF25 90F47E00    JMP DWORD PTR DS:[7EF490] ; ntoskrnl.7ECDBD4F
007EED58  FF25 94F47E00    JMP DWORD PTR DS:[7EF494] ; ntoskrnl.7ECDD5A6
007EED5E  FF25 98F47E00    JMP DWORD PTR DS:[7EF498] ; ntoskrnl.7ECD6294
...
--- snip ---

--- snip ---
7ED059B5  6376736D  msvc
7ED059B9  6D2E7472  rt.m
7ED059BD  6F6D6D65  emmo
7ED059C1  6D006576  ve.m
7ED059C5  72637673  svcr
7ED059C9  656D2E74  t.me
7ED059CD  7465736D  mset
7ED059D1  76736D00  .msv
7ED059D5  2E747263  crt.
7ED059D9  726F7371  qsor
7ED059DD  736D0074  t.ms
--- snip ---

$ wine --version
wine-3.3-263-gbf7b21ec7b

Regards
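
The dump above shows the resolved slot pointing at the text "msvcrt.memmove" rather than at code. In the PE format an export RVA that lies inside the export directory's own range is a forwarder string, so a resolver has to test for that before storing the address. The following is an added example, not part of the original bug comment and not Wine's or either driver's code; `classify_export`, `build_sample` and the 64-byte image layout are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum export_kind { EXPORT_CODE, EXPORT_FORWARDER, EXPORT_INVALID };

/* An export RVA inside the export directory's own range is not code but a
 * NUL-terminated "module.function" forwarder string; check before use. */
enum export_kind classify_export(const uint8_t *image, uint32_t image_size,
                                 uint32_t dir_rva, uint32_t dir_size,
                                 uint32_t func_rva,
                                 char *module, char *func, size_t cap)
{
    if (dir_rva > image_size || dir_size > image_size - dir_rva ||
        func_rva >= image_size)
        return EXPORT_INVALID;
    if (func_rva < dir_rva || func_rva >= dir_rva + dir_size)
        return EXPORT_CODE;                 /* ordinary export, callable */
    const char *str = (const char *)image + func_rva;
    const char *nul = memchr(str, 0, dir_rva + dir_size - func_rva);
    if (!nul)
        return EXPORT_INVALID;              /* string runs past the directory */
    const char *dot = strrchr(str, '.');    /* split at last '.', this example's choice */
    if (!dot || dot == str || dot + 1 == nul)
        return EXPORT_INVALID;
    size_t mlen = (size_t)(dot - str), flen = (size_t)(nul - dot - 1);
    if (mlen >= cap || flen >= cap)
        return EXPORT_INVALID;
    memcpy(module, str, mlen);
    module[mlen] = '\0';
    memcpy(func, dot + 1, flen + 1);        /* copies the terminating NUL too */
    return EXPORT_FORWARDER;
}

/* Constructed 64-byte "image": export directory at RVA 0x10, size 0x30,
 * holding forwarder strings as in the dump; RVA 0x08 stands in for code. */
static uint8_t sample[64];
const uint8_t *build_sample(void)
{
    memcpy(sample + 0x20, "msvcrt.memmove\0msvcrt.memset", 29);
    return sample;
}

int main(void)
{
    char mod[32], fn[32];
    if (classify_export(build_sample(), 64, 0x10, 0x30, 0x20, mod, fn, 32) == EXPORT_FORWARDER)
        printf("forwarder to %s!%s, resolve that instead of calling the RVA\n", mod, fn);
    return 0;
}
```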
