[Bug 45926] New: Windows Sysinternals ProcessExplorer v12-16+ crashes due to missing advapi32.I_QueryTagInformation () stub

wine-bugs at winehq.org wine-bugs at winehq.org
Wed Oct 3 07:03:12 CDT 2018


https://bugs.winehq.org/show_bug.cgi?id=45926

            Bug ID: 45926
           Summary: Windows Sysinternals ProcessExplorer v12-16+ crashes
                    due to missing advapi32.I_QueryTagInformation() stub
           Product: Wine
           Version: 3.17
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: advapi32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

--- snip ---
$ WINEDEBUG=+seh,+relay wine ./procexp64.exe >>log.txt 2>&1
...
002d:Call KERNEL32.LoadLibraryW(1400d20a8 L"advapi32.dll") ret=140080b4a
002d:Ret  KERNEL32.LoadLibraryW() retval=7f4d2a1a0000 ret=140080b4a
002d:Call KERNEL32.GetProcAddress(7f4d2a1a0000,1400ecf08
"I_QueryTagInformation") ret=140080b5a
002d:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=140080b5a 
...
002d:trace:seh:NtRaiseException code=c0000005 flags=0 addr=(nil) ip=0 tid=002d
002d:trace:seh:NtRaiseException  info[0]=0000000000000008
002d:trace:seh:NtRaiseException  info[1]=0000000000000000
002d:trace:seh:NtRaiseException  rax=0000000000000001 rbx=000000014012c9c8
rcx=0000000000000000 rdx=0000000000000003
002d:trace:seh:NtRaiseException  rsi=000000014012c9c0 rdi=000000014012c9d0
rbp=0000000000000000 rsp=000000000023f9b8
002d:trace:seh:NtRaiseException   r8=000000000023f9e0  r9=000000014012c9c8
r10=0000000000000000 r11=0000000000000246
002d:trace:seh:NtRaiseException  r12=0000000140126560 r13=0000000000000000
r14=000000000000000a r15=0000000140000000
002d:trace:seh:RtlVirtualUnwind type 1 rip 14006377a rsp 23f9c0
002d:trace:seh:dump_unwind_info **** func 63720-637a6 
--- snip ---

Disassembly at crash site (running under x64dbg):

--- snip ---
0000000140063720 | mov qword ptr ss:[rsp+8],rbx  |
0000000140063725 | mov qword ptr ss:[rsp+10],rbp |
000000014006372A | mov qword ptr ss:[rsp+18],rsi |
000000014006372F | push rdi                      |
0000000140063730 | sub rsp,30                    |
0000000140063734 | mov rsi,rcx                   |
0000000140063737 | mov rcx,qword ptr ds:[rcx]    |
000000014006373A | mov rbx,r9                    |
000000014006373D | mov rdi,r8                    |
0000000140063740 | mov rbp,rdx                   |
0000000140063743 | test rcx,rcx                  |
0000000140063746 | je procexp64.14006375B        |
0000000140063748 | call qword ptr ds:[1400D0958] |
000000014006374E | mov qword ptr ds:[rbx],0      |
0000000140063755 | mov dword ptr ds:[rdi],0      |
000000014006375B | lea r8,qword ptr ss:[rsp+20]  |
0000000140063760 | mov edx,3                     |
0000000140063765 | xor ecx,ecx                   |
0000000140063767 | mov dword ptr ss:[rsp+20],ebp |
000000014006376B | mov qword ptr ss:[rsp+28],0   |
0000000140063774 | call qword ptr ds:[14012CC68] | NULL *boom*
000000014006377A | test eax,eax                  |
000000014006377C | jne procexp64.140063791       |
000000014006377E | mov rdx,qword ptr ss:[rsp+28] |
0000000140063783 | mov ecx,dword ptr ds:[rdx]    |
0000000140063785 | mov dword ptr ds:[rdi],ecx    |
0000000140063787 | mov rcx,qword ptr ds:[rdx+8]  |
000000014006378B | mov qword ptr ds:[rbx],rcx    |
000000014006378E | mov qword ptr ds:[rsi],rdx    |
0000000140063791 | mov rbx,qword ptr ss:[rsp+40] |
0000000140063796 | mov rbp,qword ptr ss:[rsp+48] |
000000014006379B | mov rsi,qword ptr ss:[rsp+50] |
00000001400637A0 | add rsp,30                    |
00000001400637A4 | pop rdi                       |
00000001400637A5 | ret                           |
--- snip ---

Using the "find references to address" method for 0x14012CC68 one comes across
this:

--- snip ---
0000000140080B4A | lea rdx,qword ptr ds:[1400ECF08] | "I_QueryTagInformation"
0000000140080B51 | mov rcx,rax                      |
0000000140080B54 | call qword ptr ds:[1400D0968]    |
0000000140080B5A | lea rcx,qword ptr ds:[1400ECF30] | L"wow64cpu"
0000000140080B61 | mov qword ptr ds:[14012CC68],rax |
--- snip ---

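which corresponds to the trace log snippet earlier: the GetProcAddress() result (NULL here, because the export is missing) is stored at 0x14012CC68, and the call site at 0x140063774 does not test it for NULL before the indirect call, hence the access violation at ip=0.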

At some point Wine might also implement service process tags, which map
service-hosting threads to their owning service. Service tags were introduced
with Windows Vista. The tag is stored in the TEB of every thread
(the sub-process tag) and is used in threads owned by service processes as a way
to link them with their owning service name.

https://github.com/processhacker/processhacker/blob/master/phlib/svcsup.c#L431

--- snip ---
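/**
 * Looks up the service name associated with a service tag.
 *
 * \param ProcessId Process ID; converted with HandleToUlong() into the
 * dwPid input field of the query.
 * \param ServiceTag Service tag; converted with PtrToUlong() into the
 * dwTag input field of the query.
 *
 * \return A string created from the returned name, or NULL if
 * I_QueryTagInformation cannot be resolved from advapi32.dll, the query
 * reports failure, or no name was returned.
 */
PPH_STRING PhGetServiceNameFromTag(
    _In_ HANDLE ProcessId,
    _In_ PVOID ServiceTag
    )
{
    static PQUERY_TAG_INFORMATION I_QueryTagInformation = NULL;
    PPH_STRING serviceName = NULL;
    TAG_INFO_NAME_FROM_TAG nameFromTag;

    // The export is resolved lazily and cached in the static pointer.
    // It is optional, so a failed lookup must never be called through.
    if (!I_QueryTagInformation)
    {
        I_QueryTagInformation = PhGetDllProcedureAddress(L"advapi32.dll", "I_QueryTagInformation", 0);

        if (!I_QueryTagInformation)
            return NULL;
    }

    // Zero the whole structure so the output pointer is NULL unless the
    // callee writes it.
    memset(&nameFromTag, 0, sizeof(TAG_INFO_NAME_FROM_TAG));
    nameFromTag.InParams.dwPid = HandleToUlong(ProcessId);
    nameFromTag.InParams.dwTag = PtrToUlong(ServiceTag);

    // The result must be inspected; only trust the output fields when the
    // call reports success.
    // NOTE(review): a zero return is taken to mean success - confirm against
    // the API contract.
    if (I_QueryTagInformation(NULL, eTagInfoLevelNameFromTag, &nameFromTag) != 0)
        return NULL;

    if (nameFromTag.OutParams.pszName)
    {
        serviceName = PhCreateString(nameFromTag.OutParams.pszName);
        // The returned buffer is released with LocalFree once it has been copied.
        LocalFree(nameFromTag.OutParams.pszName);
    }

    return serviceName;
}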
--- snip ---

https://github.com/processhacker/processhacker/blob/2bb718f36a702fde6cb346e9179696bb8c758d1f/phnt/include/subprocesstag.h

--- snip ---
/*
 * Queries service tag information.
 *
 * pszMachineName  Optional machine name; may be NULL (_In_opt_).
 * eInfoLevel      Selects which TAG_INFO_LEVEL query to perform.
 * pTagInfo        Caller-supplied structure for the chosen level; it is both
 *                 read and written by the call (_Inout_).
 *
 * Returns a DWORD that the caller must inspect (_Must_inspect_result_).
 * NOTE(review): presumably a Win32 error code with 0 meaning success - confirm.
 */
_Must_inspect_result_
DWORD
WINAPI
I_QueryTagInformation(
    _In_opt_ LPCWSTR pszMachineName,
    _In_ TAG_INFO_LEVEL eInfoLevel,
    _Inout_ PVOID pTagInfo
);
--- snip ---

$ sha1sum ProcessExplorer.zip 
97d882b15890471ea9942c80997c180fbfcbba26  ProcessExplorer.zip

$ du -sh ProcessExplorer.zip 
1.9M    ProcessExplorer.zip

$wine --version
wine-3.17-39-gc96eba60e3

Regards



