[Bug 46969] New: Multiple 64-bit WDM kernel drivers want Windows 8+ 'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY)

wine-bugs at winehq.org
Sat Apr 6 04:14:42 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=46969

            Bug ID: 46969
           Summary: Multiple 64-bit WDM kernel drivers want Windows 8+
                    'ntdll.RtlQueryRegistryValuesEx' (WIBUKEY)
           Product: Wine
           Version: 4.5
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

As it says. It's not critical, as most kernel drivers fall back to
'ntdll.RtlQueryRegistryValues' if the entry point can't be resolved.

It still produces considerable 'fixme:ntoskrnl:MmGetSystemRoutineAddress
L"RtlQueryRegistryValuesEx" not found' spam in some cases for every registry
value read. Additionally it might lead people to draw incorrect conclusions as
the fallback can't be seen without additional debug channels.

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wineboot >>log.txt 2>&1
...
0025:trace:ntoskrnl:open_driver opened service for driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\WIBUKEY"
...
0025:trace:ntoskrnl:load_driver loading driver L"SYSTEM32\\DRIVERS\\WibuKey64.sys"
0025:Call KERNEL32.LoadLibraryW(00026460 L"SYSTEM32\\DRIVERS\\WibuKey64.sys") ret=7f0a3ebbbe25
...
0025:Call driver init 0x10004ee0 (obj=0x27980,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\WIBUKEY")
...
0025:Call ntoskrnl.exe.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=10005f5f
0025:Call ntdll.RtlInitUnicodeString(0032f260,10012210 L"RtlQueryRegistryValuesEx") ret=7bd10e87
0025:Ret  ntdll.RtlInitUnicodeString() retval=0032f260 ret=7bd10e87
0025:Ret  ntoskrnl.exe.RtlInitUnicodeString() retval=0032f260 ret=10005f5f
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:Call ntdll.RtlUnicodeStringToAnsiString(0032f0a0,0032f260,00000001) ret=7f0a3ebb9187
0025:Ret  ntdll.RtlUnicodeStringToAnsiString() retval=00000000 ret=7f0a3ebb9187
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd1e0 L"ntoskrnl.exe") ret=7f0a3ebb91a5
0025:Ret  KERNEL32.GetModuleHandleW() retval=7f0a3eb90000 ret=7f0a3ebb91a5
0025:Call KERNEL32.GetProcAddress(7f0a3eb90000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb91c3
0025:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb91c3
0025:Call KERNEL32.GetModuleHandleW(7f0a3ebcd200 L"hal.dll") ret=7f0a3ebb91e6
0025:Ret  KERNEL32.GetModuleHandleW() retval=7f0a4cf80000 ret=7f0a3ebb91e6
0025:Call KERNEL32.GetProcAddress(7f0a4cf80000,00026460 "RtlQueryRegistryValuesEx") ret=7f0a3ebb920c
0025:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=7f0a3ebb920c
...
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret  ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Call ntdll.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=7bd10e87
0025:Ret  ntdll.RtlQueryRegistryValues() retval=c0000034 ret=7bd10e87
0025:Ret  ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
...
<repeated dozen times>
...
0025:Ret  driver init 0x10004ee0 (obj=0x27980,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\WIBUKEY") retval=00000000
0025:Call KERNEL32.IsBadStringPtrW(00027918,ffffffffffffffff) ret=7f0a3ebaa4a8
0025:Ret  KERNEL32.IsBadStringPtrW() retval=00000000 ret=7f0a3ebaa4a8
0025:trace:ntoskrnl:init_driver init done for L"WIBUKEY" obj 0x27980
0025:trace:ntoskrnl:init_driver - DriverInit = 0x10004ee0
0025:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0025:trace:ntoskrnl:init_driver - DriverUnload = 0x10005110
0025:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x10005170
0025:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x7f0a3ebb04dd
0025:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f0a3ebb04dd
--- snip ---
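As an added example (not from the bug report and not Wine code), here is a small Python script that reduces a WINEDEBUG=+relay,+ntoskrnl log like the one above to a per-driver summary: which names each driver asked MmGetSystemRoutineAddress for without success, and which NTSTATUS values the RtlQueryRegistryValues fallback returned. With +relay enabled the fallback is present in the log but buried among thousands of relay lines; grouping it by driver makes it visible at a glance. The embedded sample log is constructed to mirror the trace above (a real log keeps each entry on one line; the mail archive wraps them), and the second driver, its thread id and the name HypotheticalRoutine are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the WINEDEBUG=+relay,+ntoskrnl output quoted
# in the bug. The 0031 thread, example64.sys and HypotheticalRoutine are made up
# to show grouping across more than one driver.
SAMPLE_LOG = r"""
0025:trace:ntoskrnl:load_driver loading driver L"SYSTEM32\\DRIVERS\\WibuKey64.sys"
0025:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0032f260) ret=10005f6a
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret  ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=10005f6a
0025:Call ntoskrnl.exe.RtlQueryRegistryValues(00000000,100122e0,000266f0,00000000,00000000) ret=10005f87
0025:Ret  ntoskrnl.exe.RtlQueryRegistryValues() retval=c0000034 ret=10005f87
0025:fixme:ntoskrnl:MmGetSystemRoutineAddress L"RtlQueryRegistryValuesEx" not found
0025:Ret  ntoskrnl.exe.RtlQueryRegistryValues() retval=00000000 ret=10005f87
0025:trace:ntoskrnl:init_driver init done for L"WIBUKEY" obj 0x27980
0031:trace:ntoskrnl:load_driver loading driver L"SYSTEM32\\DRIVERS\\example64.sys"
0031:fixme:ntoskrnl:MmGetSystemRoutineAddress L"HypotheticalRoutine" not found
0031:Ret  ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=20001000
"""

# Every relay/trace line starts with the hex thread id; DriverEntry runs on the
# thread that loaded the driver, so the id is what ties lines to a driver.
LOAD_RE = re.compile(
    r'^(?P<tid>[0-9a-f]+):trace:ntoskrnl:load_driver loading driver L"(?P<path>[^"]+)"')
FIXME_RE = re.compile(
    r'^(?P<tid>[0-9a-f]+):fixme:ntoskrnl:MmGetSystemRoutineAddress L"(?P<name>[^"]+)" not found')
# Only the ntoskrnl.exe return is counted, not the inner ntdll one, to avoid
# counting each fallback call twice.
FALLBACK_RE = re.compile(
    r'^(?P<tid>[0-9a-f]+):Ret\s+ntoskrnl\.exe\.RtlQueryRegistryValues\(\) retval=(?P<status>[0-9a-f]{8})')

# NTSTATUS values that appear in the report; anything else is shown as raw hex.
STATUS_NAMES = {
    "00000000": "STATUS_SUCCESS",
    "c0000034": "STATUS_OBJECT_NAME_NOT_FOUND",
}


def summarize(log_text):
    """Return {driver file name: {"missing": Counter, "fallback": Counter}}."""
    driver_for_tid = {}
    report = defaultdict(lambda: {"missing": Counter(), "fallback": Counter()})
    for line in log_text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            # Wine prints the full path; keep just the file name as the key.
            driver_for_tid[m["tid"]] = m["path"].rsplit("\\", 1)[-1]
            continue
        m = FIXME_RE.match(line)
        if m:
            driver = driver_for_tid.get(m["tid"], "<unknown>")
            report[driver]["missing"][m["name"]] += 1
            continue
        m = FALLBACK_RE.match(line)
        if m:
            driver = driver_for_tid.get(m["tid"], "<unknown>")
            status = STATUS_NAMES.get(m["status"], "0x" + m["status"])
            report[driver]["fallback"][status] += 1
    return dict(report)


def format_report(report):
    """Render the summary as indented text, one block per driver."""
    lines = []
    for driver in sorted(report):
        lines.append(driver)
        for name, n in report[driver]["missing"].most_common():
            lines.append(f"  unresolved system routine {name}: {n} lookups")
        for status, n in report[driver]["fallback"].most_common():
            lines.append(f"  RtlQueryRegistryValues fallback returned {status}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(text)))
```

Run it with the path to a log captured as in the report (or with no argument to use the constructed sample); a lookup count far above one per driver is the "once per registry value read" pattern the report describes.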

The prototype seems to be the same as 'ntdll.RtlQueryRegistryValues':

https://github.com/Gbps/gbhv/blob/master/gbhv/phnt/ntrtl.h#L6903

--- snip ---
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValues(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );

// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryRegistryValuesEx(
    _In_ ULONG RelativeTo,
    _In_ PWSTR Path,
    _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable,
    _In_ PVOID Context,
    _In_opt_ PVOID Environment
    );
--- snip ---

https://www.geoffchappell.com/studies/windows/win32/ntdll/api/index.htm

https://www.geoffchappell.com/studies/windows/win32/ntdll/history/names62.htm

--- quote ---
RtlQueryRegistryValuesEx     6.2 and higher 
--- quote ---

The purpose of this function is mentioned here (which also explains why the
prototype is the same):

http://www.powerofcommunity.net/poc2012/mj0011.pdf ("Using a Patched
Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement")

Slide 15 "Windows8 Kernel Security Improvements":

--- quote ---
Kernel Security Improvements on Windows 8:
...
Introducing the new RtlQueryRegistryValuesEx function.

Windows 8 drivers use this new function as much as possible. If driver calls
new function and the registry key is untrusted, it would cause BugCheck =
KERNEL_SECURITY_CHECK_FAILURE.
--- quote ---

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntdll/reg.c#l1218

--- snip ---
1218 /*************************************************************************
1219  * RtlQueryRegistryValues   [NTDLL.@]
1220  *
1221  * Query multiple registry values with a single call.
1222  *
1223  * PARAMS
1224  *  RelativeTo  [I] Registry path that Path refers to
1225  *  Path        [I] Path to key
1226  *  QueryTable  [I] Table of key values to query
1227  *  Context     [I] Parameter to pass to the application defined QueryRoutine function
1228  *  Environment [I] Optional parameter to use when performing expansion
1229  *
1230  * RETURNS
1231  *  STATUS_SUCCESS or an appropriate NTSTATUS error code.
1232  */
1233 NTSTATUS WINAPI RtlQueryRegistryValues(IN ULONG RelativeTo, IN PCWSTR Path,
1234                                        IN PRTL_QUERY_REGISTRY_TABLE QueryTable, IN PVOID Context,
1235                                        IN PVOID Environment OPTIONAL)
1236 {
...
--- snip ---
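Given that the two prototypes match, the smallest way to make the +relay GetProcAddress lookup above succeed is to export the Ex name from ntdll as an alias of the existing implementation and forward it from ntoskrnl.exe. The spec-file lines below are an added illustration, not a proposal from the bug report and not Wine's actual commit; the argument list is assumed to be the same as the existing RtlQueryRegistryValues entry in each spec file.

```
# dlls/ntdll/ntdll.spec (assumed entry, placed next to the existing RtlQueryRegistryValues line)
@ stdcall RtlQueryRegistryValuesEx(long ptr ptr ptr ptr) RtlQueryRegistryValues

# dlls/ntoskrnl.exe/ntoskrnl.exe.spec (assumed entry, forwarding to ntdll like the other Rtl exports)
@ stdcall RtlQueryRegistryValuesEx(long ptr ptr ptr ptr) ntdll.RtlQueryRegistryValuesEx
```

One caveat worth keeping in mind: on Windows 8 the Ex variant exists precisely to bugcheck when the queried key is untrusted (see the slide quoted above), so an alias like this resolves the missing export and silences the fixme spam without reproducing that check. That is fine for compatibility, but a driver relying on the Ex function as a hardening measure gets no such guarantee under the alias.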
$ sha1sum ARCHICAD-22-USA-3006-1.4.exe 
981ffe19e9b03b2736dddc335c9dfc8a7cfe0750  ARCHICAD-22-USA-3006-1.4.exe

$ du -sh ARCHICAD-22-USA-3006-1.4.exe 
1.9G    ARCHICAD-22-USA-3006-1.4.exe

$ wine --version
wine-4.5-227-g6552b7144e

Regards
