[Bug 47014] New: Multiple kernel drivers need 'ntoskrnl.exe.ExInitializePagedLookasideList' implementation (Norton 360/Symantec Eraser Control Driver)
wine-bugs at winehq.org
Sun Apr 14 12:52:20 CDT 2019
https://bugs.winehq.org/show_bug.cgi?id=47014
Bug ID: 47014
Summary: Multiple kernel drivers need
'ntoskrnl.exe.ExInitializePagedLookasideList'
implementation (Norton 360/Symantec Eraser Control
Driver)
Product: Wine
Version: 4.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 45819
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wineboot >>log.txt 2>&1
...
0016:trace:ntoskrnl:load_driver loading driver L"C:\\Program Files
(x86)\\Common Files\\Symantec Shared\\EENGINE\\eeCtrl64.sys"
0016:Call KERNEL32.LoadLibraryW(00027b00 L"C:\\Program Files (x86)\\Common
Files\\Symantec Shared\\EENGINE\\eeCtrl64.sys") ret=7f9a9cb4baec
...
0016:Ret KERNEL32.LoadLibraryW() retval=00450000 ret=7f9a9cb4baec
...
0016:trace:ntoskrnl:load_driver_module L"C:\\Program Files (x86)\\Common
Files\\Symantec Shared\\EENGINE\\eeCtrl64.sys": relocating from 0x10000 to
0x450000
...
0016:Call driver init 0x4b6118
(obj=0x278a0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\eeCtrl")
...
0016:Call ntoskrnl.exe.KeQueryActiveProcessors() ret=0046c4a7
0016:Call KERNEL32.GetProcessAffinityMask(ffffffffffffffff,0032f3b8,00000000)
ret=7f9a9cb52f10
0016:Ret KERNEL32.GetProcessAffinityMask() retval=00000001 ret=7f9a9cb52f10
0016:Ret ntoskrnl.exe.KeQueryActiveProcessors() retval=000000ff ret=0046c4a7
0016:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00000440,56664343)
ret=0046c4e5
0016:Call ntdll.RtlAllocateHeap(00010000,00000000,00000440) ret=7f9a9cb4aff8
0016:Ret ntdll.RtlAllocateHeap() retval=00030120 ret=7f9a9cb4aff8
0016:trace:ntoskrnl:ExAllocatePoolWithTag 1088 pool 0 -> 0x30120
0016:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=00030120 ret=0046c4e5
0016:Call
ntoskrnl.exe.ExInitializePagedLookasideList(00030140,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000)
ret=0046c54d
0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x30140, 0x46c6ac,
0x46c6f4, 0, 584, 1449542467, 0
0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c
ret=0046c54d
0016:Call
ntoskrnl.exe.ExInitializePagedLookasideList(000301c0,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000)
ret=0046c54d
0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x301c0, 0x46c6ac,
0x46c6f4, 0, 584, 1449542467, 0
0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c
ret=0046c54d
0016:Call
ntoskrnl.exe.ExInitializePagedLookasideList(00030240,0046c6ac,0046c6f4,00000000,00000248,56664343,00000000)
ret=0046c54d
0016:fixme:ntoskrnl:ExInitializePagedLookasideList stub: 0x30240, 0x46c6ac,
0x46c6f4, 0, 584, 1449542467, 0
0016:Ret ntoskrnl.exe.ExInitializePagedLookasideList() retval=0000006c
ret=0046c54d
...
0016:Call ntoskrnl.exe.RtlInitUnicodeString(0032f3a0,004565b8 L"Started")
ret=00464bfe
0016:Call ntdll.RtlInitUnicodeString(0032f3a0,004565b8 L"Started") ret=7bc8de2f
0016:Ret ntdll.RtlInitUnicodeString() retval=00000010 ret=7bc8de2f
0016:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=00000010 ret=00464bfe
0016:Call
ntoskrnl.exe.ZwCreateKey(0032f328,000f003f,0032f370,00000000,00000000,00000001,00000000)
ret=0046cb6c
0016:Call
ntdll.NtCreateKey(0032f328,000f003f,0032f370,00000000,00000000,00000001,00000000)
ret=7bc8de2f
0016:Ret ntdll.NtCreateKey() retval=00000000 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ZwCreateKey() retval=00000000 ret=0046cb6c
0016:Call ntoskrnl.exe.ZwClose(0000003c) ret=0046c926
0016:Call ntdll.NtClose(0000003c) ret=7bc8de2f
0016:Ret ntdll.NtClose() retval=00000000 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=0046c926
0016:Call ntoskrnl.exe.ZwClose(00000038) ret=0046c926
0016:Call ntdll.NtClose(00000038) ret=7bc8de2f
0016:Ret ntdll.NtClose() retval=00000000 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=0046c926
0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b
0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f
0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=00010310 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00010310
ret=00466c3b
0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b
0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f
0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=000309c0 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=000309c0
ret=00466c3b
0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(0002f880) ret=00466c3b
0016:Call ntdll.RtlInterlockedPopEntrySList(0002f880) ret=7bc8de2f
0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=000100f0 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=000100f0
ret=00466c3b
0016:Call ntoskrnl.exe.RtlInitUnicodeString(0032f2d0,004abc50 L"*.sys")
ret=004702ba
0016:Call ntdll.RtlInitUnicodeString(0032f2d0,004abc50 L"*.sys") ret=7bc8de2f
0016:Ret ntdll.RtlInitUnicodeString() retval=0000000c ret=7bc8de2f
0016:Ret ntoskrnl.exe.RtlInitUnicodeString() retval=0000000c ret=004702ba
0016:Call ntoskrnl.exe.RtlAppendUnicodeStringToString(0032f360,0032f2d0)
ret=00466d7c
0016:Call ntdll.RtlAppendUnicodeStringToString(0032f360,0032f2d0) ret=7bc8de2f
0016:Ret ntdll.RtlAppendUnicodeStringToString() retval=00000000 ret=7bc8de2f
0016:Ret ntoskrnl.exe.RtlAppendUnicodeStringToString() retval=00000000
ret=00466d7c
0016:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(00030140) ret=00470873
0016:Call ntdll.RtlInterlockedPopEntrySList(00030140) ret=7bc8de2f
0016:Ret ntdll.RtlInterlockedPopEntrySList() retval=00000000 ret=7bc8de2f
0016:Ret ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00000000
ret=00470873
0016:trace:seh:NtRaiseException code=c0000005 flags=0 addr=(nil) ip=0 tid=0016
0016:trace:seh:NtRaiseException info[0]=0000000000000008
0016:trace:seh:NtRaiseException info[1]=0000000000000000
0016:trace:seh:NtRaiseException rax=0000000000000000 rbx=0000000000030140
rcx=0000000000000000 rdx=0000000000000000
0016:trace:seh:NtRaiseException rsi=000000000032f350 rdi=0000000000000120
rbp=00000000000100f0 rsp=000000000032f278
0016:trace:seh:NtRaiseException r8=0000000000000000 r9=000000000032ea82
r10=0000000000000000 r11=0000000000000000
0016:trace:seh:NtRaiseException r12=000000000002e3e0 r13=0000000000000000
r14=000000000002e320 r15=0000000000000100
...
--- snip ---
Annotated disassembly from driver crash site:
--- snip ---
0000000000470834 | push rbx |
0000000000470836 | sub rsp,20 |
000000000047083A | cmp qword ptr ds:[4602C8],0 |
0000000000470842 | je eectrl64.47088A |
0000000000470844 | mov al,byte ptr gs:[184] |
000000000047084C | xor edx,edx |
000000000047084E | movzx eax,al |
0000000000470851 | div dword ptr ds:[4602D4] |
0000000000470857 | imul edx,dword ptr ds:[4602D0] |
000000000047085E | mov ebx,edx |
0000000000470860 | add rbx,qword ptr ds:[4602C8] |
0000000000470867 | mov rcx,rbx | ListHead
000000000047086A | inc dword ptr ds:[rbx+14] | Lookaside->L.TotalAllocates++
000000000047086D | call qword ptr ds:[452110] | ExpInterlockedPopEntrySList()
0000000000470873 | test rax,rax |
0000000000470876 | jne eectrl64.4708C1 |
0000000000470878 | mov edx,dword ptr ds:[rbx+2C] | Lookaside->L.Size
000000000047087B | mov r8d,dword ptr ds:[rbx+28] | Lookaside->L.Tag
000000000047087F | mov ecx,dword ptr ds:[rbx+24] | Lookaside->L.Type
0000000000470882 | inc dword ptr ds:[rbx+18] | Lookaside->L.AllocateMisses++
0000000000470885 | call qword ptr ds:[rbx+30] | Lookaside->L.Allocate() -> *boom*
0000000000470888 | jmp eectrl64.4708C1 |
000000000047088A | inc dword ptr ds:[460254] | Lookaside->L.TotalAllocates++
0000000000470890 | lea rcx,qword ptr ds:[460240] | ListHead
0000000000470897 | call qword ptr ds:[452110] | ExpInterlockedPopEntrySList()
000000000047089D | test rax,rax |
00000000004708A0 | jne eectrl64.4708C1 |
00000000004708A2 | mov edx,dword ptr ds:[46026C] | Lookaside->L.Size
00000000004708A8 | mov r8d,dword ptr ds:[460268] | Lookaside->L.Tag
00000000004708AF | mov ecx,dword ptr ds:[460264] | Lookaside->L.Type
00000000004708B5 | inc dword ptr ds:[460258] | Lookaside->L.AllocateMisses++
00000000004708BB | call qword ptr ds:[460270] | Lookaside->L.Allocate
00000000004708C1 | add rsp,20 |
00000000004708C5 | pop rbx |
00000000004708C6 | ret |
--- snip ---
Not sure if I got all the members/offsets correct (GENERAL_LOOKASIDE_LAYOUT)
but it should give you the idea.
https://source.winehq.org/git/wine.git/blob/HEAD:/include/ddk/wdm.h#l1302
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-exinitializepagedlookasidelist
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.c#l2407
--- snip ---
/***********************************************************************
 *           ExInitializePagedLookasideList   (NTOSKRNL.EXE.@)
 */
void WINAPI ExInitializePagedLookasideList(PPAGED_LOOKASIDE_LIST Lookaside,
                                           PALLOCATE_FUNCTION Allocate,
                                           PFREE_FUNCTION Free,
                                           ULONG Flags,
                                           SIZE_T Size,
                                           ULONG Tag,
                                           USHORT Depth)
{
    FIXME( "stub: %p, %p, %p, %u, %lu, %u, %u\n", Lookaside, Allocate, Free, Flags, Size, Tag, Depth );
}
--- snip ---
Likely needed for a lot of other drivers as well, hence keeping the summary
generic.
$ sha1sum N360-TW-21.1.0-EN.exe
aa05ccf9668e166ef28923d451f1c2ecad6f75f1 N360-TW-21.1.0-EN.exe
$ du -sh N360-TW-21.1.0-EN.exe
203M N360-TW-21.1.0-EN.exe
$ wine --version
wine-4.6
Regards
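The failure mode analysed in the report above, as an added example (not code from Wine, the driver, or the original message): a simplified model in which a do-nothing init leaves the lookaside structure untouched, so the allocate path pops NULL from the empty list and then reaches a NULL Allocate pointer. The struct layout, the function names and the `drv_alloc` callback are assumptions for illustration; the size and tag are the values from the trace.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef void *(*alloc_fn)(uint32_t type, size_t size, uint32_t tag);
typedef void (*free_fn)(void *p);
/* Simplified model: only the fields the annotated disassembly touches. */
struct lookaside {
    void    *list_head;                 /* stand-in for the SList header */
    uint32_t total_allocates, allocate_misses;
    uint32_t type, tag, size;
    alloc_fn allocate;
    free_fn  release;
};
static void *drv_alloc(uint32_t type, size_t size, uint32_t tag)
{ (void)type; (void)tag; return malloc(size); } /* constructed driver callback */
/* Behaviour of the FIXME stub: the arguments are dropped, nothing is stored. */
static void init_stub(struct lookaside *l, alloc_fn a, free_fn f, uint32_t size, uint32_t tag)
{ (void)l; (void)a; (void)f; (void)size; (void)tag; }
/* Minimal initialisation that records what the caller passed. */
static void init_filled(struct lookaside *l, alloc_fn a, free_fn f, uint32_t size, uint32_t tag)
{
    memset(l, 0, sizeof(*l));
    l->type = 1;                        /* PagedPool in the POOL_TYPE enum */
    l->tag = tag; l->size = size;
    l->allocate = a; l->release = f;
}
/* Same steps as the driver's inlined path, plus a NULL check the driver lacks. */
static int alloc_from(struct lookaside *l, void **out)
{
    l->total_allocates++;
    *out = l->list_head;                /* pop; an empty list yields NULL */
    if (*out) { l->list_head = *(void **)*out; return 0; }
    l->allocate_misses++;
    if (!l->allocate) return -1;        /* driver does "call [rbx+30]" with 0 here */
    *out = l->allocate(l->type, l->size, l->tag);
    return *out ? 0 : -2;
}
/* Run one init variant on zeroed memory; returns alloc_from's status. */
static int demo(int use_stub)
{
    struct lookaside *l = calloc(1, sizeof(*l));
    void *p = NULL;
    if (!l) return -3;
    (use_stub ? init_stub : init_filled)(l, drv_alloc, free, 0x248, 0x56664343);
    int rc = alloc_from(l, &p);
    if (p) l->release(p);
    free(l);
    return rc;
}
int main(void) { return (demo(1) == -1 && demo(0) == 0) ? 0 : 1; }
```

The `-1` return marks the point where the real driver has no check and jumps to address 0, which matches the `ip=0` exception in the trace.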