[Bug 47062] New: Multiple E-Banking applications by KOBIL Systems GmbH crash on startup due to ntdll.NtQueryDirectoryObject '\\KnownDlls' failure (MigrosBank EBanking 8.2.x, Sparda Bank SecureApp 1.x)
wine-bugs at winehq.org
Mon Apr 22 11:13:36 CDT 2019
https://bugs.winehq.org/show_bug.cgi?id=47062
Bug ID: 47062
Summary: Multiple E-Banking applications by KOBIL Systems GmbH
crash on startup due to ntdll.NtQueryDirectoryObject
'\\KnownDlls' failure (MigrosBank EBanking 8.2.x,
Sparda Bank SecureApp 1.x)
Product: Wine
Version: 4.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 47061
Stable links for current installers:
Sparda Bank SecureApp:
https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-pc/medien/spardasecureapp_p.exe
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/444c501236d5704e43ff5238a03b2c66a08eeba046ac246613d605256f9d50db/details
---
MigrosBank EBanking app:
https://web.archive.org/web/20190422124354/https://download.migrosbank.ch/mid/MigrosBank-EBanking-Win-8.2.2205.exe
Corresponding VirusTotal scan:
https://www.virustotal.com/gui/file/9cd93cc70c6a8b24dbf47a3d20c9a1ed5f6341405b194eea008ded3e0b168b16/details
---
Trace log:
--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Application Data/Sparda/AST-Client
$ WINEDEBUG=+seh,+relay wine ./SpardaSecureApp.exe >>log.txt 2>&1
...
002b:Call TLS callback
(proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Call KERNEL32.VirtualAlloc(00000000,00000006,00003000,00000004)
ret=2001256a
002b:Ret KERNEL32.VirtualAlloc() retval=00340000 ret=2001256a
002b:Call KERNEL32.VirtualAlloc(00000000,00000017,00003000,00000004)
ret=2001258d
002b:Ret KERNEL32.VirtualAlloc() retval=00350000 ret=2001258d
002b:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
002b:Ret KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
002b:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread")
ret=20012659
002b:Ret KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659
...
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20010706
002b:Ret TLS callback
(proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Starting process L"C:\\users\\focht\\Application
Data\\Sparda\\AST-Client\\SpardaSecureApp.exe" (entryproc=0x2002954a)
...
002b:Call KERNEL32.LoadLibraryExW(20061890
L"api-ms-win-core-synch-l1-2-0",00000000,00000800) ret=2002e36c
002b:trace:ntdll:FILE_CreateFile handle=0x33f860 access=80100000
name=L"\\??\\C:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll"
objattr=00000040 root=(nil) sec=(nil) io=0x33f870 alloc_size=(nil)
attr=00000000 sharing=00000005 disp=1 options=00000060 ea=(nil).0x00000000
002b:Call LDR notification callback
(proc=0x20010d80,reason=1,data=0x33fc5c,context=(nil))
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20015ced
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fb30,00380112 L"\\KnownDlls")
ret=20015db1
002b:Ret ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fba8,00000003,0033fb64) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject
(0x33fba8,0x00000003,{name=L"\\KnownDlls", attr=0x00000040, hRoot=(nil),
sd=(nil)}
)
002b:Ret ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20015ced
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fae8,00380112 L"\\KnownDlls")
ret=20015db1
002b:Ret ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fb60,00000003,0033fb1c) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject
(0x33fb60,0x00000003,{name=L"\\KnownDlls", attr=0x00000040, hRoot=(nil),
sd=(nil)}
)
002b:Ret ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20016641
002b:Ret KERNEL32.VirtualAlloc() retval=00380000 ret=20016641
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20016756
002b:Ret KERNEL32.VirtualFree() retval=00000001 ret=20016756
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66
ip=7bcb7c66 tid=002b
002b:trace:seh:raise_exception info[0]=00000000
002b:trace:seh:raise_exception info[1]=00000000
002b:trace:seh:raise_exception eax=7bcb7c60 ebx=7bc2c030 ecx=00000000
edx=00000000 esi=0033fbb8 edi=0033fb84
002b:trace:seh:raise_exception ebp=0033fb78 esp=0033fb78 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
002b:trace:seh:call_stack_handlers calling handler at 0x2002e0e0 code=c0000005
flags=0
002b:trace:seh:call_stack_handlers handler at 0x2002e0e0 returned 1
002b:trace:seh:call_stack_handlers calling handler at 0x7b4a0c30 code=c0000005
flags=0
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
(0x7bcb7c66).
...
Backtrace:
=>0 0x7bcb7c66 NTDLL_wcslen+0x6(str=0x0(nil))
[/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll
(0x0033fb78)
1 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fba0)
2 0x7bc2c04a __wine_stub__fltused+0x97c1() in ntdll (0x0033fc08)
3 0x2001675d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc08)
4 0x20010d9d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc18)
5 0x7bc5b5c4 call_ldr_notifications+0x83(reason=0x1, module=<is not
available>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:371] in
ntdll (0x0033fc88)
6 0x7bc6078f process_attach.part+0x10e() in ntdll (0x0033fcc8)
7 0x7bc65777 LdrLoadDll+0x81(path_name=<couldn't compute location>,
flags=<couldn't compute location>, libname=<couldn't compute location>,
hModule=<couldn't compute location>)
[/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:1288] in ntdll
(0x0033fd08)
8 0x7b4689cc load_library+0xdb(libname=0x33fda8, flags=0x800)
[/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:975] in kernel32
(0x0033fd88)
9 0x7b4690e1 LoadLibraryExW+0xdb()
[/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:1035] in
kernel32 (0x0033fdc8)
10 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fdfc)
11 0x7b429d56 __wine_stub___wine_call_from_16_regs+0x6515() in kernel32
(0x0033fe28)
12 0x2002e36c in spardasecureapp (+0x2e36b) (0x0033fe28)
13 0x2002e2d5 in spardasecureapp (+0x2e2d4) (0x0033fe40)
14 0x2002e4b4 in spardasecureapp (+0x2e4b3) (0x0033fe5c)
15 0x2002e894 in spardasecureapp (+0x2e893) (0x0033fe80)
16 0x200293f5 EntryPoint+0xffffffff() in spardasecureapp (0x0033fec0)
17 0x7b4729f2 call_process_entry+0x11() in kernel32 (0x0033fed8)
18 0x7b47531a start_process+0x149(entry=<couldn't compute location>,
peb=<couldn't compute location>)
[/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1256] in
kernel32 (0x0033ffd8)
19 0x7b4729fe start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x7bcb7c66 NTDLL_wcslen+0x6
[/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll:
cmpw $0,0x0(%edx)
201 while (*s) s++;
Modules:
Module Address Debug info Name (20 modules)
PE 20000000-200d8000 Export spardasecureapp
ELF 7b400000-7b830000 Dwarf kernel32<elf>
\-PE 7b420000-7b830000 \ kernel32
ELF 7bc00000-7bd2a000 Dwarf ntdll<elf>
\-PE 7bc10000-7bd2a000 \ ntdll
ELF 7c000000-7c004000 Deferred <wine-loader>
...
Threads:
process tid prio (all id:s are in hex)
...
0000002a (D) C:\users\focht\Application
Data\Sparda\AST-Client\SpardaSecureApp.exe
0000002b 0 <==
--- snip ---
Some prerequisite info:
https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/
Apparently the protection code wants to look at '\\KnownDlls' directory object
using 'ntdll.NtQueryDirectoryObject' to enumerate entries
(OBJECT_DIRECTORY_INFORMATION) which obviously fails under Wine.
$ sha1sum spardasecureapp_p.exe
d579216a3a61555c68a75636893216b8a4233737 spardasecureapp_p.exe
$ du -sh spardasecureapp_p.exe
9.6M spardasecureapp_p.exe
$ wine --version
wine-4.6-108-g9d7d68747b
Regards
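A small triage pass over a `WINEDEBUG=+seh,+relay` log like the one above, as an added example that is not part of the original report or of Wine: it lists native `Nt*`/`Zw*` calls that returned an error NTSTATUS, with the last wide-string name seen on that thread, and the last call made before the first exception. The helper name `triage` is hypothetical, and the sample lines are abridged from the trace with mail-wrapped lines rejoined.

```python
import re

# NTSTATUS codes that occur in the trace; values >= 0xC0000000 have error severity.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC0000005: "STATUS_ACCESS_VIOLATION"}

CALL = re.compile(r"^([0-9a-f]{4}):Call ([\w.-]+)\((.*)\) ret=[0-9a-f]+$")
RET = re.compile(r"^([0-9a-f]{4}):Ret\s+([\w.-]+)\(\) retval=([0-9a-f]+) ret=[0-9a-f]+$")
EXC = re.compile(r"^([0-9a-f]{4}):trace:seh:raise_exception code=([0-9a-f]{8}) ")
WSTR = re.compile(r'L"([^"]*)"')

def triage(lines):
    """Hypothetical helper: return (failed Nt* calls, first crash) from a relay log."""
    last_call, last_name = {}, {}   # both keyed by thread id
    failures, crash = [], None
    for raw in lines:
        line = raw.strip()
        if m := CALL.match(line):
            tid, fn, args = m.groups()
            last_call[tid] = f"{fn}({args})"
            if s := WSTR.search(args):      # e.g. the name given to RtlInitUnicodeString
                last_name[tid] = s.group(1)
        elif m := RET.match(line):
            tid, fn, val = m.group(1), m.group(2), int(m.group(3), 16)
            # Only native Nt*/Zw* services return NTSTATUS; other retvals are addresses etc.
            if fn.startswith(("ntdll.Nt", "ntdll.Zw")) and val >= 0xC0000000:
                failures.append((fn, NTSTATUS.get(val, hex(val)), last_name.get(tid)))
        elif (m := EXC.match(line)) and crash is None:
            tid, code = m.group(1), int(m.group(2), 16)
            crash = (NTSTATUS.get(code, hex(code)), last_call.get(tid))
    return failures, crash

# Abridged from the trace in the report, with mail-wrapped lines rejoined.
SAMPLE = r'''
002b:Call ntdll.RtlInitUnicodeString(0033fb30,00380112 L"\\KnownDlls") ret=20015db1
002b:Ret  ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fba8,00000003,0033fb64) ret=20015e36
002b:Ret  ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66 ip=7bcb7c66 tid=002b
'''.splitlines()

if __name__ == "__main__":
    failed, crash = triage(SAMPLE)
    for fn, status, name in failed:
        print(f"{fn} -> {status} (last object name seen: {name})")
    print("crash:", crash)
```

The parser expects one log record per line, so a log that has been wrapped by a mail client needs its continuation lines rejoined first.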