[Bug 47062] New: Multiple E-Banking applications by KOBIL Systems GmbH crash on startup due to ntdll.NtQueryDirectoryObject '\\KnownDlls' failure (MigrosBank EBanking 8.2.x, Sparda Bank SecureApp 1.x)

wine-bugs at winehq.org wine-bugs at winehq.org
Mon Apr 22 11:13:36 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=47062

            Bug ID: 47062
           Summary: Multiple E-Banking applications by KOBIL Systems GmbH
                    crash on startup due to ntdll.NtQueryDirectoryObject
                    '\\KnownDlls' failure (MigrosBank EBanking 8.2.x,
                    Sparda Bank SecureApp 1.x)
           Product: Wine
           Version: 4.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

continuation of bug 47061

Stable links for current installers:

Sparda Bank SecureApp:

https://web.archive.org/web/20190422125056/https://www.sparda.de/secureapp-pc/medien/spardasecureapp_p.exe

Corresponding VirusTotal scan:

https://www.virustotal.com/gui/file/444c501236d5704e43ff5238a03b2c66a08eeba046ac246613d605256f9d50db/details

---

MigrosBank EBanking app:

https://web.archive.org/web/20190422124354/https://download.migrosbank.ch/mid/MigrosBank-EBanking-Win-8.2.2205.exe

Corresponding VirusTotal scan:

https://www.virustotal.com/gui/file/9cd93cc70c6a8b24dbf47a3d20c9a1ed5f6341405b194eea008ded3e0b168b16/details

---

Trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Application Data/Sparda/AST-Client

$ WINEDEBUG=+seh,+relay wine ./SpardaSecureApp.exe >>log.txt 2>&1
...
002b:Call TLS callback
(proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Call KERNEL32.VirtualAlloc(00000000,00000006,00003000,00000004)
ret=2001256a
002b:Ret  KERNEL32.VirtualAlloc() retval=00340000 ret=2001256a
002b:Call KERNEL32.VirtualAlloc(00000000,00000017,00003000,00000004)
ret=2001258d
002b:Ret  KERNEL32.VirtualAlloc() retval=00350000 ret=2001258d
002b:Call KERNEL32.GetModuleHandleA(00340000 "ntdll") ret=20012652
002b:Ret  KERNEL32.GetModuleHandleA() retval=7bc10000 ret=20012652
002b:Call KERNEL32.GetProcAddress(7bc10000,00350000 "NtSetInformationThread")
ret=20012659
002b:Ret  KERNEL32.GetProcAddress() retval=7bc24870 ret=20012659 
...
002b:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20010706
002b:Ret  TLS callback
(proc=0x20010530,module=0x20000000,reason=PROCESS_ATTACH,reserved=0)
002b:Starting process L"C:\\users\\focht\\Application
Data\\Sparda\\AST-Client\\SpardaSecureApp.exe" (entryproc=0x2002954a)
...
002b:Call KERNEL32.LoadLibraryExW(20061890
L"api-ms-win-core-synch-l1-2-0",00000000,00000800) ret=2002e36c
002b:trace:ntdll:FILE_CreateFile handle=0x33f860 access=80100000
name=L"\\??\\C:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll"
objattr=00000040 root=(nil) sec=(nil) io=0x33f870 alloc_size=(nil)
attr=00000000 sharing=00000005 disp=1 options=00000060 ea=(nil).0x00000000
002b:Call LDR notification callback
(proc=0x20010d80,reason=1,data=0x33fc5c,context=(nil))
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20015ced
002b:Ret  KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fb30,00380112 L"\\KnownDlls")
ret=20015db1
002b:Ret  ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fba8,00000003,0033fb64) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject
(0x33fba8,0x00000003,{name=L"\\KnownDlls", attr=0x00000040, hRoot=(nil),
sd=(nil)}
)
002b:Ret  ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20015ced
002b:Ret  KERNEL32.VirtualAlloc() retval=00380000 ret=20015ced
002b:Call ntdll.RtlInitUnicodeString(0033fae8,00380112 L"\\KnownDlls")
ret=20015db1
002b:Ret  ntdll.RtlInitUnicodeString() retval=00000016 ret=20015db1
002b:Call ntdll.NtOpenDirectoryObject(0033fb60,00000003,0033fb1c) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject
(0x33fb60,0x00000003,{name=L"\\KnownDlls", attr=0x00000040, hRoot=(nil),
sd=(nil)}
)
002b:Ret  ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20015e48
002b:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20015e48
002b:Call KERNEL32.VirtualAlloc(00000000,000001f4,00001000,00000004)
ret=20016641
002b:Ret  KERNEL32.VirtualAlloc() retval=00380000 ret=20016641
002b:Call KERNEL32.VirtualFree(00380000,00000000,00008000) ret=20016756
002b:Ret  KERNEL32.VirtualFree() retval=00000001 ret=20016756
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66
ip=7bcb7c66 tid=002b
002b:trace:seh:raise_exception  info[0]=00000000
002b:trace:seh:raise_exception  info[1]=00000000
002b:trace:seh:raise_exception  eax=7bcb7c60 ebx=7bc2c030 ecx=00000000
edx=00000000 esi=0033fbb8 edi=0033fb84
002b:trace:seh:raise_exception  ebp=0033fb78 esp=0033fb78 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
002b:trace:seh:call_stack_handlers calling handler at 0x2002e0e0 code=c0000005
flags=0
002b:trace:seh:call_stack_handlers handler at 0x2002e0e0 returned 1
002b:trace:seh:call_stack_handlers calling handler at 0x7b4a0c30 code=c0000005
flags=0 
...
Unhandled exception: page fault on read access to 0x00000000 in 32-bit code
(0x7bcb7c66).
...
Backtrace:
=>0 0x7bcb7c66 NTDLL_wcslen+0x6(str=0x0(nil))
[/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll
(0x0033fb78)
  1 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fba0)
  2 0x7bc2c04a __wine_stub__fltused+0x97c1() in ntdll (0x0033fc08)
  3 0x2001675d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc08)
  4 0x20010d9d EntryPoint+0xffffffff() in spardasecureapp (0x0033fc18)
  5 0x7bc5b5c4 call_ldr_notifications+0x83(reason=0x1, module=<is not
available>) [/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:371] in
ntdll (0x0033fc88)
  6 0x7bc6078f process_attach.part+0x10e() in ntdll (0x0033fcc8)
  7 0x7bc65777 LdrLoadDll+0x81(path_name=<couldn't compute location>,
flags=<couldn't compute location>, libname=<couldn't compute location>,
hModule=<couldn't compute location>)
[/home/focht/projects/wine/mainline-src/dlls/ntdll/loader.c:1288] in ntdll
(0x0033fd08)
  8 0x7b4689cc load_library+0xdb(libname=0x33fda8, flags=0x800)
[/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:975] in kernel32
(0x0033fd88)
  9 0x7b4690e1 LoadLibraryExW+0xdb()
[/home/focht/projects/wine/mainline-src/dlls/kernel32/module.c:1035] in
kernel32 (0x0033fdc8)
  10 0x7bc7ef34 relay_call+0x43() in ntdll (0x0033fdfc)
  11 0x7b429d56 __wine_stub___wine_call_from_16_regs+0x6515() in kernel32
(0x0033fe28)
  12 0x2002e36c in spardasecureapp (+0x2e36b) (0x0033fe28)
  13 0x2002e2d5 in spardasecureapp (+0x2e2d4) (0x0033fe40)
  14 0x2002e4b4 in spardasecureapp (+0x2e4b3) (0x0033fe5c)
  15 0x2002e894 in spardasecureapp (+0x2e893) (0x0033fe80)
  16 0x200293f5 EntryPoint+0xffffffff() in spardasecureapp (0x0033fec0)
  17 0x7b4729f2 call_process_entry+0x11() in kernel32 (0x0033fed8)
  18 0x7b47531a start_process+0x149(entry=<couldn't compute location>,
peb=<couldn't compute location>)
[/home/focht/projects/wine/mainline-src/dlls/kernel32/process.c:1256] in
kernel32 (0x0033ffd8)
  19 0x7b4729fe start_process_wrapper+0x9() in kernel32 (0x0033ffec)
0x7bcb7c66 NTDLL_wcslen+0x6
[/home/focht/projects/wine/mainline-src/include/wine/unicode.h:201] in ntdll:
cmpw    $0,0x0(%edx)
201        while (*s) s++;
Modules:
Module    Address            Debug info    Name (20 modules)
PE    20000000-200d8000    Export          spardasecureapp
ELF    7b400000-7b830000    Dwarf           kernel32<elf>
  \-PE    7b420000-7b830000    \               kernel32
ELF    7bc00000-7bd2a000    Dwarf           ntdll<elf>
  \-PE    7bc10000-7bd2a000    \               ntdll
ELF    7c000000-7c004000    Deferred        <wine-loader> 
...
Threads:
process  tid      prio (all id:s are in hex) 
...
0000002a (D) C:\users\focht\Application
Data\Sparda\AST-Client\SpardaSecureApp.exe
    0000002b    0 <==
--- snip ---

Some prerequisite info:
https://blogs.msdn.microsoft.com/larryosterman/2004/07/19/what-are-known-dlls-anyway/

Apparently the protection code wants to look at the '\\KnownDlls' directory object,
using 'ntdll.NtQueryDirectoryObject' to enumerate entries
(OBJECT_DIRECTORY_INFORMATION), which obviously fails under Wine.

$ sha1sum spardasecureapp_p.exe 
d579216a3a61555c68a75636893216b8a4233737  spardasecureapp_p.exe

$ du -sh spardasecureapp_p.exe 
9.6M    spardasecureapp_p.exe

$ wine --version
wine-4.6-108-g9d7d68747b

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
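
A small triage helper for traces like the one in this report, added here as an example (it is not part of the original report or of Wine). It rejoins the mail-wrapped lines, pairs relay Call/Ret records per thread, and reports Nt* calls that returned an error NTSTATUS plus the call in flight when the first exception was raised. The sample is abridged from the trace above; all function and variable names are this example's own.

```python
import re

# Abridged from the +seh,+relay trace in this report, mail line-wrapping left in.
SAMPLE = r'''002b:Call ntdll.NtOpenDirectoryObject(0033fba8,00000003,0033fb64) ret=20015e36
002b:trace:ntdll:NtOpenDirectoryObject
(0x33fba8,0x00000003,{name=L"\\KnownDlls", attr=0x00000040, hRoot=(nil),
sd=(nil)}
)
002b:Ret  ntdll.NtOpenDirectoryObject() retval=c0000034 ret=20015e36
002b:Call ntdll.wcslen(00000000) ret=2001675d
002b:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7bcb7c66
ip=7bcb7c66 tid=002b
'''

NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND", 0xC0000005: "STATUS_ACCESS_VIOLATION"}
TID = re.compile(r'^[0-9a-f]{4}:')
CALL = re.compile(r'^([0-9a-f]{4}):Call ([\w-]+)\.(\w+)\((.*)\) ret=')
RET = re.compile(r'^([0-9a-f]{4}):Ret +([\w-]+)\.(\w+)\(.*\) retval=([0-9a-f]{8})')
EXC = re.compile(r'^([0-9a-f]{4}):trace:seh:raise_exception code=([0-9a-f]{8})')
NAME = re.compile(r'name=L"([^"]*)"')

def rejoin(text):
    """Merge wrapped continuation lines back onto their 'tid:' record."""
    records = []
    for line in text.splitlines():
        if TID.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (failed Nt* calls, first exception) found in a relay trace."""
    stacks, failures, crash = {}, [], None
    for rec in rejoin(text):
        if m := CALL.match(rec):
            stacks.setdefault(m[1], []).append({"func": m[3], "args": m[4], "name": None})
        elif (m := NAME.search(rec)) and stacks.get(rec[:4]):
            stacks[rec[:4]][-1]["name"] = m[1]  # object name logged by ntdll trace
        elif m := RET.match(rec):
            call = stacks[m[1]].pop() if stacks.get(m[1]) else {"name": None}
            status = int(m[4], 16)
            # Only Nt* calls return NTSTATUS; top two bits set means error severity.
            if m[3].startswith("Nt") and status >> 30 == 3:
                failures.append((m[3], call["name"], NTSTATUS.get(status, hex(status))))
        elif (m := EXC.match(rec)) and crash is None:
            pending = (stacks.get(m[1]) or [{"func": None, "args": None}])[-1]
            crash = (NTSTATUS.get(int(m[2], 16), m[2]), pending["func"], pending["args"])
    return failures, crash
```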


