[Bug 48235] New: Multiple applications need 'ntdll.NtWow64QueryInformationProcess64' (IP Camera Viewer 4.x)

WineHQ Bugzilla wine-bugs at winehq.org
Fri Dec 6 04:27:06 CST 2019


https://bugs.winehq.org/show_bug.cgi?id=48235

            Bug ID: 48235
           Summary: Multiple applications need
                    'ntdll.NtWow64QueryInformationProcess64' (IP Camera
                    Viewer 4.x)
           Product: Wine
           Version: 4.21
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

crash was reported in https://bugs.winehq.org/show_bug.cgi?id=44456#c7

Trace log:

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files (x86)/Deskshare/IP Camera Viewer 4

$ WINEDEBUG=+seh,+relay wine ./IP\ Camera\ Viewer.exe >>log.txt 2>&1
...
0041:Call KERNEL32.IsWow64Process(ffffffff,0032f64c) ret=004034fc
0041:Call ntdll.NtQueryInformationProcess(ffffffff,0000001a,0032f5fc,00000004,00000000) ret=71276334
0041:Ret  ntdll.NtQueryInformationProcess() retval=00000000 ret=71276334
0041:Ret  KERNEL32.IsWow64Process() retval=00000001 ret=004034fc
0041:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0041
0041:trace:seh:raise_exception  info[0]=00000000
0041:trace:seh:raise_exception  info[1]=00000000
0041:trace:seh:raise_exception  eax=0032f658 ebx=00000000 ecx=00000000 edx=00000001 esi=00000000 edi=00000003
0041:trace:seh:raise_exception  ebp=0032f690 esp=0032f640 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010202
0041:trace:seh:call_stack_handlers calling handler at 0x7b4740b0 code=c0000005 flags=0
...
wine: Unhandled page fault on read access to 00000000 at address 00000000 (thread 0041), starting debugger...
...
--- snip ---

Disassembly of crash site:

--- snip ---
004034C6 | lea eax,dword ptr ss:[ebp-4]  |
004034C9 | push eax                      |
004034CA | push 30                       |
004034CC | lea eax,dword ptr ss:[ebp-38] |
004034CF | push eax                      |
004034D0 | push 0                        |
004034D2 | push FFFFFFFF                 |
004034D4 | call dword ptr ds:[406024]    | *boom* (NULL)
004034DA | mov ecx,dword ptr ss:[ebp-30] |
004034DD | xor edx,edx                   |
004034DF | test eax,eax                  |
004034E1 | cmovne ecx,edx                |
004034E4 | mov eax,ecx                   |
004034E6 | leave                         |
004034E7 | ret                           |
--- snip ---

Walking backwards by using 'Find reference to address' in debugger:

--- snip ---
Address  Disassembly

004023A7 mov dword ptr ds:[406024],eax
004034D4 call dword ptr ds:[406024]
--- snip ---

Code around 004023A7 -> part of custom imports resolver:

--- snip ---
00402391 | push ip camera viewer.401138  | "NtWow64QueryInformationProcess64"
00402396 | push ebx                      |
00402397 | mov dword ptr ds:[406028],eax |
0040239C | call edi                      |
0040239E | push eax                      |
0040239F | call esi                      |
004023A1 | push ip camera viewer.40115C  | "memcpy"
004023A6 | push ebx                      |
004023A7 | mov dword ptr ds:[406024],eax |
004023AC | call edi                      |
...
--- snip ---

Finding the corresponding part of trace log:

--- snip ---
...
0041:Call KERNEL32.GetModuleHandleW(004010c0 L"ntdll") ret=0040239e
0041:Call ntdll.RtlInitUnicodeString(0032f5f8,004010c0 L"ntdll") ret=7125a3f6
0041:Ret  ntdll.RtlInitUnicodeString() retval=0000000c ret=7125a3f6
0041:Call ntdll.LdrGetDllHandle(00000000,00000000,0032f5f8,0032f5f0) ret=7125a41c
0041:Ret  ntdll.LdrGetDllHandle() retval=00000000 ret=7125a41c
0041:Ret  KERNEL32.GetModuleHandleW() retval=7bc30000 ret=0040239e
0041:Call KERNEL32.GetProcAddress(7bc30000,00401138 "NtWow64QueryInformationProcess64") ret=004023a1
0041:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=004023a1
...
--- snip ---

Example code:

https://github.com/giampaolo/psutil/blob/master/psutil/arch/windows/process_info.c#L555

VirusTotal info:

https://www.virustotal.com/gui/file/190493c2c25d07cefc0b131f7afc162ab04a7850ed68c5423230dd276de639ff/details

https://www.virustotal.com/gui/file/190493c2c25d07cefc0b131f7afc162ab04a7850ed68c5423230dd276de639ff/behavior/VirusTotal%20Jujubox

$ sha1sum IPCameraViewer.exe 
373a8311265ee8980e4ceb7b1d55524430add2fc  IPCameraViewer.exe

$ du -sh IPCameraViewer.exe 
20M    IPCameraViewer.exe

$ wine --version
wine-4.21-138-g7ca1c4900e

Regards

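Added example (not part of the original report and not Wine or application code): a Python triage helper for `WINEDEBUG=+relay,+seh` logs like the one in this report. It lists `GetProcAddress` lookups that returned NULL and marks those followed by an access violation at `ip=0` on the same thread. The sample lines are rejoined from the trace above; the successful `memcpy` lookup and its addresses are constructed for contrast.

```python
import re

CALL = re.compile(r'^(\w+):Call KERNEL32\.(GetModuleHandleW|GetProcAddress)\((.*)\) ret=(\w+)$')
RET = re.compile(r'^(\w+):Ret\s+KERNEL32\.(GetModuleHandleW|GetProcAddress)\(\) retval=(\w+) ret=(\w+)$')
FAULT = re.compile(r'^(\w+):trace:seh:raise_exception code=c0000005 .*\bip=0+\b')

# Constructed sample: relay lines from the report with the mail wrapping undone;
# the "memcpy" lookup result and return address are invented for contrast.
SAMPLE_LOG = """\
0041:Call KERNEL32.GetModuleHandleW(004010c0 L"ntdll") ret=0040239e
0041:Ret  KERNEL32.GetModuleHandleW() retval=7bc30000 ret=0040239e
0041:Call KERNEL32.GetProcAddress(7bc30000,00401138 "NtWow64QueryInformationProcess64") ret=004023a1
0041:Ret  KERNEL32.GetProcAddress() retval=00000000 ret=004023a1
0041:Call KERNEL32.GetProcAddress(7bc30000,0040115c "memcpy") ret=004023b3
0041:Ret  KERNEL32.GetProcAddress() retval=7bc5a1b0 ret=004023b3
0041:trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0041
"""

def failed_lookups(log):
    """Return GetProcAddress calls that came back NULL, flagged when the same
    thread later faulted executing address 0 (a call through the empty slot)."""
    pending, modules, missing = {}, {}, []
    for line in map(str.rstrip, log.splitlines()):
        if m := CALL.match(line):
            tid, func, args, ret = m.groups()
            pending[tid, func, ret] = args       # wait for the matching Ret line
        elif m := RET.match(line):
            tid, func, retval, ret = m.groups()
            args = pending.pop((tid, func, ret), "")
            name = re.search(r'"([^"]*)"', args)
            if not name:
                continue
            if func == "GetModuleHandleW":
                modules[retval] = name.group(1)  # module handle -> module name
            elif int(retval, 16) == 0:           # export not found
                handle = args.split(",", 1)[0]
                missing.append({"tid": tid, "module": modules.get(handle, handle),
                                "export": name.group(1), "caller": ret,
                                "null_call_fault": False})
        elif m := FAULT.match(line):
            for entry in missing:                # correlate the crash by thread id
                if entry["tid"] == m.group(1):
                    entry["null_call_fault"] = True
    return missing

if __name__ == "__main__":
    for entry in failed_lookups(SAMPLE_LOG):
        print(entry)
```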