[Bug 50431] New: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\\SystemRoot\\system32\\drivers' and 'WOW64=1'

WineHQ Bugzilla wine-bugs at winehq.org
Thu Dec 31 12:52:20 CST 2020


https://bugs.winehq.org/show_bug.cgi?id=50431

            Bug ID: 50431
           Summary: SCM erroneously tries to start 64-bit kernel drivers
                    as 32-bit service when 'ImagePath' contains
                    '\\SystemRoot\\system32\\drivers' and 'WOW64=1'
           Product: Wine
           Version: 6.0-rc4
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: programs
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says. Bug 47175 (https://bugs.winehq.org/show_bug.cgi?id=47175#c4) is
kinda related but the mistake is not in the service creation part.

Norton AntiVirus 2010 installer creates several 32-bit and 64-bit services. The
kernel driver services are 64-bit by design (64-bit WINEPREFIX).

The registry entries for these services contain a mix of different styles.
'WOW64' is always set because the services were created by a 32-bit installer
process. Wine uses this flag only in case of failure to determine the binary
type. 64-bit kernel drivers should always be started as 64-bit.

Registry:

--- snip ---
...

[System\\CurrentControlSet\\Services\\BHDrvx64] 1609425565
"Description"="SONAR Engine Driver"
"DisplayName"="BHDrvx64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\BASHDefs\\20090829.001\\BHDrvx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001

...

[System\\CurrentControlSet\\Services\\IDSVia64] 1609419518
"Description"="Symantec Intrusion Prevention Driver"
"DisplayName"="IDSVia64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\IPSDefs\\20090828.002\\IDSVia64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001

...

[System\\CurrentControlSet\\Services\\ccHP] 1609437834
#time=1d6df9f4d82eda4
"DisplayName"="Symantec Hash Provider"
"ErrorControl"=dword:00000001
"ImagePath"="\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001

...
--- snip ---

The 'ccHP' kernel service doesn't work here. SCM erroneously starts the 'winedevice'
hosting process as 32-bit, hence loading the 64-bit kernel driver binary will
obviously fail.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers/NAVx64/1100000.088

$ file *

cchpx64.cat:   data
ccHPx64.inf:   Windows setup INFormation
ccHPx64.sys:   PE32+ executable (native) x86-64, for MS Windows
iron.cat:      data
Iron.inf:      Windows setup INFormation
Ironx64.sys:   PE32+ executable (native) x86-64, for MS Windows
isolate.ini:   Little-endian UTF-16 Unicode text, with CRLF line terminators
srtsp64.cat:   data
srtsp64.inf:   Windows setup INFormation
srtsp64.sys:   PE32+ executable (native) x86-64, for MS Windows
srtspx64.cat:  data
srtspx64.inf:  Windows setup INFormation
srtspx64.sys:  PE32+ executable (native) x86-64, for MS Windows
SymDS64.cat:   data
SymDS64.sys:   PE32+ executable (native) x86-64, for MS Windows
SymDS.inf:     Windows setup INFormation
SymEFA64.cat:  data
SymEFA64.sys:  PE32+ executable (native) x86-64, for MS Windows
SymEFA.inf:    Windows setup INFormation
symnet64.cat:  data
SymNet.inf:    Windows setup INFormation
symnetv64.cat: data
SymNetV.inf:   Windows setup INFormation
symtdiv.sys:   PE32+ executable (native) x86-64, for MS Windows
--- snip ---

Trace log:

--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl,+ntdll,+server,+service wineboot >>log.txt 2>&1
...
003c:trace:service:load_service_config Image path           = L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
003c:trace:service:load_service_config Group                = (null)
...
003c:trace:service:load_service_config Service account name = L"LocalSystem"
...
003c:trace:service:load_service_config Display name         = L"Symantec Hash Provider"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies   : (none)
...
003c:Call KERNEL32.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=1400062de
003c:Call kernelbase.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=7bc4429f
003c:Call ntdll.RtlInitUnicodeString(0021f628,0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7b042c06
003c:Ret  ntdll.RtlInitUnicodeString() retval=00000078 ret=7b042c06
003c:Call ntdll.RtlExpandEnvironmentStrings_U(00000000,0021f628,0021f618,0021f614) ret=7b042c47
003c:Ret  ntdll.RtlExpandEnvironmentStrings_U() retval=00000000 ret=7b042c47
003c:Ret  kernelbase.ExpandEnvironmentStringsW() retval=0000003c ret=7bc4429f
003c:Ret  KERNEL32.ExpandEnvironmentStringsW() retval=0000003c ret=1400062de
003c:Call KERNEL32.GetBinaryTypeW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f7c0) ret=140006473
003c:Call kernelbase.CreateFileW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",80000000,00000001,00000000,7fd700000003,00000000,00000000) ret=7b61b63d
...
003c:Call ntdll.RtlDosPathNameToNtPathName_U(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f458,00000000,00000000) ret=7b0160a0
003c:Ret  ntdll.RtlDosPathNameToNtPathName_U() retval=00000001 ret=7b0160a0
003c:Call ntdll.NtCreateFile(0021f3e8,80100080,0021f428,0021f418,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7b01623a
003c:Ret  ntdll.NtCreateFile() retval=c000003a ret=7b01623a
003c:Call ntdll.RtlNtStatusToDosError(c000003a) ret=7b01633c
003c:Ret  ntdll.RtlNtStatusToDosError() retval=00000003 ret=7b01633c
...
003c:Ret  kernelbase.CreateFileW() retval=ffffffffffffffff ret=7b61b63d
003c:Ret  KERNEL32.GetBinaryTypeW() retval=00000000 ret=140006473
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
...
0054:Call KERNEL32.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=0036490e
0054:Call kernelbase.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7bc3ab84
...
0054:Call ntdll.LdrGetDllPath(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",00000000,00d5faf0,00d5fae8) ret=7b01bc26
0054:Ret  ntdll.LdrGetDllPath() retval=00000000 ret=7b01bc26
...
0054:Call ntdll.LdrLoadDll(0012d958 L"C:\\windows\\syswow64;C:\\windows\\system32;C:\\windows\\system;C:\\windows;.;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem;C:\\windows\\system32\\WindowsPowershell\\v1.0",00000000,00d5fb10,00d5faf8) ret=7b01bdfc
...
0054: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000000,sd={},name=L""}, filename="/home/focht/projects/wine/mainline-install-x86_64/lib/wine/cchpx64.sys" )
...
0054: create_file() = NO_SUCH_FILE { handle=0000 }
...
0054:Ret  ntdll.LdrLoadDll() retval=c0000135 ret=7b01bdfc
...
0054:Ret  kernelbase.LoadLibraryW() retval=00000000 ret=7bc3ab84
...
0054:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ccHP": c0000142
--- snip ---

'\\SystemRoot\\system32\\drivers' is a valid path for REG_EXPAND_SZ type
'ImagePath' as well. It doesn't need to be '%SystemRoot%\\xxx'.

Due to the 'GetBinaryTypeW' failure, the "else" path is taken, which uses the 'WOW64'
flag. All services created by the 32-bit installer have 'WOW64' set by design,
including the 64-bit services, which leads to the incorrect "fallback" choice.

Wine source:

https://source.winehq.org/git/wine.git/blob/784cb2060ab63076adc349dcb1d15a6cb5eb2bc4:/programs/services/services.c#l856

--- snip ---
 856 static DWORD get_winedevice_binary_path(struct service_entry *service_entry, WCHAR **path, BOOL *is_wow64)
 857 {
 858     static const WCHAR winedeviceW[] = {'\\','w','i','n','e','d','e','v','i','c','e','.','e','x','e',0};
 859     WCHAR system_dir[MAX_PATH];
 860     DWORD type;
 861 
 862     if (!is_win64)
 863         *is_wow64 = FALSE;
 864     else if (GetBinaryTypeW(*path, &type))
 865         *is_wow64 = (type == SCS_32BIT_BINARY);
 866     else
 867         *is_wow64 = service_entry->is_wow64;
 868 
 869     GetSystemDirectoryW(system_dir, MAX_PATH);
 870     HeapFree(GetProcessHeap(), 0, *path);
 871     if (!(*path = HeapAlloc(GetProcessHeap(), 0, lstrlenW(system_dir) * sizeof(WCHAR) + sizeof(winedeviceW))))
 872         return ERROR_NOT_ENOUGH_SERVER_MEMORY;
 873 
 874     lstrcpyW(*path, system_dir);
 875     lstrcatW(*path, winedeviceW);
 876     return ERROR_SUCCESS;
 877 }
--- snip ---
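As an added illustration (not Wine code and not part of this report), the following portable C sketch shows the two checks the analysis above calls for: resolving the ImagePath prefixes a driver service key may carry ('\SystemRoot\', '%SystemRoot%\', '\??\' and a path relative to SystemRoot) into a DOS path, and reading the bitness from the PE header itself, so that the registry 'WOW64' value, which the installer wrote and which says nothing reliable about the image, is consulted only when the image really cannot be parsed. The function names, the minimal PE header builder and the sample paths are constructed for this example; the PE constants are the standard values from the PE/COFF format.

```c
/* Added example: decide a driver's bitness from its PE header rather than
 * from the installer-written WOW64 registry value.  Not Wine code. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define IMAGE_DOS_SIGNATURE      0x5A4D     /* "MZ" */
#define IMAGE_NT_SIGNATURE       0x00004550 /* "PE\0\0" */
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define PE32_MAGIC               0x10b
#define PE32PLUS_MAGIC           0x20b

enum pe_bits { PE_UNKNOWN = 0, PE_32 = 32, PE_64 = 64 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Read only the e_lfanew pointer, the COFF Machine field and the optional
 * header Magic; every offset is bounds-checked against len before use. */
enum pe_bits pe_bitness(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != IMAGE_DOS_SIGNATURE) return PE_UNKNOWN;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* need PE signature (4) + COFF header (20) + optional header magic (2) */
    if (e_lfanew > len || len - e_lfanew < 26) return PE_UNKNOWN;
    const unsigned char *nt = buf + e_lfanew;
    if (rd32(nt) != IMAGE_NT_SIGNATURE) return PE_UNKNOWN;
    uint16_t machine = rd16(nt + 4);   /* IMAGE_FILE_HEADER.Machine */
    uint16_t magic   = rd16(nt + 24);  /* IMAGE_OPTIONAL_HEADER.Magic */
    if (machine == IMAGE_FILE_MACHINE_AMD64 && magic == PE32PLUS_MAGIC) return PE_64;
    if (machine == IMAGE_FILE_MACHINE_I386  && magic == PE32_MAGIC)     return PE_32;
    return PE_UNKNOWN;   /* mismatched or unsupported: refuse to guess */
}

/* Rewrite the ImagePath forms seen in driver service keys into a DOS path
 * under system_root (e.g. "C:\\windows").  Returns 0 on success, -1 if the
 * result does not fit into out. */
int resolve_image_path(const char *image_path, const char *system_root,
                       char *out, size_t outlen)
{
    const char *rel = NULL;
    if (strncasecmp(image_path, "\\SystemRoot\\", 12) == 0)      rel = image_path + 12;
    else if (strncasecmp(image_path, "%SystemRoot%\\", 13) == 0) rel = image_path + 13;
    else if (strncmp(image_path, "\\??\\", 4) == 0)               image_path += 4;
    else if (!(isalpha((unsigned char)image_path[0]) && image_path[1] == ':'))
        rel = image_path;                       /* bare path: relative to SystemRoot */
    int n = rel ? snprintf(out, outlen, "%s\\%s", system_root, rel)
                : snprintf(out, outlen, "%s", image_path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The ordering the report argues for: the image header is authoritative, the
 * registry flag is a last resort when the image cannot be read or parsed. */
int driver_needs_wow64_host(const unsigned char *image, size_t len, int reg_wow64)
{
    switch (pe_bitness(image, len)) {
    case PE_32: return 1;
    case PE_64: return 0;
    default:    return reg_wow64 ? 1 : 0;
    }
}

/* Constructed minimal image: DOS header, PE signature, COFF header and the
 * first two bytes of the optional header.  Enough for pe_bitness, not loadable. */
size_t build_min_pe(unsigned char *buf, size_t cap, uint16_t machine, uint16_t magic)
{
    const uint32_t e_lfanew = 0x40;
    size_t need = e_lfanew + 26;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (unsigned char)e_lfanew;          /* little-endian, fits in one byte */
    buf[e_lfanew] = 'P'; buf[e_lfanew + 1] = 'E';
    buf[e_lfanew + 4]  = (unsigned char)(machine & 0xff); buf[e_lfanew + 5]  = (unsigned char)(machine >> 8);
    buf[e_lfanew + 24] = (unsigned char)(magic & 0xff);   buf[e_lfanew + 25] = (unsigned char)(magic >> 8);
    return need;
}

int main(void)
{
    unsigned char img[128];
    char path[260];
    size_t n = build_min_pe(img, sizeof img, IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC);
    resolve_image_path("\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",
                       "C:\\windows", path, sizeof path);
    /* a 64-bit image with WOW64=1 in the registry still gets a 64-bit host */
    printf("%s -> %d-bit, wow64 host: %d\n", path, pe_bitness(img, n),
           driver_needs_wow64_host(img, n, 1));
    return 0;
}
```

The point of ordering the checks this way is that the 'WOW64' value is metadata written by whichever process created the service, while the Machine and Magic fields describe the binary that is actually about to be loaded into the driver host; when the two disagree, the header wins, and the flag only decides for an image that cannot be opened at all.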

Virustotal.com scan of the binary:

https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20da60e08e68966788eb5258a1/details

$ sha1sum NAV10TBEN.exe 
eadfb9c860146186c548aba695a9be87607f5586  NAV10TBEN.exe

$ du -sh NAV10TBEN.exe 
74M    NAV10TBEN.exe

$ wine --version
wine-6.0-rc4

Regards
