[Bug 50431] New: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service when 'ImagePath' contains '\\SystemRoot\\system32\\drivers' and 'WOW64=1'
WineHQ Bugzilla
wine-bugs at winehq.org
Thu Dec 31 12:52:20 CST 2020
https://bugs.winehq.org/show_bug.cgi?id=50431
Bug ID: 50431
Summary: SCM erroneously tries to start 64-bit kernel drivers
as 32-bit service when 'ImagePath' contains
'\\SystemRoot\\system32\\drivers' and 'WOW64=1'
Product: Wine
Version: 6.0-rc4
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: programs
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
as it says. Bug 47175 (https://bugs.winehq.org/show_bug.cgi?id=47175#c4) is
kind of related, but the mistake is not in the service creation part.
Norton AntiVirus 2010 installer creates several 32-bit and 64-bit services. The
kernel driver services are 64-bit by design (64-bit WINEPREFIX).
The registry entries for these services contain a mix of different styles.
'WOW64' is always set because the services were created by a 32-bit installer
process. Wine uses this flag only in case of failure to determine the binary
type. 64-bit kernel drivers should always be started as 64-bit.
Registry:
--- snip ---
...
[System\\CurrentControlSet\\Services\\BHDrvx64] 1609425565
"Description"="SONAR Engine Driver"
"DisplayName"="BHDrvx64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\BASHDefs\\20090829.001\\BHDrvx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\\CurrentControlSet\\Services\\IDSVia64] 1609419518
"Description"="Symantec Intrusion Prevention Driver"
"DisplayName"="IDSVia64"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NAV_17.0.0.136\\Definitions\\IPSDefs\\20090828.002\\IDSVia64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
[System\\CurrentControlSet\\Services\\ccHP] 1609437834
#time=1d6df9f4d82eda4
"DisplayName"="Symantec Hash Provider"
"ErrorControl"=dword:00000001
"ImagePath"="\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000001
"Type"=dword:00000001
"WOW64"=dword:00000001
...
--- snip ---
The 'ccHP' kernel service doesn't work here. SCM erroneously starts the 'winedevice'
hosting process as 32-bit, hence loading the 64-bit kernel driver binary
obviously fails.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers/NAVx64/1100000.088
$ file *
cchpx64.cat: data
ccHPx64.inf: Windows setup INFormation
ccHPx64.sys: PE32+ executable (native) x86-64, for MS Windows
iron.cat: data
Iron.inf: Windows setup INFormation
Ironx64.sys: PE32+ executable (native) x86-64, for MS Windows
isolate.ini: Little-endian UTF-16 Unicode text, with CRLF line terminators
srtsp64.cat: data
srtsp64.inf: Windows setup INFormation
srtsp64.sys: PE32+ executable (native) x86-64, for MS Windows
srtspx64.cat: data
srtspx64.inf: Windows setup INFormation
srtspx64.sys: PE32+ executable (native) x86-64, for MS Windows
SymDS64.cat: data
SymDS64.sys: PE32+ executable (native) x86-64, for MS Windows
SymDS.inf: Windows setup INFormation
SymEFA64.cat: data
SymEFA64.sys: PE32+ executable (native) x86-64, for MS Windows
SymEFA.inf: Windows setup INFormation
symnet64.cat: data
SymNet.inf: Windows setup INFormation
symnetv64.cat: data
SymNetV.inf: Windows setup INFormation
symtdiv.sys: PE32+ executable (native) x86-64, for MS Windows
--- snip ---
Trace log:
--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl,+ntdll,+server,+service wineboot >>log.txt 2>&1
...
003c:trace:service:load_service_config Image path = L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
003c:trace:service:load_service_config Group = (null)
...
003c:trace:service:load_service_config Service account name = L"LocalSystem"
...
003c:trace:service:load_service_config Display name = L"Symantec Hash Provider"
003c:trace:service:load_service_config Service dependencies : (none)
003c:trace:service:load_service_config Group dependencies : (none)
...
003c:Call KERNEL32.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=1400062de
003c:Call kernelbase.ExpandEnvironmentStringsW(0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",000439c0,0000003c) ret=7bc4429f
003c:Call ntdll.RtlInitUnicodeString(0021f628,0003b9d0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7b042c06
003c:Ret ntdll.RtlInitUnicodeString() retval=00000078 ret=7b042c06
003c:Call ntdll.RtlExpandEnvironmentStrings_U(00000000,0021f628,0021f618,0021f614) ret=7b042c47
003c:Ret ntdll.RtlExpandEnvironmentStrings_U() retval=00000000 ret=7b042c47
003c:Ret kernelbase.ExpandEnvironmentStringsW() retval=0000003c ret=7bc4429f
003c:Ret KERNEL32.ExpandEnvironmentStringsW() retval=0000003c ret=1400062de
003c:Call KERNEL32.GetBinaryTypeW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f7c0) ret=140006473
003c:Call kernelbase.CreateFileW(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",80000000,00000001,00000000,7fd700000003,00000000,00000000) ret=7b61b63d
...
003c:Call ntdll.RtlDosPathNameToNtPathName_U(000439c0 L"\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",0021f458,00000000,00000000) ret=7b0160a0
003c:Ret ntdll.RtlDosPathNameToNtPathName_U() retval=00000001 ret=7b0160a0
003c:Call ntdll.NtCreateFile(0021f3e8,80100080,0021f428,0021f418,00000000,00000000,00000001,00000001,00000060,00000000,00000000) ret=7b01623a
003c:Ret ntdll.NtCreateFile() retval=c000003a ret=7b01623a
003c:Call ntdll.RtlNtStatusToDosError(c000003a) ret=7b01633c
003c:Ret ntdll.RtlNtStatusToDosError() retval=00000003 ret=7b01633c
...
003c:Ret kernelbase.CreateFileW() retval=ffffffffffffffff ret=7b61b63d
003c:Ret KERNEL32.GetBinaryTypeW() retval=00000000 ret=140006473
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
...
0054:Call KERNEL32.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=0036490e
0054:Call kernelbase.LoadLibraryW(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=7bc3ab84
...
0054:Call ntdll.LdrGetDllPath(0012d578 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys",00000000,00d5faf0,00d5fae8) ret=7b01bc26
0054:Ret ntdll.LdrGetDllPath() retval=00000000 ret=7b01bc26
...
0054:Call ntdll.LdrLoadDll(0012d958 L"C:\\windows\\syswow64;C:\\windows\\system32;C:\\windows\\system;C:\\windows;.;C:\\windows\\system32;C:\\windows;C:\\windows\\system32\\wbem;C:\\windows\\system32\\WindowsPowershell\\v1.0",00000000,00d5fb10,00d5faf8) ret=7b01bdfc
...
0054: create_file( access=80100000, sharing=00000005, create=1, options=00000060, attrs=00000000, objattr={rootdir=0000,attributes=00000000,sd={},name=L""}, filename="/home/focht/projects/wine/mainline-install-x86_64/lib/wine/cchpx64.sys" )
...
0054: create_file() = NO_SUCH_FILE { handle=0000 }
...
0054:Ret ntdll.LdrLoadDll() retval=c0000135 ret=7b01bdfc
...
0054:Ret kernelbase.LoadLibraryW() retval=00000000 ret=7bc3ab84
...
0054:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ccHP": c0000142
--- snip ---
'\\SystemRoot\\system32\\drivers' is a valid path for a REG_EXPAND_SZ type
'ImagePath' as well. It doesn't need to be '%SystemRoot%\\xxx'.
Due to the 'GetBinaryTypeW' failure, the "else" path is taken, which uses the 'WOW64'
flag. All services created by a 32-bit installer have 'WOW64' set by design,
including the 64-bit services, which leads to the incorrect "fallback" choice.
Wine source:
https://source.winehq.org/git/wine.git/blob/784cb2060ab63076adc349dcb1d15a6cb5eb2bc4:/programs/services/services.c#l856
--- snip ---
856 static DWORD get_winedevice_binary_path(struct service_entry *service_entry, WCHAR **path, BOOL *is_wow64)
857 {
858     static const WCHAR winedeviceW[] = {'\\','w','i','n','e','d','e','v','i','c','e','.','e','x','e',0};
859     WCHAR system_dir[MAX_PATH];
860     DWORD type;
861
862     if (!is_win64)
863         *is_wow64 = FALSE;
864     else if (GetBinaryTypeW(*path, &type))
865         *is_wow64 = (type == SCS_32BIT_BINARY);
866     else
867         *is_wow64 = service_entry->is_wow64;
868
869     GetSystemDirectoryW(system_dir, MAX_PATH);
870     HeapFree(GetProcessHeap(), 0, *path);
871     if (!(*path = HeapAlloc(GetProcessHeap(), 0, lstrlenW(system_dir) * sizeof(WCHAR) + sizeof(winedeviceW))))
872         return ERROR_NOT_ENOUGH_SERVER_MEMORY;
873
874     lstrcpyW(*path, system_dir);
875     lstrcatW(*path, winedeviceW);
876     return ERROR_SUCCESS;
877 }
--- snip ---
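The decision shown in get_winedevice_binary_path() above, reworked as an added example (this is illustrative code, not Wine's own fix or part of the report): the kernel-style ImagePath prefixes ('\SystemRoot\', '\??\', '%SystemRoot%') are first resolved to a DOS path so the file can actually be opened, the bitness is then read from the PE header itself, and the registry 'WOW64' flag is consulted only when the image truly cannot be read. The system root value, the helper names and the in-memory PE header are assumptions constructed for the demonstration; a real SCM would resolve the root from the system directory and read the header from the file it opened.

```c
/* Added example, not Wine code: resolve a kernel-mode ImagePath and pick the
 * winedevice host bitness from the PE header, using the registry WOW64 flag
 * only as a last resort.  Builds on Linux with a C99 compiler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664

enum host_bitness { HOST_32 = 32, HOST_64 = 64 };

/* Assumed value for the example; a real SCM would query the system directory. */
static const char *SYSTEM_ROOT = "C:\\windows";

static int has_prefix_ci(const char *s, const char *prefix)
{
    return strncasecmp(s, prefix, strlen(prefix)) == 0;
}

/* Rewrite the prefixes that ExpandEnvironmentStringsW leaves untouched
 * (\SystemRoot\ and \??\) plus the usual %SystemRoot% form into a DOS path
 * that CreateFileW/GetBinaryTypeW could open.  Returns 0 on success. */
int normalize_image_path(const char *image_path, char *out, size_t out_len)
{
    int n;
    if (has_prefix_ci(image_path, "\\SystemRoot\\"))
        n = snprintf(out, out_len, "%s\\%s", SYSTEM_ROOT, image_path + 12);
    else if (has_prefix_ci(image_path, "%SystemRoot%\\"))
        n = snprintf(out, out_len, "%s\\%s", SYSTEM_ROOT, image_path + 13);
    else if (strncmp(image_path, "\\??\\", 4) == 0)
        n = snprintf(out, out_len, "%s", image_path + 4);
    else
        n = snprintf(out, out_len, "%s", image_path);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Little-endian readers, so the example is correct on any host. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Extract IMAGE_FILE_HEADER.Machine from an in-memory PE image.
 * Returns 0 on success, -1 if the buffer is not a readable PE image. */
int pe_machine(const uint8_t *img, size_t len, uint16_t *machine)
{
    uint32_t e_lfanew;
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;   /* "PE\0\0" + file header */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    *machine = rd16(img + e_lfanew + 4);
    return 0;
}

/* Same shape as get_winedevice_binary_path(): the binary's own header wins;
 * the registry WOW64 flag is used only when the image cannot be read.  With an
 * unreadable image and WOW64=1 this returns HOST_32, which is exactly how a
 * 64-bit driver ends up in a 32-bit winedevice when the path is not resolved. */
int choose_host_bitness(const uint8_t *img, size_t len, int registry_wow64)
{
    uint16_t machine;
    if (pe_machine(img, len, &machine) == 0) {
        if (machine == IMAGE_FILE_MACHINE_AMD64) return HOST_64;
        if (machine == IMAGE_FILE_MACHINE_I386)  return HOST_32;
    }
    return registry_wow64 ? HOST_32 : HOST_64;
}

/* Constructed minimal PE header (DOS stub + "PE\0\0" + file header, no
 * sections) used as sample input.  Returns the number of bytes written. */
size_t build_fake_pe(uint8_t *buf, size_t cap, uint16_t machine)
{
    const uint32_t e_lfanew = 0x80;
    if (cap < e_lfanew + 24) return 0;
    memset(buf, 0, e_lfanew + 24);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)e_lfanew;
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    buf[e_lfanew + 4] = (uint8_t)(machine & 0xff);
    buf[e_lfanew + 5] = (uint8_t)(machine >> 8);
    return e_lfanew + 24;
}

int main(void)
{
    char path[260];
    uint8_t img[256];
    size_t n = build_fake_pe(img, sizeof img, IMAGE_FILE_MACHINE_AMD64);

    normalize_image_path("\\SystemRoot\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys", path, sizeof path);
    printf("resolved ImagePath: %s\n", path);
    /* Unreadable image + WOW64=1: the fallback picks a 32-bit host (the bug). */
    printf("fallback decision : %d-bit\n", choose_host_bitness(NULL, 0, 1));
    /* Readable PE32+ header: the machine field wins regardless of WOW64. */
    printf("header decision   : %d-bit\n", choose_host_bitness(img, n, 1));
    return 0;
}
```

The point of the split is that the WOW64 flag is a property of the process that created the service, not of the image, so it can only ever be a tie-breaker; any path form the kernel accepts in 'ImagePath' must be resolvable before the header check, otherwise the tie-breaker decides every time.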
Virustotal.com scan of the binary:
https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20da60e08e68966788eb5258a1/details
$ sha1sum NAV10TBEN.exe
eadfb9c860146186c548aba695a9be87607f5586 NAV10TBEN.exe
$ du -sh NAV10TBEN.exe
74M NAV10TBEN.exe
$ wine --version
wine-6.0-rc4
Regards