[Bug 49165] Multiple kernel drivers crash in entry point due to 'IoGetDeviceObjectPointer' returning a stub device when the device object doesn't exist (VeraCrypt 1.24 'veracrypt_x64.sys', NAV 2010 'ccHPx64.sys')

WineHQ Bugzilla wine-bugs at winehq.org
Thu Dec 31 13:16:31 CST 2020


https://bugs.winehq.org/show_bug.cgi?id=49165

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|https://launchpad.net/verac |https://web.archive.org/web
                   |rypt/trunk/1.24-update6/+do |/20200319114317/https://lau
                   |wnload/VeraCrypt%20Portable |nchpadlibrarian.net/4686578
                   |%201.24-Update6.exe         |62/VeraCrypt%20Portable%201
                   |                            |.24-Update6.exe
            Summary|VeraCrypt 1.24 filter       |Multiple kernel drivers
                   |driver 'veracrypt_x64.sys'  |crash in entry point due to
                   |crashes in entry point      |'IoGetDeviceObjectPointer'
                   |('IoGetDeviceObjectPointer' |returning a stub device
                   |must not return a stub      |when the device object
                   |device if the device object |doesn't exist (VeraCrypt
                   |doesn't exist)              |1.24 'veracrypt_x64.sys',
                   |                            |NAV 2010 'ccHPx64.sys')

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

adding another driver and refining summary for collecting.

Symantec Hash Provider driver 'ccHP' from Norton Antivirus 2010.

https://web.archive.org/web/20111104092310/http://spftrl.digitalriver.com/pub/symantec/tbyb/NAM/NAV10TBEN.exe

NOTE: Needs multiple prerequisite bugs fixed or worked around before coming to
this place.

* bug 34083 ("Norton/Symantec AntiVirus 10.x installers fail to validate
embedded certificate (CERT with multiple OU fields, crypt32.CertGetNameStringW
must return RDNs in reverse order)")

* bug 50431 ("SCM erroneously tries to start 64-bit kernel drivers as 32-bit
service when 'ImagePath' contains '\\SystemRoot\\system32\\drivers' and
'WOW64=1'")

To debug driver crashes it's best to disable autostart.
Change start type to "manual" (3).

--- snip ---
[System\\CurrentControlSet\\Services\\ccHP]
...
"Start"=dword:00000003
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl wine net start ccHP >>log.txt 2>&1
...
0054:trace:ntoskrnl:load_driver loading driver L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys"
0054:Call KERNEL32.LoadLibraryW(00041490 L"C:\\windows\\system32\\drivers\\NAVx64\\1100000.088\\ccHPx64.sys") ret=0032606e
...
0054:Ret  KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e
...
0054:Call driver init 0000000000DF8008 (obj=0000000000042DD0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\ccHP")
...
0054:Call ntoskrnl.exe.IoWMIRegistrationControl(00def6c8,80010001) ret=00d61775
0054:fixme:ntoskrnl:IoWMIRegistrationControl (0000000000DEF6C8 2147549185) stub
0054:Ret  ntoskrnl.exe.IoWMIRegistrationControl() retval=00000000 ret=00d61775
0054:Call ntoskrnl.exe.IoGetDeviceObjectPointer(00c3f710,001f01ff,00c3f708,00c3f700) ret=00d61c9f
...
0054:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\\Device\\SYMEFA" 1f01ff 0000000000C3F708 0000000000C3F700
0054:Ret  ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=00d61c9f
0054:Call ntoskrnl.exe.IoBuildSynchronousFsdRequest(0000001b,0034d5c8,00000000,00000000,00000000,00c3f720,00c3f738) ret=00d61d1b
0054:trace:ntoskrnl:IoBuildSynchronousFsdRequest (27 000000000034D5C8 0000000000000000 0 0000000000000000 0000000000C3F738)
0054:trace:ntoskrnl:IoBuildAsynchronousFsdRequest (27 000000000034D5C8 0000000000000000 0 0000000000000000 0000000000C3F738)
0054:trace:ntoskrnl:IoAllocateIrp -128, 0
0054:Call ntdll.RtlAllocateHeap(009c0000,00000000,00000310) ret=0031fab9
0054:Ret  ntdll.RtlAllocateHeap() retval=009c03b0 ret=0031fab9
0054:trace:ntoskrnl:ExAllocatePoolWithTag 784 pool 0 -> 00000000009C03B0
0054:trace:ntoskrnl:IoInitializeIrp 00000000009C03B0, 784, -128
0054:Call msvcrt.memset(009c03b0,00000000,00000310) ret=0031fb53
0054:Ret  msvcrt.memset() retval=009c03b0 ret=0031fb53
0054:trace:seh:dispatch_exception code=c0000005 flags=0 addr=000000000032069E ip=000000000032069E tid=0054
0054:trace:seh:dispatch_exception  info[0]=0000000000000001
0054:trace:seh:dispatch_exception  info[1]=00000000009be038
0054:trace:seh:dispatch_exception  rax=00000000009c03b0 rbx=000000000000001b rcx=00000000e421390f rdx=0000000000000037
0054:trace:seh:dispatch_exception  rsi=000000000034d5c8 rdi=00000000009c03b0 rbp=0000000000c3f560 rsp=0000000000c3f510
0054:trace:seh:dispatch_exception   r8=0000000000000000  r9=0000000000000000 r10=0000000000c3efe2 r11=0000000000000000
0054:trace:seh:dispatch_exception  r12=00000000009be080 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000
0054:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
0054:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0054:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0 code=c0000005 flags=0
0054:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0
--- snip ---

Virustotal.com scan of the installer binary:

https://www.virustotal.com/gui/file/b8110fba782df5f9bfc25d39315b5ccd1f375b20da60e08e68966788eb5258a1/details

$ sha1sum NAV10TBEN.exe 
eadfb9c860146186c548aba695a9be87607f5586  NAV10TBEN.exe

$ du -sh NAV10TBEN.exe 
74M    NAV10TBEN.exe

$ wine --version
wine-6.0-rc4

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
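
A triage sketch for +relay/+seh traces like the one in the comment above, added here as an example (it is not part of the original comment or of Wine). For each access violation it reports the relay call the thread was inside and the `fixme ... stub` functions that had returned 0 earlier on that thread. The name `triage`, the finding keys, and reading `retval=00000000` as STATUS_SUCCESS are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines excerpted from the trace above (mail line-wraps rejoined, most lines omitted).
SAMPLE = r'''0054:Call ntoskrnl.exe.IoWMIRegistrationControl(00def6c8,80010001) ret=00d61775
0054:fixme:ntoskrnl:IoWMIRegistrationControl (0000000000DEF6C8 2147549185) stub
0054:Ret  ntoskrnl.exe.IoWMIRegistrationControl() retval=00000000 ret=00d61775
0054:Call ntoskrnl.exe.IoGetDeviceObjectPointer(00c3f710,001f01ff,00c3f708,00c3f700) ret=00d61c9f
0054:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\\Device\\SYMEFA" 1f01ff 0000000000C3F708 0000000000C3F700
0054:Ret  ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=00d61c9f
0054:Call ntoskrnl.exe.IoBuildSynchronousFsdRequest(0000001b,0034d5c8,00000000,00000000,00000000,00c3f720,00c3f738) ret=00d61d1b
0054:trace:seh:dispatch_exception code=c0000005 flags=0 addr=000000000032069E ip=000000000032069E tid=0054
'''

CALL = re.compile(r'^([0-9a-f]{4}):Call ([\w.]+)\.(\w+)\(')
RET = re.compile(r'^([0-9a-f]{4}):Ret\s+([\w.]+)\.(\w+)\(\) retval=([0-9a-f]+)')
STUB = re.compile(r'^([0-9a-f]{4}):fixme:\w+:(\w+) .*\bstub\b')
FAULT = re.compile(r'^([0-9a-f]{4}):trace:seh:dispatch_exception code=c0000005 .*?addr=([0-9A-Fa-f]+)')

def triage(log):
    """One finding per access violation, with the stubs that claimed success before it."""
    open_calls = defaultdict(list)  # tid -> stack of relay calls not yet returned
    stub_hit = defaultdict(set)     # tid -> functions that logged 'fixme ... stub'
    stub_ok = defaultdict(list)     # tid -> stubs that then returned retval=0
    findings = []
    for line in log.splitlines():
        if m := CALL.match(line):
            open_calls[m[1]].append(m[3])
        elif m := STUB.match(line):
            stub_hit[m[1]].add(m[2])
        elif m := RET.match(line):
            tid, func, retval = m[1], m[3], int(m[4], 16)
            if open_calls[tid] and open_calls[tid][-1] == func:
                open_calls[tid].pop()
            if func in stub_hit[tid]:
                stub_hit[tid].discard(func)
                if retval == 0:  # assumption: 0 is STATUS_SUCCESS for this export
                    stub_ok[tid].append(func)
        elif m := FAULT.match(line):
            tid = m[1]
            findings.append({
                "tid": tid,
                "fault_addr": m[2],
                "inside_call": open_calls[tid][-1] if open_calls[tid] else None,
                "stubs_returned_success": stub_ok[tid][::-1],  # most recent first
            })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The most recent stub in the list is only a lead: the trace still has to show that the faulting call consumes that stub's output.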


