[Bug 49089] New: nProtect Anti-Virus/Spyware 4.0 'tkpl2k64.sys' crashes on unimplemented function 'fltmgr.sys.FltBuildDefaultSecurityDescriptor'

WineHQ Bugzilla wine-bugs at winehq.org
Sun May 3 09:30:44 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49089

            Bug ID: 49089
           Summary: nProtect Anti-Virus/Spyware 4.0 'tkpl2k64.sys' crashes
                    on unimplemented function
                    'fltmgr.sys.FltBuildDefaultSecurityDescriptor'
           Product: Wine
           Version: 5.7
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Encountered while revisiting bug 47170.

Download:

https://web.archive.org/web/20160510225518/http://avsd.nprotect.net/avs40/setup/nProtectSetup_AVS40.exe

--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process wine ./nProtectSetup_AVS40.exe
...
0244:trace:loaddll:load_native_dll Loaded L"C:\\windows\\system32\\FLTMGR.SYS"
at 0xe50000: PE builtin
0244:trace:loaddll:load_native_dll Loaded
L"C:\\windows\\system32\\tkpl2k64.sys" at 0xe10000: native
0244:trace:seh:raise_exception code=c0000005 flags=0 addr=0xe38108 ip=e38108
tid=0244
0244:trace:seh:raise_exception  info[0]=0000000000000000
0244:trace:seh:raise_exception  info[1]=fffff78000000320
0244:trace:seh:raise_exception  rax=fffff78000000320 rbx=0000000000e380dc
rcx=00000000007d5050 rdx=00000000007d51b8
0244:trace:seh:raise_exception  rsi=0000000000cef94c rdi=00000000007d3ea8
rbp=00000000000fbff8 rsp=0000000000cef8f8
0244:trace:seh:raise_exception   r8=0000000000e26100  r9=00002b992ddfa232
r10=000000000023584c r11=00000000000fc0c0
0244:trace:seh:raise_exception  r12=00000000007d5050 r13=00007fffffea4000
r14=00000000007d51b8 r15=0000000000000000
0244:trace:seh:call_vectored_handlers calling handler at 0x22cde0 code=c0000005
flags=0
0244:trace:seh:call_vectored_handlers handler at 0x22cde0 returned ffffffff
0244:trace:seh:raise_exception code=c0000096 flags=0 addr=0xe12eb0 ip=e12eb0
tid=0244
0244:trace:seh:raise_exception  rax=fffffffffe537b79 rbx=0000000000e380dc
rcx=00000000007d5050 rdx=00000000007d51b8
0244:trace:seh:raise_exception  rsi=0000000000cef94c rdi=00000000007d3ea8
rbp=00000000000fbff8 rsp=0000000000cef838
0244:trace:seh:raise_exception   r8=0000ffffffffffff  r9=00002b992ddfa232
r10=000000000023584c r11=00000000000fc0c0
0244:trace:seh:raise_exception  r12=00000000007d5050 r13=00007fffffea4000
r14=00000000007d51b8 r15=0000000000000000
0244:trace:seh:call_vectored_handlers calling handler at 0x22cde0 code=c0000096
flags=0
0244:trace:seh:call_vectored_handlers handler at 0x22cde0 returned ffffffff
0244:trace:seh:raise_exception code=c0000096 flags=0 addr=0xe12eb0 ip=e12eb0
tid=0244
0244:trace:seh:raise_exception  rax=0000000000950330 rbx=0000000000e380dc
rcx=0000000000000000 rdx=0000000000e222a0
0244:trace:seh:raise_exception  rsi=0000000000cef94c rdi=00000000007d3ea8
rbp=00000000000fbff8 rsp=0000000000cef7d8
0244:trace:seh:raise_exception   r8=00000000009503a2  r9=0000000000000016
r10=0000000000000000 r11=00000000009503d0
0244:trace:seh:raise_exception  r12=00000000007d5050 r13=00007fffffea4000
r14=00000000007d51b8 r15=0000000000000000
0244:trace:seh:call_vectored_handlers calling handler at 0x22cde0 code=c0000096
flags=0
0244:trace:seh:call_vectored_handlers handler at 0x22cde0 returned ffffffff
0244:fixme:ntdll:NtQuerySystemInformation info_class SystemModuleInformation
stub!
0244:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutine stub: 0000000000E19C30 0
0244:fixme:fltmgr:FltRegisterFilter
(00000000007D5050,0000000000E24D30,0000000000E26228): stub
0244:fixme:fltmgr:FltStartFiltering (00000000DEADBEAF): stub
0244:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b00f665
ip=7b00f665 tid=0244
0244:trace:seh:raise_exception  info[0]=0000000000e59000
0244:trace:seh:raise_exception  info[1]=0000000000e59119
wine: Call from 0x7b00f665 to unimplemented function
fltmgr.sys.FltBuildDefaultSecurityDescriptor, aborting
--- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltbuilddefaultsecuritydescriptor

--- snip ---
$ winedump -j import ~/.wine/drive_c/windows/system32/tkpl2k64.sys 
Contents of /home/focht/.wine/drive_c/windows/system32/tkpl2k64.sys: 98056
bytes

Import Table size: 0000003c
  offset 00014738 ntoskrnl.exe
  Hint/Name Table: 000281E8
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 00014070
   Thunk    Ordn  Name
  00014070   332  IoCreateDevice
  00014078  1490  towlower
  00014080   870  ProbeForRead
  00014088  1452  _wcsnicmp
  00014090   633  KeSetEvent
  00014098  1322  ZwCreateFile
  000140a0  1504  wcsrchr
  000140a8   722  MmMapLockedPagesSpecifyCache
  000140b0   143  ExSystemTimeToLocalTime
  000140b8   964  PsTerminateSystemThread
  000140c0   661  KeWaitForSingleObject
  000140c8  1006  RtlCopyUnicodeString
  000140d0  1360  ZwOpenProcess
  000140d8   710  MmIsAddressValid
  000140e0   850  ObfDereferenceObject
  000140e8  1502  wcsncmp
  000140f0  1428  ZwWriteFile
  000140f8    49  DbgPrint
  00014100  1450  _wcsicmp
  00014108   558  KeInitializeEvent
  00014110   613  KeReleaseSpinLock
  00014118   524  KeAcquireSpinLockRaiseToDpc
  00014120   531  KeBugCheckEx
  00014128   885  PsGetCurrentProcessId
  00014130   890  PsGetCurrentThreadId
  00014138   341  IoCreateSymbolicLink
  00014140   965  PsThreadType
  00014148   842  ObReferenceObjectByHandle
  00014150  1317  ZwClose
  00014158    84  ExEventObjectType
  00014160   878  PsCreateSystemThread
  00014168   952  PsSetCreateProcessNotifyRoutine
  00014170   402  IoIs32bitProcess
  00014178   351  IoDeleteDevice
  00014180  1086  RtlInitUnicodeString
  00014188  1192  RtlTimeToTimeFields
  00014190   353  IoDeleteSymbolicLink
  00014198  1208  RtlUnicodeToMultiByteN
  000141a0   974  RtlAnsiCharToUnicodeChar
  000141a8   751  MmUnmapLockedPages
  000141b0  1441  _stricmp
  000141b8  1443  _strnicmp
  000141c0    70  ExAllocatePoolWithTag
  000141c8    88  ExFreePoolWithTag
  000141d0   976  RtlAnsiStringToUnicodeString
  000141d8    95  ExInitializeNPagedLookasideList
  000141e0   937  PsLookupProcessByProcessId
  000141e8  1390  ZwQuerySymbolicLinkObject
  000141f0   160  ExpInterlockedPushEntrySList
  000141f8   706  MmGetSystemRoutineAddress
  00014200  1082  RtlInitAnsiString
  00014208  1202  RtlUnicodeStringToAnsiString
  00014210  1391  ZwQuerySystemInformation
  00014218   159  ExpInterlockedPopEntrySList
  00014220   690  MmBuildMdlForNonPagedPool
  00014228  1364  ZwOpenSymbolicLinkObject
  00014230   370  IoFreeMdl
  00014238   655  KeUnstackDetachProcess
  00014240  1061  RtlFreeUnicodeString
  00014248   840  ObQueryNameString
  00014250  1483  strncpy
  00014258  1392  ZwQueryValueKey
  00014260   377  IoGetCurrentProcess
  00014268   502  IofCompleteRequest
  00014270   114  ExQueryDepthSList
  00014278  1057  RtlFreeAnsiString
  00014280   928  PsGetVersion
  00014288   647  KeStackAttachProcess
  00014290    74  ExDeleteNPagedLookasideList
  00014298   307  IoAllocateMdl
  000142a0  1359  ZwOpenKey
  000142a8  1430  __C_specific_handler

  offset 0001474c FLTMGR.SYS
  Hint/Name Table: 00028178
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 00014000
   Thunk    Ordn  Name
  00014000    55  FltEnumerateVolumes
  00014008   109  FltObjectDereference
  00014010   152  FltStartFiltering
  00014018   130  FltRegisterFilter
  00014020    12  FltBuildDefaultSecurityDescriptor
  00014028    29  FltCloseCommunicationPort
  00014030   160  FltUnregisterFilter
  00014038   121  FltQueryInformationFile
  00014040    62  FltFreeSecurityDescriptor
  00014048    33  FltCreateCommunicationPort
  00014050    28  FltCloseClientPort
  00014058    13  FltCancelFileOpen
  00014060    95  FltGetVolumeName


Done dumping /home/focht/.wine/drive_c/windows/system32/tkpl2k64.sys
--- snip ---

$ sha1sum nProtectSetup_AVS40.exe 
913b33ab5c9477539d4d65b9f89e67be1a6b6c13  nProtectSetup_AVS40.exe

$ du -sh nProtectSetup_AVS40.exe 
36M    nProtectSetup_AVS40.exe

$ wine --version
wine-5.7-177-gad1fad8a94

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
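
Added example, not part of the original report or of Wine: a triage script that cross-references the driver's winedump import table with the WINEDEBUG log to show which imports aborted as unimplemented, which only hit a fixme stub, and which were never reached before the abort. The helper names (unwrap, parse_imports, triage) are hypothetical, and the embedded sample input is abridged from the output quoted in the report.

```python
import re

# Sample input, abridged from the WINEDEBUG log and winedump output in the report.
LOG = """\
0244:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutine stub: 0000000000E19C30 0
0244:fixme:fltmgr:FltRegisterFilter
(00000000007D5050,0000000000E24D30,0000000000E26228): stub
0244:fixme:fltmgr:FltStartFiltering (00000000DEADBEAF): stub
wine: Call from 0x7b00f665 to unimplemented function
fltmgr.sys.FltBuildDefaultSecurityDescriptor, aborting
"""
IMPORTS = """\
  offset 00014738 ntoskrnl.exe
   Thunk    Ordn  Name
  00014168   952  PsSetCreateProcessNotifyRoutine
  offset 0001474c FLTMGR.SYS
  00014010   152  FltStartFiltering
  00014018   130  FltRegisterFilter
  00014020    12  FltBuildDefaultSecurityDescriptor
  00014028    29  FltCloseCommunicationPort
"""

def unwrap(log):
    """Rejoin records the mail client wrapped: a new record starts 'tid:' or 'wine:'."""
    return re.sub(r"\n(?![0-9a-f]{4}:|wine:)", " ", log).splitlines()

def parse_imports(dump):
    """Map lower-cased module name -> imported function names (header rows skipped)."""
    table, module = {}, None
    for line in dump.splitlines():
        if m := re.match(r"\s*offset [0-9a-f]{8} (\S+)$", line):
            module = m.group(1).lower()
            table[module] = []
        elif module and (m := re.match(r"\s*[0-9a-f]{8}\s+\d+\s+(\w+)$", line)):
            table[module].append(m.group(1))
    return table

def triage(log, dump):
    """Classify every import; stubs are keyed by function name only (fixme has no DLL)."""
    status = {}
    for rec in unwrap(log):
        if m := re.search(r"unimplemented function ([\w.]+)\.(\w+), aborting", rec):
            status[(m.group(1).lower(), m.group(2))] = "unimplemented"
        elif m := re.match(r"[0-9a-f]{4}:fixme:\w+:(\w+)\b.*\bstub", rec):
            status[m.group(1)] = "stub"
    return {mod: {fn: status.get((mod, fn)) or status.get(fn, "not reached")
                  for fn in fns} for mod, fns in parse_imports(dump).items()}

if __name__ == "__main__":
    print(triage(LOG, IMPORTS))
```

Imports reported as "not reached" are the ones worth checking next, since fixing the aborting function only moves the driver on to them.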


