[Bug 22797] 'Sample1_DLLEmbedding' example from BoxedApp SDK v3.3.x (native API application virtualization scheme) crashes (needs hookable NtXXXSection API entries / NT syscalls)
WineHQ Bugzilla
wine-bugs at winehq.org
Mon Oct 26 07:37:04 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=22797
Anastasius Focht <focht at gmx.net> changed:
What          | Removed                                   | Added
--------------|-------------------------------------------|-------------------------------------------
Status        | NEW                                       | RESOLVED
Resolution    | ---                                       | FIXED
Summary       | BoxedApp (native API application virtualization scheme) SDK v3.3.x examples fail | 'Sample1_DLLEmbedding' example from BoxedApp SDK v3.3.x (native API application virtualization scheme) crashes (needs hookable NtXXXSection API entries / NT syscalls)
Fixed by SHA1 |                                           | 75e616d52b452d37cc93f492d47eba641f9741c1
--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
reworking this meta-bug into something more useful.
Taking 'Sample1_DLLEmbedding.exe'.
--- snip ---
...
0009:Call KERNEL32.LoadLibraryA(00434704 "DLL1.dll") ret=0040120c
warn:ntdll:NtQueryAttributesFile L"\\??\\Z:\\home\\focht\\Downloads\\DemoApplications\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\system32\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\system\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\Z:\\home\\focht\\Downloads\\DemoApplications\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\system32\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\DLL1.dll" not found (c0000034)
warn:ntdll:NtQueryAttributesFile L"\\??\\C:\\windows\\system32\\wbem\\DLL1.dll" not found (c0000034)
0009:Ret KERNEL32.LoadLibraryA() retval=00000000 ret=0040120c
0009:Call KERNEL32.GetProcAddress(00000000,00434890 "Function") ret=0040121a
0009:Ret KERNEL32.GetProcAddress() retval=00000000 ret=0040121a
trace:ntdll:NtQueryInformationProcess (0xffffffff,0x00000022,0x32eb60,0x00000004,(nil))
trace:seh:raise_exception code=c0000005 flags=0 addr=(nil) ip=00000000 tid=0009
trace:seh:raise_exception info[0]=00000000
trace:seh:raise_exception info[1]=00000000
trace:seh:raise_exception eax=00000000 ebx=00000001 ecx=0032fd48 edx=c0000001 esi=00000000 edi=0032fd48
trace:seh:raise_exception ebp=0032eef0 esp=0032eedc cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00010206
trace:seh:call_vectored_handlers calling handler at 0x10013e10 code=c0000005 flags=0
trace:seh:call_vectored_handlers handler at 0x10013e10 returned 0
trace:seh:call_stack_handlers calling handler at 0x431851 code=c0000005 flags=0
--- snip ---
The sandbox scheme hooks a number of native APIs to virtualize the filesystem,
registry etc.
original:
--- snip ---
<ntdll.LdrLoadDll>:
7BC56C30 8BFF MOV EDI,EDI
7BC56C32 55 PUSH EBP
7BC56C33 8BEC MOV EBP,ESP
7BC56C35 5D POP EBP
7BC56C36 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7BC56C3A 83E4 F0 AND ESP,FFFFFFF0
...
--- snip ---
hooked:
--- snip ---
<ntdll.LdrLoadDll>:
7BC56C30 E9 CB9348FF JMP 7B0E0000
7BC56C35 5D POP EBP
7BC56C36 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7BC56C3A 83E4 F0 AND ESP,FFFFFFF0
7BC56C3D FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC56C40 89C8 MOV EAX,ECX
7BC56C42 55 PUSH EBP
7BC56C43 89E5 MOV EBP,ESP
7BC56C45 57 PUSH EDI
7BC56C46 56 PUSH ESI
7BC56C47 53 PUSH EBX
7BC56C48 E8 0390FCFF CALL ntdll.__x86.get_pc_thunk.bx
...
7B0E0000 E9 1B0AF394 JMP bxsdk32.10010A20
...
7B0D0000 8BFF MOV EDI,EDI
7B0D0002 55 PUSH EBP
7B0D0003 8BEC MOV EBP,ESP
7B0D0005 E9 2B6CB800 JMP ntdll.7BC56C35
--- snip ---
--- snip ---
10010A20 55 PUSH EBP
10010A21 8BEC MOV EBP,ESP
10010A23 83E4 F8 AND ESP,FFFFFFF8
10010A26 83EC 4C SUB ESP,4C
10010A29 53 PUSH EBX
10010A2A 56 PUSH ESI
10010A2B 57 PUSH EDI
10010A2C FF15 54200C10 CALL DWORD PTR DS:[<&KERNEL32.GetLastError>]
10010A32 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
10010A35 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
10010A39 A1 60EA0D10 MOV EAX,DWORD PTR DS:[100DEA60]
10010A3E 57 PUSH EDI
10010A3F 8D7424 40 LEA ESI,DWORD PTR SS:[ESP+40]
10010A43 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
10010A47 E8 B405FFFF CALL bxsdk32.10001000
10010A4C 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]
10010A4F 8B0D 60EA0D10 MOV ECX,DWORD PTR DS:[100DEA60]
10010A55 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
10010A58 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
10010A5B 8B81 840C0000 MOV EAX,DWORD PTR DS:[ECX+C84]
10010A61 83C4 04 ADD ESP,4
10010A64 56 PUSH ESI
10010A65 57 PUSH EDI
10010A66 81C1 840C0000 ADD ECX,0C84
10010A6C 53 PUSH EBX
10010A6D 52 PUSH EDX
10010A6E 8B50 24 MOV EDX,DWORD PTR DS:[EAX+24]
10010A71 FFD2 CALL EDX
10010A73 FFD0 CALL EAX ; org API entry continuation 7B0D0000
...
--- snip ---
Some 'NtXXXSection' native API entries involved in the module loading sequence were
not hot-patchable.
--- snip ---
load_native_dll:
7BC54720 55 PUSH EBP
7BC54721 89E5 MOV EBP,ESP
7BC54723 57 PUSH EDI
7BC54724 89D7 MOV EDI,EDX
7BC54726 56 PUSH ESI
7BC54727 89CE MOV ESI,ECX
7BC54729 53 PUSH EBX
7BC5472A E8 21B5FCFF CALL ntdll.__x86.get_pc_thunk.bx
7BC5472F 81C3 D1380800 ADD EBX,838D1
7BC54735 81EC DC010000 SUB ESP,1DC
7BC5473B 8985 40FEFFFF MOV DWORD PTR SS:[EBP-1C0],EAX
7BC54741 C785 54FEFFFF 00 MOV DWORD PTR SS:[EBP-1AC],0
7BC5474B F683 30990000 08 TEST BYTE PTR DS:[EBX+9930],8
7BC54752 0F85 D8000000 JNZ ntdll.7BC54830
7BC54758 83EC 04 SUB ESP,4
7BC5475B 8D85 50FEFFFF LEA EAX,DWORD PTR SS:[EBP-1B0]
7BC54761 C785 60FEFFFF 00 MOV DWORD PTR SS:[EBP-1A0],0
7BC5476B 56 PUSH ESI
7BC5476C 8DB5 60FEFFFF LEA ESI,DWORD PTR SS:[EBP-1A0]
7BC54772 68 00000001 PUSH 1000000
7BC54777 6A 20 PUSH 20
7BC54779 56 PUSH ESI
7BC5477A 6A 00 PUSH 0
7BC5477C 68 0D000F00 PUSH 0F000D
7BC54781 50 PUSH EAX
7BC54782 C785 64FEFFFF 00 MOV DWORD PTR SS:[EBP-19C],0
7BC5478C E8 FF2F0400 CALL ntdll.NtCreateSection ; problem
--- snip ---
Original:
--- snip ---
<ntdll.NtCreateSection>:
7BC97790 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
7BC97794 83E4 F0 AND ESP,FFFFFFF0
7BC97797 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC9779A 55 PUSH EBP
7BC9779B 89E5 MOV EBP,ESP
7BC9779D 57 PUSH EDI
7BC9779E 56 PUSH ESI
7BC9779F 53 PUSH EBX
7BC977A0 E8 AB84F8FF CALL ntdll.__x86.get_pc_thunk.bx
7BC977A5 81C3 5B080400 ADD EBX,4085B
--- snip ---
Hooked:
--- snip ---
<ntdll.NtCreateSection>:
7BC97790 E9 6B88E5FF JMP 7BAF0000
7BC97795 E4 F0 IN AL,0F0
7BC97797 FF71 FC PUSH DWORD PTR DS:[ECX-4]
7BC9779A 55 PUSH EBP
7BC9779B 89E5 MOV EBP,ESP
7BC9779D 57 PUSH EDI
7BC9779E 56 PUSH ESI
7BC9779F 53 PUSH EBX
7BC977A0 E8 AB84F8FF CALL ntdll.__x86.get_pc_thunk.bx
7BC977A5 81C3 5B080400 ADD EBX,4085B
7BC977AB 51 PUSH ECX
7BC977AC 81EC A8000000 SUB ESP,0A8
--- snip ---
Starting with commit
https://source.winehq.org/git/wine.git/commitdiff/e3e477e6a14fbcb153258b47d1905915dc4c1f22
("ntdll: Use syscall thunks for virtual memory functions."), these native API
entries became hookable. Part of the Wine 5.13 release.
Also referenced in bug 33162 ("Acrobat Reader 11 crashes on start (native API
application virtualization, NtProtectVirtualMemory removes execute page
protection on its own code)").
--- snip ---
7BC0B710 B8 18000000 MOV EAX,18
7BC0B715 BA 00C0C07B MOV EDX,7BC0C000
7BC0B71A FFD2 CALL EDX
7BC0B71C C2 1C00 RETN 1C
--- snip ---
--- snip ---
7BC0B710 E9 EB48EEFF JMP 7BAF0000
7BC0B715 BA 00C0C07B MOV EDX,7BC0C000
7BC0B71A FFD2 CALL EDX
7BC0B71C C2 1C00 RETN 1C
--- snip ---
--- snip ---
7BAF0000 E9 2B78E384 JMP 00927830
--- snip ---
The example still crashed after this. There was a bug which got fixed with
https://source.winehq.org/git/wine.git/commitdiff/75e616d52b452d37cc93f492d47eba641f9741c1
("ntdll: Clear the syscall frame on return instead of popping the previous
one."), part of the Wine 5.16 release.
Thanks Alexandre.
After that, the example works as designed. Using that as resolution.
$ sha1sum boxedappsdk__demo__3_3_5_7.zip
bfbdd0df4526cd34615a8d13a788a6cdc8713041 boxedappsdk__demo__3_3_5_7.zip
$ du -sh boxedappsdk__demo__3_3_5_7.zip
25M boxedappsdk__demo__3_3_5_7.zip
$ wine --version
wine-5.20
Regards
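As an added illustration (not part of the bug report, BoxedApp or Wine), the code below walks the entry bytes quoted in the listings above with a minimal x86-32 length decoder and reports whether a 5-byte JMP hook would land on an instruction boundary, which is what separates the old 'NtCreateSection' prologue (LEA/AND, boundaries at 4 and 7) from the hot-patchable 'LdrLoadDll' prologue and the 5-byte 'MOV EAX,18' syscall thunk; it also resolves the E9 rel32 targets shown in the hooked listings. The decoder covers only the opcodes that occur in those listings, and the sample arrays are copied from them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Bytes used by a ModRM byte plus its SIB/displacement (32-bit mode). */
static size_t modrm_size(uint8_t m)
{
    unsigned mod = m >> 6, rm = m & 7;
    size_t n = 1 + (mod != 3 && rm == 4);              /* SIB follows */
    if (mod == 1) n += 1;                               /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) n += 4; /* disp32 */
    return n;
}

/* Instruction length at p; covers only opcodes seen in the prologues above (0 = unknown). */
size_t insn_len(const uint8_t *p)
{
    uint8_t op = p[0];
    if (op >= 0x50 && op <= 0x5F) return 1;            /* push/pop r32 */
    if (op >= 0xB8 && op <= 0xBF) return 5;            /* mov r32,imm32 */
    switch (op) {
    case 0x89: case 0x8B: case 0x8D: case 0xFF: return 1 + modrm_size(p[1]);
    case 0x83: return 2 + modrm_size(p[1]);            /* op r/m32,imm8 */
    case 0xE8: case 0xE9: return 5;                    /* call/jmp rel32 */
    case 0xC2: return 3;                               /* retn imm16 */
    default: return 0;
    }
}

/* A 5-byte JMP may overwrite the entry only if an instruction boundary falls exactly
   at offset 5; otherwise the tail decodes as garbage (the 'IN AL,0F0' at 7BC97795). */
bool hotpatch_safe(const uint8_t *code, size_t n)
{
    size_t off = 0;
    while (off < 5 && off < n) {
        size_t l = insn_len(code + off);
        if (l == 0) return false;
        off += l;
    }
    return off == 5;
}

/* Target of an E9 rel32 jump at address addr: addr + 5 + rel32 (mod 2^32). */
uint32_t jmp_target(uint32_t addr, const uint8_t *p)
{
    return addr + 5 + (p[1] | p[2] << 8 | p[3] << 16 | (uint32_t)p[4] << 24);
}
/* Sample input: entry bytes copied from the three listings above. */
const uint8_t ldr_load_dll[] = {0x8B,0xFF,0x55,0x8B,0xEC,0x5D};
const uint8_t nt_create_section_old[] = {0x8D,0x4C,0x24,0x04,0x83,0xE4,0xF0,0xFF,0x71,0xFC};
const uint8_t nt_create_section_thunk[] = {0xB8,0x18,0x00,0x00,0x00,0xBA,0x00,0xC0,0xC0,0x7B};
```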