[Bug 39406] LabVIEW 201x CVI kernel driver 'cvintdrv.sys' crashes due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Jan 10 12:50:49 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=39406
Anastasius Focht <focht at gmx.net> changed:
What|Removed|Added
----------------------------------------------------------------------------
CC| |focht at gmx.net
URL|http://www.ni.com/download/labview-development-system-2014/4735/en/|https://web.archive.org/web/20181022065706/http://download.ni.com/evaluation/labview/ekit/other/downloader/2014LV-WinEng.exe
Summary|LabVIEW 2014: Errors during installation block the process (continue to accept them) (cvintdrv.sys)|LabVIEW 201x CVI kernel driver 'cvintdrv.sys' crashes due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming, still present
Stable download links via Internet Archive:
https://web.archive.org/web/20181022065706/http://download.ni.com/evaluation/labview/ekit/other/downloader/2014LV-WinEng.exe
https://web.archive.org/web/20181010222337/http://download.ni.com/evaluation/labview/ekit/other/downloader/2015LV-WinEng.exe
https://web.archive.org/web/20181001215929/http://download.ni.com/evaluation/labview/ekit/other/downloader/2016LV-WinEng.exe
https://web.archive.org/web/20181022081430/http://download.ni.com/evaluation/labview/ekit/other/downloader/2017LV-WinEng.exe
https://web.archive.org/web/20181020184420/http://download.ni.com/evaluation/labview/ekit/other/downloader/2018LV-WinEng.exe
Relevant part of trace log (after setting driver to manual start):
--- snip ---
$ WINEDEBUG=+seh,+relay,+service,+ntoskrnl wine net start cvintdrv >>log.txt 2>&1
0560:trace:ntoskrnl:load_driver loading driver
L"C:\\windows\\system32\\drivers\\cvintdrv.sys"
0560:Call KERNEL32.LoadLibraryW(0012d328
L"C:\\windows\\system32\\drivers\\cvintdrv.sys") ret=0036490e
...
0560:Call LDR notification callback
(proc=00365B80,reason=1,data=00D5F860,context=00000000)
...
0560:trace:ntoskrnl:ldr_notify_callback loading L"cvintdrv.sys"
...
0560:trace:ntoskrnl:ldr_notify_callback relocating from 00010000-00018000 to
00E80000-00E88000
...
0560:Ret KERNEL32.LoadLibraryW() retval=00e80000 ret=0036490e
...
0560:Call driver init 00E8603E
(obj=0012D250,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\cvintdrv")
...
0560:Call ntoskrnl.exe.MmGetSystemRoutineAddress(00d5fb38) ret=00e8402b
...
0560:fixme:ntoskrnl:MmGetSystemRoutineAddress L"IoCreateDeviceSecure" not found
0560:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=00e8402b
...
0560:Call ntoskrnl.exe.MmGetSystemRoutineAddress(00d5fb38) ret=00e8404f
...
0560:trace:ntoskrnl:MmGetSystemRoutineAddress
L"IoValidateDeviceIoControlAccess" -> 00353A20
0560:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00353a20 ret=00e8404f
0560:Call ntoskrnl.exe.wcschr(00e8218e L"(A;;GA;;;SY)(A;;GA;;;BA)",0000003a)
ret=00e84a52
0560:Call msvcrt.wcschr(00e8218e L"(A;;GA;;;SY)(A;;GA;;;BA)",0000003a)
ret=7bc3ab64
0560:Ret msvcrt.wcschr() retval=00000000 ret=7bc3ab64
0560:Ret ntoskrnl.exe.wcschr() retval=00000000 ret=00e84a52
...
0560:Call ntoskrnl.exe._wcsnicmp(00e82190 L"A;;GA;;;SY)(A;;GA;;;BA)",00e825d4
L"A",00000001) ret=00e84bb9
0560:Call msvcrt._wcsnicmp(00e82190 L"A;;GA;;;SY)(A;;GA;;;BA)",00e825d4
L"A",00000001) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=00000000 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00e84bb9
0560:Call ntoskrnl.exe._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825cc
L"RC",00000002) ret=00e8486d
0560:Call msvcrt._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825cc
L"RC",00000002) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=fffffff5 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff5 ret=00e8486d
0560:Call ntoskrnl.exe._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825c4
L"WD",00000002) ret=00e8486d
0560:Call msvcrt._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825c4
L"WD",00000002) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=fffffff0 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff0 ret=00e8486d
0560:Call ntoskrnl.exe._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825bc
L"WO",00000002) ret=00e8486d
0560:Call msvcrt._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825bc
L"WO",00000002) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=fffffff0 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff0 ret=00e8486d
0560:Call ntoskrnl.exe._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825b4
L"SD",00000002) ret=00e8486d
0560:Call msvcrt._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825b4
L"SD",00000002) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=fffffff4 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff4 ret=00e8486d
0560:Call ntoskrnl.exe._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825ac
L"GA",00000002) ret=00e8486d
0560:Call msvcrt._wcsnicmp(00e82196 L"GA;;;SY)(A;;GA;;;BA)",00e825ac
L"GA",00000002) ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=00000000 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00e8486d
0560:Call ntoskrnl.exe._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83040
L"WD",00000002) ret=00e847d3
0560:Call msvcrt._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83040 L"WD",00000002)
ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=fffffffc ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=fffffffc ret=00e847d3
0560:Call ntoskrnl.exe._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83054
L"BA",00000002) ret=00e847d3
0560:Call msvcrt._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83054 L"BA",00000002)
ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=00000011 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=00000011 ret=00e847d3
0560:Call ntoskrnl.exe._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83068
L"SY",00000002) ret=00e847d3
0560:Call msvcrt._wcsnicmp(00e821a0 L"SY)(A;;GA;;;BA)",00e83068 L"SY",00000002)
ret=7bc3ab64
...
0560:Ret msvcrt._wcsnicmp() retval=00000000 ret=7bc3ab64
0560:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00e847d3
0560:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00E8483B
ip=00e8483b tid=0560
0560:trace:seh:dispatch_exception info[0]=00000000
0560:trace:seh:dispatch_exception info[1]=90909170
0560:trace:seh:dispatch_exception eax=000000e0 ebx=00e821a0 ecx=90909090
edx=0000000c esi=00000028 edi=00e83068
0560:trace:seh:dispatch_exception ebp=00d5fa4c esp=00d5fa3c cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010297
0560:trace:seh:call_vectored_handlers calling handler at 0035DA00 code=c0000005
flags=0
0560:trace:seh:call_vectored_handlers handler at 0035DA00 returned 0
0560:trace:seh:call_vectored_handlers calling handler at 7B00F270 code=c0000005
flags=0
0560:trace:seh:call_vectored_handlers handler at 7B00F270 returned 0
0560:trace:seh:call_stack_handlers calling handler at 7BC52730 code=c0000005
flags=0
0560:Call ntdll.NtCreateEvent(00d5f310,001f0003,00d5f384,00000000,00000000)
ret=7b010402
0560:Ret ntdll.NtCreateEvent() retval=00000000 ret=7b010402
wine: Unhandled page fault on read access to 90909170 at address 00E8483B
(thread 0560), starting debugger...
--- snip ---
Trace doesn't reveal much but debugging the crash site does:
--- snip ---
00E847B3 | mov edi,edi |
00E847B5 | push ebp |
00E847B6 | mov ebp,esp |
00E847B8 | push ecx |
00E847B9 | push ebx |
00E847BA | mov ebx,dword ptr ss:[ebp+8] |
00E847BD | push esi |
00E847BE | xor esi,esi |
00E847C0 | push edi |
00E847C1 | mov edi,cvintdrv.E83040 |
00E847C6 | mov dword ptr ss:[ebp-4],esi |
00E847C9 | push dword ptr ds:[edi+8] |
00E847CC | push edi |
00E847CD | push ebx |
00E847CE | call <JMP.&__wcsnicmp> |
00E847D3 | add esp,C |
00E847D6 | test eax,eax |
00E847D8 | je cvintdrv.E847FD |
00E847DA | add dword ptr ss:[ebp-4],14 |
00E847DE | inc esi |
00E847DF | add edi,14 |
00E847E2 | cmp dword ptr ss:[ebp-4],F0 |
00E847E9 | jb cvintdrv.E847C9 |
00E847EB | mov eax,dword ptr ss:[ebp+C] |
00E847EE | and dword ptr ds:[eax],0 |
00E847F1 | mov eax,C0000073 |
00E847F6 | pop edi |
00E847F7 | pop esi |
00E847F8 | pop ebx |
00E847F9 | leave |
00E847FA | ret C |
00E847FD | mov ecx,dword ptr ss:[ebp+10] |
00E84800 | imul esi,esi,14 |
00E84803 | mov eax,dword ptr ds:[esi+E83048] |
00E84809 | lea eax,dword ptr ds:[ebx+eax*2] |
00E8480C | mov dword ptr ds:[ecx],eax |
00E8480E | cmp dword ptr ds:[esi+E8303C],1 |
00E84815 | jne cvintdrv.E8482D |
00E84817 | push 20 |
00E84819 | push 1 |
00E8481B | call dword ptr ds:[<&_IoIsWdmVersionAvailable at 8>] |
00E84821 | test al,al |
00E84823 | jne cvintdrv.E8482D |
00E84825 | mov eax,dword ptr ss:[ebp+C] |
00E84828 | and dword ptr ds:[eax],0 |
00E8482B | jmp cvintdrv.E84843 |
00E8482D | mov ecx,dword ptr ds:[<&___wine_stub_SeExports>] |
00E84833 | mov ecx,dword ptr ds:[ecx] |
00E84835 | mov eax,dword ptr ds:[esi+E83038] | 0xE0
00E8483B | mov eax,dword ptr ds:[eax+ecx] | *boom*
00E8483E | mov ecx,dword ptr ss:[ebp+C] |
00E84841 | mov dword ptr ds:[ecx],eax |
00E84843 | xor eax,eax |
00E84845 | jmp cvintdrv.E847F6 |
--- snip ---
dword ptr ds:[eax+ecx*1] = [0xE0+0x90909090] = 0x90909170
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_se_exports
--- quote ---
The SeExports structure is a large external static SE_EXPORTS structure that
defines a number of well-known security constants for privilege values and
security identifiers.
--- quote ---
Wine source:
https://source.winehq.org/git/wine.git/blob/7d3186e029fb4cf417fab59483a37d8aece95b5d:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l1326
--- snip ---
1326 @ stub SeExports
--- snip ---
ProtectionID scan:
--- snip ---
-=[ ProtectionID v0.6.9.0 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/17-21:05:42
Ready...
Scanning -> C:\windows\system32\drivers\cvintdrv.sys
File Type : 32-Bit Driver (good checksum) (Subsystem : Native / 1), Size :
21792 (05520h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x4E937FD8 -> Mon 10th Oct 2011 23:29:28 (GMT)
[TimeStamp] 0x4E937FD8 -> Mon 10th Oct 2011 23:29:28 (GMT) | PE Header | - |
Offset: 0x000000C8 | VA: 0x000100C8 | -
[TimeStamp] 0x4E937FD8 -> Mon 10th Oct 2011 23:29:28 (GMT) | DebugDirectory | -
| Offset: 0x00000AC4 | VA: 0x000120C4 | -
-> File Appears to be Digitally Signed @ Offset 03200h, size : 02320h / 08992
byte(s)
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00000100000001001100000000000111 (0x0404C007)
[Entrypoint Section Entropy] : 5.40 (section #4) "INIT " | Size : 0x516
(1302) byte(s)
[DllCharacteristics] -> Flag : (0x0400) -> NOSEH
[SectionCount] 6 (0x6) | ImageSize 0x8000 (32768) byte(s)
[ModuleReport] [IAT] Modules -> ntoskrnl.exe | HAL.dll
[Debug Info] (record 1 of 1) (file offset 0xAC0)
Characteristics : 0x0 | TimeDateStamp : 0x4E937FD8 (Mon 10th Oct 2011 23:29:28
(GMT)) | MajorVer : 0 / MinorVer : 0 -> (0.0)
Type : 2 (0x2) -> CodeView | Size : 0x4E (78)
AddressOfRawData : 0x25D8 | PointerToRawData : 0xFD8
CvSig : 0x53445352 | SigGuid 01BFF930-BFF0-4554-937CAF4FAB5F7A02
Age : 0x17 (23) | Pdb : c:\winddk\7600.16385.1\lib\wxp\i386\i386\CVINTDRV.pdb
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.347 Second(s) [00000015Bh (347) tick(s)] [135 of 580 scan(s)
done]
Scanning -> C:\windows\system32\drivers\CVINTDrv.ver
[!] File does not have any imports
[!] File does not have an entrypoint
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1536 (0600h) Byte(s) |
Machine: 0x14C (I386)
Compilation TimeStamp : 0x52D6B97A -> Wed 15th Jan 2014 16:38:18 (GMT)
[TimeStamp] 0x52D6B97A -> Wed 15th Jan 2014 16:38:18 (GMT) | PE Header | - |
Offset: 0x000000B8 | VA: 0x100000B8 | -
[LoadConfig] CodeIntegrity -> Flags 0xA3F0 | Catalog 0x46 (70) | Catalog Offset
0x2000001 | Reserved 0x46A4A0
[LoadConfig] GuardAddressTakenIatEntryTable 0x8000011 | Count 0x46A558
(4629848)
[LoadConfig] GuardLongJumpTargetTable 0x8000001 | Count 0x46A5F8 (4630008)
[LoadConfig] HybridMetadataPointer 0x8000011 | DynamicValueRelocTable 0x46A66C
[LoadConfig] FailFastIndirectProc 0x8000011 | FailFastPointer 0x46C360
[LoadConfig] UnknownZero1 0x8000011
[File Heuristics] -> Flag #1 : 00010000000001001000010001000000 (0x10048440)
[DllCharacteristics] -> Flag : (0x0400) -> NOSEH
[SectionCount] 1 (0x1) | ImageSize 0x2000 (8192) byte(s)
[VersionInfo] Company Name : National Instruments
[VersionInfo] Product Name : LabWindows/CVI 2013
[VersionInfo] Product Version : 13.0.1.201
[VersionInfo] File Description : LabWindows/CVI Version Resource File
[VersionInfo] File Version : 13.0.1.201
[VersionInfo] Original FileName : versionResource.dll
[VersionInfo] Internal Name : CVIVersionResource
[VersionInfo] Legal Copyrights : Copyright © 1987-2014 National Instruments.
All rights reserved.
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.250 Second(s) [0000000FAh (250) tick(s)] [246 of 580 scan(s)
done]
--- snip ---
virustotal.com scan:
https://www.virustotal.com/gui/file/fb224b34081efdcf34f43901cfc423635e176206faed2f860b55acf159cdb0dd/details
$ sha1sum 201*-WinEng*
b16e80402d7567b49e0f47a673fe53accbd1e029 2014LV-WinEng.exe
6e67bff38ea397df8317e5d9b4895c25d0674186 2015LV-WinEng.exe
15f2845122cedd53715bc96cf93afa6890c5d0fc 2016LV-WinEng.exe
8ffb9bb144d6e4071999f333a19c2ef266e4ec68 2017LV-WinEng.exe
4365d9beca39f743b31a87a1b44b2e456b290b86 2018LV-WinEng.exe
$ du -sh 201*-WinEng*
1.4G 2014LV-WinEng.exe
1.4G 2015LV-WinEng.exe
1.5G 2016LV-WinEng.exe
1.4G 2017LV-WinEng.exe
1.6G 2018LV-WinEng.exe
$ wine --version
wine-6.0-rc6
Regards
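A small triage helper for the `+seh` lines in the trace above, added here as an example and not part of the original report or of Wine: it recovers which register served as the base of the faulting access and flags a base that holds repeated filler bytes instead of a pointer. The function names and the 0x1000 displacement window are assumptions of this sketch.

```python
import re

# The four seh lines from the trace above, with the mail's line wraps rejoined.
TRACE = """\
0560:trace:seh:dispatch_exception code=c0000005 flags=0 addr=00E8483B ip=00e8483b tid=0560
0560:trace:seh:dispatch_exception info[0]=00000000
0560:trace:seh:dispatch_exception info[1]=90909170
0560:trace:seh:dispatch_exception eax=000000e0 ebx=00e821a0 ecx=90909090 edx=0000000c esi=00000028 edi=00e83068
"""

ACCESS = {0: "read", 1: "write", 8: "execute"}  # info[0] of an access violation
FIELD = re.compile(r"\b([a-z]+(?:\[\d\])?)=([0-9a-fA-F]+)")
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi")

def parse_fault(trace):
    """Collect the key=value fields of all dispatch_exception lines (values are hex)."""
    fields = {}
    for line in trace.splitlines():
        if "seh:dispatch_exception" in line:
            fields.update((k, int(v, 16)) for k, v in FIELD.findall(line))
    return fields

def is_filler(value):
    """True when all four bytes of a 32-bit value are the same non-zero byte."""
    byte = value & 0xFF
    return byte != 0 and value == byte * 0x01010101

def triage(trace, max_disp=0x1000):
    """Return the fault summary, or None if the trace holds no access violation."""
    f = parse_fault(trace)
    if f.get("code") != 0xC0000005:
        return None
    target = f["info[1]"]  # address the faulting instruction tried to touch
    bases = []
    for reg in GPRS:
        if reg not in f:
            continue
        disp = (target - f[reg]) & 0xFFFFFFFF  # 32-bit wrap-around
        if disp < max_disp:  # register is a plausible base for a small offset
            bases.append({"reg": reg, "value": f[reg], "disp": disp,
                          "filler": is_filler(f[reg])})
    return {"ip": f["ip"], "access": ACCESS.get(f["info[0]"], "unknown"),
            "target": target, "bases": bases}

if __name__ == "__main__":
    r = triage(TRACE)
    print(f"{r['access']} of {r['target']:08x} at ip={r['ip']:08x}")
    for b in r["bases"]:
        note = "filler bytes, not a pointer" if b["filler"] else "plausible pointer"
        print(f"  base {b['reg']}={b['value']:08x} + {b['disp']:#x}: {note}")
```

For this trace the only candidate base is `ecx`, the dword the listing loads through the `SeExports` stub, with the `0xE0` field offset held in `eax`.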