[Bug 39406] Multiple kernel drivers crash due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)(LabVIEW 201x CVI 'cvintdrv.sys', F-Secure BlackLight Engine 2.2 'fsbldrv.sys')

WineHQ Bugzilla wine-bugs at winehq.org
Sat Jan 16 10:15:35 CST 2021


https://bugs.winehq.org/show_bug.cgi?id=39406

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|LabVIEW 201x CVI kernel     |Multiple kernel drivers
                   |driver 'cvintdrv.sys'       |crash due to missing
                   |crashes due to missing      |'ntoskrnl.SeExports' export
                   |'ntoskrnl.SeExports' export |(SE_EXPORTS
                   |(SE_EXPORTS structure)      |structure)(LabVIEW 201x CVI
                   |                            |'cvintdrv.sys', F-Secure
                   |                            |BlackLight Engine 2.2
                   |                            |'fsbldrv.sys')
                URL|https://web.archive.org/web |https://web.archive.org/web
                   |/20181022065706/http://down |/20210116145628/ftp://ftp.f
                   |load.ni.com/evaluation/labv |-secure.com/anti-virus/tool
                   |iew/ekit/other/downloader/2 |s/fsbl.exe
                   |014LV-WinEng.exe            |

--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

I've found another, much smaller download for reproducing this:

F-Secure BlackLight Engine 2.2.x (Rootkit scanner) from bug 21038

Stable download via Internet Archive:

https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

To extract/debug the driver standalone, set a breakpoint on StartServiceA() and
force quit. This prevents the "temp" rootkit detection helper driver/service
binary from getting deleted immediately upon failure/unload.

Service registry entry:

--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fsbl-standalone]
"DisplayName"="F-Secure BlackLight Beta Engine Driver"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
--- snip ---

Manually start:

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+loaddll wine net start fsbl-standalone >>log.txt 2>&1
...
0108:trace:ntoskrnl:load_driver loading driver
L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys"
0108:Call KERNEL32.LoadLibraryW(000433b0
L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys") ret=0032606e 
...
0108:trace:loaddll:build_module Loaded
L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys" at
0000000000D60000: native
0108:Call LDR notification callback
(proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
...
0108:trace:ntoskrnl:ldr_notify_callback loading L"fsbldrv.sys"
...
0108:trace:ntoskrnl:ldr_notify_callback relocating from
0000000000010000-000000000001D000 to 0000000000D60000-0000000000D6D000
...
0108:Ret  LDR notification callback
(proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
0108:Ret  ntdll.LdrLoadDll() retval=00000000 ret=7b020b30
...
0108:Ret  KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e 
...
0108:Call driver init 0000000000D6A010
(obj=0000000000043200,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fsbl-standalone")
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D6A03C
ip=0000000000D6A03C tid=0108
0108:trace:seh:dispatch_exception  info[0]=0000000000000000
0108:trace:seh:dispatch_exception  info[1]=0000000000000320
0108:trace:seh:dispatch_exception  rax=0000000000000320 rbx=0000000000d6a010
rcx=0000000000043200 rdx=0000000000043368
0108:trace:seh:dispatch_exception  rsi=000000007b6038a8 rdi=00000000000433b0
rbp=0000000000c3f890 rsp=0000000000c3f808
0108:trace:seh:dispatch_exception   r8=0000000000d66108  r9=000000002ddfa232
r10=0000000000000028 r11=0000000000000000
0108:trace:seh:dispatch_exception  r12=0000000000043200 r13=0000000000043368
r14=0000000000041908 r15=0000000000000000
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0
code=c0000005 flags=0 
...
0108:fixme:ntoskrnl:MmGetSystemRoutineAddress L"IoCreateDeviceSecure" not found 
...
0108:trace:ntoskrnl:MmGetSystemRoutineAddress
L"IoValidateDeviceIoControlAccess" -> 0000000000312F98 
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653c0 L"A;;GA;;;SY)(A;;GA;;;BA)",00d65824
L"A",00000001) ret=00d68f7f 
...
0108:Ret  ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d68f7f
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6581c
L"RC",00000002) ret=00d68fef
...
0108:Ret  ntoskrnl.exe._wcsnicmp() retval=fffffff5 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d65814
L"WD",00000002) ret=00d68fef
...
0108:Ret  ntoskrnl.exe._wcsnicmp() retval=fffffff0 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6580c
L"WO",00000002) ret=00d68fef 
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d66164
L"BA",00000002) ret=00d69174 
...
0108:Ret  ntoskrnl.exe._wcsnicmp() retval=00000011 ret=00d69174
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d6617c
L"SY",00000002) ret=00d69174 
...
0108:Ret  ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d69174
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D691C8
ip=0000000000D691C8 tid=0108
0108:trace:seh:dispatch_exception  info[0]=0000000000000000
0108:trace:seh:dispatch_exception  info[1]=00000000ffffffff
0108:trace:seh:dispatch_exception  rax=0000000000315338 rbx=0000000000d653d4
rcx=0000000028ec8348 rdx=0000000000000108
0108:trace:seh:dispatch_exception  rsi=0000000000d66184 rdi=0000000000000006
rbp=0000000000000002 rsp=0000000000c3f520
0108:trace:seh:dispatch_exception   r8=0000000000000000  r9=0000000000000000
r10=0000000000c3f06b r11=0000000000000000
0108:trace:seh:dispatch_exception  r12=0000000010000000 r13=0000000000d66140
r14=00000000c000000d r15=0000000000c3f5c8
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0
code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0108:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0
code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0 
...
0108:trace:seh:start_debugger Starting debugger L"winedbg --auto 252 68" 
...
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address
0000000000D691C8 (thread 0108), starting debugger... 
--- snip ---

Crash site using x64dbg (winedbg doesn't work here, which is a different issue):

--- snip ---
0000000000D6916F | call <JMP.&_wcsnicmp>                          |
0000000000D69174 | test eax,eax                                   |
0000000000D69176 | je fsbldrv.D69191                              |
0000000000D69178 | inc edi                                        |
0000000000D6917A | inc rbp                                        |
0000000000D6917D | add rsi,18                                     |
0000000000D69181 | cmp edi,C                                      |
0000000000D69184 | jb fsbldrv.D69160                              |
0000000000D69186 | mov r13d,C0000073                              |
0000000000D6918C | jmp fsbldrv.D6927B                             |
0000000000D69191 | lea rdi,qword ptr ss:[rbp+rbp*2]               |
0000000000D69196 | cmp dword ptr ds:[r13+rdi*8+8],1               |
0000000000D6919C | mov eax,dword ptr ds:[r13+rdi*8+14]            |
0000000000D691A1 | lea rbx,qword ptr ds:[rbx+rax*2]               |
0000000000D691A5 | jne fsbldrv.D691B9                             |
0000000000D691A7 | mov dl,20                                      |
0000000000D691A9 | mov cl,1                                       |
0000000000D691AB | call qword ptr ds:[<&IoIsWdmVersionAvailable>] |
0000000000D691B1 | test al,al                                     |
0000000000D691B3 | jne fsbldrv.D691B9                             |
0000000000D691B5 | xor ecx,ecx                                    |
0000000000D691B7 | jmp fsbldrv.D691CC                             |
0000000000D691B9 | mov rax,qword ptr ds:[<&__wine_stub_SeExports> |
0000000000D691C0 | mov rdx,qword ptr ds:[r13+rdi*8]               |
0000000000D691C5 | mov rcx,qword ptr ds:[rax]                     |
0000000000D691C8 | mov rcx,qword ptr ds:[rdx+rcx]                 |
0000000000D691CC | xor r13d,r13d                                  |
0000000000D691CF | test rbx,rbx                                   |
0000000000D691D2 | je fsbldrv.D6925C                              |
--- snip ---

virustotal.com scans:

'fsbl.exe' app:

https://www.virustotal.com/gui/file/9f366a024370ed1c559f327db5266d3a27343d401324b57acdcbfccd9125bd01/details

'fsbldrv.sys' driver:

https://www.virustotal.com/gui/file/2a4426c59dac979b357f1d080bd3f63662d8513fc0d05006ddc342ca5d146b70/details

$ sha1sum fsbl.exe 
b91cc97353117ed488acee290b39ef63ded7f5e4  fsbl.exe

$ du -sh fsbl.exe 
1.1M    fsbl.exe

$ wine --version
wine-6.0-40-g00401d22782

Regards

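The C program below is an added illustration and is not code from the bug report, from Wine or from F-Secure. It models what the disassembly in the comment does: the driver walks the SDDL DACL ACE by ACE, matches the trailing account field ("SY", "BA", "WD", ...) against a lookup table, takes that entry's byte offset into SE_EXPORTS, and indexes through the pointer variable that the name "SeExports" denotes on Windows (ntifs.h declares it as PSE_EXPORTS SeExports, which is why the code reads [rax] before indexing). When the loader binds that name to a function stub instead, the first qword fetched from it is code: the low dword of rcx in the crash dump, 28ec8348, is the little-endian reading of the bytes 48 83 EC 28, the encoding of 'sub rsp,0x28', and the second dereference then faults. Everything specific to the example is constructed: the SE_EXPORTS_LIKE layout and its slot offsets, the three-entry token table, the zero padding after the stub's first four bytes, and the DACL string. The one defensive step shown, refusing to index through an import whose contents decode as code, is the check that is absent between 'mov rcx,[rax]' and 'mov rcx,[rdx+rcx]' in the driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal SID; two sub-authorities cover the well-known SIDs used here. */
typedef struct {
    uint8_t  Revision, SubAuthorityCount, IdentifierAuthority[6];
    uint32_t SubAuthority[2];
} SID;

/* Constructed subset of SE_EXPORTS (ntifs.h has LUIDs, then PSID slots); only the shape matters. */
typedef struct {
    uint64_t   privilege_luids[3];  /* stand-in for the LUID fields that precede the SIDs */
    const SID *SeWorldSid;          /* SDDL "WD" */
    const SID *SeLocalSystemSid;    /* SDDL "SY" */
    const SID *SeAliasAdminsSid;    /* SDDL "BA" */
} SE_EXPORTS_LIKE;

static const SID sid_world        = { 1, 1, {0,0,0,0,0,1}, {0, 0} };    /* S-1-1-0      */
static const SID sid_local_system = { 1, 1, {0,0,0,0,0,5}, {18, 0} };   /* S-1-5-18     */
static const SID sid_admins       = { 1, 2, {0,0,0,0,0,5}, {32, 544} }; /* S-1-5-32-544 */
static const SE_EXPORTS_LIKE se_exports_table = { {0,0,0}, &sid_world, &sid_local_system, &sid_admins };

/* On Windows "SeExports" names a pointer variable (PSE_EXPORTS): the import binds to this cell. */
const SE_EXPORTS_LIKE *const SeExportsVar = &se_exports_table;

/* Constructed stand-in for a function stub bound to the missing data export:
   48 83 EC 28 encodes 'sub rsp,0x28'; the zero padding behind it is an assumption. */
const uint8_t stub_SeExports[8] = { 0x48, 0x83, 0xEC, 0x28, 0, 0, 0, 0 };

/* Token -> byte offset of the PSID slot, the role of the driver's 24-byte-entry
   table (cmp edi,C / add rsi,18 above); these three entries are constructed. */
static const struct { const char *tok; size_t off; } sid_slots[] = {
    { "WD", offsetof(SE_EXPORTS_LIKE, SeWorldSid) },
    { "SY", offsetof(SE_EXPORTS_LIKE, SeLocalSystemSid) },
    { "BA", offsetof(SE_EXPORTS_LIKE, SeAliasAdminsSid) },
};

/* What 'mov rcx,[rax]' fetches: eight little-endian bytes at the import address. */
uint64_t read_import_qword(const void *import)
{
    const uint8_t *p = import;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Diagnostic: does the fetched value begin with x64 'sub rsp,imm8' (48 83 EC ib)?
   Returns imm8 or -1; on the crash dump's rcx (low dword 28ec8348) it returns 0x28. */
int decode_sub_rsp_imm8(uint64_t v)
{
    if ((v & 0xFF) != 0x48 || ((v >> 8) & 0xFF) != 0x83 || ((v >> 16) & 0xFF) != 0xEC)
        return -1;
    return (int)((v >> 24) & 0xFF);
}

/* Resolve one two-letter SDDL account token through SeExports. Unlike the driver,
   refuse to index through an import whose contents decode as code. */
const SID *resolve_sddl_sid(const void *import, const char *tok, int *bound_to_stub)
{
    *bound_to_stub = decode_sub_rsp_imm8(read_import_qword(import)) >= 0;
    if (*bound_to_stub) return NULL;
    const uint8_t *table;
    memcpy(&table, import, sizeof table);                     /* mov rcx,[rax]     */
    for (size_t i = 0; i < sizeof sid_slots / sizeof sid_slots[0]; i++) {
        if (strncmp(tok, sid_slots[i].tok, 2) != 0) continue; /* _wcsnicmp(..,2)   */
        const SID *sid;
        memcpy(&sid, table + sid_slots[i].off, sizeof sid);   /* mov rcx,[rdx+rcx] */
        return sid;
    }
    return NULL;
}

/* Extract the trailing account field of each "(type;flags;rights;;;SID)" ACE.
   Only two-letter aliases are handled; returns the ACE count, or -1 on malformed input. */
int sddl_ace_sids(const char *sddl, char out[][3], int max)
{
    int n = 0;
    for (const char *p = sddl; n < max && (p = strchr(p, '(')) != NULL; n++) {
        const char *end = strchr(p, ')'), *field;
        if (end == NULL) return -1;
        for (field = end; field > p && field[-1] != ';'; field--) {}
        if (end - field != 2) return -1;
        memcpy(out[n], field, 2);
        out[n][2] = '\0';
        p = end + 1;
    }
    return n;
}

int main(void)
{
    char toks[4][3];  /* constructed DACL with the same two ACEs as the trace */
    int n = sddl_ace_sids("D:P(A;;GA;;;SY)(A;;GA;;;BA)", toks, 4), stub;
    for (int i = 0; i < n; i++) {
        const SID *s = resolve_sddl_sid(&SeExportsVar, toks[i], &stub);
        if (s) printf("%s -> S-1-%u-%u\n", toks[i], (unsigned)s->IdentifierAuthority[5], (unsigned)s->SubAuthority[0]);
    }
    printf("stub import: qword %#llx, sub rsp imm8 %d, resolved %p\n",
           (unsigned long long)read_import_qword(stub_SeExports),
           decode_sub_rsp_imm8(read_import_qword(stub_SeExports)),
           (const void *)resolve_sddl_sid(stub_SeExports, "SY", &stub));
    return 0;
}
```

Build with any C99 compiler on a 64-bit host (for example gcc -std=c99 -Wall). The real-table path resolves SY and BA to S-1-5-18 and S-1-5-32-544; the stub path reports qword 0x28ec8348 and imm8 0x28 and returns NULL instead of dereferencing it, which is the point at which the driver faults on Wine.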