[Bug 39406] Multiple kernel drivers crash due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)(LabVIEW 201x CVI 'cvintdrv.sys', F-Secure BlackLight Engine 2.2 'fsbldrv.sys')
WineHQ Bugzilla
wine-bugs at winehq.org
Sat Jan 16 10:15:35 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=39406
Anastasius Focht <focht at gmx.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
Summary | LabVIEW 201x CVI kernel driver 'cvintdrv.sys' crashes due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure) | Multiple kernel drivers crash due to missing 'ntoskrnl.SeExports' export (SE_EXPORTS structure)(LabVIEW 201x CVI 'cvintdrv.sys', F-Secure BlackLight Engine 2.2 'fsbldrv.sys')
URL | https://web.archive.org/web/20181022065706/http://download.ni.com/evaluation/labview/ekit/other/downloader/2014LV-WinEng.exe | https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
--- Comment #4 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
I've found another, much smaller download for reproducing this:
F-Secure BlackLight Engine 2.2.x (Rootkit scanner) from bug 21038
Stable download via Internet Archive:
https://web.archive.org/web/20210116145628/ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
To extract/debug the driver standalone, set a breakpoint on StartServiceA() and
force quit. This prevents the "temp" rootkit detection helper driver/service
binary from getting deleted immediately upon failure/unload.
Service registry entry:
--- snip ---
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fsbl-standalone]
"DisplayName"="F-Secure BlackLight Beta Engine Driver"
"ErrorControl"=dword:00000001
"ImagePath"="C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys"
"ObjectName"="LocalSystem"
"PreshutdownTimeout"=dword:0002bf20
"Start"=dword:00000003
"Type"=dword:00000001
"WOW64"=dword:00000001
--- snip ---
Manually start:
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+loaddll wine net start fsbl-standalone >>log.txt 2>&1
...
0108:trace:ntoskrnl:load_driver loading driver L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys"
0108:Call KERNEL32.LoadLibraryW(000433b0 L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys") ret=0032606e
...
0108:trace:loaddll:build_module Loaded L"C:\\users\\focht\\Temp\\F-Secure\\BlackLight\\fsbldrv.sys" at 0000000000D60000: native
0108:Call LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
...
0108:trace:ntoskrnl:ldr_notify_callback loading L"fsbldrv.sys"
...
0108:trace:ntoskrnl:ldr_notify_callback relocating from 0000000000010000-000000000001D000 to 0000000000D60000-0000000000D6D000
...
0108:Ret LDR notification callback (proc=00000000003274E0,reason=1,data=0000000000C3F2D0,context=0000000000000000)
0108:Ret ntdll.LdrLoadDll() retval=00000000 ret=7b020b30
...
0108:Ret KERNEL32.LoadLibraryW() retval=00d60000 ret=0032606e
...
0108:Call driver init 0000000000D6A010 (obj=0000000000043200,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\fsbl-standalone")
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D6A03C ip=0000000000D6A03C tid=0108
0108:trace:seh:dispatch_exception info[0]=0000000000000000
0108:trace:seh:dispatch_exception info[1]=0000000000000320
0108:trace:seh:dispatch_exception rax=0000000000000320 rbx=0000000000d6a010 rcx=0000000000043200 rdx=0000000000043368
0108:trace:seh:dispatch_exception rsi=000000007b6038a8 rdi=00000000000433b0 rbp=0000000000c3f890 rsp=0000000000c3f808
0108:trace:seh:dispatch_exception r8=0000000000d66108 r9=000000002ddfa232 r10=0000000000000028 r11=0000000000000000
0108:trace:seh:dispatch_exception r12=0000000000043200 r13=0000000000043368 r14=0000000000041908 r15=0000000000000000
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
...
0108:fixme:ntoskrnl:MmGetSystemRoutineAddress L"IoCreateDeviceSecure" not found
...
0108:trace:ntoskrnl:MmGetSystemRoutineAddress L"IoValidateDeviceIoControlAccess" -> 0000000000312F98
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653c0 L"A;;GA;;;SY)(A;;GA;;;BA)",00d65824 L"A",00000001) ret=00d68f7f
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d68f7f
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6581c L"RC",00000002) ret=00d68fef
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff5 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d65814 L"WD",00000002) ret=00d68fef
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=fffffff0 ret=00d68fef
0108:Call ntoskrnl.exe._wcsnicmp(00d653c6 L"GA;;;SY)(A;;GA;;;BA)",00d6580c L"WO",00000002) ret=00d68fef
...
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d66164 L"BA",00000002) ret=00d69174
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000011 ret=00d69174
0108:Call ntoskrnl.exe._wcsnicmp(00d653d0 L"SY)(A;;GA;;;BA)",00d6617c L"SY",00000002) ret=00d69174
...
0108:Ret ntoskrnl.exe._wcsnicmp() retval=00000000 ret=00d69174
0108:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000D691C8 ip=0000000000D691C8 tid=0108
0108:trace:seh:dispatch_exception info[0]=0000000000000000
0108:trace:seh:dispatch_exception info[1]=00000000ffffffff
0108:trace:seh:dispatch_exception rax=0000000000315338 rbx=0000000000d653d4 rcx=0000000028ec8348 rdx=0000000000000108
0108:trace:seh:dispatch_exception rsi=0000000000d66184 rdi=0000000000000006 rbp=0000000000000002 rsp=0000000000c3f520
0108:trace:seh:dispatch_exception r8=0000000000000000 r9=0000000000000000 r10=0000000000c3f06b r11=0000000000000000
0108:trace:seh:dispatch_exception r12=0000000010000000 r13=0000000000d66140 r14=00000000c000000d r15=0000000000c3f5c8
0108:trace:seh:call_vectored_handlers calling handler at 000000000031D2F0 code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000000031D2F0 returned 0
0108:trace:seh:call_vectored_handlers calling handler at 000000007B011BA0 code=c0000005 flags=0
0108:trace:seh:call_vectored_handlers handler at 000000007B011BA0 returned 0
...
0108:trace:seh:start_debugger Starting debugger L"winedbg --auto 252 68"
...
wine: Unhandled page fault on read access to FFFFFFFFFFFFFFFF at address 0000000000D691C8 (thread 0108), starting debugger...
--- snip ---
Crash site using x64dbg (winedbg doesn't work here, which is a different issue):
--- snip ---
0000000000D6916F | call <JMP.&_wcsnicmp> |
0000000000D69174 | test eax,eax |
0000000000D69176 | je fsbldrv.D69191 |
0000000000D69178 | inc edi |
0000000000D6917A | inc rbp |
0000000000D6917D | add rsi,18 |
0000000000D69181 | cmp edi,C |
0000000000D69184 | jb fsbldrv.D69160 |
0000000000D69186 | mov r13d,C0000073 |
0000000000D6918C | jmp fsbldrv.D6927B |
0000000000D69191 | lea rdi,qword ptr ss:[rbp+rbp*2] |
0000000000D69196 | cmp dword ptr ds:[r13+rdi*8+8],1 |
0000000000D6919C | mov eax,dword ptr ds:[r13+rdi*8+14] |
0000000000D691A1 | lea rbx,qword ptr ds:[rbx+rax*2] |
0000000000D691A5 | jne fsbldrv.D691B9 |
0000000000D691A7 | mov dl,20 |
0000000000D691A9 | mov cl,1 |
0000000000D691AB | call qword ptr ds:[<&IoIsWdmVersionAvailable>] |
0000000000D691B1 | test al,al |
0000000000D691B3 | jne fsbldrv.D691B9 |
0000000000D691B5 | xor ecx,ecx |
0000000000D691B7 | jmp fsbldrv.D691CC |
0000000000D691B9 | mov rax,qword ptr ds:[<&__wine_stub_SeExports>] |
0000000000D691C0 | mov rdx,qword ptr ds:[r13+rdi*8] |
0000000000D691C5 | mov rcx,qword ptr ds:[rax] |
0000000000D691C8 | mov rcx,qword ptr ds:[rdx+rcx] |
0000000000D691CC | xor r13d,r13d |
0000000000D691CF | test rbx,rbx |
0000000000D691D2 | je fsbldrv.D6925C |
--- snip ---
virustotal.com scans:
'fsbl.exe' app:
https://www.virustotal.com/gui/file/9f366a024370ed1c559f327db5266d3a27343d401324b57acdcbfccd9125bd01/details
'fsbldrv.sys' driver:
https://www.virustotal.com/gui/file/2a4426c59dac979b357f1d080bd3f63662d8513fc0d05006ddc342ca5d146b70/details
$ sha1sum fsbl.exe
b91cc97353117ed488acee290b39ef63ded7f5e4 fsbl.exe
$ du -sh fsbl.exe
1.1M fsbl.exe
$ wine --version
wine-6.0-40-g00401d22782
Regards
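What the disassembly at the crash site is doing, shown as an added example in plain C that is not code from the bug report, from Wine or from F-Secure: the driver walks the DACL string "(A;;GA;;;SY)(A;;GA;;;BA)", compares the trailing two-letter SID alias of each ACE against a table with _wcsnicmp (the `cmp edi,C` / `add rsi,18` loop), and on a match loads the kernel's SeExports pointer, reads the SE_EXPORTS field at a table-supplied offset (`mov rdx,[r13+rdi*8]` then `mov rcx,[rdx+rcx]`) and uses that as the PSID. Under Wine the import resolves to the `__wine_stub_SeExports` code stub rather than a data export, so the qword read as the structure pointer is instruction bytes (the rcx at the fault, 0x28ec8348, is the little-endian encoding of 48 83 EC 28, a `sub rsp,28h` prologue) and the next dereference faults. The model below reproduces the lookup in user mode with the exports pointer and the resolved field checked, so a missing export produces STATUS_NOT_FOUND instead of a page fault. All of it is assumed for illustration: `se_exports_model` is a trimmed stand-in for the real SE_EXPORTS in ntifs.h, `alias_table` only covers aliases seen in the trace, and the binary SIDs and DACL strings are constructed sample input.

```c
/* Added example, not code from the bug report, Wine or F-Secure: a user-mode
 * model of the SID-alias lookup fsbldrv.sys performs when it faults. The struct
 * is a trimmed stand-in for SE_EXPORTS (ntifs.h); table, SIDs and DACL strings
 * are constructed sample input, not taken from the page. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef const void *PSID;

/* Trimmed stand-in for SE_EXPORTS: well-known SIDs the executive exports. */
struct se_exports_model {
    PSID SeWorldSid;         /* "WD" S-1-1-0      */
    PSID SeLocalSystemSid;   /* "SY" S-1-5-18     */
    PSID SeAliasAdminsSid;   /* "BA" S-1-5-32-544 */
    PSID SeRestrictedSid;    /* "RC" S-1-5-12     */
};

/* Alias text plus the offset the driver adds to *SeExports (the disassembly
 * fetches that offset from its own table at [r13+rdi*8]). */
static const struct { const char *alias; size_t offset; } alias_table[] = {
    { "WD", offsetof(struct se_exports_model, SeWorldSid) },
    { "SY", offsetof(struct se_exports_model, SeLocalSystemSid) },
    { "BA", offsetof(struct se_exports_model, SeAliasAdminsSid) },
    { "RC", offsetof(struct se_exports_model, SeRestrictedSid) },
};

#define STATUS_SUCCESS           0x00000000u   /* NTSTATUS codes, ntstatus.h */
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_NOT_FOUND         0xC0000225u

/* _wcsnicmp analogue; callers guarantee n readable chars in both strings. */
static int nicmp(const char *a, const char *b, size_t n)
{
    int d = 0;
    for (size_t i = 0; i < n && d == 0; i++)
        d = tolower((unsigned char)a[i]) - tolower((unsigned char)b[i]);
    return d;
}

/* Resolve one alias the way the driver does, but defensively: `exports` is what
 * the kernel's SeExports export would hold (NULL models a missing or stubbed
 * export) and both it and the field it points at are checked before use. */
static uint32_t resolve_alias(const struct se_exports_model *exports,
                              const char *alias, size_t len, PSID *out)
{
    *out = NULL;
    if (!exports) return STATUS_NOT_FOUND;   /* no SE_EXPORTS: fail, don't fault */
    for (size_t i = 0; i < sizeof alias_table / sizeof alias_table[0]; i++) {
        if (len != strlen(alias_table[i].alias) ||
            nicmp(alias, alias_table[i].alias, len) != 0) continue;
        PSID sid = *(const PSID *)((const char *)exports + alias_table[i].offset);
        if (!sid) return STATUS_NOT_FOUND;   /* field never populated */
        *out = sid;
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_PARAMETER;         /* alias not in the table */
}

/* Resolve the SID alias of every "(...;ALIAS)" ACE in an SDDL DACL fragment.
 * Returns the first failing status; *count is how many ACEs resolved. */
static uint32_t resolve_dacl_aliases(const struct se_exports_model *exports,
        const char *sddl, PSID *sids, size_t max, size_t *count)
{
    *count = 0;
    for (const char *p = strchr(sddl, '('); p; p = strchr(p, '(')) {
        const char *close = strchr(p, ')');
        if (!close || *count >= max) return STATUS_INVALID_PARAMETER;
        const char *sid = close;             /* SID is the last ';' field */
        while (sid > p && sid[-1] != ';') sid--;
        uint32_t st = resolve_alias(exports, sid, (size_t)(close - sid), &sids[*count]);
        if (st != STATUS_SUCCESS) return st;
        (*count)++;
        p = close + 1;
    }
    return STATUS_SUCCESS;
}

/* Constructed sample: binary S-1-1-0, S-1-5-18, S-1-5-32-544 (revision, count,
 * 48-bit authority, sub-authorities) in an exports block with RC left NULL. */
static const unsigned char world_sid[]  = {1,1,0,0,0,0,0,1,0,0,0,0};
static const unsigned char system_sid[] = {1,1,0,0,0,0,0,5,18,0,0,0};
static const unsigned char admins_sid[] = {1,2,0,0,0,0,0,5,32,0,0,0,0x20,0x02,0,0};
static const struct se_exports_model sample_exports =
    { world_sid, system_sid, admins_sid, NULL };

/* Status of a lookup against the sample exports (none when have_exports is 0);
 * the number of ACEs resolved is left in sample_resolved. */
size_t sample_resolved;
uint32_t sample_lookup(const char *sddl, int have_exports)
{
    PSID sids[8];
    return resolve_dacl_aliases(have_exports ? &sample_exports : NULL,
                                sddl, sids, 8, &sample_resolved);
}

int main(void)
{
    const char *dacl = "D:(A;;GA;;;SY)(A;;GA;;;BA)";   /* the DACL seen in the trace */
    printf("with SeExports:    0x%08x\n", sample_lookup(dacl, 1));  /* 0x00000000, 2 ACEs */
    printf("without SeExports: 0x%08x\n", sample_lookup(dacl, 0));  /* 0xc0000225, 0 ACEs */
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The NTSTATUS values are what a DriverEntry would return instead of touching an unchecked pointer; the same two checks (does the export hold a usable pointer, is the field populated) apply to any data export a driver consumes by name, and a literal SID string in an ACE is rejected here rather than parsed, which the real driver may handle differently.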