[Bug 49165] Multiple kernel drivers crash in entry point due to 'IoGetDeviceObjectPointer' returning a stub device when the device object doesn't exist (VeraCrypt 1.24 'veracrypt_x64.sys', NAV 2010 'ccHPx64.sys', Protect DiSC 'acedrv11.sys')

WineHQ Bugzilla wine-bugs at winehq.org
Thu Jul 1 02:14:13 CDT 2021


https://bugs.winehq.org/show_bug.cgi?id=49165

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Multiple kernel drivers     |Multiple kernel drivers
                   |crash in entry point due to |crash in entry point due to
                   |'IoGetDeviceObjectPointer'  |'IoGetDeviceObjectPointer'
                   |returning a stub device     |returning a stub device
                   |when the device object      |when the device object
                   |doesn't exist (VeraCrypt    |doesn't exist (VeraCrypt
                   |1.24 'veracrypt_x64.sys',   |1.24 'veracrypt_x64.sys',
                   |NAV 2010 'ccHPx64.sys')     |NAV 2010 'ccHPx64.sys',
                   |                            |Protect DiSC
                   |                            |'acedrv11.sys')
           Keywords|                            |obfuscation

--- Comment #5 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting, still present.

Adding another driver 'acedrv11.sys' from 'Protect DiSC' DRM scheme
(continuation of bug 39734)

https://web.archive.org/web/20210701055235/https://dl.4players.de/f1/pc/cobra_11_nitro/BurningWheelsDemo.exe

NOTE: The driver service startup suffers from bug 50431 (remove 'WOW64' driver
key).

--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers

$ file acedrv11.sys 
acedrv11.sys: PE32+ executable (native) x86-64, for MS Windows
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+server,+ntoskrnl,+loaddll,+module wine net start acedrv11 >>log.txt 2>&1
...
0120:trace:loaddll:build_module Loaded
L"C:\\windows\\system32\\drivers\\acedrv11.sys" at 0000000000DC0000: native
...
0120:trace:module:process_attach (L"acedrv11.sys",0000000000000000) - START
0120:Call LDR notification callback
(proc=0000000000367A00,reason=1,data=0000000000C7F2A0,context=0000000000000000)
...
0120:trace:ntoskrnl:ldr_notify_callback loading L"acedrv11.sys" 
...
0120:Ret  LDR notification callback
(proc=0000000000367A00,reason=1,data=0000000000C7F2A0,context=0000000000000000)
0120:trace:module:process_attach (L"acedrv11.sys",0000000000000000) - END
0120:Ret  ntdll.LdrLoadDll() retval=00000000 ret=7b020d66
...
0120:Ret  kernelbase.LoadLibraryExW() retval=00dc0000 ret=7bc42e5f
0120:Ret  KERNEL32.LoadLibraryExW() retval=00dc0000 ret=003664b6
...
0120:Call driver init 0000000000DE9008
(obj=0000000000173930,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\acedrv11")
...
0120:Call
ntoskrnl.exe.IoCreateDevice(00173930,00000048,00c7f6c8,00000022,00000000,00000000,00c7f6c0)
ret=00e09947
...
0120:trace:ntoskrnl:IoCreateDevice (0000000000173930, 72,
L"\\Device\\PCDDRV11", 34, 0, 0, 0000000000C7F6C0)
0120:Call ntdll.RtlAllocateHeap(00140000,00000008,000001a8) ret=00361a7e
0120:Ret  ntdll.RtlAllocateHeap() retval=001742a0 ret=00361a7e
0120: create_device( rootdir=0000, user_ptr=001742b0, manager=0040,
name=L"\\Device\\PCDDRV11" )
0120: create_device() = 0
0034:Call ntdll.RtlEnterCriticalSection(7f9c6bdbea20) ret=7f9c6bd6bd9d
0120:Ret  ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=00e09947
...
0120:Call ntoskrnl.exe.IoCreateSymbolicLink(00c7f6f8,00c7f6c8) ret=00e0996f
...
0120:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\ACEDRV11" ->
L"\\Device\\PCDDRV11"
0120:Call ntdll.NtCreateSymbolicLinkObject(00c7f5b0,000f0001,00c7f5b8,00c7f6c8)
ret=00361ffd
0120: create_symlink( access=000f0001,
objattr={rootdir=0000,attributes=000000d0,sd={},name=L"\\DosDevices\\ACEDRV11"},
target_name=L"\\Device\\PCDDRV11" )
0120: create_symlink() = 0 { handle=0048 }
0120:Ret  ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=00361ffd
...
0120:Ret  ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=00e0996f
...
0120:Call
ntoskrnl.exe.IoGetDeviceObjectPointer(00c7f6c8,00000080,00c7f740,00c7f738)
ret=00dc86fe
...
0120:fixme:ntoskrnl:IoGetDeviceObjectPointer stub: L"\\DosDevices\\CdRom0" 80
0000000000C7F740 0000000000C7F738
0120:Ret  ntoskrnl.exe.IoGetDeviceObjectPointer() retval=00000000 ret=00dc86fe
0120:Call ntoskrnl.exe.ExAllocatePool(00000000,000000b8) ret=00de1064
0120:Call ntdll.RtlAllocateHeap(00a00000,00000000,000000b8) ret=0035ffc8
0120:Ret  ntdll.RtlAllocateHeap() retval=00a00470 ret=0035ffc8
0120:trace:ntoskrnl:ExAllocatePoolWithTag 184 pool 0 -> 0000000000A00470
0120:Ret  ntoskrnl.exe.ExAllocatePool() retval=00a00470 ret=00de1064
0120:Call ntoskrnl.exe.KeInitializeEvent(00a00478,00000000,00000000)
ret=00de1187
0120:trace:ntoskrnl:KeInitializeEvent event 0000000000A00478, type 0, state 0.
0120:Ret  ntoskrnl.exe.KeInitializeEvent() retval=00000029 ret=00de1187
0120:Call
ntoskrnl.exe.IoBuildSynchronousFsdRequest(00000003,0038d5c8,00de6ec0,00000060,00c7f650,00a00478,00c7f658)
ret=00e0bc4b
0120:trace:ntoskrnl:IoBuildSynchronousFsdRequest (3 000000000038D5C8
0000000000DE6EC0 96 0000000000C7F650 0000000000C7F658)
0120:trace:ntoskrnl:IoBuildAsynchronousFsdRequest (3 000000000038D5C8
0000000000DE6EC0 96 0000000000C7F650 0000000000C7F658)
0120:trace:ntoskrnl:IoAllocateIrp -128, 0
0120:Call ntdll.RtlAllocateHeap(00a00000,00000000,00000310) ret=0035fea9
0120:Ret  ntdll.RtlAllocateHeap() retval=00a00540 ret=0035fea9
0120:trace:ntoskrnl:ExAllocatePoolWithTag 784 pool 0 -> 0000000000A00540
0120:trace:ntoskrnl:IoInitializeIrp 0000000000A00540, 784, -128
0120:Call msvcrt.memset(00a00540,00000000,00000310) ret=0035ff43
0120:Ret  msvcrt.memset() retval=00a00540 ret=0035ff43
0120:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000360A9E
ip=0000000000360A9E tid=0120
0120:trace:seh:dispatch_exception  info[0]=0000000000000001
0120:trace:seh:dispatch_exception  info[1]=00000000009fe1c8
0120:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception
(code=c0000005) raised
0120:trace:seh:dispatch_exception  rax=0000000000a00540 rbx=0000000000000003
rcx=0000000000c9ea80 rdx=0000000000000000
0120:trace:seh:dispatch_exception  rsi=000000000038d5c8 rdi=0000000000a00540
rbp=0000000000c7f480 rsp=0000000000c7f430
0120:trace:seh:dispatch_exception   r8=0000000000000000  r9=0000000000000030
r10=00007f732f8a6768 r11=0000000000000000
0120:trace:seh:dispatch_exception  r12=00000000009fe210 r13=0000000000c7f650
r14=0000000000000060 r15=0000000000de6ec0
0120:trace:seh:call_vectored_handlers calling handler at 000000000035D380
code=c0000005 flags=0
0120:trace:seh:call_vectored_handlers handler at 000000000035D380 returned 0 
...
wine: Unhandled page fault on write access to 00000000009FE1C8 at address
0000000000360A9E (thread 0120), starting debugger... 
--- snip ---

$ sha1sum BurningWheelsDemo.exe 
6dc03653b97a0336a5c57fc4b04af61e3ebcee5e  BurningWheelsDemo.exe

$ du -sh BurningWheelsDemo.exe 
286M    BurningWheelsDemo.exe

$ wine --version
wine-6.11-235-g7f1623bc626

Regards

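The contract the report depends on, as an added example that is neither Wine's ntoskrnl code nor the driver's: a small C model of the name resolution IoGetDeviceObjectPointer is expected to perform (symbolic link, then device table), next to the check a driver entry point should make on the returned status before it builds an IRP for the target device. The `model_` functions, the narrow-string stand-ins for UNICODE_STRING and the in-memory tables are assumptions of this example; the object names are the ones in the log above, and the NTSTATUS constants are the standard Windows values.

```c
/* Added example, not code from Wine or from any driver named in the bug.
 * Models the lookup IoGetDeviceObjectPointer is expected to do so that the
 * expected contract is visible: an unknown name yields
 * STATUS_OBJECT_NAME_NOT_FOUND and a NULL device pointer, never
 * STATUS_SUCCESS with an unresolved pointer. Narrow C strings stand in for
 * UNICODE_STRING; the object tables are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au
#define STATUS_OBJECT_NAME_NOT_FOUND  0xC0000034u
#define STATUS_OBJECT_NAME_COLLISION  0xC0000035u
#define NT_SUCCESS(s) ((int32_t)(s) >= 0)

#define MAX_OBJECTS 8
#define NAME_LEN    64

typedef struct { char name[NAME_LEN]; } DEVICE_OBJECT;
typedef struct { char link[NAME_LEN]; char target[NAME_LEN]; } SYMLINK;

static DEVICE_OBJECT devices[MAX_OBJECTS];
static SYMLINK symlinks[MAX_OBJECTS];
static int ndevices, nsymlinks;

static void copy_name(char *dst, const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
}

/* Clear the constructed object tables (stand-alone run and tests). */
void model_reset(void) { ndevices = 0; nsymlinks = 0; }

/* Model of IoCreateDevice: register a device object under an NT object name. */
NTSTATUS model_IoCreateDevice(const char *name, DEVICE_OBJECT **out)
{
    for (int i = 0; i < ndevices; i++)
        if (strcmp(devices[i].name, name) == 0) return STATUS_OBJECT_NAME_COLLISION;
    if (ndevices == MAX_OBJECTS) return STATUS_INSUFFICIENT_RESOURCES;
    copy_name(devices[ndevices].name, name);
    *out = &devices[ndevices++];
    return STATUS_SUCCESS;
}

/* Model of IoCreateSymbolicLink: \DosDevices\X -> \Device\Y. */
NTSTATUS model_IoCreateSymbolicLink(const char *link, const char *target)
{
    if (nsymlinks == MAX_OBJECTS) return STATUS_INSUFFICIENT_RESOURCES;
    copy_name(symlinks[nsymlinks].link, link);
    copy_name(symlinks[nsymlinks].target, target);
    nsymlinks++;
    return STATUS_SUCCESS;
}

/* Model of IoGetDeviceObjectPointer: follow one symbolic link, then look the
 * name up in the device table. The caller's pointer is always written, so a
 * failed lookup cannot leave an uninitialised pointer behind. */
NTSTATUS model_IoGetDeviceObjectPointer(const char *name, DEVICE_OBJECT **dev)
{
    *dev = NULL;
    for (int i = 0; i < nsymlinks; i++)
        if (strcmp(symlinks[i].link, name) == 0) { name = symlinks[i].target; break; }
    for (int i = 0; i < ndevices; i++)
        if (strcmp(devices[i].name, name) == 0) { *dev = &devices[i]; return STATUS_SUCCESS; }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

/* Driver-side pattern: same sequence as the entry point in the log (create
 * own device, create its DOS link, resolve a target), but the status of the
 * lookup is checked before any IRP would be built for the target device. */
NTSTATUS model_DriverEntry(const char *target_name, DEVICE_OBJECT **target)
{
    DEVICE_OBJECT *own = NULL;
    NTSTATUS st = model_IoCreateDevice("\\Device\\PCDDRV11", &own);
    if (!NT_SUCCESS(st)) return st;
    st = model_IoCreateSymbolicLink("\\DosDevices\\ACEDRV11", "\\Device\\PCDDRV11");
    if (!NT_SUCCESS(st)) return st;
    st = model_IoGetDeviceObjectPointer(target_name, target);
    if (!NT_SUCCESS(st)) return st;      /* no IRP is built for a missing device */
    /* IoBuildSynchronousFsdRequest(..., *target, ...) would follow here. */
    return STATUS_SUCCESS;
}

int main(void)
{
    DEVICE_OBJECT *dev = NULL;
    model_reset();
    NTSTATUS st = model_DriverEntry("\\DosDevices\\CdRom0", &dev);
    printf("\\DosDevices\\CdRom0:   status 0x%08X, device %p\n", (unsigned)st, (void *)dev);
    model_reset();
    st = model_DriverEntry("\\DosDevices\\ACEDRV11", &dev);
    printf("\\DosDevices\\ACEDRV11: status 0x%08X, device %s\n", (unsigned)st,
           dev ? dev->name : "(null)");
    return 0;
}
```

The first call mirrors the log: no CdRom0 device exists, so the lookup fails cleanly and the entry point returns the failure instead of handing an unresolved pointer to the IRP routines; the second call shows the symbolic link resolving to the driver's own device object.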