[Bug 51375] New: SCM erroneously tries to start 64-bit kernel drivers as 32-bit service due to incorrect handling of 'IMAGE_FILE_DLL' image characteristics in 'kernel32.dll.GetBinaryTypeW' (Protect DiSC 'acedrv11.sys')

WineHQ Bugzilla wine-bugs at winehq.org
Thu Jul 1 03:40:10 CDT 2021


https://bugs.winehq.org/show_bug.cgi?id=51375

            Bug ID: 51375
           Summary: SCM erroneously tries to start 64-bit kernel drivers
                    as 32-bit service due to incorrect handling of
                    'IMAGE_FILE_DLL' image characteristics in
                    'kernel32.dll.GetBinaryTypeW' (Protect DiSC
                    'acedrv11.sys')
           Product: Wine
           Version: 6.11
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: kernel32
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says.

https://web.archive.org/web/20210701055235/https://dl.4players.de/f1/pc/cobra_11_nitro/BurningWheelsDemo.exe

'acedrv11.sys' kernel service from 'Protect DiSC' DRM scheme (continuation of
bug 39734) fails to load. It's a 64-bit driver with 'WOW64=1' service entry
value set by 32-bit driver installer.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/windows/system32/drivers

$ winedump acedrv11.sys 
Contents of acedrv11.sys: 335288 bytes

File Header
  Machine:                      8664 (AMD64)
  Number of Sections:           7
  TimeDateStamp:                4890016E (Wed Jul 30 07:51:42 2008) offset 256
  PointerToSymbolTable:         00000000
  NumberOfSymbols:              00000000
  SizeOfOptionalHeader:         00F0
  Characteristics:              0022
    EXECUTABLE_IMAGE
    LARGE_ADDRESS_AWARE

Optional Header (64bit)
  Magic                              0x20B          523
  linker version                     8.00
  size of code                       0x24200        147968
  size of initialized data           0x2a00         10752
  size of uninitialized data         0x0            0
  entrypoint RVA                     0x29008        167944
  base of code                       0x1000         4096
  image base                         0x300000
  section align                      0x1000         4096
  file align                         0x200          512
  required OS version                6.00
  image version                      6.00
  subsystem version                  5.02
  Win32 Version                      0x0            0
  size of image                      0x56000        352256
  size of headers                    0x400          1024
  checksum                           0x5db88        383880
  Subsystem                          0x1 (Native)
  DLL characteristics:               0x0000
  stack reserve size                 0x40000
  stack commit size                  0x1000
  heap reserve size                  0x100000
  heap commit size                   0x1000
  loader flags                       0x0            0
  RVAs & sizes                       0x10           16
...
--- snip ---

--- snip ---
$ WINEDEBUG=+seh,+relay,+server,+ntoskrnl,+loaddll,+module wine net start acedrv11 >>log.txt 2>&1
...
00d8:Call KERNEL32.GetBinaryTypeW(00168450 L"C:\\windows\\system32\\drivers\\acedrv11.sys",013df330) ret=140006426
...
00d8:trace:module:GetBinaryTypeW L"C:\\windows\\system32\\drivers\\acedrv11.sys"
...
00d8:Call ntdll.NtQuerySection(00000158,00000001,013df0f0,00000040,00000000) ret=7b61b6dd
00d8: get_mapping_info( handle=0158, access=00000001 )
00d8: get_mapping_info() = 0 { size=00056000, flags=01800000, shared_file=0000, total=176, image={base=00300000,entry_point=00329008,map_size=00056000,stack_size=00040000,stack_commit=00001000,zerobits=00000000,subsystem=00000001,subsystem_minor=0002,subsystem_major=0005,osversion_major=0006,osversion_minor=0000,image_charact=0022,dll_charact=0000,machine=8664,contains_code=1,image_flags=00,loader_flags=00000000,header_size=00000400,file_size=00051db8,checksum=0005db88}, name=L"" }
00d8:Ret  ntdll.NtQuerySection() retval=00000000 ret=7b61b6dd
...
00d8:Ret  KERNEL32.GetBinaryTypeW() retval=00000000 ret=140006426
00d8:Call KERNEL32.GetSystemDirectoryW(013df390,00000104) ret=1400065ed
00d8:Ret  KERNEL32.GetSystemDirectoryW() retval=00000013 ret=1400065ed
...
00d8:Call KERNEL32.CreateProcessW(00000000,00168630 L"C:\\windows\\syswow64\\winedevice.exe",00000000,00000000,100000000,00000400,00176aa0,00000000,013df080,013df020) ret=140006b7e
...
00d8:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=140006b7e
...
0114:trace:ntoskrnl:open_driver opened service for driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\acedrv11"
...
0114:trace:ntoskrnl:load_driver loading driver L"C:\\windows\\system32\\drivers\\acedrv11.sys"
...
0114:Call KERNEL32.LoadLibraryExW(0042df50 L"C:\\windows\\system32\\drivers\\acedrv11.sys",00000000,00001100) ret=00394979
...
0114:Call kernelbase.LoadLibraryExW(0042df50 L"C:\\windows\\system32\\drivers
...
0114:Call ntdll.LdrLoadDll(0042e290 L"C:\\windows\\system32\\drivers;C:\\windows\\syswow64;C:\\windows\\system32\\",00001100,00fcfb14,00fcfafc) ret=7b01c045
0034:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7bc42e5f
0114:trace:module:load_dll looking for L"C:\\windows\\system32\\drivers\\acedrv11.sys" in L"C:\\windows\\system32\\drivers;C:\\windows\\syswow64;C:\\windows\\system32\\"
...
0114:warn:module:load_dll Failed to load module L"C:\\windows\\system32\\drivers\\acedrv11.sys"; status=c0000135
...
0114:Ret  ntdll.LdrLoadDll() retval=c0000135 ret=7b01c045
...
0114:Ret  kernelbase.LoadLibraryExW() retval=00000000 ret=7bc3aa34
...
0114:Ret  KERNEL32.LoadLibraryExW() retval=00000000 ret=00394979
...
0114:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\acedrv11": c0000142
--- snip ---

Workaround: Remove 'WOW64=1' registry key from service (leads to fallback with
'false' setting).

This is actually a regression:

https://source.winehq.org/git/wine.git/commitdiff/1e1f110c99fba4c33ebe85bf112c9d37899d3a0c
("kernel32: Return failure in GetBinaryType() for DLL files.")

--- snip ---
BOOL WINAPI GetBinaryTypeW( LPCWSTR name, LPDWORD type )
{
    HANDLE hfile, mapping;
    NTSTATUS status;
    const WCHAR *ptr;

    TRACE("%s\n", debugstr_w(name) );

    if (type == NULL) return FALSE;

    hfile = CreateFileW( name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0 );
    if ( hfile == INVALID_HANDLE_VALUE )
        return FALSE;

    status = NtCreateSection( &mapping, STANDARD_RIGHTS_REQUIRED | SECTION_QUERY,
                              NULL, NULL, PAGE_READONLY, SEC_IMAGE, hfile );
    CloseHandle( hfile );

    switch (status)
    {
    case STATUS_SUCCESS:
        {
            SECTION_IMAGE_INFORMATION info;

            status = NtQuerySection( mapping, SectionImageInformation, &info, sizeof(info), NULL );
            CloseHandle( mapping );
            if (status) return FALSE;
            if (!(info.ImageCharacteristics & IMAGE_FILE_DLL)) return FALSE;
            switch (info.Machine)
...
--- snip ---

The condition is reversed. The function shall fail if the driver binary has
'IMAGE_FILE_DLL' image characteristics set.

$ sha1sum BurningWheelsDemo.exe 
6dc03653b97a0336a5c57fc4b04af61e3ebcee5e  BurningWheelsDemo.exe

$ du -sh BurningWheelsDemo.exe 
286M    BurningWheelsDemo.exe

$ wine --version
wine-6.11-235-g7f1623bc626

Regards
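
The check discussed in the report, reproduced outside Wine as an added example (not part of the original report and not Wine's code): it reads Machine and Characteristics from a constructed PE header stub carrying the values shown in the winedump output, then applies the condition as quoted and the form the report asks for. The `reversed` parameter, the two-entry machine mapping and the helper names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_DLL           0x2000
#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define SCS_32BIT_BINARY 0
#define SCS_64BIT_BINARY 6
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read Machine and Characteristics from a PE image; -1 on malformed input. */
int pe_file_header(const uint8_t *buf, size_t len, uint16_t *machine, uint16_t *charact)
{
    uint32_t off;
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    off = rd16(buf + 0x3c) | ((uint32_t)rd16(buf + 0x3e) << 16);  /* e_lfanew */
    if (off > len || len - off < 24) return -1;  /* "PE\0\0" + IMAGE_FILE_HEADER */
    if (memcmp(buf + off, "PE\0\0", 4)) return -1;
    *machine = rd16(buf + off + 4);
    *charact = rd16(buf + off + 22);
    return 0;
}

/* reversed=1: condition as quoted in the report; reversed=0: DLLs are rejected.
 * Returns 1 and sets *type, else 0. Machine mapping is simplified (assumption). */
int binary_type(uint16_t machine, uint16_t charact, int reversed, unsigned *type)
{
    int is_dll = (charact & IMAGE_FILE_DLL) != 0;
    if (reversed ? !is_dll : is_dll) return 0;
    if (machine == IMAGE_FILE_MACHINE_I386)  { *type = SCS_32BIT_BINARY; return 1; }
    if (machine == IMAGE_FILE_MACHINE_AMD64) { *type = SCS_64BIT_BINARY; return 1; }
    return 0;
}

/* Constructed sample: MZ/PE stub holding only the two header fields under test. */
static const uint8_t SAMPLE[0x98] = {
    [0x00] = 'M', 'Z', [0x3c] = 0x80,
    [0x80] = 'P', 'E', 0, 0, 0x64, 0x86,   /* Machine 0x8664 (AMD64) */
    [0x96] = 0x22, 0x00,                   /* Characteristics 0x0022 */
};

int main(void)
{
    uint16_t m, c; unsigned t = 0;
    if (pe_file_header(SAMPLE, sizeof SAMPLE, &m, &c)) return 1;
    int quoted = binary_type(m, c, 1, &t), fixed = binary_type(m, c, 0, &t);
    printf("machine=%04x charact=%04x quoted=%d corrected=%d type=%u\n", m, c, quoted, fixed, t);
    return 0;
}
```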
