[Bug 52059] TestMem5 v0.12 reports 'To enable AWE, you must run with Administrator privileges!' on startup (unable to add 'SeLockMemoryPrivilege' due to 'LsaAddAccountRights' stub)
WineHQ Bugzilla
wine-bugs at winehq.org
Sun Nov 28 14:00:32 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=52059
Anastasius Focht <focht at gmx.net> changed:
What          |Removed                                    |Added
----------------------------------------------------------------------------
CC            |                                           |focht at gmx.net
Component     |-unknown                                   |advapi32
Status        |UNCONFIRMED                                |NEW
URL           |                                           |https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
Keywords      |                                           |obfuscation
Ever confirmed|0                                          |1
Summary       |Non-installable program needs Admin rights.|TestMem5 v0.12 reports 'To enable AWE, you must run with Administrator privileges!' on startup (unable to add 'SeLockMemoryPrivilege' due to 'LsaAddAccountRights' stub)
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
the app seems legit, although the original 'testmem.tz.ru' site/domain is
flagged as dangerous by browsers/AV plugins.
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe078b5c54857a16d37d480cc21/community
Relevant part of trace log:
--- snip ---
$ WINEDEBUG=+seh,+relay,+advapi,+server wine ./TM5.exe >>log.txt 2>&1
...
0104:Call KERNEL32.CreateProcessA(00448fe4
"Z:\\home\\focht\\Downloads\\TM5\\TM5.exe",004490e4 "
\r\x07",00000000,00000000,00000000,00000020,00000000,00000000,00448fa0,01fb8418)
ret=00403613
...
013c: init_first_thread() = 0 { pid=0138, tid=013c,
server_start=1d7e483224f8388 (-1.5113650), session_id=00000001,
info_size=15826, machines={8664,014c} }
...
0104:Ret KERNEL32.CreateProcessA() retval=00000001 ret=00403613
...
013c:Call
KERNEL32.CreateThread(00000000,00000000,00404481,00000007,00000000,0044920c)
ret=00404f68
...
0158: *fd* 14 <- 308
013c:Ret KERNEL32.CreateThread() retval=000000a0 ret=00404f68
...
0158:Call KERNEL32.LoadLibraryA(01f33c10 "bin\\MT0.dll") ret=00403cb2
...
0158:Ret KERNEL32.LoadLibraryA() retval=021f0000 ret=00403cb2
0158:Call KERNEL32.GetProcAddress(021f0000,01f33c28 "MemManager") ret=00403d6c
0158:Ret KERNEL32.GetProcAddress() retval=021f245d ret=00403d6c
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000020,021cfba0) ret=021f121d
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000020,021cfba0) ret=7b044236
0158: open_token( handle=ffffffff, access=00000020, attributes=00000000,
flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f121d
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f40f3,021cfb94)
ret=021f1234
...
0158:trace:advapi:LookupPrivilegeValueW
--- snip ---
The log/trace was corrupted here - even in append mode.
It tried to look up 'SeLockMemoryPrivilege'.
--- snip ---
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call
advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000)
ret=021f124f
0158:Call
ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000)
ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0,
get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000,
privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
...
--- snip ---
This obviously fails because 'SeLockMemoryPrivilege' is by default not present
in the token. The call to AdjustTokenPrivileges() can only enable privileges
that you already have (but are masked).
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611af7aaa55:/server/token.c#l836
The app then tries to add the privilege to the current user account:
--- snip ---
...
0158:Call advapi32.OpenProcessToken(ffffffff,00000028,021cfb6c) ret=021f1061
0158:Call ntdll.NtOpenProcessToken(ffffffff,00000028,021cfb6c) ret=7b044236
0158: open_token( handle=ffffffff, access=00000028, attributes=00000000,
flags=00000000 )
0158: open_token() = 0 { token=00a4 }
0158:Ret ntdll.NtOpenProcessToken() retval=00000000 ret=7b044236
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f1061
0158:Call
advapi32.GetTokenInformation(000000a4,00000001,00000000,00000000,021cfb60)
ret=021f107b
0158:Call
ntdll.NtQueryInformationToken(000000a4,00000001,00000000,00000000,021cfb60)
ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = BUFFER_TOO_SMALL { sid_len=28<invalid sid> }
0158:Ret ntdll.NtQueryInformationToken() retval=c0000023 ret=7b0443d4
0158:Call ntdll.RtlNtStatusToDosError(c0000023) ret=7b0443e1
0158:Ret ntdll.RtlNtStatusToDosError() retval=0000007a ret=7b0443e1
0158:Ret advapi32.GetTokenInformation() retval=00000000 ret=021f107b
0158:Call KERNEL32.GetProcessHeap() ret=021f1088
0158:Ret KERNEL32.GetProcessHeap() retval=00450000 ret=021f1088
0158:Call ntdll.RtlAllocateHeap(00450000,00000040,00000024) ret=021f1098
0158:Ret ntdll.RtlAllocateHeap() retval=00492fb0 ret=021f1098
0158:Call
advapi32.GetTokenInformation(000000a4,00000001,00492fb0,00000024,021cfb60)
ret=021f10af
0158:Call
ntdll.NtQueryInformationToken(000000a4,00000001,00492fb0,00000024,021cfb60)
ret=7b0443d4
0158: get_token_sid( handle=00a4, which_sid=00000001 )
0158: get_token_sid() = 0 { sid_len=28, sid={S-1-5-21-0-0-0-1000} }
0158:Ret ntdll.NtQueryInformationToken() retval=00000000 ret=7b0443d4
0158:Ret advapi32.GetTokenInformation() retval=00000001 ret=021f10af
0158:Call advapi32.LsaAddAccountRights(0000cafe,00492fb8,021cfb74,00000001)
ret=021f10c6
0158:fixme:advapi:LsaAddAccountRights (0000CAFE,00492FB8,021CFB74,0x00000001)
stub
0158:Ret advapi32.LsaAddAccountRights() retval=00000000 ret=021f10c6
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f4009,021cfb98)
ret=021f10da
0158:trace:advapi:LookupPrivilegeValueW L"",L"SeLockMemoryPrivilege",021CFB98
...
0158:trace:advapi:LookupPrivilegeValueW L"" -> 00000000-00000004
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f1234
0158:Call
advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000)
ret=021f124f
0158:Call
ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000)
ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0,
get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158: adjust_token_privileges() = NOT_ALL_ASSIGNED { len=00000000,
privileges={} }
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Call ntdll.RtlNtStatusToDosError(00000106) ret=7b043d8e
0158:Ret ntdll.RtlNtStatusToDosError() retval=00000514 ret=7b043d8e
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.CloseHandle(000000a4) ret=021f1257
0158:Call ntdll.NtClose(000000a4) ret=7b038140
0158: close_handle( handle=00a4 )
0158: close_handle() = 0
0158:Ret ntdll.NtClose() retval=00000000 ret=7b038140
0158:Ret KERNEL32.CloseHandle() retval=00000001 ret=021f1257
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
0158:Call user32.MessageBoxA(00000000,021f4060 "To enable AWE, you must run
with\r\nAdministrator privileges!",021f404b "TestMem5, AWE module",00200040)
ret=021f24dd
--- snip ---
Since 'LsaAddAccountRights' is a stub, the privilege can't be added to the user
account.
https://source.winehq.org/git/wine.git/blob/f03933fbb73152c7a54383fba411a611af7aaa55:/dlls/advapi32/lsa.c#l165
--- snip ---
/******************************************************************************
 * LsaAddAccountRights [ADVAPI32.@]
 *
 */
NTSTATUS WINAPI LsaAddAccountRights(
    LSA_HANDLE policy,
    PSID sid,
    PLSA_UNICODE_STRING rights,
    ULONG count)
{
    FIXME("(%p,%p,%p,0x%08x) stub\n", policy, sid, rights, count);
    return STATUS_SUCCESS;
}
--- snip ---
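To make the two failure points above easier to spot in a long +relay log, here is a small trace reader. It is an added example written for this comment, not code from the report, from TestMem5 or from Wine. It assumes the relay/advapi/server line shapes shown in the snips above (Call/Ret pairs nesting LIFO per thread, 'fixme: ... stub' lines, the LookupPrivilegeValueW name/LUID trace and the server's adjust_token_privileges line); the sample lines are constructed from the report's own values with the mail wrapping removed. It pairs each Call with its Ret, maps the LUID back to the privilege name, and reports when AdjustTokenPrivileges() returned TRUE while the native call came back STATUS_NOT_ALL_ASSIGNED, plus any stubbed API whose STATUS_SUCCESS cannot be trusted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Windows SDK constants; both raw values (0x106 and 0x514) appear in the trace.
STATUS_NOT_ALL_ASSIGNED = 0x106   # success-class NTSTATUS, so the Win32 wrapper still returns TRUE
ERROR_NOT_ALL_ASSIGNED = 0x514    # 1300 decimal, what GetLastError() reports afterwards
SE_PRIVILEGE_ENABLED = 0x2

# Line shapes of WINEDEBUG=+relay,+advapi,+server output as seen in this report (assumption).
TID = r"(?P<tid>[0-9a-f]{4})"
CALL_RE = re.compile(TID + r":Call (?P<fn>[\w.]+)\((?P<args>.*)\) ret=[0-9a-f]+$")
RET_RE = re.compile(TID + r":Ret (?P<fn>[\w.]+)\(\) retval=(?P<retval>[0-9a-f]+) ret=[0-9a-f]+$")
STUB_RE = re.compile(TID + r":fixme:\w+:(?P<fn>\w+) .*\bstub$")
NAME_RE = re.compile(TID + r':trace:advapi:LookupPrivilegeValueW L"[^"]*",L"(?P<name>[^"]+)",')
LUID_RE = re.compile(TID + r':trace:advapi:LookupPrivilegeValueW L"[^"]*" -> (?P<hi>[0-9a-f]{8})-(?P<lo>[0-9a-f]{8})$')
ADJ_RE = re.compile(TID + r": adjust_token_privileges\( .*privileges=\{\{luid=(?P<luid>[0-9a-f]{16}),attr=(?P<attr>\d+)\}\} \)$")

# Constructed sample: the second privilege attempt from the report, one log entry per line.
SAMPLE_TRACE = """\
0158:Call advapi32.OpenProcessToken(ffffffff,00000028,021cfb6c) ret=021f1061
0158:Ret advapi32.OpenProcessToken() retval=00000001 ret=021f1061
0158:Call advapi32.LsaAddAccountRights(0000cafe,00492fb8,021cfb74,00000001) ret=021f10c6
0158:fixme:advapi:LsaAddAccountRights (0000CAFE,00492FB8,021CFB74,0x00000001) stub
0158:Ret advapi32.LsaAddAccountRights() retval=00000000 ret=021f10c6
0158:Call advapi32.LookupPrivilegeValueA(00000000,021f4009,021cfb98) ret=021f10da
0158:trace:advapi:LookupPrivilegeValueW L"",L"SeLockMemoryPrivilege",021CFB98
0158:trace:advapi:LookupPrivilegeValueW L"" -> 00000000-00000004
0158:Ret advapi32.LookupPrivilegeValueA() retval=00000001 ret=021f10da
0158:Call advapi32.AdjustTokenPrivileges(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=021f124f
0158:Call ntdll.NtAdjustPrivilegesToken(000000a4,00000000,021cfb90,00000010,00000000,00000000) ret=7b043d85
0158: adjust_token_privileges( handle=00a4, disable_all=0, get_modified_state=0, privileges={{luid=0000000000000004,attr=2}} )
0158:Ret ntdll.NtAdjustPrivilegesToken() retval=00000106 ret=7b043d85
0158:Ret advapi32.AdjustTokenPrivileges() retval=00000001 ret=021f124f
0158:Call KERNEL32.GetLastError() ret=021f125c
0158:Ret KERNEL32.GetLastError() retval=00000514 ret=021f125c
"""


@dataclass
class Call:
    tid: str
    fn: str
    args: str
    retval: Optional[int] = None
    privileges: List[Tuple[int, int]] = field(default_factory=list)  # (LUID, attributes) from the server line


@dataclass
class Report:
    calls: List[Call] = field(default_factory=list)
    stubs: List[str] = field(default_factory=list)
    luid_names: Dict[int, str] = field(default_factory=dict)


def parse_relay(text: str) -> Report:
    rep = Report()
    pending: Dict[str, List[Call]] = {}   # per-thread stack of Calls still waiting for their Ret
    last_name: Dict[str, str] = {}        # privilege name per thread, paired with the following LUID line
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            c = Call(m["tid"], m["fn"], m["args"])
            rep.calls.append(c)
            pending.setdefault(m["tid"], []).append(c)
        elif m := RET_RE.match(line):
            stack = pending.get(m["tid"], [])
            for i in range(len(stack) - 1, -1, -1):   # Call/Ret pairs nest LIFO within a thread
                if stack[i].fn == m["fn"]:
                    stack.pop(i).retval = int(m["retval"], 16)
                    break
        elif m := STUB_RE.match(line):
            rep.stubs.append(m["fn"])
        elif m := NAME_RE.match(line):
            last_name[m["tid"]] = m["name"]
        elif m := LUID_RE.match(line):
            rep.luid_names[(int(m["hi"], 16) << 32) | int(m["lo"], 16)] = last_name.get(m["tid"], "?")
        elif m := ADJ_RE.match(line):
            stack = pending.get(m["tid"], [])
            if stack:   # the server line belongs to the innermost call in flight on that thread
                stack[-1].privileges.append((int(m["luid"], 16), int(m["attr"])))
    return rep


def analyze(rep: Report) -> List[str]:
    """Explain each privilege-adjust attempt and flag stubbed calls whose success means nothing."""
    findings: List[str] = []
    for i, c in enumerate(rep.calls):
        if c.fn != "advapi32.AdjustTokenPrivileges":
            continue
        later = [x for x in rep.calls[i + 1:] if x.tid == c.tid]
        native = next((x for x in later if x.fn == "ntdll.NtAdjustPrivilegesToken"), None)
        gle = next((x for x in later if x.fn == "KERNEL32.GetLastError"), None)
        if native is None or native.retval != STATUS_NOT_ALL_ASSIGNED:
            continue
        wanted = ", ".join(
            rep.luid_names.get(luid, f"LUID {luid:#x}") + (" (enable)" if attr & SE_PRIVILEGE_ENABLED else "")
            for luid, attr in native.privileges) or "unknown privilege"
        note = (f"token lacks {wanted}: NtAdjustPrivilegesToken returned STATUS_NOT_ALL_ASSIGNED "
                f"although AdjustTokenPrivileges returned {c.retval}")
        if gle is not None and gle.retval == ERROR_NOT_ALL_ASSIGNED:
            note += "; GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300)"
        findings.append(note)
    for fn in rep.stubs:
        findings.append(f"{fn} hit a Wine stub: its STATUS_SUCCESS return is no evidence the right was granted")
    return findings
```

Run it as 'python3 relaycheck.py' after adding a print loop over analyze(parse_relay(open(path).read())), or feed it the real log.txt; real relay output has one entry per line, so the mail wrapping seen in this comment does not occur there. The two findings it produces for the sample are exactly the two reasons the AWE module gives up: the privilege is not in the token, and the call that was supposed to grant it is a stub.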
The sequence is pretty similar to what is described here:
https://web.archive.org/web/20211128192224/https://stackoverflow.com/questions/42354504/enable-large-pages-in-windows-programmatically
Poking a bit more reveals that the app will later make use of the
AllocateUserPhysicalPages() API, which requires this privilege.
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-allocateuserphysicalpages
--- quote ---
Remarks
The AllocateUserPhysicalPages function is used to allocate physical memory that
can later be mapped within the virtual address space of the process. The
SeLockMemoryPrivilege privilege must be enabled in the caller's token or the
function will fail with ERROR_PRIVILEGE_NOT_HELD. For more information, see
Privilege Constants.
...
--- quote ---
You could probably do a quick hack by adding this privilege to the default
(admin) token if you can build Wine from source, but it won't get you far. AWE
APIs are stubs in Wine:
* AllocateUserPhysicalPages
* FreeUserPhysicalPages
* MapUserPhysicalPages
Stable download link via Internet Archive:
https://web.archive.org/web/20211009060326/https://testmem.tz.ru/tm5.rar
https://www.virustotal.com/gui/file/b7ed4b39de012e88ec9ad7f21b0ac68a4e863fe078b5c54857a16d37d480cc21
$ sha1sum tm5.rar
f141a919d7d1cfb1baaea671fb6dcd3bf213cdf7 tm5.rar
$ du -sh tm5.rar
24K tm5.rar
$ sha1sum TM5.exe
13122d07d828637943ca7e8043f77beca4e76928 TM5.exe
$ sha1sum bin/MT0.dll
21c3a60a648615317421be93432697253a3c7ff3 bin/MT0.dll
Regards