[Bug 50208] Multiple kernel drivers need NtQuerySystemInformation(SystemModuleInformation) to return correct ImageBaseAddress and ImageSize for modules (Sentinel HASP 'hardlock.sys', SmartGaga 'AndroidKernelX64.sys')

WineHQ Bugzilla wine-bugs at winehq.org
Mon Jan 3 14:57:22 CST 2022


https://bugs.winehq.org/show_bug.cgi?id=50208

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Multiple kernel drivers     |Multiple kernel drivers
                   |need                        |need
                   |NtQuerySystemInformation(Sy |NtQuerySystemInformation(Sy
                   |stemModuleInformation) to   |stemModuleInformation) to
                   |return correct              |return correct
                   |ImageBaseAddress and        |ImageBaseAddress and
                   |ImageSize for modules       |ImageSize for modules
                   |(Sentinel HASP              |(Sentinel HASP
                   |'hardlock.sys')             |'hardlock.sys', SmartGaga
                   |                            |'AndroidKernelX64.sys')

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting, still present.

Also encountered with SmartGaga (Android Emulator) v1.1.x

'androidkernelx64.sys' driver

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+server wine wineboot >>log.txt 2>&1
...
005c:Call ntoskrnl.exe.ZwQuerySystemInformation(0000000b,00c5f390,00000000,00c5f390) ret=00e4afa6
005c:Call ntdll.NtQuerySystemInformation(0000000b,00c5f390,00000000,00c5f390) ret=17004226f
005c:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=17004226f
005c:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=c0000004 ret=00e4afa6
005c:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000001,00000380,2154554e) ret=00e4afd5
005c:Call ntdll.RtlAllocateHeap(009e0000,00000000,00000380) ret=003e2ede
005c:Ret  ntdll.RtlAllocateHeap() retval=009e1640 ret=003e2ede
005c:trace:ntoskrnl:ExAllocatePoolWithTag 896 pool 1 -> 00000000009E1640
005c:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=009e1640 ret=00e4afd5
005c:Call ntoskrnl.exe.ZwQuerySystemInformation(0000000b,009e1640,00000380,00c5f390) ret=00e4aff5
005c:Call ntdll.NtQuerySystemInformation(0000000b,009e1640,00000380,00c5f390) ret=17004226f
005c:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=17004226f
005c:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=00e4aff5
005c:Call ntoskrnl.exe.ExFreePoolWithTag(009e1640,00000000) ret=00e4b040
005c:trace:ntoskrnl:ExFreePoolWithTag 00000000009E1640
005c:Call KERNEL32.HeapFree(009e0000,00000000,009e1640) ret=17004226f
005c:Ret  KERNEL32.HeapFree() retval=00000001 ret=17004226f
005c:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e4b040
005c:trace:seh:dispatch_exception code=c0000005 flags=0 addr=0000000000E4B0BB ip=0000000000E4B0BB tid=005c
005c:warn:seh:dispatch_exception EXCEPTION_ACCESS_VIOLATION exception (code=c0000005) raised
005c:trace:seh:dispatch_exception  rax=0000000000005a4d rbx=0000000000e8c3b8 rcx=000000017000e254 rdx=0000000000000000
005c:trace:seh:dispatch_exception  rsi=00000000c0000001 rdi=0000000010000000 rbp=0000000000c5f5f0 rsp=0000000000c5f390
005c:trace:seh:dispatch_exception   r8=0000000000000000  r9=0000000000000040 r10=00007ffbeaa02680 r11=0000000000000000
005c:trace:seh:dispatch_exception  r12=0000000000173ef8 r13=000000000000ffff r14=0000000000173d90 r15=0000000000000000
005c:trace:seh:call_vectored_handlers calling handler at 00000000003DD440 code=c0000005 flags=0
005c:trace:seh:call_vectored_handlers handler at 00000000003DD440 returned 0
005c:trace:seh:call_handler calling handler 0000000000DA140C (rec=0000000000C5F160, frame=0000000000C5F4F0 context=0000000000C5E750, dispatch=0000000000C5E618)
005c:trace:seh:call_handler handler at 0000000000DA140C returned 1
005c:trace:seh:call_stack_handlers found wine frame 0000000000C5FE90 rsp 0000000000C5FFE0 handler 000000017005FE00
005c:trace:seh:call_teb_handler calling TEB handler 000000017005FE00 (rec=0000000000C5F160, frame=0000000000C5FE90 context=0000000000C5E750, dispatch=0000000000C5E618)
--- snip ---

--- snip ---
0000000000E4B0B6 | mov eax,5A4D                  |
0000000000E4B0BB | cmp ax,word ptr ds:[rdi]      | ImageBaseAddress *boom*
0000000000E4B0BE | jne androidkernelx64.E4B1F6   |
0000000000E4B0C4 | mov eax,dword ptr ds:[rdi+3C] |
0000000000E4B0C7 | add rax,rdi                   |
0000000000E4B0CA | cmp dword ptr ds:[rax],4550   |
0000000000E4B0D0 | jne androidkernelx64.E4B1F6   |
--- snip ---

--- snip ---
Base             Module               Path  

0000000000250000 sechost.dll          Z:\home\focht\projects\wine\mainline...
0000000000280000 ucrtbase.dll         Z:\home\focht\projects\wine\mainline...
0000000000340000 msvcrt.dll           Z:\home\focht\projects\wine\mainline...
00000000003D0000 ntoskrnl.exe         Z:\home\focht\projects\wine\mainline...
0000000000AF0000 rpcrt4.dll           Z:\home\focht\projects\wine\mainline...
0000000000DA0000 androidkernelx64.sys C:\Program Files (x86)\SmartGaGa\Pro...
0000000000EB0000 hal.dll              Z:\home\focht\projects\wine\mainline...
000000007B000000 kernelbase.dll       Z:\home\focht\projects\wine\mainline...
000000007B600000 kernel32.dll         Z:\home\focht\projects\wine\mainline...
0000000140000000 winedevice.exe       Z:\home\focht\projects\wine\mainline...
0000000170000000 ntdll.dll            Z:\home\focht\projects\wine\mainline...
0000000180000000 advapi32.dll         Z:\home\focht\projects\wine\mainline...
--- snip ---

The driver tries to access the PE header struct for each module returned by
'NtQuerySystemInformation(SystemModuleInformation)'. This causes a page fault
because nothing is mapped at the hard-coded defaults.

rdi=0x10000000 = hard-coded ImageBaseAddress 'ntoskrnl.exe'

'AndroidKernel.log':

--- snip ---
[424][436][21:20:10.566]: DriverEntry: PsCalcProcessMD5 C:\Program Files (x86)\SmartGaGa\ProjectTitan\Engine\AndroidKernelX64.sys Fail!
--- snip ---

Stable download link via Internet Archive for documentation.

https://web.archive.org/web/20210212083145/https://dl.filehorse.com/win/desktop-enhancements/smartgaga/SmartGaGa-1.1.646.1.exe?st=UXb-Ylz8he_QMz7inrvzTA&e=1613205052&fn=Setup_AndroidFs442_1.1.646.1.exe

https://www.virustotal.com/gui/file/a2928782e205ebe45317c54378136263fb69a4ead4a630d4ba458039272ae359

$ sha1sum Setup_AndroidFs442_1.1.646.1.exe 
8cec18338e1e931433ac37f63d26a701dfcbd0dd  Setup_AndroidFs442_1.1.646.1.exe

$ du -sh Setup_AndroidFs442_1.1.646.1.exe 
203M    Setup_AndroidFs442_1.1.646.1.exe

$ wine --version
wine-7.0-rc4

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
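The sequence the relay log and disassembly above describe, as an added worked example (not code from the bug report, from Wine, or from the SmartGaga driver): the two-call SystemModuleInformation round trip (size query returning STATUS_INFO_LENGTH_MISMATCH, pool allocation, second query), followed by the header check the driver performs on each entry's ImageBaseAddress. Because the real call cannot be made on a Linux host, fake_query, the region/translate "address space" and the two-entry module table are constructed stand-ins; the layout of the entries is the x64 RTL_PROCESS_MODULE_INFORMATION, and the addresses 0x10000000 (hard-coded ntoskrnl.exe base) and 0xDA0000 (androidkernelx64.sys base) are taken from the comment above. The example also adds one check the driver does not make: that the SizeOfImage in the optional header agrees with the reported ImageSize.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u  /* first call in the relay log */
#define STATUS_INVALID_INFO_CLASS   0xC0000003u
#define SystemModuleInformation     0x0b        /* class 0000000b in the log */

/* x64 layout of RTL_PROCESS_MODULE_INFORMATION: 296 bytes per entry. */
typedef struct {
    uint64_t Section, MappedBase, ImageBase;
    uint32_t ImageSize, Flags;
    uint16_t LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName;
    uint8_t  FullPathName[256];
} module_info;

/* RTL_PROCESS_MODULES header followed by a fixed two-entry table (example only). */
typedef struct {
    uint32_t    NumberOfModules;   /* 4 bytes of padding follow on x64 */
    module_info Modules[2];
} module_list;

/* Constructed stand-in for "what is mapped at this VA"; assumption of the example. */
typedef struct { uint64_t base; size_t len; const uint8_t *bytes; } region;

static const uint8_t *translate(const region *rs, size_t n, uint64_t va, size_t need)
{
    for (size_t i = 0; i < n; i++)
        if (va >= rs[i].base && va + need <= rs[i].base + rs[i].len)
            return rs[i].bytes + (va - rs[i].base);
    return NULL;  /* nothing mapped: on real hardware this read is the page fault */
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

enum check { CHECK_OK, CHECK_UNMAPPED, CHECK_NO_MZ, CHECK_NO_PE, CHECK_SIZE_MISMATCH };

/* Checks from the disassembly (MZ at ImageBase, PE at ImageBase+e_lfanew) plus
 * one the driver does not make: SizeOfImage must agree with ImageSize. */
enum check check_module(const module_info *m, const region *rs, size_t n)
{
    const uint8_t *dos = translate(rs, n, m->ImageBase, 0x40);
    if (!dos)                       return CHECK_UNMAPPED;  /* cmp ax,[rdi] faults here */
    if (rd16(dos) != 0x5A4D)        return CHECK_NO_MZ;
    uint32_t e_lfanew = rd32(dos + 0x3C);
    const uint8_t *nt = translate(rs, n, m->ImageBase + e_lfanew, 24 + 0x3C);
    if (!nt || rd32(nt) != 0x00004550) return CHECK_NO_PE;
    /* Optional header starts 24 bytes into the NT headers; SizeOfImage is at +0x38. */
    if (rd32(nt + 24 + 0x38) != m->ImageSize) return CHECK_SIZE_MISMATCH;
    return CHECK_OK;
}

/* Constructed stand-in for NtQuerySystemInformation(SystemModuleInformation)
 * with the real contract: a short buffer yields STATUS_INFO_LENGTH_MISMATCH
 * and the required length, exactly the two calls seen in the relay log. */
static uint32_t fake_query(const module_list *src, unsigned cls, void *buf,
                           uint32_t len, uint32_t *retlen)
{
    uint32_t need = (uint32_t)offsetof(module_list, Modules)
                  + src->NumberOfModules * (uint32_t)sizeof(module_info);
    if (cls != SystemModuleInformation) return STATUS_INVALID_INFO_CLASS;
    if (retlen) *retlen = need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, src, need);
    return STATUS_SUCCESS;
}

/* Minimal PE32+ image: MZ stub, e_lfanew, "PE\0\0", Magic 0x20B, SizeOfImage. */
static void build_min_pe(uint8_t *buf, size_t len, uint32_t size_of_image)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                          /* e_lfanew */
    buf[0x40] = 'P'; buf[0x41] = 'E';
    buf[0x40 + 24] = 0x0B; buf[0x40 + 25] = 0x02;    /* OptionalHeader.Magic */
    wr32(buf + 0x40 + 24 + 0x38, size_of_image);
}

/* Driver-side flow: size query, allocate, second query, check every entry. */
size_t scenario(enum check results[], size_t max)
{
    static uint8_t sys_image[0x1000];
    build_min_pe(sys_image, sizeof sys_image, 0x1000);

    module_list src = { .NumberOfModules = 2 };
    /* Entry 0 mirrors the bug: ntoskrnl.exe reported at 0x10000000, nothing mapped there. */
    src.Modules[0].ImageBase = 0x10000000; src.Modules[0].ImageSize = 0x100000;
    strcpy((char *)src.Modules[0].FullPathName, "\\SystemRoot\\system32\\ntoskrnl.exe");
    /* Entry 1: a base that really does hold a PE header. */
    src.Modules[1].ImageBase = 0xDA0000;   src.Modules[1].ImageSize = 0x1000;
    strcpy((char *)src.Modules[1].FullPathName, "androidkernelx64.sys");
    region mapped[] = { { 0xDA0000, sizeof sys_image, sys_image } };

    uint32_t need = 0;
    if (fake_query(&src, SystemModuleInformation, NULL, 0, &need) != STATUS_INFO_LENGTH_MISMATCH)
        return 0;
    module_list *list = malloc(need);   /* ExAllocatePoolWithTag in the driver */
    if (!list || fake_query(&src, SystemModuleInformation, list, need, &need) != STATUS_SUCCESS) {
        free(list);
        return 0;
    }
    size_t n = list->NumberOfModules < max ? list->NumberOfModules : max;
    for (size_t i = 0; i < n; i++)
        results[i] = check_module(&list->Modules[i], mapped, 1);
    free(list);                          /* ExFreePoolWithTag in the driver */
    return n;
}

int main(void)
{
    enum check r[2];
    size_t n = scenario(r, 2);
    for (size_t i = 0; i < n; i++)
        printf("module %zu: check=%d (0=ok, 1=unmapped)\n", i, r[i]);
    return 0;
}
```

With the x64 entry size of 296 bytes, the 0x380 (896) byte pool allocation in the relay log corresponds to an 8-byte header plus three entries, so the driver walked three modules before faulting on the first whose base was not backed by memory.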