Closed Bug 1126185 Opened 9 years ago Closed 9 years ago

Support redirection of kernel32.dll for hooking function on Windows 8

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows 8
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox35 --- unaffected
firefox36 --- unaffected
firefox37 + verified
firefox38 --- verified

People

(Reporter: avaida, Assigned: m_kato)

References

Details

Attachments

(1 file)

Need hook CreateFileA for Windows 8 RTM
4.33 KB, patch
benjamin
: review+
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
Note: this is a follow-up for Bug 1121829.

Testing performed on the fix pushed for Bug 1121829 proved that Windows 8 32bit is still affected on some environments.
Assignee: nobody → m_kato
I would like to analyze plugin-container process that this problem occurs.  So could you create dump file of this process by the following steps?

1. Launch Firefox Nightly and browse flash page.
2. Launch Task Manager by right click windows task bar
3. Click [More details] to expand process list
4. Select "Plugin Container for Nightly" in Background Processes
5. Right click, then select [Create dump file] menu

Dump file will be created into you temporary directory (see dialog of Dumping process).  So could you share this file such as Dropbox and email this link to me?
Flags: needinfo?(andrei.vaida)
(In reply to Makoto Kato (:m_kato) from comment #1)
> I would like to analyze plugin-container process that this problem occurs. 
> So could you create dump file of this process by the following steps?
> 
> 1. Launch Firefox Nightly and browse flash page.
> 2. Launch Task Manager by right click windows task bar
> 3. Click [More details] to expand process list
> 4. Select "Plugin Container for Nightly" in Background Processes
> 5. Right click, then select [Create dump file] menu
> 
> Dump file will be created into you temporary directory (see dialog of
> Dumping process).  So could you share this file such as Dropbox and email
> this link to me?

I sent you the dump file via email. Let me know if there's anything else I can help with here.
Flags: needinfo?(andrei.vaida)
I got dump file.

0:000> u kernelbase!CreateFileW
KERNELBASE!CreateFileW:
74d20afd ebf9            jmp     KERNELBASE!CreateFileDowngrade_Vista+0x3 (74d20af8)
74d20aff 55              push    ebp
...

0:000> u 74d20af8
KERNELBASE!CreateFileDowngrade_Vista+0x3:
74d20af8 e998ff82ec      jmp     xul!CreateFileHookFn (61550a95)

We can hook CreateFileW correctly.  BUT...

0:000> u poi(kernel32!_imp__CreateFileA)
KERNELBASE!CreateFileA:
74d241cf 8bff            mov     edi,edi
74d241d1 55              push    ebp
...
74d2425a 89442440        mov     dword ptr [esp+40h],eax
74d2425e e812c5ffff      call    KERNELBASE!CreateFileInternal (74d20775)
74d24263 8bf0            mov     esi,eax

AHHH, it means that kernel32!CreateFileA doesn't call kernelbase!CreateFileW....


I check file version.  It is just RTM version.

0:000> lmvm kernelbase
start    end        module name
74d10000 74dcd000   KERNELBASE   (pdb symbols)          c:\localsym\kernelbase.pdb\6798FD571EC44631BBBE7170B01EDBFB2\kernelbase.pdb
    Loaded symbol image file: KERNELBASE.dll
    Image path: C:\Windows\System32\KERNELBASE.dll
    Image name: KERNELBASE.dll
    Timestamp:        Thu Jul 26 11:35:38 2012 (5010ACFA)
    CheckSum:         000BDDC2
    ImageSize:        000BD000
    File version:     6.2.9200.16384
    Product version:  6.2.9200.16384
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      MicrosoftR WindowsR Operating System
    InternalName:     Kernelbase.dll
    OriginalFilename: Kernelbase.dll
    ProductVersion:   6.2.9200.16384
    FileVersion:      6.2.9200.16384 (win8_rtm.120725-1247)
    FileDescription:  Windows NT BASE API Client DLL
    LegalCopyright:   c Microsoft Corporation. All rights reserved.

So I will create image of RTM to check and fix this.
I want additional information.  Although you comments reproduced environments by Bug 1121829 comment 8, you cannot reproduce NVIDIA's PC.  What file version of kernelbase.dll on NVIDIA's PC?

About file version, you can check the following.
1. Launch Explorer.
2. Browser C:\windows\system32
3. Selelect kernelbase.dll into file lists
4. Right click, then select [Properties] - [Details]
Flags: needinfo?(andrei.vaida)
(In reply to Makoto Kato (:m_kato) from comment #4)
> I want additional information. Although you comments reproduced
> environments by Bug 1121829 comment 8, you cannot reproduce NVIDIA's PC. 
> What file version of kernelbase.dll on NVIDIA's PC?
> 
> About file version, you can check the following.
> 1. Launch Explorer.
> 2. Browser C:\windows\system32
> 3. Selelect kernelbase.dll into file lists
> 4. Right click, then select [Properties] - [Details]

The file version of kernelbase.dll is: 6.2.9200.16864.
Flags: needinfo?(andrei.vaida)
If using Windows 8 RTM (not apply all hotfixes), this issue occurs.  kernel32!CreateFileA will call kernelbase!CreateFileInternal, not kernelbase!CreateFileW.   So we must hook CreateFileA to call CreateFileW (for hooking mms.cfg) or read mms.cfg directly.
Also, although we can hook NtCreateFile, but some code (xpcom and sandbox) already hooks it.  Multiple hook may be more dangerous.
(In reply to Makoto Kato (:m_kato) from comment #6)
> Andrei, if possible, could you test this issue the following package?
> 
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/m_kato@ga2.so-net.
> ne.jp-72d3428615f7/try-win32/firefox-38.0a1.en-US.win32.installer.exe

I'm no longer seeing the issue on Windows 8 32bit with this try build and flash 16.0.0.296. Here's an overview:
- with the pref set to true (default), there are 2 "Plugin Container for Nightly" processes active
- with the pref set to false, there are 2 "Adobe Flash Player 16.0 r0" and 2 "Plugin Container for Nightly" processes active
On non-patched version of Windows 8, CreateFileA of kernel32.dll doesn't call CreateFileW of kernel32.dll/kernelbase.dll.

Since Flash 16 opens mms.cfg by CreateFileA, we have to hook CreateFileA to call CreateFileW and our hooked function.
Attachment #8557718 - Flags: review?(benjamin)
Attachment #8557718 - Flags: review?(benjamin) → review+
https://hg.mozilla.org/mozilla-central/rev/d220925b1467
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox38: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Verified fixed on Nightly 38.0a1 (2015-02-04) using Windows 8 (32 bit) with flash plug-in version 16.0.0.296.
Status: RESOLVED → VERIFIED
status-firefox38: fixedverified
[Tracking Requested - why for this release]: This prevents the protected-mode block from working correctly for a small set of win8 users.
status-firefox37: --- → affected
tracking-firefox37: --- → ?
Comment on attachment 8557718 [details] [diff] [review]
Need hook CreateFileA for Windows 8 RTM

Approval Request Comment
[Feature/regressing bug #]: unfinished part of bug 1108035
[User impact if declined]: Some win8 users won't have the same settings as everyone else
[Describe test coverage new/current, TreeHerder]: Manual QA verification
[Risks and why]: it's a hooking change, so not completely no-risk, but I think the risk is fairly low
[String/UUID change made/needed]: none
Attachment #8557718 - Flags: approval-mozilla-aurora?
Tracking as we need protected mode to work consistently across platforms.
status-firefox35: --- → unaffected
status-firefox36: --- → unaffected
tracking-firefox37: ?+
Comment on attachment 8557718 [details] [diff] [review]
Need hook CreateFileA for Windows 8 RTM

Nice to see that this change has already been verified on Nightly. Aurora+
Attachment #8557718 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Verified fixed on Aurora 37.0a2 (2015-02-05), using Windows 8 x86.
status-firefox37: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: