https://bugs.winehq.org/show_bug.cgi?id=44497

            Bug ID: 44497
           Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback (object manager) functions
           Product: Wine
           Version: 3.1
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs(a)winehq.org
          Reporter: focht(a)gmx.net
      Distribution: ---

Hello folks,

continuation of bug 44496

The kernel driver uses object manager callbacks in order to implement process protection.

* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion

Example kernel driver code to show how the API is being used:

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obca...

--- quote ---
ObCallback Callback Registration Driver

The ObCallback sample driver demonstrates the use of registered callbacks for process protection. The driver registers control callbacks which are called at process creation.

Design and Operation

The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks routine and a callback to restrict requested access rights during a open process action. The second example uses the PsSetCreateProcessNotifyRoutineEx routine to reject a process creation by examining the command line.
--- quote ---

Another article:

https://malwaretips.com/threads/av-self-protection-process-c-c.66200/

BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning 'STATUS_NOT_IMPLEMENTED' are not enough. The driver init routine will fail.

* ObRegisterCallbacks -> return STATUS_SUCCESS (and fake handle)
* ObUnRegisterCallbacks -> just empty stub is enough
* ObGetFilterVersion -> return OB_FLT_REGISTRATION_VERSION

Also mentioned in https://bugs.winehq.org/show_bug.cgi?id=41039#c0 ("Virtualbox crashes with access violation, needs ntoskrnl.exe.FsRtlIsNameInExpression") although not the problem there.

--- snip ---
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObRegisterCallbacks" not found
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObUnRegisterCallbacks" not found
--- snip ---

With these things fixed, the driver runs further - into next problems.

$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79

Regards
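
The pure-stub versus semi-stub difference described in the report, as an added user-space model in C (not Wine's code and not from the report). The `ob_api` table, `model_driver_init` and the simplified argument types are hypothetical; the driver model assumes init simply propagates the registration status, and the pure version stub returning 0 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(s)               ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED      ((NTSTATUS)0xC0000002)
#define OB_FLT_REGISTRATION_VERSION 0x0100  /* value from the WDK's wdm.h */

/* The three ntoskrnl exports named in the report, as a swappable table. */
struct ob_api {
    uint16_t (*get_filter_version)(void);
    NTSTATUS (*register_callbacks)(const void *registration, void **handle);
    void     (*unregister_callbacks)(void *handle);
};

/* Pure stubs: registration reports STATUS_NOT_IMPLEMENTED (version 0 is an assumption). */
static uint16_t pure_version(void) { return 0; }
static NTSTATUS pure_register(const void *r, void **h) { (void)r; (void)h; return STATUS_NOT_IMPLEMENTED; }
static void     pure_unregister(void *h) { (void)h; }

/* Semi-stubs: report success and hand out a fake handle; no callback is ever invoked. */
static int fake_registration;  /* its address serves as the fake handle */
static uint16_t semi_version(void) { return OB_FLT_REGISTRATION_VERSION; }
static NTSTATUS semi_register(const void *r, void **h) { (void)r; *h = &fake_registration; return STATUS_SUCCESS; }
static void     semi_unregister(void *h) { (void)h; }

const struct ob_api pure_stubs = { pure_version, pure_register, pure_unregister };
const struct ob_api semi_stubs = { semi_version, semi_register, semi_unregister };

/* Hypothetical driver init: registers callbacks and fails if registration fails. */
NTSTATUS model_driver_init(const struct ob_api *api, void **handle)
{
    uint16_t registration_version = api->get_filter_version();
    *handle = NULL;
    return api->register_callbacks(&registration_version, handle);
}

int main(void)
{
    void *h;
    printf("pure stubs: 0x%08x\n", (unsigned)model_driver_init(&pure_stubs, &h));
    printf("semi stubs: 0x%08x\n", (unsigned)model_driver_init(&semi_stubs, &h));
    semi_stubs.unregister_callbacks(h);  /* unload path: the empty stub is enough */
    return 0;
}
```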