https://bugs.winehq.org/show_bug.cgi?id=53078

Bernhard Übelacker <bernhardu(a)mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bernhardu(a)mailbox.org

--- Comment #1 from Bernhard Übelacker <bernhardu(a)mailbox.org> ---
Created attachment 72590
  --> https://bugs.winehq.org/attachment.cgi?id=72590
hack to workaround second-ntdll and trigger driver startup

This is what I found while trying to investigate loading the game in Wine.

The "Star Stable Online.exe" is just the launcher and updater.
When pressing the play button it spawns a "SSOClient.exe".
This is now also spawning processes "GameGuard.des" and "GameMon.des".
The latter detects a 64-bit system and then spawns "GameMon64.des".
This last process then calls NtLoadDriver for loading "dump_wmimmc.sys".

The first issue is "GameMon.des" doing a LoadLibraryEx for ntdll.dll,
and calling from this copy NtSetInformationThread(ThreadHideFromDebugger),
which fails because in the second ntdll __wine_syscall_dispatcher never gets
set, which usually takes place in ntdll_init_syscalls.

Second issue is the function NtLoadDriver is currently just a stub.
And for obfuscation reasons "dump_wmimmc.sys" gets deleted.

Then the third: inside ZwLoadDriver/IoCreateDriver, "dump_wmimmc.sys" calls
IoCreateDevice, IoCreateSymbolicLink("\\??\\dump_wmimmc"), PsGetVersion,
ZwQueryValueKey("...\Windows NT\CurrentVersion\UBR"), IoGetCurrentProcess
and PsGetCurrentProcessId.
I guess something of this makes it upset and causes
IoDeleteSymbolicLink("\\??\\dump_wmimmc") and IoDeleteDevice,
finally returning 0xc0000001 (STATUS_UNSUCCESSFUL).
But because of the obfuscation I could not see exactly what went wrong
in dump_wmimmc.sys.

Attached are some ugly hacks to try to work around the first two issues.