https://bugs.winehq.org/show_bug.cgi?id=44499 Bug ID: 44499 Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented function ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx Product: Wine Version: 3.1 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 44497 The kernel driver uses multiple methods to implement process protection/supervision. * ObRegisterCallbacks * ObUnRegisterCallbacks * ObGetFilterVersion -> covered by bug 44497 Another method: * PsSetCreateProcessNotifyRoutineEx Example kernel driver code to show how the API is being used: https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obca... --- quote --- ObCallback Callback Registration Driver The ObCallback sample driver demonstrates the use of registered callbacks for process protection. The driver registers control callbacks which are called at process creation. Design and Operation The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks routine and a callback to restrict requested access rights during a open process action. The second example uses the PsSetCreateProcessNotifyRoutineEx routine to reject a process creation by examining the command line. --- quote --- Another article: https://malwaretips.com/threads/av-self-protection-process-c-c.66200/ For BattlEye 'BEDaisy' service to succeed the driver init routine it is enough to implement a stub for 'PsSetCreateProcessNotifyRoutineEx' like it was done with 'PsSetCreateProcessNotifyRoutine' -> return STATUS_SUCCESS https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe... --- snip --- 2381 /*********************************************************************** 2382 * PsSetCreateProcessNotifyRoutine (NTOSKRNL.EXE.@) 2383 */ 2384 NTSTATUS WINAPI PsSetCreateProcessNotifyRoutine( PCREATE_PROCESS_NOTIFY_ROUTINE callback, BOOLEAN remove ) 2385 { 2386 FIXME( "stub: %p %d\n", callback, remove ); 2387 return STATUS_SUCCESS; 2388 } --- snip --- $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.1-193-g354fa7eb79 Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.