wine-bugs March 2021

wine-bugs@winehq.org

1 participants
6199 discussions

[Bug 44497] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback ( object manager) functions
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44497 Bug ID: 44497 Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback (object manager) functions Product: Wine Version: 3.1 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 44496 The kernel driver uses object manager callbacks in order to implement process protection. * ObRegisterCallbacks * ObUnRegisterCallbacks * ObGetFilterVersion Example kernel driver code to show how the API is being used: https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obc… --- quote --- ObCallback Callback Registration Driver The ObCallback sample driver demonstrates the use of registered callbacks for process protection. The driver registers control callbacks which are called at process creation. Design and Operation The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks routine and a callback to restrict requested access rights during a open process action. The second example uses the PsSetCreateProcessNotifyRoutineEx routine to reject a process creation by examining the command line. --- quote --- Another article: https://malwaretips.com/threads/av-self-protection-process-c-c.66200/ BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning 'STATUS_NOT_IMPLEMENTED' is not enough. The driver init routine will fail. * ObRegisterCallbacks -> return STATUS_SUCCESS (and fake handle) * ObUnRegisterCallbacks -> just empty stub is enough * ObGetFilterVersion -> return OB_FLT_REGISTRATION_VERSION Also mentioned in tps://bugs.winehq.org/show_bug.cgi?id=41039#c0 ("Virtualbox crashes with access violation, needs ntoskrnl.exe.FsRtlIsNameInExpression") although not the problem there. --- snip --- fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObRegisterCallbacks" not found fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObUnRegisterCallbacks" not found --- snip --- With these things fixed, the driver runs further - into next problems. $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.1-193-g354fa7eb79 Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 6

[Bug 44500] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented fltmgr.sys functions ( FltRegisterFilter, FltStartFiltering, FltUnregisterFilter)
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44500 Bug ID: 44500 Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented fltmgr.sys functions (FltRegisterFilter, FltStartFiltering, FltUnregisterFilter) Product: Wine Version: 3.1 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: fltmgr Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 44499 The kernel driver uses multiple methods to implement process protection/supervision. * ObRegisterCallbacks * ObUnRegisterCallbacks * ObGetFilterVersion -> covered by bug 44497 * PsSetCreateProcessNotifyRoutineEx -> covered by bug 44499 * FltRegisterFilter * FltStartFiltering * FltUnregisterFilter BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning 'STATUS_NOT_IMPLEMENTED' is not enough. The driver init routine will fail. * FltRegisterFilter -> return STATUS_SUCCESS and some dummy handle as "out" * FltStartFiltering -> return STATUS_SUCCESS * FltUnregisterFilter -> just empty stub is enough (needed when driver unloads) With this and all previous bug reports fixed/worked around, the driver init routine runs to completion and the kernel service starts successfully. Proof: --- snip --- ... 0048:trace:winedevice:load_driver loading driver L"C:\\Program Files\\Common Files\\BattlEye\\BEDaisy.sys" ... 0048:trace:module:process_attach (L"BEDaisy.sys",(nil)) - END 0048:Ret KERNEL32.LoadLibraryW() retval=00780000 ret=7effaa20 ... 0048:trace:winedevice:load_driver_module L"C:\\Program Files\\Common Files\\BattlEye\\BEDaisy.sys": relocating from 0x400000 to 0x780000 ... 0048:Call driver init 0x7fdf6e (obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") 0048:Call --- snip --- Map the driver image via Mdl in order to hot-patch. --- snip --- ... ntoskrnl.exe.IoAllocateMdl(00780000,00040409,00000000,00000000,00000000) ret=0080bf37 0048:trace:ntoskrnl:IoAllocateMdl (0x780000, 263177, 0, 0, (nil)) 0048:Call ntdll.RtlAllocateHeap(00110000,00000008,00000120) ret=7ecdf800 0048:Ret ntdll.RtlAllocateHeap() retval=0011cd38 ret=7ecdf800 0048:fixme:ntoskrnl:IoGetCurrentProcess () semi-stub 0048:Ret ntoskrnl.exe.IoAllocateMdl() retval=0011cd38 ret=0080bf37 0048:Call ntoskrnl.exe.MmProbeAndLockPages(0011cd38,00000000,00000001) ret=0080bf37 0048:fixme:ntoskrnl:MmProbeAndLockPages (0x11cd38, 0, 1): stub 0048:Ret ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=0080bf37 0048:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011cd38,00000000,00000000,00000001,00000000,00000000) ret=0080bf37 0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11cd38, 0, 0, 0x1, 0, 0): stub 0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00040409) ret=7ece28a9 0048:Ret ntdll.RtlAllocateHeap() retval=0011d978 ret=7ece28a9 0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece28d4 0048:Ret KERNEL32.OpenProcess() retval=00000040 ret=7ece28d4 0048:Call KERNEL32.ReadProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2907 0048:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=7ece2907 0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2929 0048:Ret KERNEL32.CloseHandle() retval=00000001 ret=7ece2929 0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache Success! 0048:Ret ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=0011d978 ret=0080bf37 --- snip --- Manually resolve 'ntoskrnl.exe' and other module imports. Most activity is invisible from any trace log (walking in-memory lists, obfuscated strings). --- snip --- 0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f350) ret=008034e1 0048:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1 ... 0048:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b 0048:Ret ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b 0048:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc 0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ece16d9 0048:Ret ntdll.RtlAllocateHeap() retval=008100a0 ret=7ece16d9 0048:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x8100a0 0048:Ret ntoskrnl.exe.ExAllocatePool() retval=008100a0 ret=007fe2fc 0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f398) ret=008034e1 0048:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1 ... --- snip --- Commit the changes to the memory image -> 'MmUnlockPages'. --- snip --- ... 0048:Call ntoskrnl.exe.MmUnlockPages(0011cd38) ret=0080bf37 0048:fixme:ntoskrnl:MmUnlockPages (0x11cd38): stub 0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece2be8 0048:Ret KERNEL32.OpenProcess() retval=00000040 ret=7ece2be8 0048:Call KERNEL32.WriteProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2c17 0048:Ret KERNEL32.WriteProcessMemory() retval=00000001 ret=7ece2c17 0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2c25 0048:Ret KERNEL32.CloseHandle() retval=00000001 ret=7ece2c25 0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011d978) ret=7ece2c45 0048:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ece2c45 0048:fixme:ntoskrnl:MmUnlockPages Success! 0048:Ret ntoskrnl.exe.MmUnlockPages() retval=0000002b ret=0080bf37 0048:Call ntoskrnl.exe.IoFreeMdl(0011cd38) ret=0080bf37 0048:trace:ntoskrnl:IoFreeMdl 0x11cd38 0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011cd38) ret=7ecdf8fa 0048:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ecdf8fa 0048:Ret ntoskrnl.exe.IoFreeMdl() retval=00000001 ret=0080bf37 ... --- snip --- Register object manager/process/mini driver callbacks and create driver symlinks. --- snip --- ... 0048:Call ntoskrnl.exe.ObGetFilterVersion() ret=0078c6be 0048:fixme:ntoskrnl:ObGetFilterVersion stub 0048:Ret ntoskrnl.exe.ObGetFilterVersion() retval=00000100 ret=0078c6be 0048:Call ntoskrnl.exe.KeInitializeMutex(00785020,00000000) ret=0079e1f6 0048:fixme:ntoskrnl:KeInitializeMutex stub: 0x785020, 0 0048:Ret ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=0079e1f6 0048:Call ntoskrnl.exe.IoCreateDevice(0011cb58,00000000,0065f1a8,00000022,00000000,00000000,0065f1e8) ret=007a2653 0048:trace:ntoskrnl:IoCreateDevice (0x11cb58, 0, L"\\Device\\BattlEye", 34, 0, 0, 0x65f1e8) ... 0048:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=007a2653 0048:Call ntoskrnl.exe.IoCreateSymbolicLink(0065f1cc,0065f1a8) ret=007a2834 0048:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\BattlEye" -> L"\\Device\\BattlEye" 0048:Call ntdll.NtCreateSymbolicLinkObject(0065f064,000f0001,0065f04c,0065f1a8) ret=7ece06af 0048:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece06af 0048:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=007a2834 0048:Call ntoskrnl.exe.KeWaitForSingleObject(00785020,00000000,00000000,00000000,00000000) ret=007b8643 0048:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x785020, 0, 0, 0, (nil) 0048:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=007b8643 0048:Call ntdll.RtlInitUnicodeString(0065f0c8,00783a7c L"363220") ret=00794e44 0048:Ret ntdll.RtlInitUnicodeString() retval=0065f0c8 ret=00794e44 0048:Call ntoskrnl.exe.ObRegisterCallbacks(0065f0c4,00785040) ret=007b869d 0048:fixme:ntoskrnl:ObRegisterCallbacks : stub 0048:Ret ntoskrnl.exe.ObRegisterCallbacks() retval=00000000 ret=007b869d 0048:Call ntoskrnl.exe.KeReleaseMutex(00785020,00000000) ret=007a4ee7 0048:fixme:ntoskrnl:KeReleaseMutex stub: 0x785020, 0 0048:Ret ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=007a4ee7 0048:Call ntoskrnl.exe.PsSetLoadImageNotifyRoutine(007817a0) ret=00797911 0048:fixme:ntoskrnl:PsSetLoadImageNotifyRoutine (0x7817a0) stub 0048:Ret ntoskrnl.exe.PsSetLoadImageNotifyRoutine() retval=00000000 ret=00797911 0048:Call ntoskrnl.exe.PsSetCreateThreadNotifyRoutine(007811c4) ret=0079e1fb 0048:fixme:ntoskrnl:PsSetCreateThreadNotifyRoutine stub: 0x7811c4 0048:Ret ntoskrnl.exe.PsSetCreateThreadNotifyRoutine() retval=00000000 ret=0079e1fb 0048:Call ntoskrnl.exe.memset(0065f108,00000000,00000038) ret=007b63ab 0048:Ret ntoskrnl.exe.memset() retval=0065f108 ret=007b63ab 0048:Call fltmgr.sys.FltRegisterFilter(0011cb58,0065f108,00785500) ret=007afad8 0048:fixme:fltmgr:FltRegisterFilter (0x11cb58, 0x65f108): stub ... 0048:Ret fltmgr.sys.FltRegisterFilter() retval=00000000 ret=007afad8 0048:Call fltmgr.sys.FltStartFiltering(0011d978) ret=00795697 0048:fixme:fltmgr:FltStartFiltering (0x11d978): stub 0048:Ret fltmgr.sys.FltStartFiltering() retval=00000000 ret=00795697 0048:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx(00781aba,00000000) ret=0079d0f5 0048:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutineEx stub: 0x781aba 0 0048:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx() retval=00000000 ret=0079d0f5 ... --- snip --- Driver init successful return: --- snip --- ... 0048:Call ntdll.RtlInitUnicodeString(0065f190,0065f444 L"\\Driver") ret=0078ee45 0048:Ret ntdll.RtlInitUnicodeString() retval=0065f190 ret=0078ee45 0048:Call ntdll.ZwOpenDirectoryObject(0065f1c8,00000001,0065f1b0) ret=0079a425 0048:Ret ntdll.ZwOpenDirectoryObject() retval=00000000 ret=0079a425 0048:Call ntdll.ZwQueryDirectoryObject(00000048,0065f1f4,00000100,00000001,00000000,0065f458,00000000) ret=007a78fb 0048:Ret ntdll.ZwQueryDirectoryObject() retval=8000001a ret=007a78fb 0048:Call ntdll.ZwClose(00000048) ret=00795dcc 0048:Ret ntdll.ZwClose() retval=00000000 ret=00795dcc 0048:Ret driver init 0x7fdf6e (obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=00000000 0048:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11cb58 0048:trace:winedevice:init_driver - DriverInit = 0x7fdf6e 0048:trace:winedevice:init_driver - DriverStartIo = (nil) 0048:trace:winedevice:init_driver - DriverUnload = 0x781de8 0048:trace:winedevice:init_driver - MajorFunction[0] = 0x781dc4 0048:trace:winedevice:init_driver - MajorFunction[1] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[2] = 0x781d54 0048:trace:winedevice:init_driver - MajorFunction[3] = 0x7820c2 0048:trace:winedevice:init_driver - MajorFunction[4] = 0x7829b4 0048:trace:winedevice:init_driver - MajorFunction[5] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[6] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[7] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[8] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[9] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[10] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[11] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[12] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[13] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[14] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[15] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[16] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[17] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[18] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[19] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[20] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[21] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[22] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[23] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[24] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[25] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[26] = 0x7ecdfeb0 0048:trace:winedevice:init_driver - MajorFunction[27] = 0x7ecdfeb0 0048:Ret ntoskrnl.exe.IoCreateDriver() retval=00000000 ret=7effb7c8 0048:Call ntoskrnl.exe.ObReferenceObjectByName(0065fdc0,00000040,00000000,00000000,00000000,00000000,00000000,0065fdc8) ret=7effb852 0048:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\\Driver\\BEDaisy" 64 (nil) 0 (nil) 0 (nil) 0x65fdc8 ... 0048:Ret ntoskrnl.exe.ObReferenceObjectByName() retval=00000000 ret=7effb852 ... 0048:Call advapi32.SetServiceStatus(0011b788,0065fd84) ret=7effb41b ... 0048:Ret advapi32.SetServiceStatus() retval=00000001 ret=7effb41b --- snip --- NOTE: This doesn't really make BattlEye functional. It enables both services to run and prevents the initial driver service crashes/errors (2). The "Tibia" client I used to test with (http://static.tibia.com/download/Tibia_Setup.exe) still reports BattlEye not working properly. --- snip --- ... [ 11:53:26,282 ] BattlEye: "Initialized (v1.243)" [ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" (unprotected: "tcp://tibia-pool-eu.ciproxy.com:7171" ) requested (Charakter "Da Beef" ) [ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora" [ 11:53:26,405 ] Connected to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora" [ 11:53:26,637 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State) [ 11:53:26,691 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State) [ 11:53:27,317 ] BattlEye: "Restarting client is necessary, service isn't running properly" [ 11:53:27,318 ] BattlEye: "Restarting client is necessary, update required" ... --- snip --- I have no intention to look further unless there is some progress on previous tickets. $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.1-193-g354fa7eb79 Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 5

[Bug 44837] New: BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing ' ntoskrnl.exe.PsAcquireProcessExitSynchronization'
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44837 Bug ID: 44837 Summary: BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing 'ntoskrnl.exe.PsAcquireProcessExitSynchronization' Product: Wine Version: 3.4 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 44811 --- snip --- ... 0052:Call KERNEL32.GetModuleHandleW(7ec246fc L"ntoskrnl.exe") ret=7ec1a2f6 0052:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec1a2f6 0052:Call KERNEL32.GetProcAddress(7ec00000,0011d4b8 "PsAcquireProcessExitSynchronization") ret=7ec1a30b 0052:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec1a30b 0052:Call KERNEL32.GetModuleHandleW(7ec24718 L"hal.dll") ret=7ec1a324 0052:Ret KERNEL32.GetModuleHandleW() retval=f7ac0000 ret=7ec1a324 0052:Call KERNEL32.GetProcAddress(f7ac0000,0011d4b8 "PsAcquireProcessExitSynchronization") ret=7ec1a33f 0052:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec1a33f 0052:Call ntdll.RtlFreeAnsiString(0065eb30) ret=7ec1a351 0052:Ret ntdll.RtlFreeAnsiString() retval=0065eb30 ret=7ec1a351 0052:fixme:ntoskrnl:MmGetSystemRoutineAddress L"PsAcquireProcessExitSynchronization" not found 0052:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=007da46e 0052:Ret driver init 0x78d000 (obj=0x11caa0,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=c0000001 0052:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11caa0 ... 0052:Ret ntoskrnl.exe.IoCreateDriver() retval=c0000001 ret=7effb786 0052:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000001 ... --- snip --- Discussion of this API (potential use) here https://forum.sysinternals.com/discussion-howto-enumerate-handles_topic1940… https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-ke… https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/run-down-p… https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/index.htm (PsAcquireProcessExitSynchronization 6.0 and higher ) $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.4-192-gd7430abd40 Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 9

[Bug 44906] New: BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing ' ntoskrnl.exe.ExfUnblockPushLock'
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44906 Bug ID: 44906 Summary: BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing 'ntoskrnl.exe.ExfUnblockPushLock' Product: Wine Version: 3.5 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, ticket dedicated to: https://github.com/wine-staging/wine-staging/blob/master/patches/ntoskrnl-S… Prerequisite: * bug 44837 --- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl wine net start BEDaisy >>log.txt 2>&1 ... 0035:Call KERNEL32.GetModuleHandleW(7ec229dc L"ntoskrnl.exe") ret=7ec18512 0035:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec18512 0035:Call KERNEL32.GetProcAddress(7ec00000,0011d630 "PsAcquireProcessExitSynchronization") ret=7ec18527 0035:Ret KERNEL32.GetProcAddress() retval=7ec0e468 ret=7ec18527 ... 0035:trace:ntoskrnl:MmGetSystemRoutineAddress L"PsAcquireProcessExitSynchronization" -> 0x7ec0e468 0035:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=7ec0e468 ret=007da46e 0035:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0065ecac) ret=00868d6d ... 0035:Call KERNEL32.GetModuleHandleW(7ec229dc L"ntoskrnl.exe") ret=7ec18512 0035:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec18512 0035:Call KERNEL32.GetProcAddress(7ec00000,0011d630 "PsReleaseProcessExitSynchronization") ret=7ec18527 ... 0035:trace:ntoskrnl:MmGetSystemRoutineAddress L"PsReleaseProcessExitSynchronization" -> 0x7ec0e540 0035:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=7ec0e540 ret=00868d6d 0035:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0065ecac) ret=0084d372 ... 0035:Call KERNEL32.GetModuleHandleW(7ec229dc L"ntoskrnl.exe") ret=7ec18512 0035:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec18512 0035:Call KERNEL32.GetProcAddress(7ec00000,0011d630 "ExfUnblockPushLock") ret=7ec18527 0035:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec18527 0035:Call KERNEL32.GetModuleHandleW(7ec229f8 L"hal.dll") ret=7ec18540 0035:Ret KERNEL32.GetModuleHandleW() retval=f79f0000 ret=7ec18540 0035:Call KERNEL32.GetProcAddress(f79f0000,0011d630 "ExfUnblockPushLock") ret=7ec1855b 0035:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec1855b ... 0035:fixme:ntoskrnl:MmGetSystemRoutineAddress L"ExfUnblockPushLock" not found 0035:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=0084d372 0035:Ret driver init 0x78d000 (obj=0x11cc00,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=c0000001 ... 0035:Ret ntoskrnl.exe.IoCreateDriver() retval=c0000001 ret=7effb832 0035:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000001 --- snip --- $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 4

[Bug 44910] New: BattlEye 'BEDaisy' kernel service fails in driver entry point due to ' ntoskrnl.exe.ObReferenceObjectByHandle' stub (needs STATUS_SUCCESS)
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44910 Bug ID: 44910 Summary: BattlEye 'BEDaisy' kernel service fails in driver entry point due to 'ntoskrnl.exe.ObReferenceObjectByHandle' stub (needs STATUS_SUCCESS) Product: Wine Version: 3.5 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 44907 Prerequisite: * bug 44837 -> missing 'ntoskrnl.exe.Ps{Acquire,Release}ProcessExitSynchronization' * bug 44906 -> missing 'ntoskrnl.exe.ExfUnblockPushLock' * bug 44907 -> missing 'fltmgr.sys.FltGetRoutineAddress' Unlike the other bug reports, I added +server debug channel to show which handle is being dereferenced. --- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl,+server wine net start BEDaisy >>log.txt 2>&1 ... 0033:Call driver init 0x78d000 (obj=0x11cb00,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") ... 0033:Call ntoskrnl.exe.PsCreateSystemThread(0065ec4c,001fffff,0065ec50,00000000,00000000,0078308e,00000000) ret=0080858c 0033:Call ntdll.RtlCreateUserThread(ffffffff,00000000,00000000,00000000,00000000,00000000,0078308e,00000000,0065ec4c,00000000) ret=7ec1823e 0033: *fd* 21 <- 145 0033: new_thread( access=001fffff, attributes=00000000, suspend=0, request_fd=21 ) 0033: new_thread() = 0 { tid=0035, handle=0040 } 0033:Ret ntdll.RtlCreateUserThread() retval=00000000 ret=7ec1823e 0033:Ret ntoskrnl.exe.PsCreateSystemThread() retval=00000000 ret=0080858c 0033:Call ntoskrnl.exe.ObReferenceObjectByHandle(00000040,001fffff,00000000,00000000,0078b55c,00000000) ret=007840d4 0033:fixme:ntoskrnl:ObReferenceObjectByHandle stub: 0x40 1fffff (nil) 0 0x78b55c (nil) 0033:Ret ntoskrnl.exe.ObReferenceObjectByHandle() retval=c0000002 ret=007840d4 0033:Call ntoskrnl.exe.KeSetEvent(0078b3f4,00000000,00000000) ret=00790914 0033:fixme:ntoskrnl:KeSetEvent (0x78b3f4, 0, 0): stub 0033:Ret ntoskrnl.exe.KeSetEvent() retval=00000000 ret=00790914 0033:Call ntoskrnl.exe.ZwClose(00000040) ret=007f2c73 0033:Call ntdll.NtClose(00000040) ret=7bc803ab 0033: close_handle( handle=0040 ) 0033: close_handle() = 0 0033:Ret ntdll.NtClose() retval=00000000 ret=7bc803ab 0033:Ret ntoskrnl.exe.ZwClose() retval=00000000 ret=007f2c73 0033:Call fltmgr.sys.FltUnregisterFilter(deadbeaf) ret=007fd488 0033:fixme:fltmgr:FltUnregisterFilter (0xdeadbeaf): stub 0033:Ret fltmgr.sys.FltUnregisterFilter() retval=00000039 ret=007fd488 0033:Call ntoskrnl.exe.PsRemoveCreateThreadNotifyRoutine(0078130c) ret=0082f2bc 0033:fixme:ntoskrnl:PsRemoveCreateThreadNotifyRoutine stub: 0x78130c 0033:Ret ntoskrnl.exe.PsRemoveCreateThreadNotifyRoutine() retval=00000000 ret=0082f2bc 0033:Call ntoskrnl.exe.PsRemoveLoadImageNotifyRoutine(00781dc6) ret=008242ab 0033:fixme:ntoskrnl:PsRemoveLoadImageNotifyRoutine stub: 0x781dc6 0033:Ret ntoskrnl.exe.PsRemoveLoadImageNotifyRoutine() retval=00000000 ret=008242ab 0033:Call ntoskrnl.exe.KeWaitForSingleObject(0078b530,00000000,00000000,00000000,00000000) ret=0080b669 0033:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x78b530, 0, 0, 0, (nil) 0033:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=0080b669 0033:Call ntoskrnl.exe.ObUnRegisterCallbacks(deadbeaf) ret=007ac56b 0033:fixme:ntoskrnl:ObUnRegisterCallbacks stub: 0xdeadbeaf 0033:Ret ntoskrnl.exe.ObUnRegisterCallbacks() retval=0000003b ret=007ac56b 0033:Call ntoskrnl.exe.KeReleaseMutex(0078b530,00000000) ret=00839822 0033:fixme:ntoskrnl:KeReleaseMutex stub: 0x78b530, 0 0033:Ret ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=00839822 0033:Call ntoskrnl.exe.IoDeleteSymbolicLink(0065ec74) ret=0080d6dc 0033:Call ntdll.NtOpenSymbolicLinkObject(0065eb40,00000000,0065eb28) ret=7ec158ab 0033: open_symlink( access=00000000, attributes=00000040, rootdir=0000, name=L"\\DosDevices\\BattlEye" ) 0033: open_symlink() = 0 { handle=0044 } 0033:Ret ntdll.NtOpenSymbolicLinkObject() retval=00000000 ret=7ec158ab 0033: unlink_object( handle=0044 ) 0033: unlink_object() = 0 0033:Call ntdll.NtClose(00000044) ret=7ec15924 0033: close_handle( handle=0044 ) 0033: close_handle() = 0 0033:Ret ntdll.NtClose() retval=00000000 ret=7ec15924 0033:Ret ntoskrnl.exe.IoDeleteSymbolicLink() retval=00000000 ret=0080d6dc 0033:Call ntoskrnl.exe.IoDeleteDevice(0011cce0) ret=00867fef 0033:trace:ntoskrnl:IoDeleteDevice 0x11cce0 0033: delete_device( handle=0038 ) 0033: delete_device() = 0 0033:Call ntdll.NtClose(00000038) ret=7ec15773 0033: close_handle( handle=0038 ) 0033: close_handle() = 0 0033:Ret ntdll.NtClose() retval=00000000 ret=7ec15773 ... 0033:Ret ntoskrnl.exe.IoDeleteDevice() retval=00000001 ret=00867fef 0033:Ret driver init 0x78d000 (obj=0x11cb00,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=c0000002 ... 0033:Ret ntoskrnl.exe.IoCreateDriver() retval=c0000002 ret=7effb832 0033:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000002 --- snip --- MSDN: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/n… One of MS official kernel driver examples, illustrating how the API is meant to be used here (general pattern for getting thread object pointer): https://github.com/Microsoft/Windows-driver-samples/blob/master/general/can… --- snip --- ... status = PsCreateSystemThread(&threadHandle, (ACCESS_MASK)0, NULL, (HANDLE) 0, NULL, CsampPollingThread, deviceObject ); if ( !NT_SUCCESS( status )) { IoDeleteSymbolicLink( &unicodeDosDeviceName ); IoDeleteDevice( deviceObject ); return status; } // // Convert the Thread object handle into a pointer to the Thread object // itself. Then close the handle. // ObReferenceObjectByHandle(threadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &devExtension->ThreadObject, NULL ); ZwClose(threadHandle); ... --- snip --- NOTE: Unlike the snippet shown above, 'BEDaisy' driver checks the return value of 'ObReferenceObjectByHandle' and initiates teardown on failure. For testing I simply returned 'STATUS_SUCCESS' but also set the object pointer to a magic value (if ptr is non-NULL). The idea is when the driver tries to access/dereference the pointer we can easily see that a "poor" man's "succeed" stub is not enough. It seems it doesn't need a real thread object for now and runs much further. $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.5-107-gf4573adb0f Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 5

[Bug 44908] New: BattlEye 'BEDaisy' kernel service wants ' ntoskrnl.exe.ObGetObjectType'
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=44908 Bug ID: 44908 Summary: BattlEye 'BEDaisy' kernel service wants 'ntoskrnl.exe.ObGetObjectType' Product: Wine Version: 3.5 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntoskrnl Assignee: wine-bugs(a)winehq.org Reporter: focht(a)gmx.net Distribution: --- Hello folks, continuation of bug 4907 Prerequisite: * bug 44837 -> missing 'ntoskrnl.exe.Ps{Acquire,Release}ProcessExitSynchronization' * bug 44906 -> missing 'ntoskrnl.exe.ExfUnblockPushLock' * bug 44907 -> missing 'fltmgr.sys.FltGetRoutineAddress' --- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl wine net start BEDaisy >>log.txt 2>&1 ... 0035:Call driver init 0x78d000 (obj=0x11cbf8,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") ... 0035:Call ntoskrnl.exe.RtlGetVersion(0078b270) ret=0080750a 0035:Call ntdll.RtlGetVersion(0078b270) ret=7bc803ab 0035:Ret ntdll.RtlGetVersion() retval=00000000 ret=7bc803ab 0035:Ret ntoskrnl.exe.RtlGetVersion() retval=00000000 ret=0080750a 0035:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0065ec68) ret=007a8561 0035:Call ntdll.RtlUnicodeStringToAnsiString(0065eb30,0065ec68,00000001) ret=7ec1855e 0035:Ret ntdll.RtlUnicodeStringToAnsiString() retval=00000000 ret=7ec1855e 0035:Call KERNEL32.GetModuleHandleW(7ec22a9c L"ntoskrnl.exe") ret=7ec18572 0035:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec18572 0035:Call KERNEL32.GetProcAddress(7ec00000,0011d610 "ObGetObjectType") ret=7ec18587 0035:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec18587 0035:Call KERNEL32.GetModuleHandleW(7ec22ab8 L"hal.dll") ret=7ec185a0 0035:Ret KERNEL32.GetModuleHandleW() retval=f7b10000 ret=7ec185a0 0035:Call KERNEL32.GetProcAddress(f7b10000,0011d610 "ObGetObjectType") ret=7ec185bb 0035:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec185bb 0035:Call ntdll.RtlFreeAnsiString(0065eb30) ret=7ec185cd 0035:Ret ntdll.RtlFreeAnsiString() retval=0065eb30 ret=7ec185cd 0035:fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObGetObjectType" not found 0035:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=007a8561 ... 0035:Ret driver init 0x78d000 (obj=0x11cbf8,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=c0000002 ... 0035:Ret ntoskrnl.exe.IoCreateDriver() retval=c0000002 ret=7effb832 0035:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000002 --- snip --- NOTE: I didn't mention "crashes" or "fails in entry point" in this ticket summary on purpose. The failure from the log snippet is actually a different problem. $ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe $ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe $ wine --version wine-3.5-107-gf4573adb0f Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

2 4

[Bug 5149] Ebase 1.03 (FileMaker Pro 5 runtime): 'Find' button does nothing
by WineHQ Bugzilla 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=5149 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|ebase 1.03 buttons "do |Ebase 1.03 (FileMaker Pro 5 |nothing" (FileMaker Pro) |runtime): 'Find' button | |does nothing URL|http://www.mediafire.com/?b | |a32udh1dr2 | --- Comment #16 from Anastasius Focht <focht(a)gmx.net> --- Hello folks, removing broken (fileshare) download link. There are multiple Internet Archive snapshots from the app author's website "Clif Graves Consulting": https://web.archive.org/web/20070223161029/http://www.clifgraves.com/eBase/… Unfortunately none of the linked app zip archives were ever captured on archive.org Regards -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

1 0

[Bug 11990] New: Script and Field Lists in FileMaker Pro are blank
by wine-bugs＠winehq.org 18 Mar '21

18 Mar '21

http://bugs.winehq.org/show_bug.cgi?id=11990 Summary: Script and Field Lists in FileMaker Pro are blank Product: Wine Version: 0.9.57. Platform: Other OS/Version: other Status: UNCONFIRMED Severity: normal Priority: P2 Component: -unknown AssignedTo: wine-bugs(a)winehq.org ReportedBy: dempsey(a)weirdfish.net Created an attachment (id=11316) --> (http://bugs.winehq.org/attachment.cgi?id=11316) Manage Databases Comparison I've installed FileMaker Advanced 9 fine using the latest Wine but when trying to view both fields and scripts it shows all the lines, but doesn't show the text which should be showing the name. I guess the problem occurs in all three places as they use the same control for : Field Listing in Manage Database Script Listing in Manage Scripts Script Steps in Edit Script http://magicbadger.com/dump/images/wine/FM_Manage_Database.png http://magicbadger.com/dump/images/wine/FM_Manage_Scripts.png http://magicbadger.com/dump/images/wine/FM_Edit_Script.png -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

2 7

[Bug 2423] FileMaker Pro 4.0 installer freezes when using scroll button
by WineHQ Bugzilla 18 Mar '21

18 Mar '21

1 0

[Bug 6375] FileMaker 5.x/6.x doesn't show contents of fields computed from the entries of other fields
by WineHQ Bugzilla 18 Mar '21

18 Mar '21

https://bugs.winehq.org/show_bug.cgi?id=6375 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://archive.org/details | |/FileMaker_Pro_5.5_U01073-0 | |01A_FileMaker_2001 Keywords| |download Summary|Computations in filemaker |FileMaker 5.x/6.x doesn't | |show contents of fields | |computed from the entries | |of other fields CC| |focht(a)gmx.net -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

wine-bugs March 2021