https://bugs.winehq.org/show_bug.cgi?id=49222
Bug ID: 49222
Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on unimplemented function ntoskrnl.exe.KeRevertToUserAffinityThreadEx
Product: Wine
Version: 5.8
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 49220 (split out from bug 49194).
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:Call driver init 0000000000C81184 (obj=000000000078EE10,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo Anti-Cheat")
...
00d0:Call ntoskrnl.exe.KeQueryActiveProcessorCountEx(0000ffff) ret=00c83d3a
00d0:fixme:ntoskrnl:KeQueryActiveProcessorCountEx GroupNumber 65535 semi-stub.
00d0:Call KERNEL32.GetSystemInfo(00b5f2f0) ret=00232996
00d0:Call ntdll.NtQuerySystemInformation(00000000,00b5f200,00000040,00000000) ret=7b02c721
00d0:trace:ntdll:NtQuerySystemInformation (0x00000000,0xb5f200,0x00000040,(nil))
00d0:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c721
00d0:Call ntdll.NtQuerySystemInformation(00000001,00b5f1f0,0000000c,00000000) ret=7b02c751
00d0:trace:ntdll:NtQuerySystemInformation (0x00000001,0xb5f1f0,0x0000000c,(nil))
00d0:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c751
00d0:Ret KERNEL32.GetSystemInfo() retval=00000006 ret=00232996
00d0:Ret ntoskrnl.exe.KeQueryActiveProcessorCountEx() retval=00000008 ret=00c83d3a
00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(ffffffffffffffff) ret=00c83d56
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0xffffffff) semi-stub
00d0:Call ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000) ret=00232b18
00d0:Ret ntdll.NtQueryInformationThread() retval=00000000 ret=00232b18
00d0:Call ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010) ret=00232b70
00d0:Ret ntdll.NtSetInformationThread() retval=c000000d ret=00232b70
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx Set affinity, status 0xc000000d.
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff.
00d0:Ret ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff ret=00c83d56
00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(00000001) ret=00c83d86
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0x1) semi-stub
00d0:Call ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000) ret=00232b18
00d0:Ret ntdll.NtQueryInformationThread() retval=00000000 ret=00232b18
00d0:Call ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010) ret=00232b70
00d0:Ret ntdll.NtSetInformationThread() retval=00000000 ret=00232b70
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff.
00d0:Ret ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff ret=00c83d86
...
00d0:fixme:int:emulate_instruction reg 0xfe returning 0.
00d0:trace:int:vectored_handler next instruction rip=c88cf5
00d0:trace:int:vectored_handler rax=0000000000000000 rbx=0000000000b5d280 rcx=00000000000000fe rdx=0000000000000000
00d0:trace:int:vectored_handler rsi=00000000008e1f70 rdi=0000000000000000 rbp=0000000000b5f370 rsp=0000000000b5d220
00d0:trace:int:vectored_handler r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000000
00d0:trace:int:vectored_handler r12=0000000000000000 r13=00000000ffea4000 r14=0000000000000000 r15=0000000080000008
00d0:trace:seh:call_vectored_handlers handler at 0x22cfa0 returned ffffffff
00d0:trace:seh:raise_exception code=80000100 flags=1 addr=0x7bc6cb0c ip=7bc6cb0c tid=00d0
00d0:trace:seh:raise_exception info[0]=0000000000e00266
00d0:trace:seh:raise_exception info[1]=0000000000dffcf8
wine: Call from 0x7bc6cb0c to unimplemented function ntoskrnl.exe.KeRevertToUserAffinityThreadEx, aborting
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-ker...
It's the "tail" (epilogue) of bug 49219 to restore the previous affinity of the driver's main thread.
Relevant disassembly snippet of driver:
--- snip ---
...
140003D37 | call qword ptr ds:[rax+40]                               | KeQueryActiveProcessorCountEx
140003D3A | mov byte ptr ds:[rsi+30],al                              |
140003D3D | movzx ebp,al                                             | num cores
140003D40 | cmp al,20                                                |
140003D42 | jb denuvo-anti-cheat.140003D49                           |
140003D44 | mov ebp,20                                               | limit to 32 cores max
140003D49 | or rcx,FFFFFFFFFFFFFFFF                                  |
140003D4D | mov dword ptr ds:[rsi+34],ebp                            |
140003D50 | call qword ptr ds:[<&JMP.&KeSetSystemAffinityThreadEx>]  |
140003D56 | mov r15,rax                                              |
140003D59 | test ebp,ebp                                             |
140003D5B | je denuvo-anti-cheat.140003DA9                           |
140003D5D | mov qword ptr ss:[rsp+80],r14                            |
140003D65 | lea rdi,qword ptr ds:[rsi+38]                            |
140003D69 | lea r14,qword ptr ds:[rsi+1C38]                          |
140003D70 | mov esi,ebp                                              |
140003D72 | mov rcx,rbx                                              |
140003D75 | mov edx,1                                                |
140003D7A | shl rdx,cl                                               |
140003D7D | mov rcx,rdx                                              | current core mask
140003D80 | call qword ptr ds:[<&JMP.&KeSetSystemAffinityThreadEx>]  |
140003D86 | mov rdx,r14                                              |
140003D89 | mov rcx,rdi                                              |
140003D8C | call denuvo-anti-cheat.1400086C0                         | read cpuid + VMX MSRs
140003D91 | inc rbx                                                  | core++
140003D94 | add rdi,E0                                               |
140003D9B | sub rsi,1                                                |
140003D9F | jne denuvo-anti-cheat.140003D72                          | loop through all cores
140003DA1 | mov r14,qword ptr ss:[rsp+80]                            |
140003DA9 | mov rcx,r15                                              |
140003DAC | call qword ptr ds:[1400770F0]                            | KeRevertToUserAffinityThreadEx
140003DB2 | mov rcx,qword ptr ss:[rsp+30]                            |
140003DB7 | xor rcx,rsp                                              |
140003DBA | call denuvo-anti-cheat.14006FB10                         |
140003DBF | add rsp,40                                               |
140003DC3 | pop r15                                                  |
140003DC5 | pop rdi                                                  |
140003DC6 | pop rsi                                                  |
140003DC7 | pop rbp                                                  |
140003DC8 | pop rbx                                                  |
140003DC9 | ret                                                      |
--- snip ---
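The following is an added example, not code from the bug report, from Wine or from the driver. It is a user-mode model of the affinity handshake the disassembly above performs, written to make explicit the contract a KeRevertToUserAffinityThreadEx implementation has to honour: the value returned by the first KeSetSystemAffinityThreadEx call (kept in r15) is the affinity that must be put back at the end of the per-core loop. Everything in it (model_thread, model_set_system_affinity, model_revert_to_user_affinity, probe_core, enumerate_cores, and the 8-core sample thread matching the log's old.Mask 0xff) is a constructed stand-in, not a real kernel API.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a thread's affinity state (not Wine's KTHREAD). */
typedef uint64_t KAFFINITY;

typedef struct {
    KAFFINITY affinity;     /* current affinity mask of the modelled thread */
    int       active_cores; /* what KeQueryActiveProcessorCountEx would report */
} model_thread;

/* Mask covering every core the modelled system has (guards the 64-core shift). */
static KAFFINITY all_cores_mask(const model_thread *t)
{
    if (t->active_cores >= 64) return ~(KAFFINITY)0;
    return ((KAFFINITY)1 << t->active_cores) - 1;
}

/* Stand-in for KeSetSystemAffinityThreadEx: pins the thread to 'mask' and
 * returns the previous affinity. The driver keeps that return value (r15)
 * and hands it back to the revert call; a mask of ~0 means "any processor". */
static KAFFINITY model_set_system_affinity(model_thread *t, KAFFINITY mask)
{
    KAFFINITY old = t->affinity;
    t->affinity = mask & all_cores_mask(t);
    return old;
}

/* Stand-in for KeRevertToUserAffinityThreadEx: restores the affinity that the
 * matching KeSetSystemAffinityThreadEx call returned. This is the call the
 * relay log shows aborting as unimplemented. */
static void model_revert_to_user_affinity(model_thread *t, KAFFINITY old)
{
    t->affinity = old;
}

/* Stand-in for the per-core probe at 1400086C0 (which reads cpuid and VMX MSRs
 * on the pinned core); here it only records which core it was pinned to. */
static void probe_core(const model_thread *t, uint64_t *visited)
{
    *visited |= t->affinity;   /* the thread is pinned to exactly one core here */
}

/* Mirrors 140003D37..140003DAC: cap the core count at 32, pin to all cores,
 * then pin to each core's single-bit mask in turn and probe it, and finally
 * revert to the affinity saved from the first call. Returns the mask of cores
 * probed; *restored reports whether the original affinity came back. */
uint64_t enumerate_cores(model_thread *t, int *restored)
{
    KAFFINITY before = t->affinity;
    int cores = t->active_cores > 32 ? 32 : t->active_cores;      /* cmp al,20 / mov ebp,20 */
    KAFFINITY saved = model_set_system_affinity(t, ~(KAFFINITY)0); /* or rcx,-1 ; mov r15,rax */
    uint64_t visited = 0;

    for (int core = 0; core < cores; core++) {
        model_set_system_affinity(t, (KAFFINITY)1 << core);      /* mov edx,1 ; shl rdx,cl */
        probe_core(t, &visited);                                  /* call 1400086C0 */
    }                                                             /* inc rbx ; sub rsi,1 ; jne */

    model_revert_to_user_affinity(t, saved);                      /* mov rcx,r15 ; call [1400770F0] */
    *restored = (t->affinity == before);
    return visited;
}

int main(void)
{
    /* Constructed 8-core thread, matching the log's "old.Group 0, old.Mask 0xff". */
    model_thread t = { 0xff, 8 };
    int restored = 0;
    uint64_t visited = enumerate_cores(&t, &restored);
    printf("probed cores mask=0x%llx, affinity restored=%d\n",
           (unsigned long long)visited, restored);
    return restored ? 0 : 1;
}
```

Two details of the loop are worth noting when reading the relay log against this model: the return value of the per-core KeSetSystemAffinityThreadEx call is discarded (rax is overwritten by mov rdx,r14 / mov rcx,rdi), so only the first call's result matters for the revert, and the cap of 32 iterations means a single 64-bit mask is enough for the driver's own bookkeeping regardless of the processor count reported.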
$ wine --version
wine-5.8-323-g563de17f53
Regards