https://bugs.winehq.org/show_bug.cgi?id=44499
Bug ID: 44499
Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented function ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx
Product: Wine
Version: 3.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 44497
The kernel driver uses multiple methods to implement process protection/supervision.
* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion
-> covered by bug 44497
Another method:
* PsSetCreateProcessNotifyRoutineEx
Example kernel driver code to show how the API is being used:
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obca...
--- quote ---
ObCallback Callback Registration Driver

The ObCallback sample driver demonstrates the use of registered callbacks for process protection. The driver registers control callbacks which are called at process creation.

Design and Operation

The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks routine and a callback to restrict requested access rights during an open process action. The second example uses the PsSetCreateProcessNotifyRoutineEx routine to reject a process creation by examining the command line.
--- quote ---
Another article:
https://malwaretips.com/threads/av-self-protection-process-c-c.66200/
For the BattlEye 'BEDaisy' service to succeed in the driver init routine, it is enough to implement a stub for 'PsSetCreateProcessNotifyRoutineEx' like it was done with 'PsSetCreateProcessNotifyRoutine' -> return STATUS_SUCCESS
https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe...
--- snip ---
/***********************************************************************
 *           PsSetCreateProcessNotifyRoutine (NTOSKRNL.EXE.@)
 */
NTSTATUS WINAPI PsSetCreateProcessNotifyRoutine( PCREATE_PROCESS_NOTIFY_ROUTINE callback, BOOLEAN remove )
{
    FIXME( "stub: %p %d\n", callback, remove );
    return STATUS_SUCCESS;
}
--- snip ---
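To show why a stub that only returns STATUS_SUCCESS is enough for DriverEntry, and what the Ex variant is used for in the quoted ObCallback sample (a callback that vetoes a process creation after looking at its command line), here is a small user-mode model of the API. This is an added example, not Wine's code and not the BEDaisy driver: the NTSTATUS/HANDLE/PEPROCESS types, the trimmed-down PS_CREATE_NOTIFY_INFO, the simulate_create_process() function and the "blocked_tool.exe" name are all stand-ins constructed for the demo; the real definitions live in the WDK and Wine's ddk headers.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel types (assumed here for a user-mode build). */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef void *PEPROCESS;
typedef unsigned char BOOLEAN;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022L)

/* Subset of PS_CREATE_NOTIFY_INFO that a command-line filter inspects. */
typedef struct {
    const char *CommandLine;    /* NULL when the kernel has no command line */
    NTSTATUS    CreationStatus; /* callback writes a failure code to veto */
} PS_CREATE_NOTIFY_INFO, *PPS_CREATE_NOTIFY_INFO;

/* Same shape as the real Ex routine: CreateInfo is NULL on process exit. */
typedef void (*PCREATE_PROCESS_NOTIFY_ROUTINE_EX)(PEPROCESS, HANDLE,
                                                  PPS_CREATE_NOTIFY_INFO);

static PCREATE_PROCESS_NOTIFY_ROUTINE_EX registered_routine;

/* Model of the stub requested in the report: remember (or forget) the
 * callback and return STATUS_SUCCESS so the driver's init routine proceeds.
 * Wine's real stub for the non-Ex routine just logs and returns success. */
NTSTATUS PsSetCreateProcessNotifyRoutineEx(PCREATE_PROCESS_NOTIFY_ROUTINE_EX routine,
                                           BOOLEAN remove)
{
    fprintf(stderr, "stub: routine %s, remove=%d\n",
            routine ? "set" : "NULL", remove);
    registered_routine = remove ? NULL : routine;
    return STATUS_SUCCESS;
}

/* Model of the kernel's create-process path: hand the registered callback a
 * CreationStatus preset to success and honour whatever it writes back. */
NTSTATUS simulate_create_process(HANDLE pid, const char *cmdline)
{
    PS_CREATE_NOTIFY_INFO info = { cmdline, STATUS_SUCCESS };
    if (registered_routine)
        registered_routine(NULL, pid, &info);
    return info.CreationStatus;
}

/* Callback in the spirit of the ObCallback sample: refuse to start any
 * process whose command line names the (constructed) blocked image. */
void block_by_cmdline(PEPROCESS process, HANDLE pid, PPS_CREATE_NOTIFY_INFO info)
{
    (void)process; (void)pid;
    if (!info)
        return;                       /* exit notification: nothing to decide */
    if (info->CommandLine && strstr(info->CommandLine, "blocked_tool.exe"))
        info->CreationStatus = STATUS_ACCESS_DENIED;
}

int main(void)
{
    PsSetCreateProcessNotifyRoutineEx(block_by_cmdline, 0);
    printf("notepad.exe      -> 0x%08lx\n",
           simulate_create_process((HANDLE)1, "C:\\Windows\\notepad.exe"));
    printf("blocked_tool.exe -> 0x%08lx\n",
           simulate_create_process((HANDLE)2, "C:\\tmp\\blocked_tool.exe"));
    PsSetCreateProcessNotifyRoutineEx(block_by_cmdline, 1);
    printf("after removal    -> 0x%08lx\n",
           simulate_create_process((HANDLE)3, "C:\\tmp\\blocked_tool.exe"));
    return 0;
}
```

The registration call is all the driver needs to get past DriverEntry, which is why the stub alone fixes the crash; nothing in Wine will ever call the callback, so the process-protection logic simply never runs under Wine.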
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79
Regards