[Bug 44497] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback ( object manager) functions

11 Feb 2018


      https://bugs.winehq.org/show_bug.cgi?id=44497
Bug ID: 44497
           Summary: BattlEye 'BEDaisy' kernel service crashes on
                    unimplemented ntoskrnl.exe ObCallback (object manager)
                    functions
           Product: Wine
           Version: 3.1
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
continuation of bug 44496
The kernel driver uses object manager callbacks in order to implement process
protection.
* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion
Example kernel driver code to show how the API is being used:
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obca...
--- quote ---
ObCallback Callback Registration Driver
The ObCallback sample driver demonstrates the use of registered callbacks for
process protection. The driver registers control callbacks which are called at
process creation.
Design and Operation
The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the
ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks
routine and a callback to restrict requested access rights during a open
process action. The second example uses the PsSetCreateProcessNotifyRoutineEx
routine to reject a process creation by examining the command line.
--- quote ---
Another article:
https://malwaretips.com/threads/av-self-protection-process-c-c.66200/
BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning
'STATUS_NOT_IMPLEMENTED' is not enough. The driver init routine will fail.
* ObRegisterCallbacks -> return STATUS_SUCCESS (and fake handle)
* ObUnRegisterCallbacks -> just empty stub is enough
* ObGetFilterVersion -> return OB_FLT_REGISTRATION_VERSION
Also mentioned in tps://bugs.winehq.org/show_bug.cgi?id=41039#c0 ("Virtualbox
crashes with access violation, needs ntoskrnl.exe.FsRtlIsNameInExpression")
although not the problem there.
--- snip ---
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObRegisterCallbacks" not found
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObUnRegisterCallbacks" not found
--- snip ---
With these things fixed, the driver runs further - into next problems.
$ sha1sum Tibia_Setup.exe 
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe
$ du -sh Tibia_Setup.exe 
5.2M    Tibia_Setup.exe
$ wine --version
wine-3.1-193-g354fa7eb79
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

[Bug 44497] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback ( object manager) functions