https://bugs.winehq.org/show_bug.cgi?id=44496
Bug ID: 44496
Summary: BattlEye 'BEDaisy' kernel service custom imports resolver can't cope with 'ntoskrnl.exe' low-level (wc)string/copy helpers being forwarded to 'msvcrt.dll'
Product: Wine
Version: 3.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
follow-up of bug 37355
Small client to reproduce: http://static.tibia.com/download/Tibia_Setup.exe
NOTE: Due to a regression with service state/transition handling, the kernel driver service is not started by the helper service anymore (only once upon installation). To work around bug 41670 issue 'wine net stop BEService' command from another console after the window "Starting BattlEye Service..." shows up and wait a bit. The app will detect this and restart the helper service which in turn will start the kernel service.
Also suffers from bug 38836 later.
--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Local Settings/Application Data/Tibia/packages/Tibia/bin

$ WINEDEBUG=+tid,+seh,+ntoskrnl,+winedevice,+process,+loaddll,+relay,+module wine ./client_launcher.exe >>log.txt 2>&1
...
0049:Call ntoskrnl.exe.IoAllocateMdl(00780000,00040409,00000000,00000000,00000000) ret=0080bf37
0049:trace:ntoskrnl:IoAllocateMdl (0x780000, 263177, 0, 0, (nil))
0049:Call ntdll.RtlAllocateHeap(00110000,00000008,00000120) ret=7ecd1460
0049:Ret  ntdll.RtlAllocateHeap() retval=0011cd38 ret=7ecd1460
0049:fixme:ntoskrnl:IoGetCurrentProcess () semi-stub
0049:Ret  ntoskrnl.exe.IoAllocateMdl() retval=0011cd38 ret=0080bf37
0049:Call ntoskrnl.exe.MmProbeAndLockPages(0011cd38,00000000,00000001) ret=0080bf37
0049:fixme:ntoskrnl:MmProbeAndLockPages (0x11cd38, 0, 1): stub
0049:Ret  ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=0080bf37
0049:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011cd38,00000000,00000000,00000001,00000000,00000000) ret=0080bf37
0049:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11cd38, 0, 0, 0x1, 0, 0): stub
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00040409) ret=7ecd4509
0049:Ret  ntdll.RtlAllocateHeap() retval=0011d958 ret=7ecd4509
0049:Call KERNEL32.OpenProcess(001fffff,00000000,00000043) ret=7ecd4534
0049:Ret  KERNEL32.OpenProcess() retval=00000040 ret=7ecd4534
0049:Call KERNEL32.ReadProcessMemory(00000040,00780000,0011d958,00040409,00000000) ret=7ecd4567
0049:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=7ecd4567
0049:Call KERNEL32.CloseHandle(00000040) ret=7ecd458e
0049:Ret  KERNEL32.CloseHandle() retval=00000001 ret=7ecd458e
0049:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache Success!
0049:Ret  ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=0011d958 ret=0080bf37
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00000068) ret=0080bf37
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00000068) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f3a8 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 104 pool 0 -> 0x15f3a8
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f3a8 ret=0080bf37
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f398) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f398) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f354,00000000,0065f350) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f350) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f358,00000000,0065f354) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f354) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f310,00000000,0065f30c) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f30c) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
--- snip ---
The (heavily obfuscated) kernel driver uses its own custom imports resolver. It basically walks the module list using 'NtQuerySystemInformation( SystemModuleInformation, ...)' and processes the export table of 'ntoskrnl.exe' and later 'fltmgr.sys' in order to resolve some needed functions.
The resolver is rather simplistic and can't deal with Wine's exports being forwarded to 'msvcrt'. The native Windows kernel doesn't do this.
--- snip ---
...
DbgPrint says: The procedure entry point wcsncmp could not be located in the module ntoskrnl.exe
Ret  driver init 0x7fdf6e (obj=0x11cb58,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy") retval=c0000183
0049:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11cb58
0049:trace:winedevice:init_driver - DriverInit = 0x7fdf6e
0049:trace:winedevice:init_driver - DriverStartIo = (nil)
0049:trace:winedevice:init_driver - DriverUnload = (nil)
0049:trace:winedevice:init_driver - MajorFunction[0] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[1] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[2] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[3] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[4] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[5] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[6] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[7] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[8] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[9] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[10] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[11] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[12] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[13] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[14] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[15] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[16] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[17] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[18] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[19] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[20] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[21] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[22] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[23] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[24] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[25] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[26] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[27] = 0x7ecd1b10
0049:Call ntdll.RtlFreeUnicodeString(0011cb74) ret=7ecd1d12
0049:Ret  ntdll.RtlFreeUnicodeString() retval=0011cb74 ret=7ecd1d12
0049:Call ntdll.RtlFreeUnicodeString(0011cc0c) ret=7ecd1d26
0049:Ret  ntdll.RtlFreeUnicodeString() retval=0011cc0c ret=7ecd1d26
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0011cb48) ret=7ecd1d46
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd1d46
0049:Ret  ntoskrnl.exe.IoCreateDriver() retval=c0000183 ret=7effb7fc
0049:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000183
--- snip ---
NOTE: This is a similar problem domain as bug 37852 ("Sentinel HASP 'hardlock.sys' kernel driver custom imports resolver can't cope with many 'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to start)"), although this driver requires a much smaller set of (msvcrt) functions.

* native API (ntdll) -> bug 37852
* msvcrt -> this one
Source: https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe...

--- snip ---
@ cdecl -private wcsncmp(wstr wstr long) msvcrt.wcsncmp
--- snip ---
The driver requires the following set of functions not to be forwarded:

* wcsncmp
* _wcsnicmp
* _strnicmp
* memcpy
* memset
* _stricmp

Wine should reimplement the low-level string/copy helpers in 'ntoskrnl' in the same way as it is done for the 'ntdll' core module (NTDLL_foobar).
Source:

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe...

--- snip ---
@ cdecl -private wcsncmp(wstr wstr long) NTDLL_wcsncmp
--- snip ---

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe...

--- snip ---
/*********************************************************************
 *                  wcsncmp   (NTDLL.@)
 */
INT __cdecl NTDLL_wcsncmp( LPCWSTR str1, LPCWSTR str2, INT n )
{
    return strncmpW( str1, str2, n );
}
--- snip ---
With these things fixed, the driver runs further - into next problems.
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79
Regards
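Added example (not from the bug report, BattlEye or Wine): a minimal PE export-table walker in C that shows the exact failure mode described above. A forwarded export such as Wine's "@ cdecl -private wcsncmp(...) msvcrt.wcsncmp" spec line is stored in the export table as an RVA that points back into the export directory, at an ASCII "module.function" string, rather than at code. A resolver that does not check for this hands the driver a pointer to the string "msvcrt.wcsncmp" as if it were the function. The image here is constructed in memory with hypothetical layout offsets (the field offsets inside the export directory match IMAGE_EXPORT_DIRECTORY); in a real driver the image base would come from SystemModuleInformation and the directory RVA/size from the optional header's export data directory entry, which are constants here.

```c
/* Constructed example: export-table lookup with and without the forwarder
 * check. Not code from the bug report, from BattlEye or from Wine. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EXPORT_NOT_FOUND = 0, EXPORT_RESOLVED = 1, EXPORT_FORWARDED = 2 };

typedef struct {
    int status;
    uint32_t rva;        /* valid when status == EXPORT_RESOLVED */
    char forwarder[64];  /* "module.function" when status == EXPORT_FORWARDED */
} Resolution;

/* PE is little-endian regardless of host, so read/write bytes explicitly. */
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the export directory at dir_rva (dir_size bytes; both normally taken
 * from the image's export data directory entry) and look up `name`.
 * forwarder_aware=0 reproduces the simplistic resolver: any RVA is treated as
 * code. forwarder_aware=1 adds the missing check: an RVA inside the export
 * directory is a forwarder string, not a function. */
Resolution resolve_export(const uint8_t *image, uint32_t dir_rva, uint32_t dir_size,
                          const char *name, int forwarder_aware)
{
    Resolution r = { EXPORT_NOT_FOUND, 0, "" };
    const uint8_t *dir = image + dir_rva;
    uint32_t nfuncs = get32(dir + 20), nnames = get32(dir + 24);   /* NumberOfFunctions/Names */
    uint32_t funcs = get32(dir + 28), names = get32(dir + 32), ords = get32(dir + 36);

    for (uint32_t i = 0; i < nnames; i++) {
        const char *n = (const char *)(image + get32(image + names + 4 * i));
        if (strcmp(n, name) != 0) continue;
        uint16_t ord = get16(image + ords + 2 * i);   /* unbiased index into funcs */
        if (ord >= nfuncs) return r;
        uint32_t rva = get32(image + funcs + 4 * ord);
        if (forwarder_aware && rva >= dir_rva && rva < dir_rva + dir_size) {
            r.status = EXPORT_FORWARDED;
            snprintf(r.forwarder, sizeof r.forwarder, "%s", (const char *)(image + rva));
            return r;
        }
        r.status = EXPORT_RESOLVED;
        r.rva = rva;
        return r;
    }
    return r;
}

#define IMAGE_SIZE      0x200   /* hypothetical tiny image */
#define EXPORT_DIR_RVA  0x10
#define EXPORT_DIR_SIZE 0x100

/* Constructed image: one real export (IoAllocateMdl -> code at RVA 0x1000,
 * outside the export directory) and one forwarder (wcsncmp -> the string
 * "msvcrt.wcsncmp" inside the export directory), which is what a
 * "wcsncmp(...) msvcrt.wcsncmp" spec line produces in an export table. */
void build_sample_image(uint8_t *img)
{
    uint8_t *dir = img + EXPORT_DIR_RVA;
    memset(img, 0, IMAGE_SIZE);
    put32(dir + 16, 1);        /* Base ordinal */
    put32(dir + 20, 2);        /* NumberOfFunctions */
    put32(dir + 24, 2);        /* NumberOfNames */
    put32(dir + 28, 0x40);     /* AddressOfFunctions */
    put32(dir + 32, 0x50);     /* AddressOfNames (kept sorted, as the PE spec requires) */
    put32(dir + 36, 0x60);     /* AddressOfNameOrdinals */
    put32(img + 0x40, 0x1000); /* ordinal 0: IoAllocateMdl, real code */
    put32(img + 0x44, 0x90);   /* ordinal 1: wcsncmp, points INTO the export dir = forwarder */
    put32(img + 0x50, 0x80);   /* name[0] -> "IoAllocateMdl" */
    put32(img + 0x54, 0x70);   /* name[1] -> "wcsncmp" */
    img[0x62] = 1;             /* name ordinals: [0]=0 (already zero), [1]=1, little-endian u16 */
    strcpy((char *)img + 0x70, "wcsncmp");
    strcpy((char *)img + 0x80, "IoAllocateMdl");
    strcpy((char *)img + 0x90, "msvcrt.wcsncmp");
}

Resolution sample_lookup(const char *name, int forwarder_aware)
{
    uint8_t img[IMAGE_SIZE];
    build_sample_image(img);
    return resolve_export(img, EXPORT_DIR_RVA, EXPORT_DIR_SIZE, name, forwarder_aware);
}

int main(void)
{
    const char *wanted[] = { "IoAllocateMdl", "wcsncmp", "_wcsnicmp" };
    for (size_t i = 0; i < 3; i++) {
        Resolution naive = sample_lookup(wanted[i], 0), aware = sample_lookup(wanted[i], 1);
        printf("%-14s naive: status=%d rva=0x%x | aware: status=%d rva=0x%x fwd=\"%s\"\n",
               wanted[i], naive.status, (unsigned)naive.rva,
               aware.status, (unsigned)aware.rva, aware.forwarder);
    }
    return 0;
}
```

For "wcsncmp" the naive lookup reports status 1 with rva 0x90, i.e. the address of the bytes "msvcrt.wcsncmp"; calling that would execute string data. The forwarder-aware lookup reports status 2 and the target name, which is the point where a resolver must either follow the forwarder into the named module or fail cleanly as BEDaisy does with its DbgPrint message. On a native Windows kernel neither branch is taken for these helpers, because ntoskrnl.exe exports them as real code.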