[Bug 49198] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes in entry point (incorrect page protection restored during relocation processing)

19 May 2020


      https://bugs.winehq.org/show_bug.cgi?id=49198
Bug ID: 49198
           Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes in
                    entry point (incorrect page protection restored during
                    relocation processing)
           Product: Wine
           Version: 5.8
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
as it says. Regression introduced by commit
https://source.winehq.org/git/wine.git/commitdiff/22dfb0df10b44d1c21b3d04b59...
("ntoskrnl.exe: Protect relocated pages one at a time.")
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl,+loaddll,+module,+ntdll,+virtual wine net
start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:trace:ntoskrnl:load_driver loading driver L"C:\Program Files\Denuvo
Anti-Cheat\denuvo-anti-cheat.sys"
00d0:Call KERNEL32.LoadLibraryW(0078e440 L"C:\Program Files\Denuvo
Anti-Cheat\denuvo-anti-cheat.sys") ret=00236928 
...
00d0:trace:virtual:map_view got mem in reserved area 0xc80000-0xe04000
00d0:trace:module:map_image mapped PE file at 0xc80000-0xe04000
00d0:trace:module:map_image mapping section .text at 0xc81000 off 600 size
75200 virt 75200 flags 68000020
00d0:trace:module:map_image clearing 0xcf6200 - 0xcf7000
00d0:trace:module:map_image mapping section .rdata at 0xcf7000 off 75800 size
2fa00 virt 30000 flags 48000020
00d0:trace:module:map_image clearing 0xd26a00 - 0xd27000
00d0:trace:module:map_image mapping section .data at 0xd27000 off a5200 size
200 virt 5000 flags c8000020
00d0:trace:module:map_image clearing 0xd27200 - 0xd28000
00d0:trace:module:map_image mapping section .pdata at 0xd2c000 off a5400 size
7800 virt 8000 flags 48000040
00d0:trace:module:map_image clearing 0xd33800 - 0xd34000
00d0:trace:module:map_image mapping section .gfids at 0xd34000 off acc00 size
200 virt 1000 flags 48000020
00d0:trace:module:map_image clearing 0xd34200 - 0xd35000
00d0:trace:module:map_image mapping section PAGE at 0xd35000 off ace00 size 400
virt 400 flags 68000020
00d0:trace:module:map_image clearing 0xd35400 - 0xd36000
00d0:trace:module:map_image mapping section .edata at 0xd36000 off ad200 size
200 virt 1000 flags 48000020
00d0:trace:module:map_image clearing 0xd36200 - 0xd37000
00d0:trace:module:map_image mapping section INIT at 0xd37000 off ad400 size e00
virt e00 flags 68000020
00d0:trace:module:map_image clearing 0xd37e00 - 0xd38000
00d0:trace:module:map_image mapping section .rsrc at 0xd38000 off ae200 size
1a00 virt 2000 flags 48000020
00d0:trace:module:map_image clearing 0xd39a00 - 0xd3a000
00d0:trace:module:map_image mapping section  at 0xd3a000 off afc00 size c1a00
virt c1828 flags 68000020
00d0:trace:module:map_image clearing 0xdfba00 - 0xdfc000
00d0:trace:module:map_image mapping section  at 0xdfc000 off 171600 size e00
virt c2c flags 48000020
00d0:trace:module:map_image clearing 0xdfce00 - 0xdfd000
00d0:trace:module:map_image mapping section  at 0xdfd000 off 172400 size 600
virt 480 flags c8000020
00d0:trace:module:map_image clearing 0xdfd600 - 0xdfe000
00d0:trace:module:map_image mapping section  at 0xdfe000 off 172a00 size 800
virt 696 flags 68000020
00d0:trace:module:map_image clearing 0xdfe800 - 0xdff000
00d0:trace:module:map_image mapping section .rdata at 0xdff000 off 173200 size
1400 virt 12d4 flags 48000040
00d0:trace:module:map_image clearing 0xe00400 - 0xe01000
00d0:trace:module:map_image mapping section .rsrc at 0xe01000 off 174600 size
600 virt 4f8 flags 42000040
00d0:trace:module:map_image clearing 0xe01600 - 0xe02000
00d0:trace:module:map_image mapping section .reloc at 0xe02000 off 174c00 size
1c00 virt 1a60 flags 42000040
00d0:trace:module:map_image clearing 0xe03c00 - 0xe04000
00d0:trace:virtual:VIRTUAL_DumpView View: 0xc80000 - 0xe03fff (image)
00d0:trace:virtual:VIRTUAL_DumpView       0xc80000 - 0xc80fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xc81000 - 0xcf6fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xcf7000 - 0xd26fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd27000 - 0xd2bfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xd2c000 - 0xd34fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd35000 - 0xd35fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd36000 - 0xd36fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd37000 - 0xd37fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd38000 - 0xd39fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd3a000 - 0xdfbfff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdfc000 - 0xdfcfff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xdfd000 - 0xdfdfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xdfe000 - 0xdfefff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdff000 - 0xe03fff c-r-- 
...
00d0:trace:loaddll:load_native_dll Loaded L"C:\Program Files\Denuvo
Anti-Cheat\denuvo-anti-cheat.sys" at 0xc80000: native
00d0:trace:module:load_dll Loaded module L"\??\C:\Program Files\Denuvo
Anti-Cheat\denuvo-anti-cheat.sys" at 0xc80000
00d0:trace:module:process_attach (L"denuvo-anti-cheat.sys",(nil)) - START
00d0:trace:module:process_attach (L"netio.sys",(nil)) - START
00d0:trace:module:process_attach (L"netio.sys",(nil)) - END
00d0:trace:module:process_attach (L"wdfldr.sys",(nil)) - START
00d0:trace:module:process_attach (L"wdfldr.sys",(nil)) - END
00d0:trace:module:process_attach (L"denuvo-anti-cheat.sys",(nil)) - END
00d0:Ret  ntdll.LdrLoadDll() retval=00000000 ret=7b01d770
00d0:Call ntdll.RtlReleasePath(0078e4d0) ret=7b01d7ae
00d0:Ret  ntdll.RtlReleasePath() retval=00000001 ret=7b01d7ae
00d0:Ret  KERNEL32.LoadLibraryW() retval=00c80000 ret=00236928 
...
00d0:trace:ntoskrnl:perform_relocations relocating from
0000000140000000-0000000140184000 to 0000000000C80000-0000000000E04000
00d0:Call KERNEL32.VirtualProtect(00cf7000,00002000,00000004,00b5f7c0)
ret=00236a79
00d0:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,00b5f6e0,00b5f6d8,00000004,00b5f7c0)
ret=7b02d058
00d0:trace:virtual:NtProtectVirtualMemory 0xffffffffffffffff 0xcf7000 00002000
00000004
00d0:trace:virtual:VIRTUAL_DumpView View: 0xc80000 - 0xe03fff (image)
00d0:trace:virtual:VIRTUAL_DumpView       0xc80000 - 0xc80fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xc81000 - 0xcf6fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xcf7000 - 0xcf8fff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xcf9000 - 0xd26fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd27000 - 0xd2bfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xd2c000 - 0xd34fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd35000 - 0xd35fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd36000 - 0xd36fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd37000 - 0xd37fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd38000 - 0xd39fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd3a000 - 0xdfbfff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdfc000 - 0xdfcfff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xdfd000 - 0xdfdfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xdfe000 - 0xdfefff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdff000 - 0xe03fff c-r-- 
...
00d0:Call
ntdll.LdrProcessRelocationBlock(00d27000,10000000a,00e03924,fffffffec0c80000)
ret=00236a9e
00d0:Ret  ntdll.LdrProcessRelocationBlock() retval=00e03938 ret=00236a9e
00d0:Call KERNEL32.VirtualProtect(00d27000,00002000,00000008,00b5f7c0)
ret=00236ab4
00d0:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,00b5f6e0,00b5f6d8,00000008,00b5f7c0)
ret=7b02d058
00d0:trace:virtual:NtProtectVirtualMemory 0xffffffffffffffff 0xd27000 00002000
00000008
00d0:trace:virtual:VIRTUAL_DumpView View: 0xc80000 - 0xe03fff (image)
00d0:trace:virtual:VIRTUAL_DumpView       0xc80000 - 0xc80fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xc81000 - 0xcf6fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xcf7000 - 0xd26fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd27000 - 0xd2bfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xd2c000 - 0xd34fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd35000 - 0xd35fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd36000 - 0xd36fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd37000 - 0xd37fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd38000 - 0xd39fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd3a000 - 0xdfbfff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdfc000 - 0xdfcfff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xdfd000 - 0xdfdfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xdfe000 - 0xdfefff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdff000 - 0xe03fff c-r--
00d0:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=7b02d058
00d0:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=00236ab4
00d0:Call KERNEL32.VirtualProtect(00dfd000,00002000,00000004,00b5f7c0)
ret=00236a79
00d0:Call
ntdll.NtProtectVirtualMemory(ffffffffffffffff,00b5f6e0,00b5f6d8,00000004,00b5f7c0)
ret=7b02d058
00d0:trace:virtual:NtProtectVirtualMemory 0xffffffffffffffff 0xdfd000 00002000
00000004
00d0:trace:virtual:VIRTUAL_DumpView View: 0xc80000 - 0xe03fff (image)
00d0:trace:virtual:VIRTUAL_DumpView       0xc80000 - 0xc80fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xc81000 - 0xcf6fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xcf7000 - 0xd26fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd27000 - 0xd2bfff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xd2c000 - 0xd34fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd35000 - 0xd35fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd36000 - 0xd36fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd37000 - 0xd37fff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xd38000 - 0xd39fff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xd3a000 - 0xdfbfff c-r-x
00d0:trace:virtual:VIRTUAL_DumpView       0xdfc000 - 0xdfcfff c-r--
00d0:trace:virtual:VIRTUAL_DumpView       0xdfd000 - 0xdfefff c-rW-
00d0:trace:virtual:VIRTUAL_DumpView       0xdff000 - 0xe03fff c-r--
00d0:Ret  ntdll.NtProtectVirtualMemory() retval=00000000 ret=7b02d058
00d0:Ret  KERNEL32.VirtualProtect() retval=00000001 ret=00236a79 
...
00d0:Call driver init 0000000000C81184
(obj=000000000078E290,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo
Anti-Cheat")
00d0:trace:seh:raise_exception code=c0000005 flags=0 addr=0xdfe5e0 ip=dfe5e0
tid=00d0
00d0:trace:seh:raise_exception  info[0]=0000000000000008
00d0:trace:seh:raise_exception  info[1]=0000000000dfe5e0
00d0:trace:seh:raise_exception  rax=0000000000d2b9c0 rbx=0000000000c81184
rcx=0000000000d2b988 rdx=000000000078e3f8
00d0:trace:seh:raise_exception  rsi=000000000078e3f8 rdi=000000000078e290
rbp=0000000000000000 rsp=0000000000b5f858
00d0:trace:seh:raise_exception   r8=00002b992ddfa232  r9=0000000000000000
r10=0000000000000000 r11=0000000000000000
00d0:trace:seh:raise_exception  r12=000000000078e290 r13=00007fffffea4000
r14=000000000078e3f8 r15=0000000000000000
00d0:trace:seh:call_vectored_handlers calling handler at 0x22cf50 code=c0000005
flags=0
00d0:trace:seh:call_vectored_handlers handler at 0x22cf50 returned 0
00d0:warn:seh:virtual_unwind exception data not found in
L"denuvo-anti-cheat.sys" 
--- snip ---
0xdfe000 = IAT which has page execute protection erroneously removed during
relocation processing.
$ wine --version
wine-5.8-232-gca6dbcf35b
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

[Bug 49198] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes in entry point (incorrect page protection restored during relocation processing)