[Bug 38836] SCM 'StartService' must wait for driver service entry point execution before return ( PunkBuster 'PnkBstrB' service failure, CPU-Z randomly fails to load its driver, BattlEye 'BEDaisy' kernel service)

https://bugs.winehq.org/show_bug.cgi?id=38836

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Summary|SCM 'StartService' must |SCM 'StartService' must |wait for driver service |wait for driver service |entry point execution |entry point execution |before return (PunkBuster |before return (PunkBuster |'PnkBstrB' service exits |'PnkBstrB' service failure, |with failure, CPU-Z |CPU-Z randomly fails to |randomly fails to load its |load its driver, BattlEye |driver) |'BEDaisy' kernel service)

--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,

revisiting, still present.

Encountered this problem during investigation of BattlEye service failures (bug 41670).

I have a number of patches (hacks) to make the 'BEDaisy' kernel driver service somewhat functional that it survives the driver initialization (entry point). The BattlEye helper service 'BEService' starts 'BEDaisy' kernel driver service.

--- snip --- ... 0009:Call KERNEL32.CreateProcessW(00000000,0033de64 L""C:\users\focht\Local Settings\Application Data\Tibia\packages\Tibia\bin\client_launcher.exe" 3",00000000,00000000,00000000,00000410,00000000,00000000,0033d940,0033d930) ret=7e7e9506 ... 0009:trace:process:create_process_impl started process pid 003a tid 003b 0009:Ret KERNEL32.CreateProcessW() retval=00000001 ret=7e7e9506 ... 003b:Call advapi32.CreateServiceW(00133f30,00422d4c L"BEService",00423154 L"BattlEye Service",00060010,00000010,00000003,00000001,0033f3a0 L""C:\Program Files\Common Files\BattlEye\BEService.exe"",00000000,00000000,00000000,00000000,00000000) ret=0046e55c ... 0037:Call KERNEL32.CreateProcessW(00000000,0011cdc0 L""C:\Program Files\Common Files\BattlEye\BEService.exe"",00000000,00000000,00000000,00000400,00450000,00000000,00ddf8ec,00ddf930) ret=7ed5dc0b ... 003e:Starting process L"C:\Program Files\Common Files\BattlEye\BEService.exe" (entryproc=0x4eb460) ... 003e:Call advapi32.StartServiceCtrlDispatcherA(0033fe58) ret=00447aa9 ... 003b:Ret advapi32.StartServiceW() retval=00000001 ret=0043482a 0041:Call KERNEL32.CreateNamedPipeA(00758228 "\\.\pipe\BattlEye",40040003,00000006,00000002,00000400,00000400,00000000,00000000) ret=00473131 0041:Ret KERNEL32.CreateNamedPipeA() retval=00000054 ret=00473131 0041:Call KERNEL32.CreateNamedPipeA(00758228 "\\.\pipe\BattlEye",40040003,00000006,00000002,00000400,00000400,00000000,00000000) ret=004be6f2 0041:Ret KERNEL32.CreateNamedPipeA() retval=00000058 ret=004be6f2 ... 0041:Call advapi32.CreateServiceW(00135e68,007581d4 L"BEDaisy",007581d4 L"BEDaisy",00010034,00000001,00000003,00000001,0075d820 L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys",00000000,00000000,00000000,00000000,00000000) ret=004b243a ... 0045:trace:winedevice:create_driver starting driver L"BEDaisy" 0045:Call advapi32.SetServiceStatus(0011b788,0043fcf4) ret=7effb41b ... 0045:Ret advapi32.SetServiceStatus() retval=00000001 ret=7effb41b ... 0045:Call KERNEL32.TrySubmitThreadpoolCallback(7effb724,0011b808,0043fd34) ret=7effbb3f 0048:Call PE DLL (proc=0xf739521c,module=0xf7350000 L"rpcrt4.dll",reason=THREAD_ATTACH,res=(nil)) 0048:Ret PE DLL (proc=0xf739521c,module=0xf7350000 L"rpcrt4.dll",reason=THREAD_ATTACH,res=(nil)) retval=1 0045:Ret KERNEL32.TrySubmitThreadpoolCallback() retval=00000001 ret=7effbb3f 0048:Starting thread proc 0x7bca027b (arg=0x11cad8) ... 0048:trace:winedevice:load_driver loading driver L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys" ... 0048:Call KERNEL32.LoadLibraryW(0011cd38 L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys") ret=7effaa20 ... 0041:Ret advapi32.StartServiceA() retval=00000001 ret=004316a4 0041:Call KERNEL32.CreateFileA(007581a0 "\\.\BattlEye",c0000000,00000000,00000000,00000003,00000000,00000000) ret=00408ea6 0048:trace:module:map_image mapped PE file at 0x780000-0x80f000 0048:trace:module:map_image mapping section .text at 0x781000 off 0 size 0 virt 2a8a flags 68000020 0048:trace:module:map_image mapping section .rdata at 0x784000 off 0 size 0 virt 8fc flags 48000040 0048:trace:module:map_image mapping section .data at 0x785000 off 0 size 0 virt 1238 flags c8000040 0041:Ret KERNEL32.CreateFileA() retval=ffffffff ret=00408ea6 0048:trace:module:map_image mapping section INIT at 0x787000 off 0 size 0 virt 7e6 flags 60000020 0048:trace:module:map_image mapping section .be0 at 0x788000 off 0 size 0 virt 38409 flags e8000060 0048:trace:module:map_image mapping section .be1 at 0x7c1000 off 400 size 4c400 virt 4c338 flags e0000060 ... 0041:Call advapi32.CloseServiceHandle(00135e68) ret=004a786c ... 0041:Call advapi32.QueryServiceStatus(00135f08,00757934) ret=004b1cad ... 0041:Ret advapi32.QueryServiceStatus() retval=00000001 ret=004b1cad ... 0041:Ret advapi32.CloseServiceHandle() retval=00000001 ret=004818c7 ... 0048:trace:winedevice:load_driver_module L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys": relocating from 0x400000 to 0x780000 ... 0041:Call KERNEL32.DeleteFileW(0075d820 L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys") ret=0040dcf6 ... 0048:Call driver init 0x7fdf6e (obj=0x11cb58,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy") ... 0048:Ret driver init 0x7fdf6e (obj=0x11cb58,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy") retval=00000000 ... 002e:Call KERNEL32.GetStringTypeW(00000001,00151968 L"21:19:03: Successfully installed BattlEye Service.\r\n21:19:03: Failed to initialize BattlEye Service: Driver Init Error (2).\r\n",00000001,005bf45a) ret=7e1f4505 0 ... 0048:trace:ntoskrnl:IoCreateDevice (0x11cb58, 0, L"\Device\BattlEye", 34, 0, 0, 0x65f1e8) ... 0048:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\BattlEye" -> L"\Device ... 0048:Ret ntoskrnl.exe.IoCreateDriver() retval=00000000 ret=7effb7c8 ... --- snip ---

The app/service expects the kernel driver entry point executed *before* 'StartService' returns. Also see 'CreateFile' calls from the client to check if driver symbolic link exists in the log snippet. I've already documented this behaviour in my initial analysis here.

Source:

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe...

--- snip --- 410 /* load a driver and notify services.exe about the status change */ 411 static NTSTATUS create_driver( const WCHAR *driver_name ) 412 { ... 437 TRACE( "starting driver %s\n", wine_dbgstr_w(driver_name) ); 438 set_service_status( driver->handle, SERVICE_START_PENDING, 0 ); 439 440 memset( &environment, 0, sizeof(environment) ); 441 environment.Version = 1; 442 environment.CleanupGroup = cleanup_group; 443 444 /* don't block the service control handler */ 445 if (!TrySubmitThreadpoolCallback( async_create_driver, driver, &environment )) 446 async_create_driver( NULL, driver ); 447 448 return STATUS_SUCCESS; 449 } --- snip ---

The code was reworked here for async load/unload: https://source.winehq.org/git/wine.git/commitdiff/440482d2ef31333d1bc3ce15b0...

$ sha1sum Tibia_Setup.exe 50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe

$ du -sh Tibia_Setup.exe 5.2M Tibia_Setup.exe

$ wine --version wine-3.1-193-g354fa7eb79

Regards