https://bugs.winehq.org/show_bug.cgi?id=49290
Bug ID: 49290
Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on access to 'ComponentGlobals' out parameter, returned by 'wdfldr.sys.WdfVersionBind'
Product: Wine
Version: 5.9
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 49193
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll,+reg wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:trace:seh:raise_exception info[0]=0000000000000000
00d0:trace:seh:raise_exception info[1]=0000000000000030
00d0:trace:seh:raise_exception rax=0000000000000000 rbx=0000000000000000 rcx=5a6b5c4ad4f60000 rdx=0000000000000045
00d0:trace:seh:raise_exception rsi=000000000078dfb8 rdi=000000000078de50 rbp=0000000000000000 rsp=0000000000b5f860
00d0:trace:seh:raise_exception r8=0000000000000000 r9=0000000000b5ee22 r10=0000000000000000 r11=0000000000000000
00d0:trace:seh:raise_exception r12=000000000078de50 r13=00007fffffea4000 r14=000000000078dfb8 r15=0000000000000000
00d0:trace:seh:call_vectored_handlers calling handler at 0x22d0a0 code=c0000005 flags=0
00d0:trace:seh:call_vectored_handlers handler at 0x22d0a0 returned 0
00d0:trace:seh:RtlVirtualUnwind type 1 rip c81116 rsp b5f860
00d0:trace:seh:dump_unwind_info **** func 1060-1182
...
wine: Unhandled page fault on read access to 0000000000000030 at address 0000000000C81116 (thread 00d0), starting debugger...
--- snip ---
Driver disassembly, showing it wants to access a field/member of the opaque 'WDF_COMPONENT_GLOBALS' structure which is returned by WdfVersionBind():
--- snip ---
...
0000000140001104 | call denuvo-anti-cheat.14003AE20     |
0000000140001109 | cmp eax,ebp                          |
000000014000110B | mov ebx,eax                          |
000000014000110D | jl denuvo-anti-cheat.140001166       |
000000014000110F | mov rax,qword ptr ds:[1400AB9A8]     | ComponentGlobals
0000000140001116 | cmp byte ptr ds:[rax+30],bpl         | *boom*
000000014000111A | je denuvo-anti-cheat.140001140       |
000000014000111C | mov rax,qword ptr ds:[1400AB998]     |
0000000140001123 | cmp qword ptr ds:[rdi+68],rbp        |
0000000140001127 | cmovne rax,qword ptr ds:[rdi+68]     |
...
--- snip ---
Init/setup:
--- snip ---
...
000000014000108D | mov eax,208                                       |
0000000140001092 | mov qword ptr ds:[1400AB9B0],rcx                  |
0000000140001099 | lea rcx,qword ptr ds:[1400AB988]                  |
00000001400010A0 | mov word ptr ds:[1400AB98A],ax                    |
00000001400010A7 | lea rax,qword ptr ds:[1400AB9C0]                  |
00000001400010AE | mov word ptr ds:[1400AB988],bp                    |
00000001400010B5 | mov qword ptr ds:[1400AB990],rax                  |
00000001400010BC | call qword ptr ds:[<&JMP.&RtlCopyUnicodeString>]  |
00000001400010C2 | lea r9,qword ptr ds:[1400AB9A8]                   | ComponentGlobals
00000001400010C9 | lea r8,qword ptr ds:[1400A7060]                   | BindInfo
00000001400010D0 | lea rdx,qword ptr ds:[1400AB988]                  | RegistryPath
00000001400010D7 | mov rcx,rdi                                       | DriverObject
00000001400010DA | call denuvo-anti-cheat.14006F97A                  | WdfVersionBind
00000001400010DF | cmp eax,ebp                                       |
00000001400010E1 | jl denuvo-anti-cheat.14000116D                    |
...
000000014006F97A | jmp qword ptr ds:[<&JMP.&WdfVersionBind>]         |
000000014006F980 | jmp qword ptr ds:[<&JMP.&WdfVersionBindClass>]    |
000000014006F986 | jmp qword ptr ds:[<&JMP.&WdfVersionUnbindClass>]  |
000000014006F98C | jmp qword ptr ds:[<&JMP.&_purecall>]              |
--- snip ---
https://github.com/microsoft/Windows-Driver-Frameworks/blob/master/src/frame...
--- snip ---
//-----------------------------------------------------------------------------
// WDFLDR.SYS exported function prototype definitions
//-----------------------------------------------------------------------------
_Must_inspect_result_
NTSTATUS
WdfVersionBind(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath,
    __inout PWDF_BIND_INFO BindInfo,
    __out PWDF_COMPONENT_GLOBALS* ComponentGlobals
    );
--- snip ---
$ wine --version
wine-5.9-162-gcb67fb39ff
Regards
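The fault above is a read at address 0x30 from the instruction 'cmp byte ptr ds:[rax+30],bpl', i.e. rax (the value stored through the 'ComponentGlobals' out parameter) was NULL even though WdfVersionBind reported success. The following user-mode C model, added here as an example and not taken from the bug report, from Wine or from the WDF sources, contrasts a loader that returns success without filling the out parameter against one that honours the contract, and shows the driver-side check that turns the NULL into a clean bind failure instead of a page fault. The names WDF_COMPONENT_GLOBALS and WdfVersionBind come from the prototype quoted above; the structure layout with a byte at offset 0x30, the two stub loaders, the NTSTATUS stand-in and driver_entry_bind are constructed for this example.

```c
/* Added example, not code from the bug report, Wine or the WDF sources.
 * User-mode model of the WdfVersionBind out-parameter contract. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef long NTSTATUS;                           /* stand-in for the kernel typedef */
#define STATUS_SUCCESS           0L
#define STATUS_INVALID_PARAMETER (-1073741811L)  /* 0xC000000D */
#define NT_SUCCESS(s) ((s) >= 0)

/* Constructed layout: 0x30 bytes of opaque data, then the byte the driver
 * tests with 'cmp byte ptr ds:[rax+30],bpl'. Real WDF_COMPONENT_GLOBALS is opaque. */
typedef struct _WDF_COMPONENT_GLOBALS {
    uint8_t opaque[0x30];
    uint8_t flags;                               /* offset 0x30 */
} WDF_COMPONENT_GLOBALS, *PWDF_COMPONENT_GLOBALS;

/* Loader stub that reports success but never writes the out parameter.
 * A driver that trusts the status and reads *ComponentGlobals + 0x30 then
 * faults on address 0x30, which is the symptom in the log above. */
NTSTATUS WdfVersionBind_Incomplete(PWDF_COMPONENT_GLOBALS *ComponentGlobals)
{
    (void)ComponentGlobals;                      /* out parameter left untouched */
    return STATUS_SUCCESS;
}

/* Loader that honours the contract: on success the out parameter points to
 * an initialised, loader-owned globals block that outlives the binding. */
NTSTATUS WdfVersionBind_Complete(PWDF_COMPONENT_GLOBALS *ComponentGlobals)
{
    static WDF_COMPONENT_GLOBALS globals;        /* loader-owned storage */
    if (!ComponentGlobals)
        return STATUS_INVALID_PARAMETER;
    memset(&globals, 0, sizeof globals);
    globals.flags = 1;                           /* constructed value */
    *ComponentGlobals = &globals;
    return STATUS_SUCCESS;
}

typedef NTSTATUS (*bind_fn)(PWDF_COMPONENT_GLOBALS *);

/* Driver-side pattern (hypothetical helper): zero the out variable before the
 * call and treat a NULL pointer after NT_SUCCESS as a bind failure instead of
 * dereferencing it. Returns 1 if the driver may proceed, 0 otherwise; on
 * success *flags_out receives the byte the driver would have compared. */
int driver_entry_bind(bind_fn bind, int *flags_out)
{
    PWDF_COMPONENT_GLOBALS globals = NULL;       /* makes an untouched out-param detectable */
    NTSTATUS status = bind(&globals);
    if (!NT_SUCCESS(status) || globals == NULL)
        return 0;                                /* refuse to continue; no [rax+0x30] read */
    *flags_out = globals->flags;
    return 1;
}
```

With the incomplete loader, driver_entry_bind returns 0 and never touches offset 0x30; with the complete loader it returns 1 and reads the flag byte. The same pattern applies to any loader-side implementation of WdfVersionBind: the out pointer must be valid whenever the returned status passes NT_SUCCESS, because callers compiled against the real wdfldr.sys dereference it without a NULL check.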