[Bug 39738] Protect DiSC v9.x DRM scheme prevents collection of crash information by configured JIT debugger (Cobra 11 - Burning Wheels)

https://bugs.winehq.org/show_bug.cgi?id=39738

Anastasius Focht focht@gmx.net changed:

What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download, obfuscation Status|UNCONFIRMED |NEW CC| |focht@gmx.net Summary|Collecting backtrace of |Protect DiSC v9.x DRM |crashing process not |scheme prevents collection |possible. |of crash information by | |configured JIT debugger | |(Cobra 11 - Burning Wheels) Ever confirmed|0 |1

--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello Bernhard,

confirming.

A bunch of anti-debug watcher threads, part of the Protect DiSC v9.x DRM scheme is the problem here. They are continuously looking for "well known" processes (using window classes) and also check the PEB/debugger present flag in local process.

One of the watcher threads detects the process attach by the configured JIT debugger and terminates the process.

--- snip --- ... 0030:Starting thread proc 0x23b5efe (arg=0x23f64f6) 0030:Call KERNEL32.Sleep(000007d1) ret=023f6cde ... 0031:Starting thread proc 0x23b5efe (arg=0x23f6f42) 0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 ... 0047:Starting thread proc 0x23b5efe (arg=0x24102db) 0047:Call KERNEL32.WaitForSingleObject(000000d4,ffffffff) ret=024103e5 ... 0031:Call KERNEL32.IsDebuggerPresent() ret=023f771b 0031:Ret KERNEL32.IsDebuggerPresent() retval=00000000 ret=023f771b ... 0031:Call user32.FindWindowA(023b7f95 "OLLYDBG",00000000) ret=023f78ea 0031:Ret user32.FindWindowA() retval=00000000 ret=023f78ea ... 0031:Call user32.FindWindowA(023b7f95 "GBDYLLO",00000000) ret=023f7af6 0031:Ret user32.FindWindowA() retval=00000000 ret=023f7af6 ... 0031:Call user32.FindWindowA(023b7f95 "pediy06",00000000) ret=023f7cbd 0031:Ret user32.FindWindowA() retval=00000000 ret=023f7cbd ... 0031:Call user32.FindWindowA(023b7f95 "OLLYDBG",00000000) ret=023f78ea 0031:Ret user32.FindWindowA() retval=00000000 ret=023f78ea ... 0031:Call user32.FindWindowA(023b7f95 "GBDYLLO",00000000) ret=023f7af6 0031:Ret user32.FindWindowA() retval=00000000 ret=023f7af6 ... 0031:Call user32.FindWindowA(023b7f95 "pediy06",00000000) ret=023f7cbd 0031:Ret user32.FindWindowA() retval=00000000 ret=023f7cbd ... 0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 ... 0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 ... 002f:trace:seh:raise_exception code=80000003 flags=0 addr=0x2064e46 ip=02064e47 tid=002f 002f:trace:seh:raise_exception eax=00000004 ebx=6ce5dee6 ecx=00cc1257 edx=00000000 esi=00cc1257 edi=00feabf0 002f:trace:seh:raise_exception ebp=4243484b esp=0146c738 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00200206 002f:trace:seh:call_stack_handlers calling handler at 0x2064e1a code=80000003 flags=0 002f:Call KERNEL32.GetTickCount() ret=020644b5 002f:Ret KERNEL32.GetTickCount() retval=008af18f ret=020644b5 002f:Call KERNEL32.GetTickCount() ret=02064507 002f:Ret KERNEL32.GetTickCount() retval=008af18f ret=02064507 002f:Call KERNEL32.CreateFileA(02122f54 "\\.\SICE",c0000000,00000003,00000000,00000003,00000080,00000000) ret=0207c9aa 002f:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa 002f:Call KERNEL32.CreateFileA(0146c6e8 "\\.\SIWVID",c0000000,00000003,00000000,00000003,00000080,00000000) ret=0207c9aa 002f:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa 002f:Call KERNEL32.CreateFileA(0146c6e8 "\\.\NTICE",c0000000,00000003,00000000,00000003,00000080,00000000) ret=0207c9aa 002f:Ret KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa ... 002f:Call advapi32.RegOpenKeyExA(80000002,08091f08 "Software\NuMega\SoftIce",00000000,00020019,0146c6bc) ret=0207db61 002f:Ret advapi32.RegOpenKeyExA() retval=00000002 ret=0207db61 ... 002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x52f7b2 ip=0052f7b2 tid=002f 002f:trace:seh:raise_exception info[0]=00000000 002f:trace:seh:raise_exception info[1]=1a6a0920 002f:trace:seh:raise_exception eax=0f76cea8 ebx=1cc0c020 ecx=000722b9 edx=0002b71e esi=1c2ef076 edi=1a545030 002f:trace:seh:raise_exception ebp=0146f7d0 esp=0146f700 cs=0023 ds=002b es=002b fs=0063 gs=006b flags=00210212 002f:trace:seh:call_stack_handlers calling handler at 0x5e970e code=c0000005 flags=0 002f:Call KERNEL32.GetLastError() ret=005d233a 002f:Ret KERNEL32.GetLastError() retval=00000000 ret=005d233a 002f:trace:seh:call_stack_handlers handler at 0x5e970e returned 1 002f:trace:seh:call_stack_handlers calling handler at 0x5d0f20 code=c0000005 flags=0 002f:Call KERNEL32.GetLastError() ret=005d233a 002f:Ret KERNEL32.GetLastError() retval=00000000 ret=005d233a 002f:trace:seh:call_stack_handlers handler at 0x5d0f20 returned 1 002f:trace:seh:call_stack_handlers calling handler at 0x7bcaad0d code=c0000005 flags=0 002f:Call KERNEL32.UnhandledExceptionFilter(0146f204) ret=7bcaad48 wine: Unhandled page fault on read access to 0x1a6a0920 at address 0x52f7b2 (thread 002f), starting debugger... 002f:trace:seh:start_debugger Starting debugger "winedbg --auto 46 464" ... 0031:Call KERNEL32.IsDebuggerPresent() ret=023f771b 0031:Ret KERNEL32.IsDebuggerPresent() retval=00000001 ret=023f771b 0032:Call KERNEL32.Sleep(000007d1) ret=023f878e 0030:Ret KERNEL32.Sleep() retval=00000000 ret=023f6cde 0035:Ret KERNEL32.Sleep() retval=00000000 ret=023fade2 0030:Call KERNEL32.Sleep(000007d1) ret=023f6cde 0035:Call KERNEL32.Sleep(000007d1) ret=023fade2 0034:Ret KERNEL32.Sleep() retval=00000000 ret=023fa3b7 0037:Ret KERNEL32.Sleep() retval=00000000 ret=023fc3a3 0034:Call KERNEL32.Sleep(000007d1) ret=023fa3b7 0037:Call KERNEL32.Sleep(000007d1) ret=023fc3a3 0036:Ret KERNEL32.Sleep() retval=00000000 ret=023fb903 000b:Ret KERNEL32.Sleep() retval=00000000 ret=02445b64 0036:Call KERNEL32.Sleep(000007d1) ret=023fb903 004d:Ret KERNEL32.Sleep() retval=00000000 ret=00cf1dae 000b:Call user32.FindWindowA(024458ce "Regmonclass",00000000) ret=02445c00 004d:Call KERNEL32.TerminateProcess(00000128,00000000) ret=00cf2be6 ... 0031:Call KERNEL32.ExitThread(00000000) ret=023ba69d ... 0031:Call PE DLL (proc=0x7cf2257c,module=0x7cec0000 L"msvcrt.dll",reason=THREAD_DETACH,res=(nil)) 002f:Ret KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bcaad48 ... Process of pid=002e has terminated No process loaded, cannot execute 'echo Modules:' Cannot get info on module while no process is loaded No process loaded, cannot execute 'echo Threads:' --- snip ---

Although it helps in this case, your patch will break Windows compatibility.

Windows doesn't suspend all other threads of the process during handling of 'UnhandledExceptionFilter' in the context of the faulting thread.

Secondary failures must be still allowed to occur on a different thread, causing the exception filter to be entered by an additional thread at the same time as an event from the first crash is already processed.

My guess would be if the crash is simulated/replicated on Windows it will react in the same way. Some debuggers support methods of non-invasive debugging, not causing 'BeingDebugged' set in target PEB so it might behave differently - depending on the type of configured JIT.

I've reworded the summary since this is a special case where a specific anti-debugger protection scheme actually causes the problem.

$ sha1sum BurningWheelsDemo.exe du6dc03653b97a0336a5c57fc4b04af61e3ebcee5e BurningWheelsDemo.exe

$ du -sh BurningWheelsDemo.exe 286M BurningWheelsDemo.exe

$ wine --version wine-1.8-rc3

Regards