https://bugs.winehq.org/show_bug.cgi?id=45666
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|League of Legends 8.15+     |Multiple Riot Games'
                   |fails due to missing        |anti-cheat / protection
                   |implementation of           |schemes need implementation
                   |NtQuerySystemInformation(Sy |of NtQuerySystemInformation
                   |stemModuleInformationEx) in |'SystemModuleInformationEx'
                   |Windows Vista+ mode         |info class (League of
                   |                            |Legends 8.15+,
                   |                            |Valorant/Vanguard)
--- Comment #13 from Anastasius Focht focht@gmx.net ---
Hello folks,
Riot's Vanguard (Valorant) also needs this. Actually a slightly improved variant of the Wine-Staging patch.
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+ntoskrnl,+int,+relay,+ntdll wine net start vgc >>log2.txt 2>&1
...
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=7bca21df
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,(nil),0x00000000,0xd4f600)
001b:Ret ntdll.NtQuerySystemInformation() retval=c0000005 ret=7bca21df
001b:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=c0000005 ret=0115ca41
001b:trace:seh:raise_exception code=c0000096 flags=0 addr=0x115ec76 ip=115ec76 tid=001b
001b:trace:seh:raise_exception rax=00001ce570abf47e rbx=0000000000000000 rcx=0000000000000000 rdx=00000000ffffffff
001b:trace:seh:raise_exception rsi=0000000000d4f7bc rdi=0000000000000000 rbp=0000000000d4f3e0 rsp=0000000000d4f2e0
001b:trace:seh:raise_exception r8=0000000000e8ae30 r9=00000000c0000005 r10=0000000000000000 r11=0000000000000000
001b:trace:seh:raise_exception r12=0000000000000000 r13=0000000000000000 r14=0000000000000006 r15=0000000000000000
001b:trace:seh:call_vectored_handlers calling handler at 0x18000b9f0 code=c0000096 flags=0
001b:trace:int:emulate_instruction mov cr8,rax at 115ec76
--- snip ---
Most drivers do something like this:
--- snip ---
ULONG len = 0;
NtQuerySystemInformation( SystemModuleInformation, NULL, 0, &len);
--- snip ---
This is entirely reasonable as they want to figure out how much memory is needed to allocate a SYSTEM_MODULE_INFORMATION structure of the right size. After allocating the buffer they call 'NtQuerySystemInformation' again.
Wine-Staging is too restrictive with parameter validation:
https://github.com/wine-staging/wine-staging/blob/master/patches/ntdll-Syste...
IMHO this might apply for the non-ex variant as well.
With fixed version:
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+ntoskrnl,+int,+relay,+ntdll wine net start vgc >>log2.txt 2>&1
...
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=7bca21cf
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,(nil),0x00000000,0xd4f600)
001b:Ret ntdll.NtQuerySystemInformation() retval=c0000004 ret=7bca21cf
001b:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=c0000004 ret=0115ca41
001b:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000200,00000140,656e6f4e) ret=0115fcbe
001b:Call ntdll.RtlAllocateHeap(008a0000,00000000,00000140) ret=180010a2d
001b:Ret ntdll.RtlAllocateHeap() retval=008a0330 ret=180010a2d
001b:trace:ntoskrnl:ExAllocatePoolWithTag 320 pool 512 -> 00000000008A0330
001b:Ret ntoskrnl.exe.ExAllocatePoolWithTag() retval=008a0330 ret=0115fcbe
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,008a0330,00000140,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,008a0330,00000140,00d4f600) ret=7bca21cf
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,0x8a0330,0x00000140,0xd4f600)
001b:fixme:ntdll:NtQuerySystemInformation info_class SystemModuleInformationEx stub!
001b:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bca21cf
001b:Ret ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=0115ca41
001b:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
001b:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
001b:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca21cf
001b:Ret KERNEL32.HeapFree() retval=00000001 ret=7bca21cf
001b:Ret ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
--- snip ---
It's still not enough in case of Vanguard as only 'ntdll' module is returned but at least the basic code is in place.
Tidbit:
--- snip ---
001b:Call ntoskrnl.exe._stricmp(00d4f590 "Consider this a final friendly warning... There are one of two paths from this point.",00d4f530 "http://bit.ly/good-side | OR | http://bit.ly/bad-side") ret=0115b29c
001b:Call msvcrt._stricmp(00d4f590 "Consider this a final friendly warning... There are one of two paths from this point.",00d4f530 "http://bit.ly/good-side | OR | http://bit.ly/bad-side") ret=7bca21df
001b:Call ntdll.RtlAllocateHeap(00010000,00000008,000004f8) ret=7fa8dc2c59e4
001b:Ret ntdll.RtlAllocateHeap() retval=007290d0 ret=7fa8dc2c59e4
001b:Ret msvcrt._stricmp() retval=fffffffb ret=7bca21df
001b:Ret ntoskrnl.exe._stricmp() retval=fffffffb ret=0115b29c
--- snip ---
;-)
What's the blocking part here? Although not being sufficient for the most recent incarnations it's still working for other games, right?
$ wine --version
wine-5.6-258-gf31a29b8d1
Regards
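
The two-call sizing pattern from the comment above, as an added example (not part of the original comment and not Wine or Wine-Staging code). `mock_query` is a hypothetical stand-in for the query; its `strict` mode is an assumed model of the over-restrictive validation in the first trace, which answers the NULL probe with c0000005 instead of reporting the required length with c0000004.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NTSTATUS values that appear as retval= in the traces above. */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
#define STATUS_ACCESS_VIOLATION     0xC0000005u
#define STATUS_NO_MEMORY            0xC0000017u
/* Constructed size, chosen to match the 0x140-byte allocation in the second trace. */
#define MOCK_REQUIRED_LEN 0x140u

/* Hypothetical stand-in for the query. strict != 0 rejects a NULL buffer
 * before the length is examined (assumed model of the failing behaviour). */
static uint32_t mock_query(int strict, void *buf, uint32_t len, uint32_t *ret_len)
{
    if (strict && !buf) return STATUS_ACCESS_VIOLATION;
    if (ret_len) *ret_len = MOCK_REQUIRED_LEN;      /* always report the needed size */
    if (len < MOCK_REQUIRED_LEN) return STATUS_INFO_LENGTH_MISMATCH;
    if (!buf) return STATUS_ACCESS_VIOLATION;       /* large length but no buffer */
    memset(buf, 0, MOCK_REQUIRED_LEN);              /* stub: returns an empty list */
    return STATUS_SUCCESS;
}

/* Caller side: probe with (NULL, 0), allocate the reported size, query again. */
static uint32_t query_modules(int strict, uint32_t *probe_status)
{
    uint32_t len = 0, status;
    void *buf;

    status = mock_query(strict, NULL, 0, &len);
    *probe_status = status;
    if (status != STATUS_INFO_LENGTH_MISMATCH) return status;  /* caller gives up */
    if (!(buf = malloc(len))) return STATUS_NO_MEMORY;
    status = mock_query(strict, buf, len, &len);
    free(buf);
    return status;
}

int main(void)
{
    uint32_t probe;
    uint32_t strict = query_modules(1, &probe);
    printf("strict: probe=%08x final=%08x\n", (unsigned)probe, (unsigned)strict);
    uint32_t fixed = query_modules(0, &probe);
    printf("fixed:  probe=%08x final=%08x\n", (unsigned)probe, (unsigned)fixed);
    return 0;
}
```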