https://bugs.winehq.org/show_bug.cgi?id=44837
Bug ID: 44837
Summary: BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing 'ntoskrnl.exe.PsAcquireProcessExitSynchronization'
Product: Wine
Version: 3.4
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 44811
--- snip ---
...
0052:Call KERNEL32.GetModuleHandleW(7ec246fc L"ntoskrnl.exe") ret=7ec1a2f6
0052:Ret KERNEL32.GetModuleHandleW() retval=7ec00000 ret=7ec1a2f6
0052:Call KERNEL32.GetProcAddress(7ec00000,0011d4b8 "PsAcquireProcessExitSynchronization") ret=7ec1a30b
0052:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec1a30b
0052:Call KERNEL32.GetModuleHandleW(7ec24718 L"hal.dll") ret=7ec1a324
0052:Ret KERNEL32.GetModuleHandleW() retval=f7ac0000 ret=7ec1a324
0052:Call KERNEL32.GetProcAddress(f7ac0000,0011d4b8 "PsAcquireProcessExitSynchronization") ret=7ec1a33f
0052:Ret KERNEL32.GetProcAddress() retval=00000000 ret=7ec1a33f
0052:Call ntdll.RtlFreeAnsiString(0065eb30) ret=7ec1a351
0052:Ret ntdll.RtlFreeAnsiString() retval=0065eb30 ret=7ec1a351
0052:fixme:ntoskrnl:MmGetSystemRoutineAddress L"PsAcquireProcessExitSynchronization" not found
0052:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=00000000 ret=007da46e
0052:Ret driver init 0x78d000 (obj=0x11caa0,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy") retval=c0000001
0052:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11caa0
...
0052:Ret ntoskrnl.exe.IoCreateDriver() retval=c0000001 ret=7effb786
0052:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000001
...
--- snip ---
Discussion of this API (potential use) here
https://forum.sysinternals.com/discussion-howto-enumerate-handles_topic19403...
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-ker...
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/run-down-pr...
https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/index.htm
(PsAcquireProcessExitSynchronization 6.0 and higher )
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M Tibia_Setup.exe

$ wine --version
wine-3.4-192-gd7430abd40
Regards
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
URL      |        |http://static.tibia.com/download/Tibia_Setup.exe
Keywords |        |download, obfuscation
Anastasius Focht focht@gmx.net changed:
What    |Removed |Added
----------------------------------------------------------------------------
Summary |BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing 'ntoskrnl.exe.PsAcquireProcessExitSynchronization' |BattlEye 'BEDaisy' kernel service fails in driver entry point due to missing 'ntoskrnl.exe.Ps{Acquire,Release}ProcessExitSynchronization'
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello again,
actually stubs for both should be added, to avoid another ticket.
* VOID PsAcquireProcessExitSynchronization(PEPROCESS Process)
* ULONG PsReleaseProcessExitSynchronization(PEPROCESS Process)
A code example how this API is supposed to be used:
https://github.com/processhacker/processhacker/blob/master/KProcessHacker/ob...
--- snip ---
...

/**
 * Gets a pointer to the handle table of a process.
 *
 * \param Process A process object.
 *
 * \return A pointer to the handle table, or NULL if the process is terminating or the request is
 * not supported. You must call KphDereferenceProcessHandleTable() when the handle table is no
 * longer needed.
 */
PHANDLE_TABLE KphReferenceProcessHandleTable(
    _In_ PEPROCESS Process
    )
{
    PHANDLE_TABLE handleTable = NULL;

    PAGED_CODE();

    // Fail if we don't have an offset.
    if (KphDynEpObjectTable == -1)
        return NULL;

    // Prevent the process from terminating and get its handle table.
    if (NT_SUCCESS(PsAcquireProcessExitSynchronization(Process)))
    {
        handleTable = *(PHANDLE_TABLE *)PTR_ADD_OFFSET(Process, KphDynEpObjectTable);

        if (!handleTable)
            PsReleaseProcessExitSynchronization(Process);
    }

    return handleTable;
}

/**
 * Dereferences the handle table of a process.
 *
 * \param Process A process object.
 */
VOID KphDereferenceProcessHandleTable(
    _In_ PEPROCESS Process
    )
{
    PAGED_CODE();

    PsReleaseProcessExitSynchronization(Process);
}

...
--- snip ---
Regards
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |leslie_alistair@hotmail.com
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello another time :-)
I noticed after posting my previous comment that the return types for the prototypes taken from https://forum.sysinternals.com discussion are incorrect (swapped).
Use the one from the github code example.
Regards
mirh mirh@protonmail.ch changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |mirh@protonmail.ch
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |STAGED
Staged patchset |        |https://github.com/wine-staging/wine-staging/tree/master/patches/ntoskrnl-Stubs
--- Comment #3 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Patches 0015-0018 are required to complete the ntoskrnl stubs for BattlEye.
Another patch was added to the staging patchset fltmgr.sys-filters which is also required.
Even after all the patches have been applied, the service still fails, but with STATUS_NOT_IMPLEMENTED.
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |STAGED  |RESOLVED
Resolution    |---     |FIXED
Fixed by SHA1 |        |dd7467cc4dc2e7cc71edbe1d551a0c3dd71bce36
--- Comment #4 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=dd7467cc4dc2e7cc71edbe1d5...
Alexandre Julliard julliard@winehq.org changed:
What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED
--- Comment #5 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 3.6.
Anastasius Focht focht@gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
URL  |http://static.tibia.com/download/Tibia_Setup.exe |https://web.archive.org/web/20210117182120/https://static.tibia.com/download/Tibia_Setup.exe