https://bugs.winehq.org/show_bug.cgi?id=49224
Bug ID: 49224
Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on unimplemented function ntoskrnl.exe.{KeGenericCallDpc,KeSignalCallDpcSynchronize,KeSignalCallDpcDone}
Product: Wine
Version: 5.8
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 49222 (split out from bug 49194).
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:Call driver init 0000000000C81184 (obj=000000000078EE10,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo Anti-Cheat")
...
00d0:Call ntoskrnl.exe.KeRevertToUserAffinityThreadEx(000000ff) ret=00c84cf7
00d0:fixme:ntoskrnl:KeRevertToUserAffinityThreadEx Affinity 0xff stub.
00d0:Call ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f170,00000010) ret=00232c8d
00d0:Ret ntdll.NtSetInformationThread() retval=00000000 ret=00232c8d
00d0:Ret ntoskrnl.exe.KeRevertToUserAffinityThreadEx() retval=00000000 ret=00c84cf7
00d0:Call ntoskrnl.exe.NtQuerySystemInformation(00000000,00b5f220,00000040,00b5f210) ret=00c85cc2
00d0:Call ntdll.NtQuerySystemInformation(00000000,00b5f220,00000040,00b5f210) ret=7bca040f
00d0:trace:ntdll:NtQuerySystemInformation (0x00000000,0xb5f220,0x00000040,0xb5f210)
00d0:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=7bca040f
00d0:Ret ntoskrnl.exe.NtQuerySystemInformation() retval=00000000 ret=00c85cc2
00d0:Call ntoskrnl.exe.NtQuerySystemInformation(000000b6,00b5f228,00000038,00b5f220) ret=00c85a01
00d0:Call ntdll.NtQuerySystemInformation(000000b6,00b5f228,00000038,00b5f220) ret=7bca040f
00d0:trace:ntdll:NtQuerySystemInformation (0x000000b6,0xb5f228,0x00000038,0xb5f220)
00d0:fixme:ntdll:NtQuerySystemInformation (0x000000b6,0xb5f228,0x00000038,0xb5f220) stub
00d0:Ret ntdll.NtQuerySystemInformation() retval=c0000003 ret=7bca040f
00d0:Ret ntoskrnl.exe.NtQuerySystemInformation() retval=c0000003 ret=00c85a01
00d0:trace:seh:raise_exception code=80000100 flags=1 addr=0x7bc6cb0c ip=7bc6cb0c tid=00d0
00d0:trace:seh:raise_exception info[0]=0000000000e00266
00d0:trace:seh:raise_exception info[1]=0000000000dffc02
00d0:trace:seh:call_vectored_handlers calling handler at 0x22cfc0 code=80000100 flags=1
...
wine: Call from 0x7bc6cb0c to unimplemented function ntoskrnl.exe.KeGenericCallDpc, aborting
--- snip ---
Relevant disassembly snippet of driver:
--- snip ---
0000000140005ADF | mov rax,qword ptr ds:[rdi]          |
0000000140005AE2 | call qword ptr ds:[rax+98]          | schedule DPC
0000000140005AE8 | movaps xmm0,xmmword ptr ss:[rsp+40] |
0000000140005AED | lea r8,qword ptr ss:[rbp-30]        |
0000000140005AF1 | movaps xmm1,xmmword ptr ss:[rsp+50] |
0000000140005AF6 | test al,al                          |
0000000140005AF8 | movups xmmword ptr ss:[rbp-28],xmm0 |
0000000140005AFC | mov dword ptr ss:[rbp-30],6E        |
0000000140005B03 | movaps xmm0,xmmword ptr ss:[rsp+60] |
0000000140005B08 | setne byte ptr ss:[rbp-38]          |
...
0000000140005770 | sub rsp,28                          |
0000000140005774 | lea rdx,qword ptr ss:[rsp+38]       |
0000000140005779 | mov qword ptr ss:[rsp+38],1         |
0000000140005782 | lea rcx,qword ptr ds:[1400057A0]    | 1400057A0 = DPC
0000000140005789 | call qword ptr ds:[140077130]       | KeGenericCallDpc
000000014000578F | cmp qword ptr ss:[rsp+38],1         |
0000000140005795 | sete al                             |
0000000140005798 | add rsp,28                          |
000000014000579C | ret                                 |
...
--- snip ---
The KeGenericCallDpc, KeSignalCallDpcSynchronize and KeSignalCallDpcDone APIs are used to implement a kernel-level barrier. I grouped them in this ticket because the functionality is intrinsically linked together.
The DPC itself (checks for IA32_EFER.NXE):
--- snip ---
00000001400057A0 | mov qword ptr ss:[rsp+8],rbx        |
00000001400057A5 | mov qword ptr ss:[rsp+10],rsi       |
00000001400057AA | push rdi                            |
00000001400057AB | sub rsp,20                          |
00000001400057AF | mov rsi,r8                          |
00000001400057B2 | mov rdi,rdx                         |
00000001400057B5 | mov ecx,C0000080                    | IA32_EFER
00000001400057BA | rdmsr                               |
00000001400057BC | shl rdx,20                          |
00000001400057C0 | mov rcx,r9                          |
00000001400057C3 | or rax,rdx                          | rax |= (rdx << 32)
00000001400057C6 | mov rbx,rax                         |
00000001400057C9 | call qword ptr ds:[140077140]       | KeSignalCallDpcSynchronize
00000001400057CF | shr rbx,B                           | IA32_EFER.NXE
00000001400057D3 | test bl,1                           |
00000001400057D6 | jne denuvo-anti-cheat.1400057DF     |
00000001400057D8 | mov qword ptr ds:[rdi],0            |
00000001400057DF | mov rcx,rsi                         |
00000001400057E2 | mov rbx,qword ptr ss:[rsp+30]       |
00000001400057E7 | mov rsi,qword ptr ss:[rsp+38]       |
00000001400057EC | add rsp,20                          |
00000001400057F0 | pop rdi                             |
00000001400057F1 | jmp qword ptr ds:[140077138]        | KeSignalCallDpcDone
--- snip ---
MSR 0xC0000080
--- quote --- Extended Feature Enable Register (EFER) is a model-specific register added in the AMD K6 processor, to allow enabling the SYSCALL/SYSRET instruction, and later for entering and exiting long mode. This register becomes architectural in AMD64 and has been adopted by Intel as IA32_EFER. Its MSR number is 0xC0000080. --- quote ---
https://software.intel.com/sites/default/files/managed/7c/f1/253668-sdm-vol-...
Bit 11 = IA32_EFER.NXE = NXE/XD (No-Execute Enable/Execute Disable)
$ wine --version
wine-5.8-324-g2c571df40b
Regards
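To make the barrier pattern in the disassembly above concrete, here is an added user-mode model written for this page; it is not Wine's ntoskrnl code and not the driver's. It replaces the three kernel APIs with pthread-based stand-ins (dpc_synchronize, dpc_done, generic_call_dpc, all hypothetical names) and replaces rdmsr with a table of constructed IA32_EFER values, one per simulated processor. The DPC body follows the driver's logic: sample EFER, rendezvous with the other processors, clear the caller's flag (initialised to 1) if bit 11 is not set, then signal done; the caller reports success only if the flag is still 1. The last case in main() mirrors what happens when the MSR read is emulated as 0, as the rdmsr emulation in Wine's log does.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EFER_NXE_SHIFT 11   /* IA32_EFER.NXE, MSR 0xC0000080 bit 11 */

/* What the driver does after rdmsr: rax |= rdx << 32. */
uint64_t efer_from_rdmsr(uint32_t eax, uint32_t edx)
{
    return ((uint64_t)edx << 32) | eax;
}

/* shr rbx,B ; test bl,1 */
bool efer_nxe(uint64_t efer)
{
    return (efer >> EFER_NXE_SHIFT) & 1;
}

/* Hypothetical stand-in for the kernel's per-call barrier object. */
struct dpc_barrier {
    pthread_mutex_t lock;
    pthread_cond_t  cv;
    unsigned total;       /* simulated processors taking part */
    unsigned arrived;     /* callers blocked in dpc_synchronize */
    unsigned generation;  /* bumped each time the barrier opens */
    unsigned done;        /* callers that have signalled done */
};

/* Model of KeSignalCallDpcSynchronize: block until every processor has
 * arrived; exactly one caller (the last to arrive) is told it won. */
bool dpc_synchronize(struct dpc_barrier *b)
{
    pthread_mutex_lock(&b->lock);
    unsigned gen = b->generation;
    bool last = (++b->arrived == b->total);
    if (last) { b->arrived = 0; b->generation++; pthread_cond_broadcast(&b->cv); }
    else while (gen == b->generation) pthread_cond_wait(&b->cv, &b->lock);
    pthread_mutex_unlock(&b->lock);
    return last;
}

/* Model of KeSignalCallDpcDone: this processor's DPC instance is finished. */
void dpc_done(struct dpc_barrier *b)
{
    pthread_mutex_lock(&b->lock);
    b->done++;
    pthread_cond_broadcast(&b->cv);
    pthread_mutex_unlock(&b->lock);
}

typedef void (*dpc_routine)(void *context, uint64_t efer, struct dpc_barrier *b);

struct worker { pthread_t thread; dpc_routine routine; void *context;
                uint64_t efer; struct dpc_barrier *barrier; };

static void *run_dpc(void *arg)
{
    struct worker *w = arg;
    w->routine(w->context, w->efer, w->barrier);   /* efer stands in for rdmsr */
    return NULL;
}

/* Model of KeGenericCallDpc: run routine once per processor and return
 * only after every instance has called dpc_done. */
void generic_call_dpc(dpc_routine routine, void *context,
                      const uint64_t *efer_per_cpu, unsigned ncpu)
{
    struct dpc_barrier b = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, ncpu, 0, 0, 0 };
    struct worker *w = calloc(ncpu, sizeof *w);
    for (unsigned i = 0; i < ncpu; i++) {
        w[i] = (struct worker){ .routine = routine, .context = context,
                                .efer = efer_per_cpu[i], .barrier = &b };
        pthread_create(&w[i].thread, NULL, run_dpc, &w[i]);
    }
    pthread_mutex_lock(&b.lock);
    while (b.done < ncpu) pthread_cond_wait(&b.cv, &b.lock);
    pthread_mutex_unlock(&b.lock);
    for (unsigned i = 0; i < ncpu; i++) pthread_join(w[i].thread, NULL);
    free(w);
}

/* The driver's DPC: rendezvous first, so every CPU has sampled EFER before
 * anyone reports, then clear the shared flag if NXE is off on this CPU. */
static void nxe_check_dpc(void *context, uint64_t efer, struct dpc_barrier *b)
{
    atomic_uint_fast64_t *all_nxe = context;
    dpc_synchronize(b);
    if (!efer_nxe(efer)) atomic_store(all_nxe, 0);   /* mov qword ptr [rdi],0 */
    dpc_done(b);                                      /* jmp KeSignalCallDpcDone */
}

/* Equivalent of the caller at 140005770: flag starts at 1, result is flag == 1. */
bool nx_enabled_on_all_cpus(const uint64_t *efer_per_cpu, unsigned ncpu)
{
    atomic_uint_fast64_t all_nxe = 1;
    generic_call_dpc(nxe_check_dpc, &all_nxe, efer_per_cpu, ncpu);
    return atomic_load(&all_nxe) == 1;
}

/* Constructed sample values: 0xD01 = SCE|LME|LMA|NXE, 0x501 lacks NXE. */
const uint64_t sample_all_nxe[4]  = { 0xD01, 0xD01, 0xD01, 0xD01 };
const uint64_t sample_one_off[4]  = { 0xD01, 0x501, 0xD01, 0xD01 };
const uint64_t sample_msr_zero[2] = { 0, 0 };   /* MSR read emulated as 0 */

int main(void)
{
    printf("NXE on every CPU:          %d\n", nx_enabled_on_all_cpus(sample_all_nxe, 4));
    printf("one CPU without NXE:       %d\n", nx_enabled_on_all_cpus(sample_one_off, 4));
    printf("rdmsr emulated as 0:       %d\n", nx_enabled_on_all_cpus(sample_msr_zero, 2));
    return 0;
}
```

The ordering matters: because the driver calls KeSignalCallDpcSynchronize before it tests the NXE bit, a single-threaded stub that returns immediately still yields the right answer as long as the MSR value itself is right; with the MSR emulated as 0 the flag is cleared and the caller's sete produces 0.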
Anastasius Focht focht@gmx.net changed:
What        | Removed | Added
------------|---------|------------------------------------------
Keywords    |         | obfuscation
URL         |         | https://store.steampowered.com/app/782330/
--- Comment #1 from Anastasius Focht focht@gmx.net --- Hello folks,
addendum, if a generic hack/patch for unknown MSR registers isn't used (bug 49221), handling for IA32_EFER MSR (0xC0000080) needs to be added as well. See DPC code in my comment #0.
Regards
--- Comment #2 from Anastasius Focht focht@gmx.net --- Hello folks,
addendum #2, full sequence with semi-stubs:
--- snip ---
00d0:fixme:ntoskrnl:KeGenericCallDpc Routine 0000000000C857A0, Context 0000000000B5F288 sem-stub.
00d0:trace:seh:raise_exception code=c0000005 flags=0 addr=0xc857ba ip=c857ba tid=00d0
00d0:trace:seh:raise_exception info[0]=0000000000000000
00d0:trace:seh:raise_exception info[1]=ffffffffffffffff
00d0:trace:seh:raise_exception rax=0000000000000008 rbx=00000000008ec1b8 rcx=00000000c0000080 rdx=0000000000b5f288
00d0:trace:seh:raise_exception rsi=0000000000b5f194 rdi=0000000000b5f288 rbp=0000000000b5f238 rsp=0000000000b5f130
00d0:trace:seh:raise_exception r8=0000000000b5f194 r9=0000000000b5f198 r10=0000000000000000 r11=0000000000000000
00d0:trace:seh:raise_exception r12=0000000000000000 r13=00007fffffea4000 r14=00000000008e4048 r15=00000000008e4098
00d0:trace:seh:call_vectored_handlers calling handler at 0x22d030 code=c0000005 flags=0
00d0:trace:int:emulate_instruction rdmsr CR 0xc0000080
00d0:fixme:int:emulate_instruction reg 0xc0000080 returning 0.
00d0:trace:int:vectored_handler next instruction rip=c857bc
00d0:trace:int:vectored_handler rax=0000000000000000 rbx=00000000008ec1b8 rcx=00000000c0000080 rdx=0000000000000000
00d0:trace:int:vectored_handler rsi=0000000000b5f194 rdi=0000000000b5f288 rbp=0000000000b5f238 rsp=0000000000b5f130
00d0:trace:int:vectored_handler r8=0000000000b5f194 r9=0000000000b5f198 r10=0000000000000000 r11=0000000000000000
00d0:trace:int:vectored_handler r12=0000000000000000 r13=00000000ffea4000 r14=00000000008e4048 r15=00000000008e4098
00d0:trace:seh:call_vectored_handlers handler at 0x22d030 returned ffffffff
00d0:Call ntoskrnl.exe.KeSignalCallDpcSynchronize(00b5f198) ret=00c857cf
00d0:fixme:ntoskrnl:KeSignalCallDpcSynchronize barrier 0000000000B5F198 stub.
00d0:Ret ntoskrnl.exe.KeSignalCallDpcSynchronize() retval=00000001 ret=00c857cf
00d0:Call ntoskrnl.exe.KeSignalCallDpcDone(00b5f194) ret=00235c6a
00d0:Ret ntoskrnl.exe.KeSignalCallDpcDone() retval=00235cc0 ret=00235c6a
00d0:Ret ntoskrnl.exe.KeGenericCallDpc() retval=00235cc0 ret=00c8578f
--- snip ---
Regards
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            | Removed | Added
----------------|---------|-------------------------------------------------------------------------------------------
Staged patchset |         | https://github.com/wine-staging/wine-staging/tree/master/patches/ntoskrnl.exe-KeGenericCallDpc
CC              |         | leslie_alistair@hotmail.com
Status          | NEW     | STAGED
Anastasius Focht focht@gmx.net changed:
What          | Removed | Added
--------------|---------|-----------------------------------------
Fixed by SHA1 |         | 4921d24627f5f004b94f1212187adeda3f09219a
Resolution    | ---     | FIXED
Status        | STAGED  | RESOLVED
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
this is fixed by following commits:
* https://source.winehq.org/git/wine.git/commitdiff/73d915fd8e3c7389b114f5d837... ("ntoskrnl.exe: Add KeSignalCallDpcDone() function.")
* https://source.winehq.org/git/wine.git/commitdiff/1adc1b1ecf387bcefea9e4b220... ("ntoskrnl.exe: Add KeGenericCallDpc() function.")
* https://source.winehq.org/git/wine.git/commitdiff/4921d24627f5f004b94f121218... ("ntoskrnl.exe: Add KeSignalCallDpcSynchronize() function.")
Thanks Paul
$ wine --version
wine-5.9-101-ge48fabff52
Regards
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------|----------|-------
Status | RESOLVED | CLOSED
--- Comment #4 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 5.10.