New subject: [Bug 49222] Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on unimplemented function ntoskrnl.exe.KeRevertToUserAffinityThreadEx

22 May 2020


      https://bugs.winehq.org/show_bug.cgi?id=49222
Bug ID: 49222
           Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on
                    unimplemented function
                    ntoskrnl.exe.KeRevertToUserAffinityThreadEx
           Product: Wine
           Version: 5.8
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
continuation of bug 49220 (split out from bug 49194).
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll wine net start "Denuvo
Anti-Cheat" >>log.txt 2>&1
...
00d0:Call driver init 0000000000C81184
(obj=000000000078EE10,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo
Anti-Cheat") 
...
00d0:Call ntoskrnl.exe.KeQueryActiveProcessorCountEx(0000ffff) ret=00c83d3a
00d0:fixme:ntoskrnl:KeQueryActiveProcessorCountEx GroupNumber 65535 semi-stub.
00d0:Call KERNEL32.GetSystemInfo(00b5f2f0) ret=00232996
00d0:Call ntdll.NtQuerySystemInformation(00000000,00b5f200,00000040,00000000)
ret=7b02c721
00d0:trace:ntdll:NtQuerySystemInformation
(0x00000000,0xb5f200,0x00000040,(nil))
00d0:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c721
00d0:Call ntdll.NtQuerySystemInformation(00000001,00b5f1f0,0000000c,00000000)
ret=7b02c751
00d0:trace:ntdll:NtQuerySystemInformation
(0x00000001,0xb5f1f0,0x0000000c,(nil))
00d0:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=7b02c751
00d0:Ret  KERNEL32.GetSystemInfo() retval=00000006 ret=00232996
00d0:Ret  ntoskrnl.exe.KeQueryActiveProcessorCountEx() retval=00000008
ret=00c83d3a
00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(ffffffffffffffff)
ret=00c83d56
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0xffffffff) semi-stub
00d0:Call
ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000)
ret=00232b18
00d0:Ret  ntdll.NtQueryInformationThread() retval=00000000 ret=00232b18
00d0:Call
ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010)
ret=00232b70
00d0:Ret  ntdll.NtSetInformationThread() retval=c000000d ret=00232b70
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx Set affinity, status
0xc000000d.
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff.
00d0:Ret  ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff
ret=00c83d56
00d0:Call ntoskrnl.exe.KeSetSystemAffinityThreadEx(00000001) ret=00c83d86
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx (0x1) semi-stub
00d0:Call
ntdll.NtQueryInformationThread(fffffffffffffffe,0000001e,00b5f300,00000010,00000000)
ret=00232b18
00d0:Ret  ntdll.NtQueryInformationThread() retval=00000000 ret=00232b18
00d0:Call
ntdll.NtSetInformationThread(fffffffffffffffe,0000001e,00b5f310,00000010)
ret=00232b70
00d0:Ret  ntdll.NtSetInformationThread() retval=00000000 ret=00232b70
00d0:fixme:ntoskrnl:KeSetSystemAffinityThreadEx old.Group 0, old.Mask 0xff.
00d0:Ret  ntoskrnl.exe.KeSetSystemAffinityThreadEx() retval=000000ff
ret=00c83d86 
...
00d0:fixme:int:emulate_instruction reg 0xfe returning 0.
00d0:trace:int:vectored_handler next instruction rip=c88cf5
00d0:trace:int:vectored_handler   rax=0000000000000000 rbx=0000000000b5d280
rcx=00000000000000fe rdx=0000000000000000
00d0:trace:int:vectored_handler   rsi=00000000008e1f70 rdi=0000000000000000
rbp=0000000000b5f370 rsp=0000000000b5d220
00d0:trace:int:vectored_handler    r8=0000000000000000  r9=0000000000000000
r10=0000000000000000 r11=0000000000000000
00d0:trace:int:vectored_handler   r12=0000000000000000 r13=00000000ffea4000
r14=0000000000000000 r15=0000000080000008
00d0:trace:seh:call_vectored_handlers handler at 0x22cfa0 returned ffffffff
00d0:trace:seh:raise_exception code=80000100 flags=1 addr=0x7bc6cb0c
ip=7bc6cb0c tid=00d0
00d0:trace:seh:raise_exception  info[0]=0000000000e00266
00d0:trace:seh:raise_exception  info[1]=0000000000dffcf8
wine: Call from 0x7bc6cb0c to unimplemented function
ntoskrnl.exe.KeRevertToUserAffinityThreadEx, aborting 
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-ker...
It's the "tail" (epilogue) of bug 49219 to restore the previous affinity of the
driver's main thread.
Relevant disassembly snippet of driver:
--- snip ---
...
140003D37 | call qword ptr ds:[rax+40]       | KeQueryActiveProcessorCountEx
140003D3A | mov byte ptr ds:[rsi+30],al      |
140003D3D | movzx ebp,al                     | num cores
140003D40 | cmp al,20                        |
140003D42 | jb denuvo-anti-cheat.140003D49   |
140003D44 | mov ebp,20                       | limit to 32 cores max
140003D49 | or rcx,FFFFFFFFFFFFFFFF          |
140003D4D | mov dword ptr ds:[rsi+34],ebp    |
140003D50 | call qword ptr ds:[<&JMP.&KeSetSystemAffinityThreadEx>]
140003D56 | mov r15,rax                      |
140003D59 | test ebp,ebp                     |
140003D5B | je denuvo-anti-cheat.140003DA9   |
140003D5D | mov qword ptr ss:[rsp+80],r14    |
140003D65 | lea rdi,qword ptr ds:[rsi+38]    |
140003D69 | lea r14,qword ptr ds:[rsi+1C38]  |
140003D70 | mov esi,ebp                      |
140003D72 | mov rcx,rbx                      |
140003D75 | mov edx,1                        |
140003D7A | shl rdx,cl                       |
140003D7D | mov rcx,rdx                      | current core mask
140003D80 | call qword ptr ds:[<&JMP.&KeSetSystemAffinityThreadEx>]
140003D86 | mov rdx,r14                      |
140003D89 | mov rcx,rdi                      |
140003D8C | call denuvo-anti-cheat.1400086C0 | read cpuid + VMX MSRs
140003D91 | inc rbx                          | core++
140003D94 | add rdi,E0                       |
140003D9B | sub rsi,1                        |
140003D9F | jne denuvo-anti-cheat.140003D72  | loop through all cores
140003DA1 | mov r14,qword ptr ss:[rsp+80]    |
140003DA9 | mov rcx,r15                      |
140003DAC | call qword ptr ds:[1400770F0]    | KeRevertToUserAffinityThreadEx
140003DB2 | mov rcx,qword ptr ss:[rsp+30]    |
140003DB7 | xor rcx,rsp                      |
140003DBA | call denuvo-anti-cheat.14006FB10 |
140003DBF | add rsp,40                       |
140003DC3 | pop r15                          |
140003DC5 | pop rdi                          |
140003DC6 | pop rsi                          |
140003DC7 | pop rbp                          |
140003DC8 | pop rbx                          |
140003DC9 | ret                              |
--- snip ---
$ wine --version
wine-5.8-323-g563de17f53
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 49222] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' crashes on unimplemented function ntoskrnl.exe.KeRevertToUserAffinityThreadEx