[Bug 49192] New: Denuvo Anti-Cheat needs support for NtQuerySystemInformation 'SystemCodeIntegrityInformation' info class (Driver Signature Enforcement)
https://bugs.winehq.org/show_bug.cgi?id=49192
Bug ID: 49192 Summary: Denuvo Anti-Cheat needs support for NtQuerySystemInformation 'SystemCodeIntegrityInformation' info class (Driver Signature Enforcement) Product: Wine Version: 5.8 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: ntdll Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
as it says. Part of Doom Eternal. The Denuvo Anti-Cheat installer is baked into the main executable 'DOOMEternalx64vk.exe' which contains several PE payloads. I'm not aware of any other games that use it (yet).
Trace log:
--- snip --- $ pwd /home/focht/wine-games/wineprefix64-steam/drive_c/Program Files (x86)/Steam
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl wine ./steam.exe -no-cef-sandbox -applaunch 782330 >>log.txt 2>&1 ... 0464:Call KERNEL32.LoadLibraryW(0091ea80 L"C:\users\focht\Temp\denuvo-anti-cheat-update-service-launcher.dll") ret=01d3db68 ... 0464:Ret KERNEL32.LoadLibraryW() retval=03180000 ret=01d3db68 ... 0464:Call KERNEL32.GetProcAddress(03180000,14722b1f0 "startService3") ret=147244518 0464:Ret KERNEL32.GetProcAddress() retval=03193350 ret=147244518 ... 0464:Call KERNEL32.LoadLibraryW(01919a10 L"C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anticheat-gui.dll") ret=01d3db68 ... 0464:Ret KERNEL32.LoadLibraryW() retval=00000000 ret=01d3db68 ... 0464:Call version.GetFileVersionInfoW(0191b8c0 L"C:\users\focht\Temp\denuvo-anti-cheat-update-service-launcher.dll",00000000,000008ac,0191c8f0) ret=03195497 ... 0464:Ret version.GetFileVersionInfoW() retval=00000001 ret=03195497 0464:Call version.VerQueryValueW(0191c8f0,03202928 L"\",0091e628,0091e618) ret=031954c3 ... 0464:Ret version.VerQueryValueW() retval=00000001 ret=031954c3 ... 0464:Call KERNEL32.GetProcAddress(7bc20000,032044d0 "NtQuerySystemInformation") ret=0318ef65 0464:Ret KERNEL32.GetProcAddress() retval=7bc2d2b0 ret=0318ef65 0464:Call ntdll.NtQuerySystemInformation(00000067,0091e680,00000008,0091e678) ret=0318ef9d 0464:fixme:ntdll:NtQuerySystemInformation (0x00000067,0x91e680,0x00000008,0x91e678) stub 0464:Ret ntdll.NtQuerySystemInformation() retval=c0000003 ret=0318ef9d 0464:Call ntdll.NtQuerySystemInformation(00000023,0091e670,00000002,0091e678) ret=0318efb5 0464:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=0318efb5 ... --- snip ---
0x67 -> SYSTEM_CODEINTEGRITY_INFORMATION
'denuvo-anti-cheat-update-service-launcher-2020-05-18-16.12.57.645.log'
--- snip --- 2020-05-18-16.12.57.679 [INF] Got reporter binary, version 2.7.0.40281 2020-05-18-16.12.57.731 [INF] Launcher 2.7.0.40281 started. Transaction id: 4e7c49ed-40f1-448f-a762-898049b26608 2020-05-18-16.12.57.731 [ERR] Environment check failed! 2020-05-18-16.12.57.805 [INF] Reporter 2.7.0.40281 started, passing error 2 2020-05-18-16.14.45.721 [INF] Reporter completed: 0 --- snip ---
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqu...
--- quote --- SYSTEM_CODEINTEGRITY_INFORMATION
When the SystemInformationClass parameter is SystemCodeIntegrityInformation, the buffer pointed to by the SystemInformation parameter should be large enough to hold a single SYSTEM_CODEINTEGRITY_INFORMATION structure having the following layout:
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION { ULONG Length; ULONG CodeIntegrityOptions; } SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
The Length member contains the size of the structure in bytes. This must be set by the caller.
The CodeIntegrityOptions member contains a bitmask to identify code integrity options.
Table 2
Value Meaning
0x01 CODEINTEGRITY_OPTION_ENABLED Enforcement of kernel mode Code Integrity is enabled. --- quote ---
It seems sufficient to set 'CODEINTEGRITY_OPTION_ENABLED' (0x1) to pass the DSE check. The Denuvo bootstrapper will then extract and install the update service and kernel driver.
--- snip --- .... 2020-05-18-17.10.52.450 [INF] Got reporter binary, version 2.7.0.40281 2020-05-18-17.10.52.455 [INF] Launcher 2.7.0.40281 started. Transaction id: 4e7c49ed-40f1-448f-a762-898049b26608 2020-05-18-17.10.52.472 [INF] Saving update service binary 2020-05-18-17.10.52.486 [INF] Saving update service binary to path: C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\Denuvo Anti-Cheat Installer.exe 2020-05-18-17.10.52.496 [INF] Saving update service binary 2020-05-18-17.10.52.508 [INF] Saving update service binary to path: C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll 2020-05-18-17.10.52.515 [INF] Saving update service binary 2020-05-18-17.10.52.526 [INF] Saving update service binary to path: C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys 2020-05-18-17.10.52.537 [INF] Update service not installed. 2020-05-18-17.10.52.542 [INF] Running installer: 2.7.0.40281 2020-05-18-17.10.52.550 [INF] Installer arguments: install "4e7c49ed-40f1-448f-a762-898049b26608" "C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll" "C:\Program Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys" 2020-05-18-17.10.55.278 [INF] Elevated installer run finished successfully. 2020-05-18-17.10.55.298 [INF] Update service not running. Starting the service 2020-05-18-17.10.55.892 [INF] Performing software update 2020-05-18-17.10.55.895 [INF] Sending clean check request 2020-05-18-17.10.55.897 [INF] Waiting for clean check response 2020-05-18-17.10.56.000 [INF] Sending update request 2020-05-18-17.10.56.004 [INF] Waiting for update response 2020-05-18-17.11.04.498 [ERR] Received updateFailureResponse. Reason: start driver failed 2020-05-18-17.11.04.559 [INF] Reporter 2.7.0.40281 started, passing error 2003 --- snip ---
$ wine --version wine-5.8-173-g9e26bc8116
Regards
https://bugs.winehq.org/show_bug.cgi?id=49192
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |obfuscation URL| |https://store.steampowered. | |com/app/782330/
https://bugs.winehq.org/show_bug.cgi?id=49192
Anya animegirl@stronzi.org changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |animegirl@stronzi.org
https://bugs.winehq.org/show_bug.cgi?id=49192
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Staged patchset| |https://github.com/wine-sta | |ging/wine-staging/tree/mast | |er/patches/ntdll-SystemCode | |IntegrityInformation Status|NEW |STAGED CC| |leslie_alistair@hotmail.com
https://bugs.winehq.org/show_bug.cgi?id=49192
Zebediah Figura z.figura12@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |3269da9b46eaec8e3ea263fc8ec | |fcd24d3d8b6e6 CC| |z.figura12@gmail.com Resolution|--- |FIXED Status|STAGED |RESOLVED
--- Comment #1 from Zebediah Figura z.figura12@gmail.com --- Fixed by https://source.winehq.org/git/wine.git/commitdiff/3269da9b46eaec8e3ea263fc8ecfcd24d3d8b6e6.
https://bugs.winehq.org/show_bug.cgi?id=49192
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #2 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 6.6.
-
WineHQ Bugzilla