https://bugs.winehq.org/show_bug.cgi?id=49230
Bug ID: 49230
Summary: Multiple kernel drivers crash on unimplemented function ntoskrnl.exe.KeSetTimer (Denuvo Anti-Cheat 'denuvo-anti-cheat.sys')
Product: Wine
Version: 5.9
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 49224 (split out from bug 49194).
--- snip ---
$ WINEDEBUG=+seh,+relay,+int,+ntoskrnl,+ntdll,+reg wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1
...
00d0:Call driver init 0000000000C81184 (obj=000000000078DFE0,str=L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo Anti-Cheat")
...
00d0:Call ntoskrnl.exe.PsCreateSystemThread(00b5f458,00000000,00000000,00000000,00000000,00c84340,00e41e78) ret=00c845d6
00d0:Call ntdll.RtlCreateUserThread(ffffffffffffffff,00000000,00000000,00000000,00000000,00000000,00c84340,00e41e78,00b5f458,00000000) ret=00233a0b
00d0:Ret ntdll.RtlCreateUserThread() retval=00000000 ret=00233a0b
00d0:Ret ntoskrnl.exe.PsCreateSystemThread() retval=00000000 ret=00c845d6
00d0:Call ntoskrnl.exe.ObReferenceObjectByHandle(00000050,001fffff,00000000,00000000,00e41e88,00000000) ret=00c8460a
00d0:trace:ntoskrnl:ObReferenceObjectByHandle 0000000000000050 1fffff 0000000000000000 0 0000000000E41E88 0000000000000000
00d0:Call ntdll.NtQueryObject(00000050,00000002,00b5f120,00000100,00b5f220) ret=0022e6cb
00d0:trace:ntdll:NtQueryObject (0x50,0x00000002,0xb5f120,0x00000100,0xb5f220)
00d0:Ret ntdll.NtQueryObject() retval=00000000 ret=0022e6cb
...
00d8:Starting thread proc 0xc84340 (arg=0xe41e78)
...
00d8:Call ntoskrnl.exe.KeInitializeTimer(04b600c4) ret=00caeab7
00d8:trace:ntoskrnl:KeInitializeTimerEx timer 0000000004B600C4, type 0.
00d8:Ret ntoskrnl.exe.KeInitializeTimer() retval=00000020 ret=00caeab7
00d8:Call ntoskrnl.exe.KeInitializeDpc(04b60104,00caecf0,04b6009c) ret=00caeacb
00d8:fixme:ntoskrnl:KeInitializeDpc stub
00d8:Ret ntoskrnl.exe.KeInitializeDpc() retval=00000005 ret=00caeacb
00d8:Call KERNEL32.RaiseException(80000100,00000001,00000002,067efbc0) ret=0023ea28
00d8:Call ntdll.memcpy(067efaa8,067efbc0,00000010) ret=7b0104f6
00d8:Ret ntdll.memcpy() retval=067efaa8 ret=7b0104f6
00d8:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b010505 ip=7b010505 tid=00d8
00d8:trace:seh:raise_exception info[0]=000000000025c000
00d8:trace:seh:raise_exception info[1]=000000000025e7ac
00d8:trace:seh:call_vectored_handlers calling handler at 0x22d030 code=80000100 flags=1
00d8:trace:seh:call_vectored_handlers handler at 0x22d030 returned 0
00d8:trace:seh:RtlVirtualUnwind type 1 rip 7b010505 rsp 67efa60
...
wine: Call from 0x7b010505 to unimplemented function ntoskrnl.exe.KeSetTimer, aborting
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/056c9df854817670dc4fb9c095cba29c...
--- snip ---
@ stub KeSetTimer
@ stdcall KeSetTimerEx(ptr int64 long ptr)
--- snip ---
Should be implemented on top of KeSetTimerEx().
$ wine --version
wine-5.9-13-g3df701e6b9
Regards
Anastasius Focht focht@gmx.net changed:
What      |Removed |Added
----------+--------+------------------------------------------
URL       |        |https://store.steampowered.com/app/782330/
Keywords  |        |obfuscation
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
addendum, since it's needed to make custom timer DPC work with KeSetTimer (one shot timer):
--- snip ---
00d8:Call ntoskrnl.exe.KeInitializeTimer(04b600c4) ret=00caeab7
00d8:trace:ntoskrnl:KeInitializeTimerEx timer 0000000004B600C4, type 0.
00d8:Ret ntoskrnl.exe.KeInitializeTimer() retval=00000020 ret=00caeab7
00d8:Call ntoskrnl.exe.KeInitializeDpc(04b60104,00caecf0,04b6009c) ret=00caeacb
00d8:fixme:ntoskrnl:KeInitializeDpc stub
00d8:Ret ntoskrnl.exe.KeInitializeDpc() retval=00000005 ret=00caeacb
00d8:Call KERNEL32.RaiseException(80000100,00000001,00000002,067efbc0) ret=0023ea28
--- snip ---
The driver calls 'KeInitializeDpc' with DPC routine and context parameters. Wine currently throws them away:
https://source.winehq.org/git/wine.git/blob/056c9df854817670dc4fb9c095cba29c...
--- snip ---
/***********************************************************************
 *           KeInitializeDpc   (NTOSKRNL.EXE.@)
 */
VOID WINAPI KeInitializeDpc(PRKDPC Dpc, PKDEFERRED_ROUTINE DeferredRoutine, PVOID DeferredContext)
{
    FIXME("stub\n");
}
--- snip ---
Microsoft docs: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-kei...
--- quote ---
The caller can queue an initialized DPC with KeInsertQueueDpc. The caller also can set up a timer object associated with the initialized DPC object and queue the DPC with KeSetTimer.
--- quote ---
As implied by the documentation, 'KeInitializeDpc' needs to associate the DPC routine and context with the DPC object. Paul buried that change in the same patch. Just wanted to highlight this in an extra comment.
Some example usage:
https://github.com/microsoft/Windows-driver-samples/blob/master/general/even...
Regards
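Added example, not Wine's code and not part of the bug report: a user-space model in C of the WDM semantics this comment refers to. KeInitializeDpc stores the routine and context in the DPC object, KeSetTimer is KeSetTimerEx with Period 0, and TimerExpire together with the Demo helpers are constructed stand-ins for the kernel timer queue that show the stored routine being called with its context exactly once for a one-shot timer.

```c
/* Added illustration, not Wine's code: user-space model of WDM timer/DPC semantics. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef struct _KDPC KDPC;
typedef void (*PKDEFERRED_ROUTINE)(KDPC *Dpc, void *DeferredContext,
                                   void *SystemArgument1, void *SystemArgument2);
struct _KDPC { PKDEFERRED_ROUTINE DeferredRoutine; void *DeferredContext; };
typedef struct _KTIMER {   /* DueTime in 100 ns units (negative = relative), Period 0 = one-shot */
    int64_t DueTime; long Period; KDPC *Dpc; bool Inserted;
} KTIMER;
/* The point of Comment #1: the DPC object must keep routine and context. */
void KeInitializeDpc(KDPC *Dpc, PKDEFERRED_ROUTINE Routine, void *Context)
{ Dpc->DeferredRoutine = Routine; Dpc->DeferredContext = Context; }
void KeInitializeTimer(KTIMER *Timer) { KTIMER z = {0}; *Timer = z; }
bool KeSetTimerEx(KTIMER *Timer, int64_t DueTime, long Period, KDPC *Dpc)
{
    bool was_queued = Timer->Inserted;   /* WDM return value: TRUE if already queued */
    Timer->DueTime = DueTime; Timer->Period = Period; Timer->Dpc = Dpc;
    Timer->Inserted = true;
    return was_queued;
}
/* KeSetTimer is the one-shot case: KeSetTimerEx with Period == 0. */
bool KeSetTimer(KTIMER *Timer, int64_t DueTime, KDPC *Dpc)
{ return KeSetTimerEx(Timer, DueTime, 0, Dpc); }
/* Constructed stand-in for the kernel timer queue: on expiry run the stored DPC
 * routine with its stored context; a one-shot timer leaves the queue first. */
bool TimerExpire(KTIMER *Timer)
{
    if (!Timer->Inserted) return false;
    if (Timer->Period == 0) Timer->Inserted = false;
    if (!Timer->Dpc || !Timer->Dpc->DeferredRoutine) return false;
    Timer->Dpc->DeferredRoutine(Timer->Dpc, Timer->Dpc->DeferredContext, NULL, NULL);
    return true;
}
static int g_fired; static void *g_last_ctx;
static void DemoDpc(KDPC *d, void *ctx, void *a, void *b)
{ (void)d; (void)a; (void)b; g_fired++; g_last_ctx = ctx; }
/* The driver's sequence from the log (KeInitializeTimer, KeInitializeDpc, KeSetTimer)
 * followed by two simulated expiries; returns how often the DPC ran (1 for one-shot). */
int RunOneShotDemo(void *ctx)
{
    KTIMER timer; KDPC dpc; g_fired = 0; g_last_ctx = NULL;
    KeInitializeTimer(&timer); KeInitializeDpc(&dpc, DemoDpc, ctx);
    KeSetTimer(&timer, -10000000LL, &dpc);   /* relative due time: 1 second */
    TimerExpire(&timer); TimerExpire(&timer);
    return g_fired;
}
void *LastDpcContext(void) { return g_last_ctx; }
```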
Anastasius Focht focht@gmx.net changed:
What          |Removed  |Added
--------------+---------+------------------------------------------
Status        |NEW      |RESOLVED
Resolution    |---      |FIXED
Fixed by SHA1 |         |ba98574207b8f85839587a880b97eecbe34bdd3c
--- Comment #2 from Anastasius Focht focht@gmx.net ---
Hello folks,
this is fixed by commit https://source.winehq.org/git/wine.git/commitdiff/ba98574207b8f85839587a880b... ("ntoskrnl.exe: Add KeSetTimer() function.")
Thanks Paul
$ wine --version
wine-5.9-154-gf6595bbdff
Regards
Alexandre Julliard julliard@winehq.org changed:
What      |Removed  |Added
----------+---------+--------
Status    |RESOLVED |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.10.