[Bug 49194] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs 'netio.sys' (Winsock Kernel Sockets API / WSK)
https://bugs.winehq.org/show_bug.cgi?id=49194
Bug ID: 49194 Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs 'netio.sys' (Winsock Kernel Sockets API / WSK) Product: Wine Version: 5.8 Hardware: x86 OS: Linux Status: NEW Severity: normal Priority: P2 Component: -unknown Assignee: wine-bugs@winehq.org Reporter: focht@gmx.net Distribution: ---
Hello folks,
as it says. Continuation of bug 49192
Disclaimer for the general populace, to avoid these stupid comments on Reddit/your-favourite-gossip-site: This is not an attempt to make anything work.
--- snip --- $ WINEDEBUG=+seh,+relay,+ntoskrnl wine net start "Denuvo Anti-Cheat" >>log.txt 2>&1 ... 00d0:trace:ntoskrnl:load_driver loading driver L"C:\Program Files\Denuvo Anti-Cheat\denuvo-anti-cheat.sys" 00d0:Call KERNEL32.LoadLibraryW(0078eff0 L"C:\Program Files\Denuvo Anti-Cheat\denuvo-anti-cheat.sys") ret=00236828 ... 00d0:err:module:import_dll Library netio.sys (which is needed by L"C:\Program Files\Denuvo Anti-Cheat\denuvo-anti-cheat.sys") not found ... 00d0:err:module:import_dll Library wdfldr.sys (which is needed by L"C:\Program Files\Denuvo Anti-Cheat\denuvo-anti-cheat.sys") not found 00d0:Ret ntdll.LdrLoadDll() retval=c0000135 ret=7b01d770 ... 00d0:Ret KERNEL32.LoadLibraryW() retval=00000000 ret=00236828 ... 00d0:trace:ntoskrnl:IoDeleteDriver (00000000000FB930) ... 00d0:err:ntoskrnl:ZwLoadDriver failed to create driver L"\Registry\Machine\System\CurrentControlSet\Services\Denuvo Anti-Cheat": c0000142 --- snip ---
--- snip --- $ winedump -j import drive_c/Program\ Files/Denuvo\ Anti-Cheat/denuvo-anti-cheat.sys Contents of drive_c/Program Files/Denuvo Anti-Cheat/denuvo-anti-cheat.sys: 1553128 bytes
Import Table size: 00000050 offset 0017381c netio.sys Hint/Name Table: 0017F670 TimeDateStamp: 00000000 (Thu Jan 1 01:00:00 1970) ForwarderChain: 00000000 First thunk RVA: 0017F000 Thunk Ordn Name 0017f000 1 WskDeregister 0017f008 2 WskRegister 0017f010 3 WskReleaseProviderNPI 0017f018 0 WskCaptureProviderNPI
offset 00173830 ntoskrnl.exe Hint/Name Table: 0017F698 TimeDateStamp: 00000000 (Thu Jan 1 01:00:00 1970) ForwarderChain: 00000000 First thunk RVA: 0017F028 Thunk Ordn Name 0017f028 0 ExAcquireFastMutex 0017f030 1 ExAllocatePoolWithQuotaTag 0017f038 2 ExAllocatePoolWithTag 0017f040 3 ExCreateCallback 0017f048 4 ExFreePoolWithTag 0017f050 5 ExRegisterCallback 0017f058 6 ExReleaseFastMutex 0017f060 7 ExUnregisterCallback 0017f068 8 IoAllocateIrp 0017f070 9 IoAllocateMdl 0017f078 10 IoFreeIrp 0017f080 11 IoFreeMdl 0017f088 12 IoGetCurrentProcess 0017f090 13 IoGetInitialStack 0017f098 14 IoReuseIrp 0017f0a0 15 KdDebuggerEnabled 0017f0a8 16 KdRefreshDebuggerNotPresent 0017f0b0 17 KeAcquireSpinLockAtDpcLevel 0017f0b8 18 KeAcquireSpinLockRaiseToDpc 0017f0c0 19 KeBugCheckEx 0017f0c8 20 KeCancelTimer 0017f0d0 21 KeDelayExecutionThread 0017f0d8 22 KeGenericCallDpc 0017f0e0 23 KeGetCurrentProcessorNumberEx 0017f0e8 24 KeInitializeDpc 0017f0f0 25 KeInitializeEvent 0017f0f8 26 KeInitializeMutex 0017f100 27 KeInitializeTimer 0017f108 28 KeLowerIrql 0017f110 29 KeQueryActiveProcessorCountEx 0017f118 30 KeReleaseMutex 0017f120 31 KeReleaseSpinLock 0017f128 32 KeReleaseSpinLockFromDpcLevel 0017f130 33 KeRevertToUserAffinityThreadEx 0017f138 34 KeSetEvent 0017f140 35 KeSetSystemAffinityThreadEx 0017f148 36 KeSetTimer 0017f150 37 KeSignalCallDpcDone 0017f158 38 KeSignalCallDpcSynchronize 0017f160 39 KeStackAttachProcess 0017f168 40 KeUnstackDetachProcess 0017f170 41 KeWaitForSingleObject 0017f178 42 KfRaiseIrql 0017f180 43 MmBuildMdlForNonPagedPool 0017f188 44 MmGetPhysicalAddress 0017f190 45 MmGetSystemRoutineAddress 0017f198 46 MmGetVirtualForPhysical 0017f1a0 47 MmIsAddressValid 0017f1a8 48 MmMapIoSpace 0017f1b0 49 MmUnmapIoSpace 0017f1b8 50 ObOpenObjectByPointer 0017f1c0 51 ObReferenceObjectByHandle 0017f1c8 52 ObRegisterCallbacks 0017f1d0 53 ObUnRegisterCallbacks 0017f1d8 54 ObfDereferenceObject 0017f1e0 55 ObfReferenceObject 0017f1e8 56 PsCreateSystemThread 0017f1f0 57 PsGetCurrentProcessId 0017f1f8 58 PsGetCurrentThreadTeb 0017f200 59 PsGetProcessId 0017f208 60 PsGetThreadProcessId 0017f210 61 PsGetVersion 0017f218 62 PsLookupProcessByProcessId 0017f220 63 PsProcessType 0017f228 64 PsRemoveLoadImageNotifyRoutine 0017f230 65 PsSetLoadImageNotifyRoutine 0017f238 66 PsTerminateSystemThread 0017f240 67 PsThreadType 0017f248 68 RtlAnsiCharToUnicodeChar 0017f250 69 RtlAnsiStringToUnicodeString 0017f258 70 RtlCheckRegistryKey 0017f260 71 RtlCopyUnicodeString 0017f268 72 RtlFreeUnicodeString 0017f270 73 RtlGetVersion 0017f278 74 RtlInitAnsiString 0017f280 75 RtlInitUnicodeString 0017f288 76 RtlQueryRegistryValues 0017f290 77 RtlRandomEx 0017f298 78 RtlUnicodeToMultiByteN 0017f2a0 79 ZwClose 0017f2a8 80 ZwCreateFile 0017f2b0 81 ZwCreateKey 0017f2b8 82 ZwDeleteFile 0017f2c0 83 ZwDeleteKey 0017f2c8 84 ZwDeleteValueKey 0017f2d0 85 ZwDuplicateObject 0017f2d8 86 ZwLoadDriver 0017f2e0 87 ZwOpenFile 0017f2e8 88 ZwOpenProcess 0017f2f0 89 ZwQuerySystemInformation 0017f2f8 90 ZwQueryVirtualMemory 0017f300 91 ZwReadFile 0017f308 92 ZwSetValueKey 0017f310 93 ZwUnloadDriver 0017f318 94 ZwWriteFile 0017f320 95 __C_specific_handler 0017f328 96 __chkstk 0017f330 97 _purecall
offset 00173844 wdfldr.sys Hint/Name Table: 0017F9B0 TimeDateStamp: 00000000 (Thu Jan 1 01:00:00 1970) ForwarderChain: 00000000 First thunk RVA: 0017F340 Thunk Ordn Name 0017f340 1 WdfVersionBindClass 0017f348 2 WdfVersionUnbind 0017f350 3 WdfVersionUnbindClass 0017f358 0 WdfVersionBind
Done dumping drive_c/Program Files/Denuvo Anti-Cheat/denuvo-anti-cheat.sys --- snip ---
Looks like the driver registers itself as Winsock Kernel (WSK) client. This is the "new" way as the TDI API is considered legacy on modern Windows versions.
--- quote --- The TDI feature is deprecated and will be removed in future versions of Microsoft Windows. Depending on how you use TDI, use either the Winsock Kernel (WSK) or Windows Filtering Platform (WFP). --- quote ---
Just mentioning here since Wine has this component as well, albeit different design: 'http.sys' is a WSK client on Windows.
https://docs.microsoft.com/en-us/windows-hardware/drivers/network/registerin...
$ wine --version wine-5.8-173-g9e26bc8116
Regards
https://bugs.winehq.org/show_bug.cgi?id=49194
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- URL| |https://store.steampowered. | |com/app/782330/ Keywords| |obfuscation
https://bugs.winehq.org/show_bug.cgi?id=49194
Paul Gofman pgofman@codeweavers.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |pgofman@codeweavers.com
--- Comment #1 from Paul Gofman pgofman@codeweavers.com --- Created attachment 67223 --> https://bugs.winehq.org/attachment.cgi?id=67223 WIP patches
I am attaching the WIP patchset with which I got DOOM Eternal starting. I know there are a lot of bugs mixed in here but there are about 50 patches addressing different issues I met on the way and I am afraid sorting them out across the bugs at this stage is beyond me.
Those patches: - Add wdfldr.sys stub; - Partially implement netio.sys (but everything I saw DAC using so far); - Add a load of stubs and implements some missing bits of functionality in ntoskrnl.exe; - Adds a couple of functions to ntdll.dll - Contains a couple of hacks, with one of them especially unfortunate and requiring debugging the thing further.
The patchset is based on top of current Staging. I am likely going to work on upstreaming most of those patches.
I did not test the game beyond the first screen. I guess multiplayer is unlikely to work.
Patch 0046 is actually not a fix or a workaround, this is essentially a shortcut to pass the thing further I used to be able to see the end of those missing pieces. The thread which is terminated there does a lot of checks on initialization, and something is still getting wrong on its way so if it finishes it work it tears down everything (while the other threads are already operating normally).
Anastasius, if you would like to debug the issue(s) with yet failing thread further to find out what it needs, would you please let me know so I won't duplicate the effort?
https://bugs.winehq.org/show_bug.cgi?id=49194
Nikolay Sivov bunglehead@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Attachment #67223|text/plain |application/gzip mime type| | Attachment #67223|1 |0 is patch| |
https://bugs.winehq.org/show_bug.cgi?id=49194
--- Comment #2 from Paul Gofman pgofman@codeweavers.com --- Created attachment 67224 --> https://bugs.winehq.org/attachment.cgi?id=67224 A bit better hack
I actually got what it wants in that thread which was causing problems. The attached patch is to replace patches 0039 and that unfortunate 0046 one.
The correct way to fix it is obviously to implement some hash validation.
https://bugs.winehq.org/show_bug.cgi?id=49194
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |patch
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello Paul,
coming back from off-day seeing this. Kudos to you ;-)
If you don't mind I will split out some patches that are obviously not hacks into own bug reports.
Regards
https://bugs.winehq.org/show_bug.cgi?id=49194
--- Comment #4 from Paul Gofman pgofman@codeweavers.com --- (In reply to Anastasius Focht from comment #3)
If you don't mind I will split out some patches that are obviously not hacks into own bug reports.
Yes, sure.
https://bugs.winehq.org/show_bug.cgi?id=49194
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Fixed by SHA1| |8fe1c9e1bb39aabd8e4e2527895 | |2a6ead96531d2 Summary|Denuvo Anti-Cheat |Denuvo Anti-Cheat |'denuvo-anti-cheat.sys' |'denuvo-anti-cheat.sys' |needs 'netio.sys' (Winsock |fails to load, needs |Kernel Sockets API / WSK) |'netio.sys' stub driver | |(Winsock Kernel Sockets API | |/ WSK) Status|NEW |RESOLVED
--- Comment #5 from Anastasius Focht focht@gmx.net --- Hello folks,
this is fixed by commits:
* https://source.winehq.org/git/wine.git/commitdiff/8fe1c9e1bb39aabd8e4e252789... ("netio.sys: Add driver stub.")
* https://source.winehq.org/git/wine.git/commitdiff/7382ec9071b5fd2d36d96e79db... ("include/ddk: Add wsk.h file.")
* https://source.winehq.org/git/wine.git/commitdiff/392e4437d8e4e5c61e970344ea... ("netio.sys: Add stub for WskRegister().")
* https://source.winehq.org/git/wine.git/commitdiff/1e3ef06d3724aaef8880734617... ("netio.sys: Add stub for WskDeregister().")
* https://source.winehq.org/git/wine.git/commitdiff/bdb4d8225110c5a3c4acdea86f... ("netio.sys: Add stub for WskCaptureProviderNPI().")
* https://source.winehq.org/git/wine.git/commitdiff/8a9bbe4963fc480a3dad778a29... ("netio.sys: Add stub for WskReleaseProviderNPI().")
Thanks Paul
I've refined the ticket summary to not make it a meta-bug (implementing whole component). Implementation of needed functionality shall be subject to new ticket(s) - if desired.
$ wine --version wine-5.9-320-gaba27fd5a3
Regards
https://bugs.winehq.org/show_bug.cgi?id=49194
--- Comment #6 from Paul Gofman pgofman@codeweavers.com --- (In reply to Anastasius Focht from comment #5)
I've refined the ticket summary to not make it a meta-bug (implementing whole component). Implementation of needed functionality shall be subject to new ticket(s) - if desired.
Hello Anastasius,
thanks for your efforts testing and documenting this. My draft implementation has exactly the features Denuvo needed to start, not a bit more nor less. My plan is to prepare for upstream those bits of WSK functionality, with a possible extension of maybe just a bit more sane WSK client dispatch callbacks handling.
I am not sure if ticket for every particular missing bit is feasible when nothing is implemented yet. Maybe we can have a single ticket like "Implement WSK NPI", and when some implementation is in place and at least something can work with that, close it and then have specific ones when something needs a missing piece?
https://bugs.winehq.org/show_bug.cgi?id=49194
--- Comment #7 from Anastasius Focht focht@gmx.net --- Hello Paul,
I've created a continuation ticket here: bug 49323 ("Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs implementation of Winsock Kernel (WSK) Network Programming Interface (NPI)").
Even with Denuvo Anti-Cheat been removed with recent updates, it's still useful to explore/expand into new areas ;-) The old version with DAC can be preserved by preventing updates or using Steam depot. Digging out other WSK clients/apps for testing shouldn't be too hard.
Regards
https://bugs.winehq.org/show_bug.cgi?id=49194
Alexandre Julliard julliard@winehq.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED
--- Comment #8 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 5.10.
-
WineHQ Bugzilla