New subject: [Bug 47047] 64-bit MRAC Anti-Cheat (My.Com Warface) kernel service crashes in driver entry point due to missing ' ntoskrnl.exe.MmGetPhysicalAddress' stub

19 Apr 2019


      https://bugs.winehq.org/show_bug.cgi?id=47047
Bug ID: 47047
           Summary: 64-bit MRAC Anti-Cheat (My.Com Warface) kernel service
                    crashes in driver entry point due to missing
                    'ntoskrnl.exe.MmGetPhysicalAddress' stub
           Product: Wine
           Version: 4.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs@winehq.org
          Reporter: focht@gmx.net
      Distribution: ---
Hello folks,
continuation of bug 47044
Download:
https://web.archive.org/web/20190331063634/http://static.gc.my.com/WarfaceMy...
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl notepad >>log.txt 2>&1 &
$ wine net start mracdrv
The MRAC Driver service is starting.
No system resources.
...
00a3:Call driver init 0x140098005
(obj=0x27980,str=L"\Registry\Machine\System\CurrentControlSet\Services\mracdrv") 
...
00a3:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0002ad38) ret=14062f1a6
...
00a3:Call KERNEL32.GetModuleHandleW(7efc0ebad580 L"ntoskrnl.exe")
ret=7efc0eb9b3bc
00a3:Ret  KERNEL32.GetModuleHandleW() retval=7efc0eb80000 ret=7efc0eb9b3bc
00a3:Call KERNEL32.GetProcAddress(7efc0eb80000,00010eb0 "MmGetPhysicalAddress")
ret=7efc0eb9b3c9
00a3:Ret  KERNEL32.GetProcAddress() retval=7efc0eb85328 ret=7efc0eb9b3c9
...
00a3:trace:ntoskrnl:MmGetSystemRoutineAddress L"MmGetPhysicalAddress" ->
0x7efc0eb85328
00a3:Ret  ntoskrnl.exe.MmGetSystemRoutineAddress() retval=7efc0eb85328
ret=14062f1a6 
...
00a3:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00032030)
ret=140998163
00a3:Call ntdll.RtlInterlockedPushEntrySList(140091f80,00032030) ret=7bc8de4f
00a3:Ret  ntdll.RtlInterlockedPushEntrySList() retval=0002ce10 ret=7bc8de4f
00a3:Ret  ntoskrnl.exe.ExpInterlockedPushEntrySList() retval=0002ce10
ret=140998163
00a3:Call KERNEL32.RaiseException(80000100,00000001,00000002,0032f340)
ret=7efc0eba5b29
00a3:trace:seh:NtRaiseException code=80000100 flags=1 addr=0x7b452d3c
ip=7b452d3c tid=00a3
00a3:trace:seh:NtRaiseException  info[0]=00007efc0eba5b4d
00a3:trace:seh:NtRaiseException  info[1]=00007efc0eba877c
00a3:trace:seh:call_vectored_handlers calling handler at 0x7efc0eb8d4e0
code=80000100 flags=1
00a3:trace:seh:call_vectored_handlers handler at 0x7efc0eb8d4e0 returned 0
wine: Call from 0x7b452d3c to unimplemented function
ntoskrnl.exe.MmGetPhysicalAddress, aborting 
...
--- snip ---
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/...
Wine source:
https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl...
--- snip ---
 690 @ stub MmGetPhysicalAddress
--- snip ---
Returning PHYSICAL_ADDRESS with PhysicalAddress.QuadPart == 0 won't do any
good. You have to return a non-zero address. It seems the address is located
within a non-paged pool allocation (8 KB) some calls earlier. I used kva == pa
(1:1) mapping to keep it happy.
--- snip ---
...
0031:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00002000,4943414d)
ret=140ab5668
0031:Call ntdll.RtlAllocateHeap(00010000,00000000,00002000) ret=7f5fb4aec158
0031:Ret  ntdll.RtlAllocateHeap() retval=000372e0 ret=7f5fb4aec158
0031:trace:ntoskrnl:ExAllocatePoolWithTag 8192 pool 0 -> 0x372e0
0031:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=000372e0 ret=140ab5668 
...
0031:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00031ff0)
ret=140998163
0031:Call ntdll.RtlInterlockedPushEntrySList(140091f80,00031ff0) ret=7bc8de4f
0031:Ret  ntdll.RtlInterlockedPushEntrySList() retval=0002cdd0 ret=7bc8de4f
0031:Ret  ntoskrnl.exe.ExpInterlockedPushEntrySList() retval=0002cdd0
ret=140998163
0031:Call ntoskrnl.exe.MmGetPhysicalAddress(00038000) ret=1403a839c
0031:fixme:ntoskrnl:MmGetPhysicalAddress stub: 0x38000
0031:Ret  ntoskrnl.exe.MmGetPhysicalAddress() retval=00038000 ret=1403a839c
0031:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(140091f80) ret=14008d019
0031:Call ntdll.RtlInterlockedPopEntrySList(140091f80) ret=7bc8de4f
0031:Ret  ntdll.RtlInterlockedPopEntrySList() retval=00031ff0 ret=7bc8de4f
0031:Ret  ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00031ff0
ret=14008d019
0031:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00031ff0)
ret=140ab62ab 
...
0031:Call
ntoskrnl.exe.IoAllocateMdl(00038000,00001000,00000000,00000000,00000000)
ret=140f3d8e4
0031:trace:ntoskrnl:IoAllocateMdl (0x38000, 4096, 0, 0, (nil))
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000034) ret=7f5fb4aef514
0031:Ret  ntdll.RtlAllocateHeap() retval=00027af0 ret=7f5fb4aef514
0031:Ret  ntoskrnl.exe.IoAllocateMdl() retval=00027af0 ret=140f3d8e4 
...
0031:Call ntoskrnl.exe.MmProbeAndLockPages(00027af0,00000000,00000000)
ret=1403e3800
0031:fixme:ntoskrnl:MmProbeAndLockPages (0x27af0, 0, 0): stub
0031:Ret  ntoskrnl.exe.MmProbeAndLockPages() retval=0000003e ret=1403e3800 
...
0031:Call
ntoskrnl.exe.MmMapLockedPagesSpecifyCache(00027af0,00000000,00000001,00000000,00000000,00000010)
ret=140a50460
0031:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x27af0, 0, 1, (nil), 0, 16):
stub
0031:Ret  ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=00000000
ret=140a50460 
...
0031:Call ntoskrnl.exe.MmUnlockPages(00027af0) ret=140d4aa34
0031:fixme:ntoskrnl:MmUnlockPages (0x27af0): stub
0031:Ret  ntoskrnl.exe.MmUnlockPages() retval=00000032 ret=140d4aa34
...
0031:Call ntoskrnl.exe.IoFreeMdl(00027af0) ret=140ea7c48
0031:trace:ntoskrnl:IoFreeMdl 0x27af0
0031:Call ntdll.RtlFreeHeap(00010000,00000000,00027af0) ret=7f5fb4aef6ef
0031:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7f5fb4aef6ef
0031:Ret  ntoskrnl.exe.IoFreeMdl() retval=00000001 ret=140ea7c48 
...
0033:Call ntoskrnl.exe.PsTerminateSystemThread(00000000) ret=1400112a1
0033:trace:ntoskrnl:PsTerminateSystemThread status 0.
0033:Call KERNEL32.ExitThread(00000000) ret=7f5fb4af90ee 
...
0031:Ret  ntdll.NtWaitForMultipleObjects() retval=00000000 ret=7f5fb4afeec1 
...
0031:Ret  driver init 0x140098005
(obj=0x27940,str=L"\Registry\Machine\System\CurrentControlSet\Services\mracdrv")
retval=c000009a
...
0031:trace:ntoskrnl:init_driver init done for L"mracdrv" obj 0x27940
0031:trace:ntoskrnl:init_driver - DriverInit = 0x140098005
0031:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0031:trace:ntoskrnl:init_driver - DriverUnload = 0x1400291c0
0031:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f5fb4af35c0
0031:trace:ntoskrnl:ObDereferenceObject (0x27940) ref=0
...
0031:err:ntoskrnl:ZwLoadDriver failed to create driver
L"\Registry\Machine\System\CurrentControlSet\Services\mracdrv": c000009a 
...
--- snip ---
That's bug 37355
$ sha1sum WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe 
b07e87a029d6697ad823dc03fdbf297c406a91b9 
WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe
$ du -sh WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe 
6.8M    WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe
$ wine --version
wine-4.6-61-g085e58878f
Regards
-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

[Bug 47047] New: 64-bit MRAC Anti-Cheat (My.Com Warface) kernel service crashes in driver entry point due to missing ' ntoskrnl.exe.MmGetPhysicalAddress' stub