https://bugs.winehq.org/show_bug.cgi?id=44500
Bug ID: 44500
Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented fltmgr.sys functions (FltRegisterFilter, FltStartFiltering, FltUnregisterFilter)
Product: Wine
Version: 3.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: fltmgr
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
continuation of bug 44499
The kernel driver uses multiple methods to implement process protection/supervision.

* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion
-> covered by bug 44497

* PsSetCreateProcessNotifyRoutineEx
-> covered by bug 44499

* FltRegisterFilter
* FltStartFiltering
* FltUnregisterFilter
BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning 'STATUS_NOT_IMPLEMENTED' are not enough: the driver init routine will fail.

* FltRegisterFilter -> return STATUS_SUCCESS and some dummy handle as "out"
* FltStartFiltering -> return STATUS_SUCCESS
* FltUnregisterFilter -> just an empty stub is enough (needed when the driver unloads)
With this and all previous bug reports fixed/worked around, the driver init routine runs to completion and the kernel service starts successfully.
Proof:
--- snip ---
...
0048:trace:winedevice:load_driver loading driver L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys"
...
0048:trace:module:process_attach (L"BEDaisy.sys",(nil)) - END
0048:Ret KERNEL32.LoadLibraryW() retval=00780000 ret=7effaa20
...
0048:trace:winedevice:load_driver_module L"C:\Program Files\Common Files\BattlEye\BEDaisy.sys": relocating from 0x400000 to 0x780000
...
0048:Call driver init 0x7fdf6e (obj=0x11cb58,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy")
0048:Call
--- snip ---
The driver maps its own image via an MDL in order to hot-patch it.
--- snip ---
...
ntoskrnl.exe.IoAllocateMdl(00780000,00040409,00000000,00000000,00000000) ret=0080bf37
0048:trace:ntoskrnl:IoAllocateMdl (0x780000, 263177, 0, 0, (nil))
0048:Call ntdll.RtlAllocateHeap(00110000,00000008,00000120) ret=7ecdf800
0048:Ret ntdll.RtlAllocateHeap() retval=0011cd38 ret=7ecdf800
0048:fixme:ntoskrnl:IoGetCurrentProcess () semi-stub
0048:Ret ntoskrnl.exe.IoAllocateMdl() retval=0011cd38 ret=0080bf37
0048:Call ntoskrnl.exe.MmProbeAndLockPages(0011cd38,00000000,00000001) ret=0080bf37
0048:fixme:ntoskrnl:MmProbeAndLockPages (0x11cd38, 0, 1): stub
0048:Ret ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=0080bf37
0048:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011cd38,00000000,00000000,00000001,00000000,00000000) ret=0080bf37
0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11cd38, 0, 0, 0x1, 0, 0): stub
0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00040409) ret=7ece28a9
0048:Ret ntdll.RtlAllocateHeap() retval=0011d978 ret=7ece28a9
0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece28d4
0048:Ret KERNEL32.OpenProcess() retval=00000040 ret=7ece28d4
0048:Call KERNEL32.ReadProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2907
0048:Ret KERNEL32.ReadProcessMemory() retval=00000001 ret=7ece2907
0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2929
0048:Ret KERNEL32.CloseHandle() retval=00000001 ret=7ece2929
0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache Success!
0048:Ret ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=0011d978 ret=0080bf37
--- snip ---
It manually resolves 'ntoskrnl.exe' and other module imports. Most of this activity is invisible in any trace log (walking in-memory lists, obfuscated strings).
--- snip ---
0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f350) ret=008034e1
0048:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
...
0048:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0048:Ret ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0048:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ece16d9
0048:Ret ntdll.RtlAllocateHeap() retval=008100a0 ret=7ece16d9
0048:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x8100a0
0048:Ret ntoskrnl.exe.ExAllocatePool() retval=008100a0 ret=007fe2fc
0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f398) ret=008034e1
0048:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
...
--- snip ---
It then commits the changes to the memory image -> 'MmUnlockPages'.
--- snip ---
...
0048:Call ntoskrnl.exe.MmUnlockPages(0011cd38) ret=0080bf37
0048:fixme:ntoskrnl:MmUnlockPages (0x11cd38): stub
0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece2be8
0048:Ret KERNEL32.OpenProcess() retval=00000040 ret=7ece2be8
0048:Call KERNEL32.WriteProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2c17
0048:Ret KERNEL32.WriteProcessMemory() retval=00000001 ret=7ece2c17
0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2c25
0048:Ret KERNEL32.CloseHandle() retval=00000001 ret=7ece2c25
0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011d978) ret=7ece2c45
0048:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ece2c45
0048:fixme:ntoskrnl:MmUnlockPages Success!
0048:Ret ntoskrnl.exe.MmUnlockPages() retval=0000002b ret=0080bf37
0048:Call ntoskrnl.exe.IoFreeMdl(0011cd38) ret=0080bf37
0048:trace:ntoskrnl:IoFreeMdl 0x11cd38
0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011cd38) ret=7ecdf8fa
0048:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7ecdf8fa
0048:Ret ntoskrnl.exe.IoFreeMdl() retval=00000001 ret=0080bf37
...
--- snip ---
Finally it registers object manager/process/mini-filter driver callbacks and creates the driver symlinks.
--- snip ---
...
0048:Call ntoskrnl.exe.ObGetFilterVersion() ret=0078c6be
0048:fixme:ntoskrnl:ObGetFilterVersion stub
0048:Ret ntoskrnl.exe.ObGetFilterVersion() retval=00000100 ret=0078c6be
0048:Call ntoskrnl.exe.KeInitializeMutex(00785020,00000000) ret=0079e1f6
0048:fixme:ntoskrnl:KeInitializeMutex stub: 0x785020, 0
0048:Ret ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=0079e1f6
0048:Call ntoskrnl.exe.IoCreateDevice(0011cb58,00000000,0065f1a8,00000022,00000000,00000000,0065f1e8) ret=007a2653
0048:trace:ntoskrnl:IoCreateDevice (0x11cb58, 0, L"\Device\BattlEye", 34, 0, 0, 0x65f1e8)
...
0048:Ret ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=007a2653
0048:Call ntoskrnl.exe.IoCreateSymbolicLink(0065f1cc,0065f1a8) ret=007a2834
0048:trace:ntoskrnl:IoCreateSymbolicLink L"\DosDevices\BattlEye" -> L"\Device\BattlEye"
0048:Call ntdll.NtCreateSymbolicLinkObject(0065f064,000f0001,0065f04c,0065f1a8) ret=7ece06af
0048:Ret ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece06af
0048:Ret ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=007a2834
0048:Call ntoskrnl.exe.KeWaitForSingleObject(00785020,00000000,00000000,00000000,00000000) ret=007b8643
0048:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x785020, 0, 0, 0, (nil)
0048:Ret ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=007b8643
0048:Call ntdll.RtlInitUnicodeString(0065f0c8,00783a7c L"363220") ret=00794e44
0048:Ret ntdll.RtlInitUnicodeString() retval=0065f0c8 ret=00794e44
0048:Call ntoskrnl.exe.ObRegisterCallbacks(0065f0c4,00785040) ret=007b869d
0048:fixme:ntoskrnl:ObRegisterCallbacks : stub
0048:Ret ntoskrnl.exe.ObRegisterCallbacks() retval=00000000 ret=007b869d
0048:Call ntoskrnl.exe.KeReleaseMutex(00785020,00000000) ret=007a4ee7
0048:fixme:ntoskrnl:KeReleaseMutex stub: 0x785020, 0
0048:Ret ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=007a4ee7
0048:Call ntoskrnl.exe.PsSetLoadImageNotifyRoutine(007817a0) ret=00797911
0048:fixme:ntoskrnl:PsSetLoadImageNotifyRoutine (0x7817a0) stub
0048:Ret ntoskrnl.exe.PsSetLoadImageNotifyRoutine() retval=00000000 ret=00797911
0048:Call ntoskrnl.exe.PsSetCreateThreadNotifyRoutine(007811c4) ret=0079e1fb
0048:fixme:ntoskrnl:PsSetCreateThreadNotifyRoutine stub: 0x7811c4
0048:Ret ntoskrnl.exe.PsSetCreateThreadNotifyRoutine() retval=00000000 ret=0079e1fb
0048:Call ntoskrnl.exe.memset(0065f108,00000000,00000038) ret=007b63ab
0048:Ret ntoskrnl.exe.memset() retval=0065f108 ret=007b63ab
0048:Call fltmgr.sys.FltRegisterFilter(0011cb58,0065f108,00785500) ret=007afad8
0048:fixme:fltmgr:FltRegisterFilter (0x11cb58, 0x65f108): stub
...
0048:Ret fltmgr.sys.FltRegisterFilter() retval=00000000 ret=007afad8
0048:Call fltmgr.sys.FltStartFiltering(0011d978) ret=00795697
0048:fixme:fltmgr:FltStartFiltering (0x11d978): stub
0048:Ret fltmgr.sys.FltStartFiltering() retval=00000000 ret=00795697
0048:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx(00781aba,00000000) ret=0079d0f5
0048:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutineEx stub: 0x781aba 0
0048:Ret ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx() retval=00000000 ret=0079d0f5
...
--- snip ---
Driver init successful return:
--- snip ---
...
0048:Call ntdll.RtlInitUnicodeString(0065f190,0065f444 L"\Driver") ret=0078ee45
0048:Ret ntdll.RtlInitUnicodeString() retval=0065f190 ret=0078ee45
0048:Call ntdll.ZwOpenDirectoryObject(0065f1c8,00000001,0065f1b0) ret=0079a425
0048:Ret ntdll.ZwOpenDirectoryObject() retval=00000000 ret=0079a425
0048:Call ntdll.ZwQueryDirectoryObject(00000048,0065f1f4,00000100,00000001,00000000,0065f458,00000000) ret=007a78fb
0048:Ret ntdll.ZwQueryDirectoryObject() retval=8000001a ret=007a78fb
0048:Call ntdll.ZwClose(00000048) ret=00795dcc
0048:Ret ntdll.ZwClose() retval=00000000 ret=00795dcc
0048:Ret driver init 0x7fdf6e (obj=0x11cb58,str=L"\Registry\Machine\System\CurrentControlSet\Services\BEDaisy") retval=00000000
0048:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11cb58
0048:trace:winedevice:init_driver - DriverInit = 0x7fdf6e
0048:trace:winedevice:init_driver - DriverStartIo = (nil)
0048:trace:winedevice:init_driver - DriverUnload = 0x781de8
0048:trace:winedevice:init_driver - MajorFunction[0] = 0x781dc4
0048:trace:winedevice:init_driver - MajorFunction[1] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[2] = 0x781d54
0048:trace:winedevice:init_driver - MajorFunction[3] = 0x7820c2
0048:trace:winedevice:init_driver - MajorFunction[4] = 0x7829b4
0048:trace:winedevice:init_driver - MajorFunction[5] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[6] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[7] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[8] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[9] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[10] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[11] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[12] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[13] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[14] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[15] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[16] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[17] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[18] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[19] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[20] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[21] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[22] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[23] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[24] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[25] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[26] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[27] = 0x7ecdfeb0
0048:Ret ntoskrnl.exe.IoCreateDriver() retval=00000000 ret=7effb7c8
0048:Call ntoskrnl.exe.ObReferenceObjectByName(0065fdc0,00000040,00000000,00000000,00000000,00000000,00000000,0065fdc8) ret=7effb852
0048:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\Driver\BEDaisy" 64 (nil) 0 (nil) 0 (nil) 0x65fdc8
...
0048:Ret ntoskrnl.exe.ObReferenceObjectByName() retval=00000000 ret=7effb852
...
0048:Call advapi32.SetServiceStatus(0011b788,0065fd84) ret=7effb41b
...
0048:Ret advapi32.SetServiceStatus() retval=00000001 ret=7effb41b
--- snip ---
NOTE:
This doesn't really make BattlEye functional. It enables both services to run and prevents the initial driver service crashes/errors (2).
The "Tibia" client I used to test with (http://static.tibia.com/download/Tibia_Setup.exe) still reports BattlEye not working properly.
--- snip ---
...
[ 11:53:26,282 ] BattlEye: "Initialized (v1.243)"
[ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" (unprotected: "tcp://tibia-pool-eu.ciproxy.com:7171" ) requested (Charakter "Da Beef" )
[ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora"
[ 11:53:26,405 ] Connected to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora"
[ 11:53:26,637 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State)
[ 11:53:26,691 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State)
[ 11:53:27,317 ] BattlEye: "Restarting client is necessary, service isn't running properly"
[ 11:53:27,318 ] BattlEye: "Restarting client is necessary, update required"
...
--- snip ---
I have no intention to look further unless there is some progress on previous tickets.
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M	Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79
Regards
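The semi-stub behaviour the report asks for (FltRegisterFilter succeeding and handing out a dummy handle, FltStartFiltering succeeding, FltUnregisterFilter accepting that handle back on unload), written up as an added example that is neither Wine's nor BattlEye's code. It is a user-mode C model with the NT types and status codes defined locally (an assumption), and it tracks the handles it issues so that the later two calls can validate them rather than trust an arbitrary pointer.

```c
/* Added example, not Wine's code: a user-mode model of the fltmgr.sys semi-stubs
 * the report asks for; NT types and status codes are defined locally (assumption). */
#include <stdlib.h>
#include <string.h>
typedef int NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED        ((NTSTATUS)0xC0000002)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)

/* The "dummy handle" FltRegisterFilter hands out: the driver passes it back to
 * FltStartFiltering and FltUnregisterFilter, so it has to be recognisable. */
typedef struct _FLT_FILTER { void *driver; int started; } FLT_FILTER, *PFLT_FILTER;
#define MAX_FILTERS 8
static PFLT_FILTER registered[MAX_FILTERS];

static int find_filter(PFLT_FILTER f) {          /* index of a handle we issued, or -1 */
    for (int i = 0; f && i < MAX_FILTERS; i++) if (registered[i] == f) return i;
    return -1;
}

NTSTATUS FltRegisterFilter(void *driver, const void *registration, PFLT_FILTER *out) {
    int i;
    if (!driver || !registration || !out) return STATUS_INVALID_PARAMETER;
    for (i = 0; i < MAX_FILTERS && registered[i]; i++) ;            /* first free slot */
    if (i == MAX_FILTERS || !(registered[i] = calloc(1, sizeof(FLT_FILTER))))
        return STATUS_INSUFFICIENT_RESOURCES;
    registered[i]->driver = driver;
    *out = registered[i];
    return STATUS_SUCCESS;
}

NTSTATUS FltStartFiltering(PFLT_FILTER filter) {
    if (find_filter(filter) < 0) return STATUS_INVALID_PARAMETER;   /* not one of ours */
    filter->started = 1;
    return STATUS_SUCCESS;
}

void FltUnregisterFilter(PFLT_FILTER filter) {   /* reached from DriverUnload */
    int i = find_filter(filter);
    if (i < 0) return;
    registered[i] = NULL;
    free(filter);
}

/* DriverEntry sequence from the trace (memset of a 0x38-byte registration, then the
 * two Flt calls); it gives up on the first failed status, so a pure
 * STATUS_NOT_IMPLEMENTED stub for either call aborts the service start. */
NTSTATUS driver_entry_model(void *driver_object, PFLT_FILTER *filter) {
    unsigned char registration[0x38];
    memset(registration, 0, sizeof registration);
    NTSTATUS st = FltRegisterFilter(driver_object, registration, filter);
    return NT_SUCCESS(st) ? FltStartFiltering(*filter) : st;
}
```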
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
URL             |        |http://static.tibia.com/download/Tibia_Setup.exe
Keywords        |        |download, obfuscation
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |STAGED
Staged patchset |        |https://github.com/wine-staging/wine-staging/tree/master/patches/fltmgr.sys-filters
CC              |        |leslie_alistair@hotmail.com
Anastasius Focht focht@gmx.net changed:
What            |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1   |        |c248b6cfb124258145d318ff4dcefa39e62e6a14
Status          |STAGED  |RESOLVED
Resolution      |---     |FIXED
--- Comment #1 from Anastasius Focht focht@gmx.net ---

Hello folks,
the stubs have been committed:
* https://source.winehq.org/git/wine.git/commitdiff/b2ebe2834fb5a87df095008c66... ("fltmgr.sys: Add FltRegisterFilter stub.")
* https://source.winehq.org/git/wine.git/commitdiff/f3a2bb1b10adb8577a2f753ab3... ("fltmgr.sys: Add FltStartFiltering stub.")
* https://source.winehq.org/git/wine.git/commitdiff/c248b6cfb124258145d318ff4d... ("fltmgr.sys: Add FltUnregisterFilter stub.")
Thanks Alistair
It seems the author of the BattlEye driver is actively working on it, adding new API dependencies/imports every week ;-)
There is now an additional one:
--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wine net start BEDaisy >>log.txt 2>&1
...
0035:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0065ecac) ret=008560ad
...
0035:Call KERNEL32.GetProcAddress(7ec00000,0011d528 "IoDriverObjectType") ret=7ec18587
0035:Ret KERNEL32.GetProcAddress() retval=7ec0700c ret=7ec18587
...
0035:trace:ntoskrnl:MmGetSystemRoutineAddress L"IoDriverObjectType" -> 0x7ec0700c
...
0035:Ret ntoskrnl.exe.MmGetSystemRoutineAddress() retval=7ec0700c ret=008560ad
...
0035:Call KERNEL32.RaiseException(80000100,00000001,00000002,0065eb78) ret=f7dd1b0f
0035:trace:seh:raise_exception code=80000100 flags=1 addr=0x7b446c33 ip=7b446c33 tid=0035
0035:trace:seh:raise_exception info[0]=f7dd1b28
0035:trace:seh:raise_exception info[1]=f7dd228b
wine: Call from 0x7b446c33 to unimplemented function fltmgr.sys.FltGetRoutineAddress, aborting
--- snip ---
I will create another ticket for that because it was an older version of the driver to reproduce with.
Regards
Alexandre Julliard julliard@winehq.org changed:
What            |Removed  |Added
----------------------------------------------------------------------------
Status          |RESOLVED |CLOSED
--- Comment #2 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 3.6.
Anastasius Focht focht@gmx.net changed:
What            |Removed                                          |Added
----------------------------------------------------------------------------
URL             |http://static.tibia.com/download/Tibia_Setup.exe |https://web.archive.org/web/20210117182120/https://static.tibia.com/download/Tibia_Setup.exe