https://bugs.winehq.org/show_bug.cgi?id=44497
Bug ID: 44497
Summary: BattlEye 'BEDaisy' kernel service crashes on unimplemented ntoskrnl.exe ObCallback (object manager) functions
Product: Wine
Version: 3.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
Continuation of bug 44496.
The kernel driver uses object manager callbacks in order to implement process protection.
* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion
Example kernel driver code to show how the API is being used:
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obca...
--- quote ---
ObCallback Callback Registration Driver

The ObCallback sample driver demonstrates the use of registered callbacks for process protection. The driver registers control callbacks which are called at process creation.

Design and Operation

The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks routine and a callback to restrict requested access rights during an open process action. The second example uses the PsSetCreateProcessNotifyRoutineEx routine to reject a process creation by examining the command line.
--- quote ---
Another article:
https://malwaretips.com/threads/av-self-protection-process-c-c.66200/
BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning 'STATUS_NOT_IMPLEMENTED' are not enough: the driver init routine will fail.

* ObRegisterCallbacks -> return STATUS_SUCCESS (and a fake handle)
* ObUnRegisterCallbacks -> an empty stub is enough
* ObGetFilterVersion -> return OB_FLT_REGISTRATION_VERSION
Also mentioned in https://bugs.winehq.org/show_bug.cgi?id=41039#c0 ("Virtualbox crashes with access violation, needs ntoskrnl.exe.FsRtlIsNameInExpression"), although not the problem there.

--- snip ---
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObRegisterCallbacks" not found
fixme:ntoskrnl:MmGetSystemRoutineAddress L"ObUnRegisterCallbacks" not found
--- snip ---
With these things fixed, the driver runs further - into next problems.
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79
Regards
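As an added illustration of the semi-stub requirement described in the report (this is example code written for this page, not Wine's, BattlEye's or Microsoft's code): the three object-manager exports are written twice, once as pure stubs that return STATUS_NOT_IMPLEMENTED and once as semi-stubs that report success and hand back a fake handle, and a mock driver init routine is run against both tables. The NTSTATUS values and OB_FLT_REGISTRATION_VERSION (0x0100) are the documented DDK constants; the OB_CALLBACK_REGISTRATION struct is a reduced stand-in with only the fields the stubs read, and `driver_init`/`driver_unload` are hypothetical names for the init flow, modelled on the ObCallback sample quoted above.

```c
/* Added example, not Wine's or the driver's code: "pure stub" vs "semi-stub"
 * versions of the three ntoskrnl object-manager callback exports, and a mock
 * driver init routine that shows why only the semi-stubs let it succeed.
 * DDK types and status codes are stand-ins with the documented values so the
 * file builds offline with a plain C compiler. */
#include <stdio.h>

typedef int            NTSTATUS;
typedef void          *PVOID;
typedef unsigned short USHORT;

#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL       ((NTSTATUS)0xC0000001)
#define STATUS_NOT_IMPLEMENTED    ((NTSTATUS)0xC0000002)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)
#define NT_SUCCESS(s)             ((unsigned int)(s) < 0x80000000u)

/* DDK: OB_FLT_REGISTRATION_VERSION_0100 == 0x0100, aliased as OB_FLT_REGISTRATION_VERSION */
#define OB_FLT_REGISTRATION_VERSION 0x0100

/* Reduced stand-in for OB_CALLBACK_REGISTRATION: only the fields the stubs read. */
typedef struct {
    USHORT Version;                    /* caller sets OB_FLT_REGISTRATION_VERSION */
    USHORT OperationRegistrationCount;
    PVOID  RegistrationContext;
} OB_CALLBACK_REGISTRATION, *POB_CALLBACK_REGISTRATION;

/* Table of the three exports, so one mock init routine can be run against
 * either the pure stubs or the semi-stubs. */
typedef struct {
    NTSTATUS (*register_cb)(POB_CALLBACK_REGISTRATION, PVOID *);
    void     (*unregister_cb)(PVOID);
    USHORT   (*get_filter_version)(void);
} ob_exports;

/* ---- pure stubs: what the report says is NOT enough ---- */
static NTSTATUS ObRegisterCallbacks_pure(POB_CALLBACK_REGISTRATION reg, PVOID *handle)
{
    (void)reg; (void)handle;
    return STATUS_NOT_IMPLEMENTED;
}
static void   ObUnRegisterCallbacks_pure(PVOID handle) { (void)handle; }
static USHORT ObGetFilterVersion_pure(void) { return 0; }

/* ---- semi-stubs: the behaviour the report asks for ---- */
static int fake_registration;   /* opaque token handed out as the "handle" */

static NTSTATUS ObRegisterCallbacks_semi(POB_CALLBACK_REGISTRATION reg, PVOID *handle)
{
    if (!reg || !handle) return STATUS_INVALID_PARAMETER;
    if (reg->Version != OB_FLT_REGISTRATION_VERSION) return STATUS_INVALID_PARAMETER;
    /* Nothing is actually hooked; the caller only needs a success status plus a
     * non-NULL handle it can later pass back to ObUnRegisterCallbacks. */
    *handle = &fake_registration;
    return STATUS_SUCCESS;
}
static void   ObUnRegisterCallbacks_semi(PVOID handle) { (void)handle; }  /* empty is enough */
static USHORT ObGetFilterVersion_semi(void) { return OB_FLT_REGISTRATION_VERSION; }

const ob_exports pure_stubs = { ObRegisterCallbacks_pure, ObUnRegisterCallbacks_pure, ObGetFilterVersion_pure };
const ob_exports semi_stubs = { ObRegisterCallbacks_semi, ObUnRegisterCallbacks_semi, ObGetFilterVersion_semi };

/* Hypothetical driver init routine (modelled on the ObCallback sample flow):
 * check the filter version, register, and fail if registration fails or no
 * handle comes back.  Not the real driver's code. */
NTSTATUS driver_init(const ob_exports *ob, PVOID *out_handle)
{
    OB_CALLBACK_REGISTRATION reg = { OB_FLT_REGISTRATION_VERSION, 1, NULL };
    NTSTATUS st;

    *out_handle = NULL;
    if (ob->get_filter_version() != OB_FLT_REGISTRATION_VERSION)
        return STATUS_UNSUCCESSFUL;
    st = ob->register_cb(&reg, out_handle);
    if (!NT_SUCCESS(st))
        return st;
    if (*out_handle == NULL)
        return STATUS_UNSUCCESSFUL;
    return STATUS_SUCCESS;
}

void driver_unload(const ob_exports *ob, PVOID handle)
{
    if (handle) ob->unregister_cb(handle);
}

int main(void)
{
    PVOID h;
    printf("pure stubs: init -> 0x%08x\n", (unsigned)driver_init(&pure_stubs, &h));
    printf("semi stubs: init -> 0x%08x handle=%p\n", (unsigned)driver_init(&semi_stubs, &h), h);
    driver_unload(&semi_stubs, h);
    return 0;
}
```

Run against `pure_stubs` the init routine fails at the first check (the fake ObGetFilterVersion does not return the expected version, and ObRegisterCallbacks would fail anyway); against `semi_stubs` it returns STATUS_SUCCESS with a non-NULL handle, which is all the driver's init path needs to continue, exactly the three adjustments listed in the report.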
Anastasius Focht focht@gmx.net changed:
What        |Removed |Added
----------------------------------------------------------------------------
URL         |        |http://static.tibia.com/download/Tibia_Setup.exe
Keywords    |        |download, obfuscation
Depends on  |        |44496
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What             |Removed |Added
----------------------------------------------------------------------------
Status           |NEW     |STAGED
Staged patchset  |        |https://github.com/wine-staging/wine-staging/tree/master/patches/ntoskrnl-Ob_callbacks
CC               |        |leslie_alistair@hotmail.com
Bug 44497 depends on bug 44496, which changed state.

Bug 44496 Summary: Custom imports resolver used by multiple kernel drivers can't cope with 'ntoskrnl.exe' low-level (wc)string/copy helpers being forwarded to 'msvcrt.dll' (BattlEye 'BEDaisy', Sentinel HASP 'hardlock.sys')
https://bugs.winehq.org/show_bug.cgi?id=44496

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |---     |FIXED
Alistair Leslie-Hughes leslie_alistair@hotmail.com changed:
What           |Removed |Added
----------------------------------------------------------------------------
Status         |STAGED  |RESOLVED
Resolution     |---     |FIXED
Fixed by SHA1  |        |813c6f3af61093867bd3e24c686db66a713ee301

--- Comment #1 from Alistair Leslie-Hughes leslie_alistair@hotmail.com ---
Fixed by https://source.winehq.org/git/wine.git/?a=commit;h=813c6f3af61093867bd3e24c6...
Alexandre Julliard julliard@winehq.org changed:
What    |Removed  |Added
----------------------------------------------------------------------------
Status  |RESOLVED |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 3.5.
Anastasius Focht focht@gmx.net changed:
What  |Removed                                           |Added
----------------------------------------------------------------------------
URL   |http://static.tibia.com/download/Tibia_Setup.exe  |https://web.archive.org/web/20210117182120/https://static.tibia.com/download/Tibia_Setup.exe