https://bugs.winehq.org/show_bug.cgi?id=48989
Bug ID: 48989
Summary: Riot Vanguard (Riot Games) 'vgk.sys' crashes on unimplemented function ntoskrnl.exe.KeIpiGenericCall
Product: Wine
Version: 5.6
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
as it says.
--- snip ---
...
The vgk service is starting.
wine: Call from 0x7bc6dd4c to unimplemented function ntoskrnl.exe.KeIpiGenericCall, aborting
wine: Unimplemented function ntoskrnl.exe.KeIpiGenericCall called at address 000000007BC6DD4C (thread 002f), starting debugger...
...
--- snip ---
--- snip ---
$ winedump -j import vgk.sys
Contents of vgk.sys: 3196560 bytes

Import Table size: 00000050
  offset 0001e090 cng.sys
  Hint/Name Table: 00022108
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 0001B028
   Thunk    Ordn  Name
   0001b028     8 BCryptDestroyHash
   0001b030     1 BCryptCloseAlgorithmProvider

  offset 0001e0a4 ntoskrnl.exe
  Hint/Name Table: 00022120
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 0001B040
   Thunk    Ordn  Name
   0001b040  1081 KeIpiGenericCall
   0001b048  2777 __C_specific_handler
   0001b050   196 ExFreePoolWithTag
   0001b058  2801 _stricmp
   0001b060  2897 wcscat_s
   0001b068  2901 wcscpy_s
   0001b070  2060 RtlInitUnicodeString
   0001b078  2571 ZwCreateFile
   0001b080  2705 ZwReadFile
   0001b088  2775 ZwWriteFile
   0001b090  2560 ZwClose
   0001b098  2604 ZwFlushBuffersFile
   0001b0a0  2697 ZwQuerySystemInformation
   0001b0a8  2259 RtlTimeToTimeFields
   0001b0b0   986 KeAreAllApcsDisabled
   0001b0b8   302 ExSystemTimeToLocalTime
   0001b0c0  2885 swprintf_s
   0001b0c8  2895 vswprintf_s
   0001b0d0  2818 _vsnwprintf
   0001b0d8  1049 KeInitializeApc
   0001b0e0  1074 KeInsertQueueApc
   0001b0e8   157 ExAllocatePoolWithTag
   0001b0f0   990 KeBugCheckEx

Done dumping vgk.sys
--- snip ---
Wine source:
https://source.winehq.org/git/wine.git/blob/f31a29b8d1ea478af28f14cdaf3db151...
Microsoft docs:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-kei...
$ sha1sum setup.exe
08deca4c0b46a3481e706926c0217d1c944d22a3  setup.exe

$ du -sh setup.exe
15M setup.exe

$ wine --version
wine-5.6-258-gf31a29b8d1
Regards
Anastasius Focht focht@gmx.net changed:
What      |Removed |Added
----------------------------------------------------------------------------
Keywords  |        |download, obfuscation
URL       |        |https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
--- Comment #1 from Anastasius Focht focht@gmx.net ---
Hello folks,
small addendum...
I propose to keep it as a stub for now, i.e. not calling the supplied 'BroadcastFunction'.
--- snip ---
001b:fixme:ntoskrnl:KeIpiGenericCall stub: 0000000000D61D74 0000000000000000
--- snip ---
It's used as one of many anti-debugging measures:
--- snip ---
0000000000D61D74 | 48:83EC 28        | sub rsp,28        |
0000000000D61D78 | 33C9              | xor ecx,ecx       |
0000000000D61D7A | E9 2A3A2E00       | jmp vgk.10457A9   |
...
00000000010457A9 | 90                | nop               |
00000000010457AA | E9 00000000       | jmp vgk.10457AF   |
00000000010457AF | FA                | cli               |
00000000010457B0 | 41:81F8 934FCB45  | cmp r8d,45CB4F93  |
00000000010457B7 | 6644:3BD9         | cmp r11w,cx       |
00000000010457BB | F9                | stc               |
00000000010457BC | 33C0              | xor eax,eax       |
00000000010457BE | E9 00000000       | jmp vgk.10457C3   |
00000000010457C3 | 0F23F8            | mov dr7,rax       | zap debug control
00000000010457C6 | E9 00000000       | jmp vgk.10457CB   |
00000000010457CB | FB                | sti               |
00000000010457CC | F5                | cmc               |
00000000010457CD | F8                | clc               |
00000000010457CE | 48:83C4 28        | add rsp,28        |
00000000010457D2 | E9 00000000       | jmp vgk.10457D7   |
00000000010457D7 | C3                | ret               |
--- snip ---
It zeros out dr7 (debug control) in an attempt to prevent hw breakpoints.
Although such measures can be defeated, why not avoid the trouble in the first place.
Regards
Vijay Kamuju infyquest@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |infyquest@gmail.com
--- Comment #2 from Vijay Kamuju infyquest@gmail.com ---
Sent a patch: https://source.winehq.org/patches/data/184564
But this calls the sent broadcast function.
Anastasius Focht focht@gmx.net changed:
What      |Removed                                                                                     |Added
----------------------------------------------------------------------------
URL       |https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe |https://web.archive.org/web/20200421165713/https://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/0.3.2.2/setup.exe
--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present.
--- snip ---
$ WINEDEBUG=+seh,+loaddll,+ntoskrnl,+module,+imports wine net start vgk > log.txt 2>&1
...
0118:trace:module:load_dll looking for L"ntoskrnl.exe" in L"C:\Program Files\Riot Vanguard;C:\windows\system32;C:\windows\system32\drivers;C:\windows\system32\"
0118:trace:module:load_dll Found L"C:\windows\system32\ntoskrnl.exe" for L"ntoskrnl.exe" at 00000000003E0000, count=-1
0118:warn:module:import_dll No implementation for ntoskrnl.exe.KeIpiGenericCall imported from L"C:\Program Files\Riot Vanguard\vgk.sys", setting to 00000000010F0000
0118:trace:imports:import_dll --- KeIpiGenericCall ntoskrnl.exe.1081 = 00000000010F0000
0118:trace:imports:import_dll --- __C_specific_handler ntoskrnl.exe.2777 = 0000000000401DA0
0118:trace:imports:import_dll --- ExFreePoolWithTag ntoskrnl.exe.196 = 00000000003F31C0
0118:trace:imports:import_dll --- _stricmp ntoskrnl.exe.2801 = 0000000000401F20
0118:trace:imports:import_dll --- wcscat_s ntoskrnl.exe.2897 = 0000000000402500
0118:trace:imports:import_dll --- wcscpy_s ntoskrnl.exe.2901 = 0000000000402540
0118:trace:imports:import_dll --- RtlInitUnicodeString ntoskrnl.exe.2060 = 0000000000403B00
0118:trace:imports:import_dll --- ZwCreateFile ntoskrnl.exe.2571 = 0000000000402C00
0118:trace:imports:import_dll --- ZwReadFile ntoskrnl.exe.2705 = 0000000000403160
0118:trace:imports:import_dll --- ZwWriteFile ntoskrnl.exe.2775 = 00000000004033F0
0118:trace:imports:import_dll --- ZwClose ntoskrnl.exe.2560 = 0000000000402BC0
0118:trace:imports:import_dll --- ZwFlushBuffersFile ntoskrnl.exe.2604 = 0000000000402D40
0118:trace:imports:import_dll --- ZwQuerySystemInformation ntoskrnl.exe.2697 = 00000000004030F0
0118:trace:imports:import_dll --- RtlTimeToTimeFields ntoskrnl.exe.2259 = 0000000000404110
0118:warn:module:import_dll No implementation for ntoskrnl.exe.KeAreAllApcsDisabled imported from L"C:\Program Files\Riot Vanguard\vgk.sys", setting to 00000000010F0024
0118:trace:imports:import_dll --- KeAreAllApcsDisabled ntoskrnl.exe.986 = 00000000010F0024
0118:trace:imports:import_dll --- ExSystemTimeToLocalTime ntoskrnl.exe.302 = 00000000004040C0
0118:trace:imports:import_dll --- swprintf_s ntoskrnl.exe.2885 = 0000000000402460
0118:trace:imports:import_dll --- vswprintf_s ntoskrnl.exe.2895 = 00000000004024E0
0118:trace:imports:import_dll --- _vsnwprintf ntoskrnl.exe.2818 = 0000000000402020
0118:trace:imports:import_dll --- KeInitializeApc ntoskrnl.exe.1049 = 00000000003FDA90
0118:trace:imports:import_dll --- KeInsertQueueApc ntoskrnl.exe.1074 = 00000000003E3520
0118:trace:imports:import_dll --- ExAllocatePoolWithTag ntoskrnl.exe.157 = 00000000003F2F80
0118:trace:imports:import_dll --- KeBugCheckEx ntoskrnl.exe.990 = 00000000003F59B0
0118:trace:module:build_module loaded L"\??\C:\Program Files\Riot Vanguard\vgk.sys" 000000000014A850 0000000000DB0000
0118:trace:loaddll:build_module Loaded L"C:\Program Files\Riot Vanguard\vgk.sys" at 0000000000DB0000: native
0118:trace:module:load_dll Loaded module L"\??\C:\Program Files\Riot Vanguard\vgk.sys" at 0000000000DB0000
0118:trace:module:process_attach (L"vgk.sys",0000000000000000) - START
...
--- snip ---
$ wine --version
wine-6.20-61-gababea0fd70
Regards
Etaash Mathamsetty etaash.mathamsetty@gmail.com changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |etaash.mathamsetty@gmail.com
--- Comment #4 from Etaash Mathamsetty etaash.mathamsetty@gmail.com ---
(In reply to Anastasius Focht from comment #1)
> Hello folks,
>
> small addendum...
>
> I propose to keep it as a stub for now, i.e. not calling the supplied 'BroadcastFunction'.
>
> --- snip ---
> 001b:fixme:ntoskrnl:KeIpiGenericCall stub: 0000000000D61D74 0000000000000000
> --- snip ---
>
> It's used as one of many anti-debugging measures:
>
> --- snip ---
> 0000000000D61D74 | 48:83EC 28        | sub rsp,28        |
> 0000000000D61D78 | 33C9              | xor ecx,ecx       |
> 0000000000D61D7A | E9 2A3A2E00       | jmp vgk.10457A9   |
> ...
> 00000000010457A9 | 90                | nop               |
> 00000000010457AA | E9 00000000       | jmp vgk.10457AF   |
> 00000000010457AF | FA                | cli               |
> 00000000010457B0 | 41:81F8 934FCB45  | cmp r8d,45CB4F93  |
> 00000000010457B7 | 6644:3BD9         | cmp r11w,cx       |
> 00000000010457BB | F9                | stc               |
> 00000000010457BC | 33C0              | xor eax,eax       |
> 00000000010457BE | E9 00000000       | jmp vgk.10457C3   |
> 00000000010457C3 | 0F23F8            | mov dr7,rax       | zap debug control
> 00000000010457C6 | E9 00000000       | jmp vgk.10457CB   |
> 00000000010457CB | FB                | sti               |
> 00000000010457CC | F5                | cmc               |
> 00000000010457CD | F8                | clc               |
> 00000000010457CE | 48:83C4 28        | add rsp,28        |
> 00000000010457D2 | E9 00000000       | jmp vgk.10457D7   |
> 00000000010457D7 | C3                | ret               |
> --- snip ---
>
> It zeros out dr7 (debug control) in an attempt to prevent hw breakpoints.
>
> Although such measures can be defeated, why not avoid the trouble in the first place.
>
> Regards
Unfortunately it seems like our best option is to implement a semi-stub, since a surprisingly large number of kernel-level drivers use it.
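As an added illustration (not Wine's code and not the patch linked in comment #2), a user-mode model of the two options this thread discusses: a pure stub that never runs 'BroadcastFunction', and a semi-stub that runs it once on the calling thread and returns its result. The type stand-ins, the function names KeIpiGenericCall_stub / KeIpiGenericCall_semistub and sample_worker are hypothetical and stand in for the DDK declarations and a driver's own routine.

```c
#include <stdint.h>
#include <stdio.h>

/* User-mode stand-ins for the DDK types (assumption: not the real headers). */
typedef uintptr_t ULONG_PTR;
typedef ULONG_PTR (*PKIPI_BROADCAST_WORKER)(ULONG_PTR Argument);

/* Option from comment #1: a pure stub. The worker never runs and the caller
 * gets 0. A driver relying on the worker's side effect (here: clearing DR7 on
 * every CPU) silently gets nothing, which is the point of that proposal. */
ULONG_PTR KeIpiGenericCall_stub(PKIPI_BROADCAST_WORKER BroadcastFunction, ULONG_PTR Context)
{
    fprintf(stderr, "fixme: KeIpiGenericCall stub: %lx %lx\n",
            (unsigned long)(uintptr_t)BroadcastFunction, (unsigned long)Context);
    return 0;
}

/* Option from comments #2 and #4: a semi-stub. The real API runs the worker on
 * every processor at IPI level and returns the value produced on the calling
 * processor; with no IPI mechanism available, running it once on the calling
 * thread is the closest approximation (and exact on a single-CPU machine). */
ULONG_PTR KeIpiGenericCall_semistub(PKIPI_BROADCAST_WORKER BroadcastFunction, ULONG_PTR Context)
{
    if (!BroadcastFunction)
        return 0;
    return BroadcastFunction(Context);
}

/* Constructed worker standing in for a driver's broadcast routine: it counts
 * its invocations and derives its result from Context, so a caller can tell
 * whether it actually executed. */
int worker_runs = 0;

ULONG_PTR sample_worker(ULONG_PTR Argument)
{
    worker_runs++;
    return Argument + 1;
}

int main(void)
{
    ULONG_PTR r1 = KeIpiGenericCall_stub(sample_worker, 41);
    ULONG_PTR r2 = KeIpiGenericCall_semistub(sample_worker, 41);
    printf("stub returned %lu, semi-stub returned %lu, worker ran %d time(s)\n",
           (unsigned long)r1, (unsigned long)r2, worker_runs);
    return 0;
}
```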