Update POOL_TYPE enum to include types listed on MSDN, including NonPagedPoolExecute, which is needed for Battleye.
Signed-off-by: Derek Lesho dereklesho52@Gmail.com
---
include/ddk/wdm.h | 31 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/include/ddk/wdm.h b/include/ddk/wdm.h index 0cd1673dbe..a639b3c7b7 100644 --- a/include/ddk/wdm.h +++ b/include/ddk/wdm.h @@ -183,14 +183,29 @@ typedef struct _VPB { } VPB, *PVPB;
typedef enum _POOL_TYPE { - NonPagedPool, - PagedPool, - NonPagedPoolMustSucceed, - DontUseThisType, - NonPagedPoolCacheAligned, - PagedPoolCacheAligned, - NonPagedPoolCacheAlignedMustS, - MaxPoolType + NonPagedPool , + NonPagedPoolExecute , + PagedPool , + NonPagedPoolMustSucceed , + DontUseThisType , + NonPagedPoolCacheAligned , + PagedPoolCacheAligned , + NonPagedPoolCacheAlignedMustS , + MaxPoolType , + NonPagedPoolBase , + NonPagedPoolBaseMustSucceed , + NonPagedPoolBaseCacheAligned , + NonPagedPoolBaseCacheAlignedMustS , + NonPagedPoolSession , + PagedPoolSession , + NonPagedPoolMustSucceedSession , + DontUseThisTypeSession , + NonPagedPoolCacheAlignedSession , + PagedPoolCacheAlignedSession , + NonPagedPoolCacheAlignedMustSSession , + NonPagedPoolNx , + NonPagedPoolNxCacheAligned , + NonPagedPoolSessionNx } POOL_TYPE;
typedef struct _WAIT_CONTEXT_BLOCK {
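Review bot: Inserting NonPagedPoolExecute between NonPagedPool and PagedPool with no initializer renumbers every existing enumerator from PagedPool onward (PagedPool goes from 1 to 2, MaxPoolType from 7 to 8), so a numeric pool type passed by an already-built driver would be interpreted as a different type. If the name is needed, give it an explicit value, for example `NonPagedPoolExecute = NonPagedPool,` directly after NonPagedPool, which leaves PagedPool at 1 and the rest unchanged. The space before each comma also departs from the style of the lines being removed.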
Switches the use of HeapAlloc with VirtualAlloc in order to allow for executable memory to be allocated, which is needed when the NonPagedPoolExecute POOL_TYPE is specified as a parameter.
Signed-off-by: Derek Lesho dereklesho52@Gmail.com
---
dlls/ntoskrnl.exe/ntoskrnl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c index 577f5b3ba4..53cf37febe 100644 --- a/dlls/ntoskrnl.exe/ntoskrnl.c +++ b/dlls/ntoskrnl.exe/ntoskrnl.c @@ -1933,7 +1933,7 @@ PVOID WINAPI ExAllocatePoolWithQuota( POOL_TYPE type, SIZE_T size ) PVOID WINAPI ExAllocatePoolWithTag( POOL_TYPE type, SIZE_T size, ULONG tag ) { /* FIXME: handle page alignment constraints */ - void *ret = HeapAlloc( GetProcessHeap(), 0, size ); + void *ret = VirtualAlloc( NULL, size, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE ); TRACE( "%lu pool %u -> %p\n", size, type, ret ); return ret; } @@ -1993,7 +1993,7 @@ void WINAPI ExFreePool( void *ptr ) void WINAPI ExFreePoolWithTag( void *ptr, ULONG tag ) { TRACE( "%p\n", ptr ); - HeapFree( GetProcessHeap(), 0, ptr ); + VirtualFree( ptr, 0, MEM_RELEASE ); }
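Review bot: In ExAllocatePoolWithTag, replacing HeapAlloc with VirtualAlloc makes every pool allocation consume at least one whole page, and an allocation-granularity region of address space, however small `size` is, which is costly for drivers that make many small allocations. Consider keeping the heap path for types that do not need execute access, or allocating from a private heap created with HEAP_CREATE_ENABLE_EXECUTE. The `/* FIXME: handle page alignment constraints */` comment should be revisited as well, since VirtualAlloc always returns page-aligned memory.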
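Review bot: In ExFreePoolWithTag, `VirtualFree( ptr, 0, MEM_RELEASE );` succeeds only when ptr is the base address returned by VirtualAlloc, and its return value is discarded, so a pointer that reached this function from any allocation path still using the process heap would silently fail to be freed. Check that every allocator whose memory can end up here was switched in the same patch, and log a failed release rather than ignoring it.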
Make wine allocate executable memory when the driver requests it. BEDaisy.sys, battleye's driver, uses this POOL_TYPE, resulting in a page fault on execute access if the memory is not executable.
Signed-off-by: Derek Lesho dereklesho52@Gmail.com
---
dlls/ntoskrnl.exe/ntoskrnl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c index 53cf37febe..f32ef58080 100644 --- a/dlls/ntoskrnl.exe/ntoskrnl.c +++ b/dlls/ntoskrnl.exe/ntoskrnl.c @@ -1933,7 +1933,7 @@ PVOID WINAPI ExAllocatePoolWithQuota( POOL_TYPE type, SIZE_T size ) PVOID WINAPI ExAllocatePoolWithTag( POOL_TYPE type, SIZE_T size, ULONG tag ) { /* FIXME: handle page alignment constraints */ - void *ret = VirtualAlloc( NULL, size, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE ); + void *ret = VirtualAlloc( NULL, size, (MEM_RESERVE | MEM_COMMIT), (type==NonPagedPoolExecute) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE ); TRACE( "%lu pool %u -> %p\n", size, type, ret ); return ret; }
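Review bot: The protection choice `(type==NonPagedPoolExecute) ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE` matches exactly one enumerator, so a request made with any other pool type still gets non-executable memory, and which numeric value counts as executable depends entirely on the numbering introduced in the wdm.h patch. The commit message says BEDaisy.sys uses this POOL_TYPE but not which number it actually passes; state that, and consider testing for the explicitly no-execute types (NonPagedPoolNx and its variants) instead, so that only those receive PAGE_READWRITE. The line also needs spaces around `==` and wrapping, and because it hands out pages that are both writable and executable, a short comment explaining why is worth adding.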
On 01/09/18 00:40, Derek Lesho wrote:
Update POOL_TYPE enum to include types listed on MSDN, including NonPagedPoolExecute, which is needed for Battleye.
Signed-off-by: Derek Lesho dereklesho52@Gmail.com
include/ddk/wdm.h | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/include/ddk/wdm.h b/include/ddk/wdm.h index 0cd1673dbe..a639b3c7b7 100644 --- a/include/ddk/wdm.h +++ b/include/ddk/wdm.h @@ -183,14 +183,29 @@ typedef struct _VPB { } VPB, *PVPB;
typedef enum _POOL_TYPE {
- NonPagedPool,
- PagedPool,
- NonPagedPoolMustSucceed,
- DontUseThisType,
- NonPagedPoolCacheAligned,
- PagedPoolCacheAligned,
- NonPagedPoolCacheAlignedMustS,
- MaxPoolType
- NonPagedPool ,
- NonPagedPoolExecute ,
- PagedPool ,
- NonPagedPoolMustSucceed ,
- DontUseThisType ,
- NonPagedPoolCacheAligned ,
- PagedPoolCacheAligned ,
- NonPagedPoolCacheAlignedMustS ,
- MaxPoolType ,
- NonPagedPoolBase ,
- NonPagedPoolBaseMustSucceed ,
- NonPagedPoolBaseCacheAligned ,
- NonPagedPoolBaseCacheAlignedMustS ,
- NonPagedPoolSession ,
- PagedPoolSession ,
- NonPagedPoolMustSucceedSession ,
- DontUseThisTypeSession ,
- NonPagedPoolCacheAlignedSession ,
- PagedPoolCacheAlignedSession ,
- NonPagedPoolCacheAlignedMustSSession ,
- NonPagedPoolNx ,
- NonPagedPoolNxCacheAligned ,
- NonPagedPoolSessionNx
} POOL_TYPE;
typedef struct _WAIT_CONTEXT_BLOCK {
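Review bot: The enumerators added after MaxPoolType (NonPagedPoolBase through NonPagedPoolSessionNx) have no initializers, so they are simply numbered consecutively from MaxPoolType + 1. A binary driver passes these as numbers, so each name is only useful if it carries the numeric value such a driver actually uses; give every one of them an explicit initializer and verify it, rather than relying on declaration order.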
MSDN, like the SDK headers, is copyrighted; you can't copy and paste directly from it.
Moreover, this changes the values for some existing types, which doesn't seem correct. MSDN even says that NonPagedPoolExecute is a synonym for NonPagedPool.
I see, thanks for clearing that up. Looking further, it looks like the NonPagedPoolExecute value was only added in Windows 8. Either way, even when the Windows version in Wine is set to Windows 7, BEDaisy.sys does use ExAllocatePoolWithTag with a POOL_TYPE of 1 and tries to execute it. Maybe all paged memory allocated in the kernel is executable?
On Sun, Sep 2, 2018 at 10:24 PM Zebediah Figura z.figura12@gmail.com wrote:
On 01/09/18 00:40, Derek Lesho wrote:
Update POOL_TYPE enum to include types listed on MSDN, including NonPagedPoolExecute, which is needed for Battleye.
Signed-off-by: Derek Lesho dereklesho52@Gmail.com
include/ddk/wdm.h | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/include/ddk/wdm.h b/include/ddk/wdm.h index 0cd1673dbe..a639b3c7b7 100644 --- a/include/ddk/wdm.h +++ b/include/ddk/wdm.h @@ -183,14 +183,29 @@ typedef struct _VPB { } VPB, *PVPB;
typedef enum _POOL_TYPE {
- NonPagedPool,
- PagedPool,
- NonPagedPoolMustSucceed,
- DontUseThisType,
- NonPagedPoolCacheAligned,
- PagedPoolCacheAligned,
- NonPagedPoolCacheAlignedMustS,
- MaxPoolType
- NonPagedPool ,
- NonPagedPoolExecute ,
- PagedPool ,
- NonPagedPoolMustSucceed ,
- DontUseThisType ,
- NonPagedPoolCacheAligned ,
- PagedPoolCacheAligned ,
- NonPagedPoolCacheAlignedMustS ,
- MaxPoolType ,
- NonPagedPoolBase ,
- NonPagedPoolBaseMustSucceed ,
- NonPagedPoolBaseCacheAligned ,
- NonPagedPoolBaseCacheAlignedMustS ,
- NonPagedPoolSession ,
- PagedPoolSession ,
- NonPagedPoolMustSucceedSession ,
- DontUseThisTypeSession ,
- NonPagedPoolCacheAlignedSession ,
- PagedPoolCacheAlignedSession ,
- NonPagedPoolCacheAlignedMustSSession ,
- NonPagedPoolNx ,
- NonPagedPoolNxCacheAligned ,
- NonPagedPoolSessionNx
} POOL_TYPE;
typedef struct _WAIT_CONTEXT_BLOCK {
MSDN, like the SDK headers, is copyrighted; you can't copy and paste directly from it.
Moreover, this changes the values for some existing types, which doesn't seem correct. MSDN even says that NonPagedPoolExecute is a synonym for NonPagedPool.
On 02/09/18 23:11, Derek Lesho wrote:
I see, thanks for clearing that up. Looking further, it looks like the NonPagedPoolExecute value was only added in Windows 8. Either way, even when the Windows version in Wine is set to Windows 7, BEDaisy.sys does use ExAllocatePoolWithTag with a POOL_TYPE of 1 and tries to execute it. Maybe all paged memory allocated in the kernel is executable?
Indeed it would seem so:
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/no-execute-...