[Bug 37087] Gothic 2 english demo fails with 'Conflict: a hook process was found. Please deactivate all Antivirus and Anti-Trojan programs and debuggers.'

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Aug 10 13:32:34 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=37087

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
                URL|                            |http://www.fileplanet.com/1
                   |                            |51400/150000/fileinfo/Gothi
                   |                            |c-II-Demo-
            Summary|Gothic 2 english Demo still |Gothic 2 english demo fails
                   |fails with > "Conflict: a   |with 'Conflict: a hook
                   |hook process was found.     |process was found. Please
                   |..."                        |deactivate all Antivirus
                   |                            |and Anti-Trojan programs
                   |                            |and debuggers.'

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

whoops, I hit submit too early - but here it goes...

--- snip ---
$ pwd
/home/focht/.wine/drive_c/Program Files/JoWooD/Gothic II Demo/system

$ WINEDEBUG=+tid,+seh,+relay,+server wine ./Gothic2.exe >>log.txt 2>&1
...
wineserver: starting (pid=22736)
0008: *fd* 01c8 -> 20
0009: *fd* 6 <- 20
0009: init_thread( unix_pid=22733, unix_tid=22733, debug_level=1, teb=7ffd8000,
entry=7ffdf000, reply_fd=6, wait_fd=8, cpu=x86 )
0009: *fd* 8 <- 21
0009: init_thread() = 0 { pid=0008, tid=0009, server_start=1cfb4be9e26f010
(-0.0001500), info_size=0, version=456, all_cpus=00000001 }
0009: *fd* 1 <- 22 
...
0009:Call KERNEL32.CreateProcessA(00000000,01560000 "\"C:\\Program
Files\\JoWooD\\Gothic II Demo\\system\\Gothic2.exe\"
\t",00000000,00000000,00000000,00000004,00000000,00000000,4f8aee2f,4f8aee2b)
ret=00a7b004
...
0009: new_process( inherit_all=0, create_flags=00000004, socket_fd=12,
exe_file=003c, process_access=001fffff, process_attr=00000000,
thread_access=001fffff, thread_attr=00000000, cpu=x86, info_size=838,
info={debug_flags=0,console_flags=0,console=0000,hstdin=0018,hstdout=0004,hstderr=0008,
... )
0009: *fd* 01c8 -> 95
0009: new_process() = 0 { info=0044, pid=0022, phandle=0048, tid=0023,
thandle=004c }
0009: get_handle_fd( handle=0004 )
0009: *fd* 0004 -> 22
0009: get_handle_fd() = 0 { type=1, cacheable=1, access=00120116,
options=00000020 }
0009: select( flags=2, cookie=0134f2bc, timeout=infinite, prev_apc=0000,
result={}, data={WAIT,handles={0044}} )
0009: select() = PENDING { timeout=infinite, call={APC_NONE}, apc_handle=0000 }
0023: *fd* 5 <- 29
0023: init_thread( unix_pid=22762, unix_tid=22762, debug_level=1, teb=7ffd8000,
entry=7ffdf000, reply_fd=5, wait_fd=7, cpu=x86 )
0023: *fd* 7 <- 95
0023: init_thread() = 0 { pid=0022, tid=0023, server_start=1cfb4be9e26f010
(-1.3682260), info_size=9818, version=456, all_cpus=00000001 } 
...
0023:Call KERNEL32.__wine_kernel_init() ret=7bc59dbc
...
0023: init_process_done( gui=1, module=00400000, ldt_copy=f7706620,
entry=009b9080 )
0009: *wakeup* signaled=0
0023: *sent signal* signal=10
0023: init_process_done() = 0
0009: get_new_process_info( info=0044 )
0009: get_new_process_info() = 0 { success=1, exit_code=259 }
0009: close_handle( handle=0044 )
0009: close_handle() = 0
0009: close_handle( handle=003c )
0009: close_handle() = 0
0009:Ret  KERNEL32.CreateProcessA() retval=00000001 ret=00a7b004 
...
0023: set_suspend_context(
context={cpu=x86,eip=f773b430,esp=0134ff14,ebp=0134ffe8,eflags=00000296,cs=0023,ss=002b,ds=002b,es=002b,fs=0063,gs=006b,eax=00000000,ebx=00000001,ecx=7bced260,edx=00000000,esi=00000008,edi=7bcd1000,dr0=00000000,dr1=00000000,dr2=00000000,dr3=00000000,dr6=00000000,dr7=00000000,fp.ctrl=ffff027f,fp.status=ffff0000,fp.tag=ffffffff,fp.err_off=00000000,fp.err_sel=00000023,fp.data_off=00000000,fp.data_sel=ffff002b,fp.cr0npx=00000000,fp.reg0=0,fp.reg1=0,fp.reg2=0,fp.reg3=0,fp.reg4=0,fp.reg5=0,fp.reg6=0,fp.reg7=0,extended=...}
)
0023: set_suspend_context() = 0
0023: select( flags=2, cookie=7ffdb33c, timeout=0, prev_apc=0000, result={},
data={} )
0023: select() = PENDING { timeout=1cfb4be9ef9cc74 (+0.0000000),
call={APC_NONE}, apc_handle=0000 }
0009:Call KERNEL32.VirtualAlloc(00000000,00020000,00001000,00000040)
ret=00a7b004
0009:Ret  KERNEL32.VirtualAlloc() retval=01570000 ret=00a7b004
0009:Call
KERNEL32.ReadProcessMemory(00000048,00400000,01570000,00001000,00000000)
ret=4f8167fc
0009: read_process_memory( handle=0048, addr=00400000 )
0023: *signal* signal=19
0009: read_process_memory() = 0 { data={4d,5a,90,...(total 4096)} }
0009:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=4f8167fc
0009:Call
KERNEL32.ReadProcessMemory(00000048,009b9000,01570000,000021e4,00000000)
ret=4f818849
0009: read_process_memory( handle=0048, addr=009b9000 )
0023: *signal* signal=19
0009: read_process_memory() = 0 { data={00,00,00,00,...(total 8676)} }
0009:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=4f818849
0009:Call
KERNEL32.WriteProcessMemory(00000048,009b9052,4f819576,00000001,00000000)
ret=4f81957c
0009: write_process_memory( handle=0048, addr=009b9052, data={ff} )
0023: *signal* signal=19
0009: write_process_memory() = 0
0009:Ret  KERNEL32.WriteProcessMemory() retval=00000001 ret=4f81957c
0009:Call KERNEL32.ResumeThread(0000004c) ret=002c0000
0009: resume_thread( handle=004c )
0023: *wakeup* signaled=258
0009: resume_thread() = 0 { count=1 }
0009:Ret  KERNEL32.ResumeThread() retval=00000001 ret=002c0000
0023: get_suspend_context( )
0009:Call KERNEL32.ExitProcess(00a78be3) ret=4f8ae895
0023: get_suspend_context() = 0 {
context={cpu=x86,eip=f773b430,esp=0134ff14,ebp=0134ffe8,eflags=00000296,cs=0023,ss=002b,ds=002b,es=002b,fs=0063,gs=006b,eax=00000000,ebx=00000001,ecx=7bced260,edx=00000000,esi=00000008,edi=7bcd1000,dr0=00000000,dr1=00000000,dr2=00000000,dr3=00000000,dr6=00000000,dr7=00000000,fp.ctrl=ffff027f,fp.status=ffff0000,fp.tag=ffffffff,fp.err_off=00000000,fp.err_sel=00000023,fp.data_off=00000000,fp.data_sel=ffff002b,fp.cr0npx=00000000,fp.reg0=0,fp.reg1=0,fp.reg2=0,fp.reg3=0,fp.reg4=0,fp.reg5=0,fp.reg6=0,fp.reg7=0,extended={...}}
}
0009: terminate_process( handle=0000, exit_code=10980323 )
0009: terminate_process() = 0 { self=1 } 
...
0009: terminate_process( handle=ffffffff, exit_code=10980323 )
0009: terminate_process() = 0 { self=1 } 
...
0009: *killed* exit_code=10980323
0008: *process killed* 
...
--- snip ---

After bringing up the child and patching it at runtime, the parent terminates
itself by design.

The child does lots of anti-debugging trickery (which works).

At one point it fetches the process list and tries to open the parent process
(NOTE: PID is not from process list):

--- snip ---
...
0023:Call ntdll.NtQuerySystemInformation(00000005,01570000,00050000,00000000)
ret=00a7b004
0023: create_snapshot( attributes=00000000, flags=00000003 )
0023: create_snapshot() = 0 { handle=003c }
0023: next_process( handle=003c, reset=1 )
0023: next_process() = 0 { count=16, pid=000c, ppid=000a, threads=1,
priority=2, handles=64, unix_pid=22740,
filename=L"C:\\windows\\system32\\winemenubuilder.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=14, pid=000e, ppid=000a, threads=6,
priority=2, handles=64, unix_pid=22742,
filename=L"C:\\windows\\system32\\services.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=7, pid=0012, ppid=000e, threads=4, priority=2,
handles=64, unix_pid=22746, filename=L"C:\\windows\\system32\\winedevice.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=4, pid=0019, ppid=000e, threads=3, priority=2,
handles=32, unix_pid=22753, filename=L"C:\\windows\\system32\\plugplay.exe" }
...
0023: next_thread( handle=003c, reset=0 )
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=19, pid=0020, ppid=000c, threads=1,
priority=2, handles=32, unix_pid=22760,
filename=L"C:\\windows\\system32\\explorer.exe" }
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = 0 { count=3, pid=0022, ppid=0008, threads=1, priority=2,
handles=32, unix_pid=22762, filename=L"C:\\Program Files\\JoWooD\\Gothic II
Demo\\system\\Gothic2.exe" }
0023: next_thread( handle=003c, reset=1 )
...
0023: next_thread() = NO_MORE_FILES { count=0, pid=0000, tid=0000, base_pri=0,
delta_pri=0 }
0023: next_process( handle=003c, reset=0 )
0023: next_process() = NO_MORE_FILES { count=0, pid=0000, ppid=0000, threads=0,
priority=0, handles=0, unix_pid=0, filename=L"" }
0023: close_handle( handle=003c )
0023: close_handle() = 0
0023:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=00a7b004
0023:Call KERNEL32.OpenProcess(001f0fff,00000000,00000008) ret=7a07cbd2
0023: open_process( pid=0008, access=001f0fff, attributes=00000000 )
0023: open_process() = 0 { handle=003c }
0023:Ret  KERNEL32.OpenProcess() retval=0000003c ret=7a07cbd2
0023:trace:seh:raise_exception code=c0000005 flags=0 addr=0x7a07cc53
ip=7a07cc53 tid=0023
0023:trace:seh:raise_exception  info[0]=00000001
0023:trace:seh:raise_exception  info[1]=7a050558
0023:trace:seh:raise_exception  eax=00000090 ebx=00000022 ecx=0002c6fd
edx=7ec789d0 esi=002c0000 edi=7a050558
0023:trace:seh:raise_exception  ebp=79b657c7 esp=0134fdbc cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00010246
0023:trace:seh:call_stack_handlers calling handler at 0x7a070563 code=c0000005
flags=0
0023:trace:seh:call_stack_handlers handler at 0x7a070563 returned 0
0023:Call user32.MessageBoxA(00000000,7a07d313 "Conflict: a hook process was
found. Please deactivate all Antivirus and Anti-Trojan programs and
debuggers.",7a07cde5 "Gothic II",00000000) ret=002c0000 
...
--- snip ---

It seems the child *expects* that the parent can't be opened anymore.

'wineserver' still keeps the process object around as there are references
(handles) to the process object.

Enumeration of processes in contrast doesn't show/list the parent process
because there is not a single running thread in that process anymore - which is
correct behaviour.

I did a quick hack, forcing the process object to be gone, and indeed it lets the
child run much farther.
It still dies in the end - caused by another protection scheme brain damage.

The executable is from the year 2000, so this brain damage clearly relies on
pre-XP era behaviour with the process object gone after (self)termination (less
complex handle management).

Someone could test if the demo runs on Windows XP/7 or can be made to work with
compat mode (app shim).

$ sha1sum gothic2-demo-setup.exe 
3f1ff6d9b1d1ccdd5032caf349e7c0d79c6a9d24  gothic2-demo-setup.exe

$ du -sh gothic2-demo-setup.exe 
381M    gothic2-demo-setup.exe

$ wine --version
wine-1.7.24

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
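An added example, not part of the bug report and not Wine code: a small Python
parser for the +server/+relay trace format quoted in the comment above. It ties
wineserver tids to pids via init_thread, attributes the parent's
write_process_memory patch of the suspended child to the child's pid via the
phandle returned by new_process, records which pids the server reports killed,
lists what the child's process snapshot (next_process) returns, and flags an
open_process() that succeeds on a pid already reported killed, which is the
condition the demo's check trips over. SAMPLE_TRACE is constructed from the
quoted log with the mailer's line wraps undone and most lines dropped; the
pids, handles, address and patched byte are the ones in the log. The regexes
describe the format as it appears in this report and are an assumption, not a
Wine-maintained grammar.

```python
import re
from dataclasses import dataclass, field

# Trace format as quoted in this report (assumed, not a Wine-maintained grammar):
#   "0009: call( k=v, ... )"   request        "0009: call() = STATUS { k=v, ... }"   reply
#   "0009: *event* ..."        server event;  relay lines ("0009:Call ...") have no space after ':'
SERVER_RE = re.compile(r"^(?P<tid>[0-9a-f]{4}): (?P<rest>.*)$")
REPLY_RE = re.compile(r"^(?P<call>\w+)\(\) = (?P<status>\w+)(?: \{(?P<args>.*)\})?\s*$")
REQUEST_RE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*$")
EVENT_RE = re.compile(r"^\*(?P<event>[a-z ]+)\*(?: (?P<args>.*))?$")
KV_RE = re.compile(r"(\w+)=([^,\s}]+)")
DATA_RE = re.compile(r"data=\{([^}]*)\}")


@dataclass
class Timeline:
    tid_to_pid: dict = field(default_factory=dict)     # server tid -> pid (from init_thread)
    handle_to_pid: dict = field(default_factory=dict)  # (tid, process handle) -> pid (from new_process)
    dead: set = field(default_factory=set)             # pids the server reported killed
    patches: list = field(default_factory=list)        # (target pid, address, hex bytes written)
    enumerated: list = field(default_factory=list)     # pids returned by next_process
    opens: list = field(default_factory=list)          # (tid, target pid, succeeded)
    findings: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)        # tid -> (call, kv) awaiting its reply


def _on_request(t, tid, call, args):
    kv = dict(KV_RE.findall(args))
    t.pending[tid] = (call, kv)
    if call == "write_process_memory":                 # the parent's runtime patch of the child
        data = DATA_RE.search(args)
        target = t.handle_to_pid.get((tid, kv.get("handle")), "?")
        t.patches.append((target, kv.get("addr"), data.group(1) if data else ""))


def _on_reply(t, tid, call, status, kv):
    req_call, req_kv = t.pending.pop(tid, (None, {}))
    ok = status == "0"
    if call == "init_thread" and ok:
        t.tid_to_pid[kv["tid"]] = kv["pid"]
    elif call == "new_process" and ok:
        t.handle_to_pid[(tid, kv["phandle"])] = kv["pid"]
    elif call == "next_process" and ok:
        t.enumerated.append(kv["pid"])
    elif call == "open_process" and req_call == "open_process":
        target = req_kv.get("pid")
        t.opens.append((tid, target, ok))
        if ok and target in t.dead:
            t.findings.append(f"tid {tid} opened pid {target} (handle {kv.get('handle')}) "
                              f"although the server already reported that pid killed")


def parse_trace(lines):
    t = Timeline()
    for raw in lines:
        m = SERVER_RE.match(raw.strip())
        if not m:
            continue                                    # relay/seh lines and noise are skipped
        tid, rest = m.group("tid"), m.group("rest")
        if (ev := EVENT_RE.match(rest)):
            if ev.group("event") == "process killed":   # prefix is the pid for this event
                t.dead.add(tid)
            elif ev.group("event") == "killed":          # prefix is the dying thread
                t.dead.add(t.tid_to_pid.get(tid, tid))
        elif (rep := REPLY_RE.match(rest)):
            _on_reply(t, tid, rep.group("call"), rep.group("status"),
                      dict(KV_RE.findall(rep.group("args") or "")))
        elif (rq := REQUEST_RE.match(rest)):
            _on_request(t, tid, rq.group("call"), rq.group("args"))
    return t


def report(t):
    out = [f"patch: pid {pid} addr {addr} <- {data}" for pid, addr, data in t.patches]
    out.append("killed pids: " + ", ".join(sorted(t.dead)))
    out.append("pids listed by snapshot: " + ", ".join(t.enumerated))
    for tid, target, ok in t.opens:
        note = "" if target in t.enumerated else " (not in snapshot)"
        out.append(f"tid {tid} open_process(pid={target}) -> {'ok' if ok else 'failed'}{note}")
    out.extend("FINDING: " + f for f in t.findings)
    return "\n".join(out)


# Constructed sample: lines copied from the trace above with the mailer's wraps undone.
SAMPLE_TRACE = r"""
0009: init_thread() = 0 { pid=0008, tid=0009, server_start=1cfb4be9e26f010 (-0.0001500), info_size=0, version=456, all_cpus=00000001 }
0009: new_process() = 0 { info=0044, pid=0022, phandle=0048, tid=0023, thandle=004c }
0023: init_thread() = 0 { pid=0022, tid=0023, server_start=1cfb4be9e26f010 (-1.3682260), info_size=9818, version=456, all_cpus=00000001 }
0009: write_process_memory( handle=0048, addr=009b9052, data={ff} )
0009: write_process_memory() = 0
0009:Call KERNEL32.ResumeThread(0000004c) ret=002c0000
0009: terminate_process( handle=ffffffff, exit_code=10980323 )
0009: terminate_process() = 0 { self=1 }
0009: *killed* exit_code=10980323
0008: *process killed*
0023: next_process() = 0 { count=16, pid=000c, ppid=000a, threads=1, priority=2, handles=64, unix_pid=22740, filename=L"C:\\windows\\system32\\winemenubuilder.exe" }
0023: next_process() = 0 { count=3, pid=0022, ppid=0008, threads=1, priority=2, handles=32, unix_pid=22762, filename=L"C:\\Program Files\\JoWooD\\Gothic II Demo\\system\\Gothic2.exe" }
0023: next_process() = NO_MORE_FILES { count=0, pid=0000, ppid=0000, threads=0, priority=0, handles=0, unix_pid=0, filename=L"" }
0023: open_process( pid=0008, access=001f0fff, attributes=00000000 )
0023: open_process() = 0 { handle=003c }
"""

if __name__ == "__main__":
    print(report(parse_trace(SAMPLE_TRACE.splitlines())))
```

Run against a full unwrapped log (WINEDEBUG=+tid,+seh,+relay,+server, as in
the comment) by feeding the file's lines to parse_trace(); the snapshot list
and the open_process result side by side show the inconsistency the comment
describes: the parent is absent from the enumeration yet still openable.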


