[Bug 39738] Protect DiSC v9.x DRM scheme prevents collection of crash information by configured JIT debugger (Cobra 11 - Burning Wheels)

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Dec 4 10:25:10 CST 2015 

https://bugs.winehq.org/show_bug.cgi?id=39738

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |NEW
                 CC|                            |focht at gmx.net
            Summary|Collecting backtrace of     |Protect DiSC v9.x DRM
                   |crashing process not        |scheme prevents collection
                   |possible.                   |of crash information by
                   |                            |configured JIT debugger
                   |                            |(Cobra 11 - Burning Wheels)
     Ever confirmed|0                           |1

--- Comment #1 from Anastasius Focht <focht at gmx.net> ---
Hello Bernhard,

confirming.

A bunch of anti-debug watcher threads, part of the Protect DiSC v9.x DRM scheme
is the problem here.
They are continuously looking for "well known" processes (using window classes)
and also check the PEB/debugger present flag in local process.

One of the watcher threads detects the process attach by the configured JIT
debugger and terminates the process.

--- snip ---
...
0030:Starting thread proc 0x23b5efe (arg=0x23f64f6)
0030:Call KERNEL32.Sleep(000007d1) ret=023f6cde 
...
0031:Starting thread proc 0x23b5efe (arg=0x23f6f42)
0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 
...
0047:Starting thread proc 0x23b5efe (arg=0x24102db)
0047:Call KERNEL32.WaitForSingleObject(000000d4,ffffffff) ret=024103e5 
...
0031:Call KERNEL32.IsDebuggerPresent() ret=023f771b
0031:Ret  KERNEL32.IsDebuggerPresent() retval=00000000 ret=023f771b 
...
0031:Call user32.FindWindowA(023b7f95 "OLLYDBG",00000000) ret=023f78ea
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f78ea
...
0031:Call user32.FindWindowA(023b7f95 "GBDYLLO",00000000) ret=023f7af6
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f7af6
...
0031:Call user32.FindWindowA(023b7f95 "pediy06",00000000) ret=023f7cbd
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f7cbd
...
0031:Call user32.FindWindowA(023b7f95 "OLLYDBG",00000000) ret=023f78ea
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f78ea
...
0031:Call user32.FindWindowA(023b7f95 "GBDYLLO",00000000) ret=023f7af6
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f7af6
...
0031:Call user32.FindWindowA(023b7f95 "pediy06",00000000) ret=023f7cbd
0031:Ret  user32.FindWindowA() retval=00000000 ret=023f7cbd
...
0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 
...
0031:Call KERNEL32.Sleep(000007d1) ret=023f7682 
...
002f:trace:seh:raise_exception code=80000003 flags=0 addr=0x2064e46 ip=02064e47
tid=002f
002f:trace:seh:raise_exception  eax=00000004 ebx=6ce5dee6 ecx=00cc1257
edx=00000000 esi=00cc1257 edi=00feabf0
002f:trace:seh:raise_exception  ebp=4243484b esp=0146c738 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00200206
002f:trace:seh:call_stack_handlers calling handler at 0x2064e1a code=80000003
flags=0
002f:Call KERNEL32.GetTickCount() ret=020644b5
002f:Ret  KERNEL32.GetTickCount() retval=008af18f ret=020644b5
002f:Call KERNEL32.GetTickCount() ret=02064507
002f:Ret  KERNEL32.GetTickCount() retval=008af18f ret=02064507
002f:Call KERNEL32.CreateFileA(02122f54
"\\\\.\\SICE",c0000000,00000003,00000000,00000003,00000080,00000000)
ret=0207c9aa
002f:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa
002f:Call KERNEL32.CreateFileA(0146c6e8
"\\\\.\\SIWVID",c0000000,00000003,00000000,00000003,00000080,00000000)
ret=0207c9aa
002f:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa
002f:Call KERNEL32.CreateFileA(0146c6e8
"\\\\.\\NTICE",c0000000,00000003,00000000,00000003,00000080,00000000)
ret=0207c9aa
002f:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=0207c9aa
...
002f:Call advapi32.RegOpenKeyExA(80000002,08091f08
"Software\\NuMega\\SoftIce",00000000,00020019,0146c6bc) ret=0207db61
002f:Ret  advapi32.RegOpenKeyExA() retval=00000002 ret=0207db61 
...
002f:trace:seh:raise_exception code=c0000005 flags=0 addr=0x52f7b2 ip=0052f7b2
tid=002f
002f:trace:seh:raise_exception  info[0]=00000000
002f:trace:seh:raise_exception  info[1]=1a6a0920
002f:trace:seh:raise_exception  eax=0f76cea8 ebx=1cc0c020 ecx=000722b9
edx=0002b71e esi=1c2ef076 edi=1a545030
002f:trace:seh:raise_exception  ebp=0146f7d0 esp=0146f700 cs=0023 ds=002b
es=002b fs=0063 gs=006b flags=00210212
002f:trace:seh:call_stack_handlers calling handler at 0x5e970e code=c0000005
flags=0
002f:Call KERNEL32.GetLastError() ret=005d233a
002f:Ret  KERNEL32.GetLastError() retval=00000000 ret=005d233a
002f:trace:seh:call_stack_handlers handler at 0x5e970e returned 1
002f:trace:seh:call_stack_handlers calling handler at 0x5d0f20 code=c0000005
flags=0
002f:Call KERNEL32.GetLastError() ret=005d233a
002f:Ret  KERNEL32.GetLastError() retval=00000000 ret=005d233a
002f:trace:seh:call_stack_handlers handler at 0x5d0f20 returned 1
002f:trace:seh:call_stack_handlers calling handler at 0x7bcaad0d code=c0000005
flags=0
002f:Call KERNEL32.UnhandledExceptionFilter(0146f204) ret=7bcaad48
wine: Unhandled page fault on read access to 0x1a6a0920 at address 0x52f7b2
(thread 002f), starting debugger...
002f:trace:seh:start_debugger Starting debugger "winedbg --auto 46 464" 
...
0031:Call KERNEL32.IsDebuggerPresent() ret=023f771b
0031:Ret  KERNEL32.IsDebuggerPresent() retval=00000001 ret=023f771b
0032:Call KERNEL32.Sleep(000007d1) ret=023f878e
0030:Ret  KERNEL32.Sleep() retval=00000000 ret=023f6cde
0035:Ret  KERNEL32.Sleep() retval=00000000 ret=023fade2
0030:Call KERNEL32.Sleep(000007d1) ret=023f6cde
0035:Call KERNEL32.Sleep(000007d1) ret=023fade2
0034:Ret  KERNEL32.Sleep() retval=00000000 ret=023fa3b7
0037:Ret  KERNEL32.Sleep() retval=00000000 ret=023fc3a3
0034:Call KERNEL32.Sleep(000007d1) ret=023fa3b7
0037:Call KERNEL32.Sleep(000007d1) ret=023fc3a3
0036:Ret  KERNEL32.Sleep() retval=00000000 ret=023fb903
000b:Ret  KERNEL32.Sleep() retval=00000000 ret=02445b64
0036:Call KERNEL32.Sleep(000007d1) ret=023fb903
004d:Ret  KERNEL32.Sleep() retval=00000000 ret=00cf1dae
000b:Call user32.FindWindowA(024458ce "Regmonclass",00000000) ret=02445c00
004d:Call KERNEL32.TerminateProcess(00000128,00000000) ret=00cf2be6
...
0031:Call KERNEL32.ExitThread(00000000) ret=023ba69d
...
0031:Call PE DLL (proc=0x7cf2257c,module=0x7cec0000
L"msvcrt.dll",reason=THREAD_DETACH,res=(nil))
002f:Ret  KERNEL32.UnhandledExceptionFilter() retval=00000000 ret=7bcaad48
...
Process of pid=002e has terminated
No process loaded, cannot execute 'echo Modules:'
Cannot get info on module while no process is loaded
No process loaded, cannot execute 'echo Threads:'
--- snip ---

Although it helps in this case, your patch will break Windows compatibility.

Windows doesn't suspend all other threads of the process during handling of
'UnhandledExceptionFilter' in the context of the faulting thread.

Secondary failures must be still allowed to occur on a different thread,
causing the exception filter to be entered by an additional thread at the same
time as an event from the first crash is already processed.

My guess would be if the crash is simulated/replicated on Windows it will react
in the same way.
Some debuggers support methods of non-invasive debugging, not causing
'BeingDebugged' set in target PEB so it might behave differently - depending on
the type of configured JIT.

I've reworded the summary since this is a special case where a specific
anti-debugger protection scheme actually causes the problem.

$ sha1sum BurningWheelsDemo.exe 
du6dc03653b97a0336a5c57fc4b04af61e3ebcee5e  BurningWheelsDemo.exe

$ du -sh BurningWheelsDemo.exe 
286M    BurningWheelsDemo.exe

$ wine --version
wine-1.8-rc3

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list