[Bug 38836] SCM 'StartService' must wait for driver service entry point execution before return ( PunkBuster 'PnkBstrB' service failure, CPU-Z randomly fails to load its driver, BattlEye 'BEDaisy' kernel service)

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Feb 10 15:31:30 CST 2018 

https://bugs.winehq.org/show_bug.cgi?id=38836

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|SCM 'StartService' must     |SCM 'StartService' must
                   |wait for driver service     |wait for driver service
                   |entry point execution       |entry point execution
                   |before return (PunkBuster   |before return (PunkBuster
                   |'PnkBstrB' service exits    |'PnkBstrB' service failure,
                   |with failure, CPU-Z         |CPU-Z randomly fails to
                   |randomly fails to load its  |load its driver, BattlEye
                   |driver)                     |'BEDaisy' kernel service)

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

revisiting, still present.

Encountered this problem during investigation of BattlEye service failures (bug
41670).

I have a number of patches (hacks) to make the 'BEDaisy' kernel driver service
somewhat functional that it survives the driver initialization (entry point).
The BattlEye helper service 'BEService' starts 'BEDaisy' kernel driver service.

--- snip ---
...
0009:Call KERNEL32.CreateProcessW(00000000,0033de64 L"\"C:\\users\\focht\\Local
Settings\\Application Data\\Tibia\\packages\\Tibia\\bin\\client_launcher.exe\"
3",00000000,00000000,00000000,00000410,00000000,00000000,0033d940,0033d930)
ret=7e7e9506 
...
0009:trace:process:create_process_impl started process pid 003a tid 003b
0009:Ret  KERNEL32.CreateProcessW() retval=00000001 ret=7e7e9506
...
003b:Call advapi32.CreateServiceW(00133f30,00422d4c L"BEService",00423154
L"BattlEye Service",00060010,00000010,00000003,00000001,0033f3a0
L"\"C:\\Program Files\\Common
Files\\BattlEye\\BEService.exe\"",00000000,00000000,00000000,00000000,00000000)
ret=0046e55c 
...
0037:Call KERNEL32.CreateProcessW(00000000,0011cdc0 L"\"C:\\Program
Files\\Common
Files\\BattlEye\\BEService.exe\"",00000000,00000000,00000000,00000400,00450000,00000000,00ddf8ec,00ddf930)
ret=7ed5dc0b 
...
003e:Starting process L"C:\\Program Files\\Common
Files\\BattlEye\\BEService.exe" (entryproc=0x4eb460) 
...
003e:Call advapi32.StartServiceCtrlDispatcherA(0033fe58) ret=00447aa9 
...
003b:Ret  advapi32.StartServiceW() retval=00000001 ret=0043482a
0041:Call KERNEL32.CreateNamedPipeA(00758228
"\\\\.\\pipe\\BattlEye",40040003,00000006,00000002,00000400,00000400,00000000,00000000)
ret=00473131
0041:Ret  KERNEL32.CreateNamedPipeA() retval=00000054 ret=00473131
0041:Call KERNEL32.CreateNamedPipeA(00758228
"\\\\.\\pipe\\BattlEye",40040003,00000006,00000002,00000400,00000400,00000000,00000000)
ret=004be6f2
0041:Ret  KERNEL32.CreateNamedPipeA() retval=00000058 ret=004be6f2 
...
0041:Call advapi32.CreateServiceW(00135e68,007581d4 L"BEDaisy",007581d4
L"BEDaisy",00010034,00000001,00000003,00000001,0075d820 L"C:\\Program
Files\\Common
Files\\BattlEye\\BEDaisy.sys",00000000,00000000,00000000,00000000,00000000)
ret=004b243a 
...
0045:trace:winedevice:create_driver starting driver L"BEDaisy"
0045:Call advapi32.SetServiceStatus(0011b788,0043fcf4) ret=7effb41b 
...
0045:Ret  advapi32.SetServiceStatus() retval=00000001 ret=7effb41b
...
0045:Call KERNEL32.TrySubmitThreadpoolCallback(7effb724,0011b808,0043fd34)
ret=7effbb3f
0048:Call PE DLL (proc=0xf739521c,module=0xf7350000
L"rpcrt4.dll",reason=THREAD_ATTACH,res=(nil))
0048:Ret  PE DLL (proc=0xf739521c,module=0xf7350000
L"rpcrt4.dll",reason=THREAD_ATTACH,res=(nil)) retval=1
0045:Ret  KERNEL32.TrySubmitThreadpoolCallback() retval=00000001 ret=7effbb3f
0048:Starting thread proc 0x7bca027b (arg=0x11cad8) 
...
0048:trace:winedevice:load_driver loading driver L"C:\\Program Files\\Common
Files\\BattlEye\\BEDaisy.sys" 
...
0048:Call KERNEL32.LoadLibraryW(0011cd38 L"C:\\Program Files\\Common
Files\\BattlEye\\BEDaisy.sys") ret=7effaa20 
...
0041:Ret  advapi32.StartServiceA() retval=00000001 ret=004316a4
0041:Call KERNEL32.CreateFileA(007581a0
"\\\\.\\BattlEye",c0000000,00000000,00000000,00000003,00000000,00000000)
ret=00408ea6
0048:trace:module:map_image mapped PE file at 0x780000-0x80f000
0048:trace:module:map_image mapping section .text at 0x781000 off 0 size 0 virt
2a8a flags 68000020
0048:trace:module:map_image mapping section .rdata at 0x784000 off 0 size 0
virt 8fc flags 48000040
0048:trace:module:map_image mapping section .data at 0x785000 off 0 size 0 virt
1238 flags c8000040
0041:Ret  KERNEL32.CreateFileA() retval=ffffffff ret=00408ea6
0048:trace:module:map_image mapping section INIT at 0x787000 off 0 size 0 virt
7e6 flags 60000020
0048:trace:module:map_image mapping section .be0 at 0x788000 off 0 size 0 virt
38409 flags e8000060
0048:trace:module:map_image mapping section .be1 at 0x7c1000 off 400 size 4c400
virt 4c338 flags e0000060
...
0041:Call advapi32.CloseServiceHandle(00135e68) ret=004a786c 
...
0041:Call advapi32.QueryServiceStatus(00135f08,00757934) ret=004b1cad 
...
0041:Ret  advapi32.QueryServiceStatus() retval=00000001 ret=004b1cad
...
0041:Ret  advapi32.CloseServiceHandle() retval=00000001 ret=004818c7 
...
0048:trace:winedevice:load_driver_module L"C:\\Program Files\\Common
Files\\BattlEye\\BEDaisy.sys": relocating from 0x400000 to 0x780000 
...
0041:Call KERNEL32.DeleteFileW(0075d820 L"C:\\Program Files\\Common
Files\\BattlEye\\BEDaisy.sys") ret=0040dcf6 
...
0048:Call driver init 0x7fdf6e
(obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") 
...
0048:Ret  driver init 0x7fdf6e
(obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy")
retval=00000000 
...
002e:Call KERNEL32.GetStringTypeW(00000001,00151968 L"21:19:03: Successfully
installed BattlEye Service.\r\n21:19:03: Failed to initialize BattlEye Service:
Driver Init Error (2).\r\n",00000001,005bf45a) ret=7e1f4505
0
...
0048:trace:ntoskrnl:IoCreateDevice (0x11cb58, 0, L"\\Device\\BattlEye", 34, 0,
0, 0x65f1e8) 
...
0048:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\BattlEye" ->
L"\\Device
...
0048:Ret  ntoskrnl.exe.IoCreateDriver() retval=00000000 ret=7effb7c8 
...
--- snip ---

The app/service expects the kernel driver entry point executed *before*
'StartService' returns. Also see 'CreateFile' calls from the client to check if
driver symbolic link exists in the log snippet.
I've already documented this behaviour in my initial analysis here.

Source:

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/programs/winedevice/device.c#l410

--- snip ---
 410 /* load a driver and notify services.exe about the status change */
 411 static NTSTATUS create_driver( const WCHAR *driver_name )
 412 {
...
 437     TRACE( "starting driver %s\n", wine_dbgstr_w(driver_name) );
 438     set_service_status( driver->handle, SERVICE_START_PENDING, 0 );
 439 
 440     memset( &environment, 0, sizeof(environment) );
 441     environment.Version = 1;
 442     environment.CleanupGroup = cleanup_group;
 443 
 444     /* don't block the service control handler */
 445     if (!TrySubmitThreadpoolCallback( async_create_driver, driver,
&environment ))
 446         async_create_driver( NULL, driver );
 447 
 448     return STATUS_SUCCESS;
 449 }
--- snip ---

The code was reworked here for async load/unload:
https://source.winehq.org/git/wine.git/commitdiff/440482d2ef31333d1bc3ce15b0aad4ceec60466c

$ sha1sum Tibia_Setup.exe 
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe 
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list