[Bug 44496] New: BattlEye 'BEDaisy' kernel service custom imports resolved can't cope with 'ntoskrnl.exe' low-level (wc)string/copy helpers being forwarded to 'msvcrt.dll'

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Feb 11 07:08:23 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=44496

            Bug ID: 44496
           Summary: BattlEye 'BEDaisy' kernel service custom imports
                    resolved can't cope with 'ntoskrnl.exe' low-level
                    (wc)string/copy helpers being forwarded to
                    'msvcrt.dll'
           Product: Wine
           Version: 3.1
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Follow-up of bug 37355.

Small client to reproduce: http://static.tibia.com/download/Tibia_Setup.exe

NOTE: Due to a regression with service state/transition handling, the kernel
driver service is not started by the helper service anymore (only once upon
installation).
To work around bug 41670, issue the 'wine net stop BEService' command from
another console after the window "Starting BattlEye Service..." shows up and
wait a bit. The app will detect this and restart the helper service, which in
turn will start the kernel service.

Also suffers from bug 38836 later.

--- snip ---
$ pwd
/home/focht/.wine/drive_c/users/focht/Local Settings/Application
Data/Tibia/packages/Tibia/bin

$ WINEDEBUG=+tid,+seh,+ntoskrnl,+winedevice,+process,+loaddll,+relay,+module wine ./client_launcher.exe >>log.txt 2>&1
...
0049:Call ntoskrnl.exe.IoAllocateMdl(00780000,00040409,00000000,00000000,00000000) ret=0080bf37
0049:trace:ntoskrnl:IoAllocateMdl (0x780000, 263177, 0, 0, (nil))
0049:Call ntdll.RtlAllocateHeap(00110000,00000008,00000120) ret=7ecd1460
0049:Ret  ntdll.RtlAllocateHeap() retval=0011cd38 ret=7ecd1460
0049:fixme:ntoskrnl:IoGetCurrentProcess () semi-stub
0049:Ret  ntoskrnl.exe.IoAllocateMdl() retval=0011cd38 ret=0080bf37
0049:Call ntoskrnl.exe.MmProbeAndLockPages(0011cd38,00000000,00000001) ret=0080bf37
0049:fixme:ntoskrnl:MmProbeAndLockPages (0x11cd38, 0, 1): stub
0049:Ret  ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=0080bf37
0049:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011cd38,00000000,00000000,00000001,00000000,00000000) ret=0080bf37
0049:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11cd38, 0, 0, 0x1, 0, 0): stub
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00040409) ret=7ecd4509
0049:Ret  ntdll.RtlAllocateHeap() retval=0011d958 ret=7ecd4509
0049:Call KERNEL32.OpenProcess(001fffff,00000000,00000043) ret=7ecd4534
0049:Ret  KERNEL32.OpenProcess() retval=00000040 ret=7ecd4534
0049:Call KERNEL32.ReadProcessMemory(00000040,00780000,0011d958,00040409,00000000) ret=7ecd4567
0049:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=7ecd4567
0049:Call KERNEL32.CloseHandle(00000040) ret=7ecd458e
0049:Ret  KERNEL32.CloseHandle() retval=00000001 ret=7ecd458e
0049:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache Success!
0049:Ret  ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=0011d958 ret=0080bf37
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00000068) ret=0080bf37
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00000068) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f3a8 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 104 pool 0 -> 0x15f3a8
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f3a8 ret=0080bf37
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f398) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f398) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f354,00000000,0065f350) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f350) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f358,00000000,0065f354) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f354) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
0049:Call ntdll.NtQuerySystemInformation(0000000b,0065f310,00000000,0065f30c) ret=0080732b
0049:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0049:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0049:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ecd3339
0049:Ret  ntdll.RtlAllocateHeap() retval=0015f6d0 ret=7ecd3339
0049:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x15f6d0
0049:Ret  ntoskrnl.exe.ExAllocatePool() retval=0015f6d0 ret=007fe2fc
0049:Call ntdll.NtQuerySystemInformation(0000000b,0015f6d0,00001400,0065f30c) ret=008034e1
0049:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
0049:Call ntoskrnl.exe.ExFreePool(0015f6d0) ret=00803229
0049:trace:ntoskrnl:ExFreePoolWithTag 0x15f6d0
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0015f6d0) ret=7ecd3586
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd3586
0049:Ret  ntoskrnl.exe.ExFreePool() retval=00000001 ret=00803229
--- snip ---

The (heavily obfuscated) kernel driver uses its own custom imports resolver.
It basically walks the module list using 'NtQuerySystemInformation(
SystemModuleInformation, ...)' and processes the export table of 'ntoskrnl.exe'
and later 'fltmgr.sys' in order to resolve some needed functions.

The resolver is rather simplistic and can't deal with Wine's exports being
forwarded to 'msvcrt'; the native Windows kernel doesn't forward them.
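
To show where a name-only resolver of the kind described above goes wrong, here is an added example (not Wine's code and not the driver's) that builds a constructed export section in which 'wcsncmp' and 'memcpy' are forwarder entries, and resolves names using the PE rule that an export RVA falling inside the export directory's range denotes a "dll.func" forwarder string rather than code. The flat RVA-equals-offset layout and the 0x2000 code RVA are assumptions made for the demonstration.

```python
import struct

# IMAGE_EXPORT_DIRECTORY: 40 bytes, little-endian, winnt.h field order.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def build_image(module, exports, base_rva=0x1000):
    # Constructed flat image where RVA == buffer offset (simplification).
    # exports: [(name, code_rva_int | "dll.func" forwarder string), ...]
    n = len(exports)
    funcs = base_rva + EXPORT_DIR.size      # AddressOfFunctions table
    names = funcs + 4 * n                   # AddressOfNames table
    ords = names + 4 * n                    # AddressOfNameOrdinals table
    strs = ords + 2 * n                     # string pool follows the tables
    pool = bytearray()
    def add(s):
        rva = strs + len(pool)
        pool.extend(s.encode() + b"\0")
        return rva
    mod_rva = add(module)
    name_rvas = [add(name) for name, _ in exports]
    # A forwarder's "function address" is the RVA of its "dll.func" string,
    # which lies inside the export directory; a code export points outside.
    func_rvas = [add(t) if isinstance(t, str) else t for _, t in exports]
    size = strs + len(pool) - base_rva
    hdr = EXPORT_DIR.pack(0, 0, 0, 0, mod_rva, 1, n, n, funcs, names, ords)
    body = (hdr + struct.pack(f"<{n}I", *func_rvas)
            + struct.pack(f"<{n}I", *name_rvas)
            + struct.pack(f"<{n}H", *range(n)) + bytes(pool))
    return bytes(base_rva) + body, base_rva, size

def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode()

def resolve(img, dir_rva, dir_size, wanted):
    # Returns ("code", rva), ("forwarder", "dll.func") or None. A resolver
    # that skips the range check hands back the string's RVA as if it were
    # code, which is the failure the report describes.
    f = EXPORT_DIR.unpack_from(img, dir_rva)
    nnames, funcs, names, ords = f[7], f[8], f[9], f[10]
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", img, names + 4 * i)
        if cstr(img, name_rva) != wanted:
            continue
        ordinal, = struct.unpack_from("<H", img, ords + 2 * i)
        target, = struct.unpack_from("<I", img, funcs + 4 * ordinal)
        if dir_rva <= target < dir_rva + dir_size:   # PE forwarder rule
            return ("forwarder", cstr(img, target))
        return ("code", target)
    return None

# Constructed sample mirroring ntoskrnl.exe.spec: two msvcrt forwarders.
IMG, DIR_RVA, DIR_SIZE = build_image("ntoskrnl.exe", [("ExAllocatePool", 0x2000),
    ("wcsncmp", "msvcrt.wcsncmp"), ("memcpy", "msvcrt.memcpy")])
```

A loader that honours the forwarder would next open 'msvcrt' and resolve 'wcsncmp' there; the driver's resolver stops at the first lookup, hence the "procedure entry point wcsncmp could not be located" failure.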

--- snip ---
...
DbgPrint says: The procedure entry point wcsncmp could not be located in the module ntoskrnl.exe
Ret  driver init 0x7fdf6e (obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=c0000183
0049:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11cb58
0049:trace:winedevice:init_driver - DriverInit = 0x7fdf6e
0049:trace:winedevice:init_driver - DriverStartIo = (nil)
0049:trace:winedevice:init_driver - DriverUnload = (nil)
0049:trace:winedevice:init_driver - MajorFunction[0] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[1] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[2] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[3] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[4] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[5] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[6] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[7] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[8] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[9] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[10] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[11] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[12] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[13] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[14] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[15] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[16] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[17] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[18] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[19] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[20] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[21] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[22] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[23] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[24] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[25] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[26] = 0x7ecd1b10
0049:trace:winedevice:init_driver - MajorFunction[27] = 0x7ecd1b10
0049:Call ntdll.RtlFreeUnicodeString(0011cb74) ret=7ecd1d12
0049:Ret  ntdll.RtlFreeUnicodeString() retval=0011cb74 ret=7ecd1d12
0049:Call ntdll.RtlFreeUnicodeString(0011cc0c) ret=7ecd1d26
0049:Ret  ntdll.RtlFreeUnicodeString() retval=0011cc0c ret=7ecd1d26
0049:Call ntdll.RtlFreeHeap(00110000,00000000,0011cb48) ret=7ecd1d46
0049:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecd1d46
0049:Ret  ntoskrnl.exe.IoCreateDriver() retval=c0000183 ret=7effb7fc
0049:err:winedevice:async_create_driver failed to create driver L"BEDaisy": c0000183
--- snip ---

NOTE: This is a similar problem domain to bug 37852 ("Sentinel HASP
'hardlock.sys' kernel driver custom imports resolver can't cope with many
'ntoskrnl.exe' functions being forwarded to 'ntdll.dll' (Minitab 16 fails to
start)"), although this driver requires a much smaller set of (msvcrt)
functions.

* native API (ntdll) -> bug 37852
* msvcrt -> this one

Source:
https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l1484

--- snip ---
1484 @ cdecl -private wcsncmp(wstr wstr long) msvcrt.wcsncmp
--- snip ---

The driver requires the following set of functions not to be forwarded:

* wcsncmp
* _wcsnicmp
* _strnicmp
* memcpy
* memset
* _stricmp

Wine should reimplement the low-level string/copy helpers in 'ntoskrnl' in the
same way as is done for the 'ntdll' core module (NTDLL_foobar).

Source:

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/dlls/ntdll/ntdll.spec#l1457

--- snip ---
1457 @ cdecl -private wcsncmp(wstr wstr long) NTDLL_wcsncmp
--- snip ---

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/dlls/ntdll/wcstring.c#l157

--- snip ---
 157 /*********************************************************************
 158  *           wcsncmp    (NTDLL.@)
 159  */
 160 INT __cdecl NTDLL_wcsncmp( LPCWSTR str1, LPCWSTR str2, INT n )
 161 {
 162     return strncmpW( str1, str2, n );
 163 }
--- snip ---

With these things fixed, the driver runs further - into next problems.

$ sha1sum Tibia_Setup.exe 
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe 
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79

Regards
