[Bug 44499] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented function ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx
wine-bugs at winehq.org
wine-bugs at winehq.org
Sun Feb 11 07:42:50 CST 2018
https://bugs.winehq.org/show_bug.cgi?id=44499
Bug ID: 44499
Summary: BattlEye 'BEDaisy' kernel service crashes on
unimplemented function
ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx
Product: Wine
Version: 3.1
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntoskrnl
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
continuation of bug 44497
The kernel driver uses multiple methods to implement process
protection/supervision.
* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion
-> covered by bug 44497
Another method:
* PsSetCreateProcessNotifyRoutineEx
Example kernel driver code to show how the API is being used:
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obcallback
--- quote ---
ObCallback Callback Registration Driver
The ObCallback sample driver demonstrates the use of registered callbacks for
process protection. The driver registers control callbacks which are called at
process creation.
Design and Operation
The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the
ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks
routine and a callback to restrict requested access rights during a open
process action. The second example uses the PsSetCreateProcessNotifyRoutineEx
routine to reject a process creation by examining the command line.
--- quote ---
Another article:
https://malwaretips.com/threads/av-self-protection-process-c-c.66200/
For BattlEye 'BEDaisy' service to succeed the driver init routine it is enough
to implement a stub for 'PsSetCreateProcessNotifyRoutineEx' like it was done
with 'PsSetCreateProcessNotifyRoutine' -> return STATUS_SUCCESS
https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/dlls/ntoskrnl.exe/ntoskrnl.c#l2381
--- snip ---
2381 /***********************************************************************
2382 * PsSetCreateProcessNotifyRoutine (NTOSKRNL.EXE.@)
2383 */
2384 NTSTATUS WINAPI PsSetCreateProcessNotifyRoutine(
PCREATE_PROCESS_NOTIFY_ROUTINE callback, BOOLEAN remove )
2385 {
2386 FIXME( "stub: %p %d\n", callback, remove );
2387 return STATUS_SUCCESS;
2388 }
--- snip ---
$ sha1sum Tibia_Setup.exe
50951008ccc402cc32407bfc56a88da873e3e9bd Tibia_Setup.exe
$ du -sh Tibia_Setup.exe
5.2M Tibia_Setup.exe
$ wine --version
wine-3.1-193-g354fa7eb79
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
More information about the wine-bugs
mailing list