[Bug 44499] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented function ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Feb 11 07:42:50 CST 2018 

https://bugs.winehq.org/show_bug.cgi?id=44499

            Bug ID: 44499
           Summary: BattlEye 'BEDaisy' kernel service crashes on
                    unimplemented function
                    ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx
           Product: Wine
           Version: 3.1
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

continuation of bug 44497

The kernel driver uses multiple methods to implement process
protection/supervision.

* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion 

-> covered by bug 44497

Another method:

* PsSetCreateProcessNotifyRoutineEx

Example kernel driver code to show how the API is being used:

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obcallback

--- quote ---
ObCallback Callback Registration Driver

The ObCallback sample driver demonstrates the use of registered callbacks for
process protection. The driver registers control callbacks which are called at
process creation.
Design and Operation

The sample exercises both the PsSetCreateProcessNotifyRoutineEx and the
ObRegisterCallbacks routines. The first example uses the ObRegisterCallbacks
routine and a callback to restrict requested access rights during a open
process action. The second example uses the PsSetCreateProcessNotifyRoutineEx
routine to reject a process creation by examining the command line.
--- quote ---

Another article:

https://malwaretips.com/threads/av-self-protection-process-c-c.66200/

For BattlEye 'BEDaisy' service to succeed the driver init routine it is enough
to implement a stub for 'PsSetCreateProcessNotifyRoutineEx' like it was done
with 'PsSetCreateProcessNotifyRoutine' -> return STATUS_SUCCESS

https://source.winehq.org/git/wine.git/blob/354fa7eb7921c3317e7943c18871febe5570dd52:/dlls/ntoskrnl.exe/ntoskrnl.c#l2381

--- snip ---
2381 /***********************************************************************
2382  *           PsSetCreateProcessNotifyRoutine   (NTOSKRNL.EXE.@)
2383  */
2384 NTSTATUS WINAPI PsSetCreateProcessNotifyRoutine(
PCREATE_PROCESS_NOTIFY_ROUTINE callback, BOOLEAN remove )
2385 {
2386     FIXME( "stub: %p %d\n", callback, remove );
2387     return STATUS_SUCCESS;
2388 }
--- snip ---

$ sha1sum Tibia_Setup.exe 
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe 
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list