[Bug 44500] New: BattlEye 'BEDaisy' kernel service crashes on unimplemented fltmgr.sys functions ( FltRegisterFilter, FltStartFiltering, FltUnregisterFilter)

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Feb 11 08:13:12 CST 2018


https://bugs.winehq.org/show_bug.cgi?id=44500

            Bug ID: 44500
           Summary: BattlEye 'BEDaisy' kernel service crashes on
                    unimplemented fltmgr.sys functions (FltRegisterFilter,
                    FltStartFiltering, FltUnregisterFilter)
           Product: Wine
           Version: 3.1
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: fltmgr
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

continuation of bug 44499

The kernel driver uses multiple methods to implement process
protection/supervision.

* ObRegisterCallbacks
* ObUnRegisterCallbacks
* ObGetFilterVersion 

-> covered by bug 44497

* PsSetCreateProcessNotifyRoutineEx

-> covered by bug 44499

* FltRegisterFilter
* FltStartFiltering
* FltUnregisterFilter 

BattlEye 'BEDaisy' needs semi-stubs. Pure stubs returning
'STATUS_NOT_IMPLEMENTED' are not enough: the driver init routine will fail.

* FltRegisterFilter -> return STATUS_SUCCESS and some dummy handle as "out"
* FltStartFiltering -> return STATUS_SUCCESS
* FltUnregisterFilter -> just empty stub is enough (needed when driver unloads)

With this and all previous bug reports fixed/worked around, the driver init
routine runs to completion and the kernel service starts successfully.
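To make the difference between a pure stub and a semi-stub concrete, here is an added example (my own C model, not Wine's fltmgr.sys code): both variants of the three functions side by side, plus a model of the driver's init path that registers a minifilter and starts filtering, aborting on the first failure. The types (DRIVER_OBJECT, FLT_REGISTRATION, FLT_FILTER) are simplified stand-ins for the real structures, the `_pure`/`_semi` suffixes and `model_driver_entry`/`model_driver_unload` are assumed names, and the NTSTATUS values are the standard ones. One detail worth noting from the trace above: the stub FltRegisterFilter never writes its third (out) parameter, so the value the driver later hands to FltStartFiltering is whatever happened to be in that slot; the semi-stub therefore has to actually store a handle, not just return success.

```c
/* Added example, not Wine's code: fltmgr.sys pure stubs vs. semi-stubs and
 * a model driver init routine showing why only the semi-stubs let it finish.
 * All types are simplified stand-ins for the WDK/Wine definitions. */
#include <stdint.h>
#include <stdlib.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_NOT_IMPLEMENTED        ((NTSTATUS)0xC0000002)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define NT_SUCCESS(s) ((s) >= 0)

/* Opaque stand-ins; the real structures are far larger. */
typedef struct driver_object { const char *name; } DRIVER_OBJECT;
typedef struct flt_registration { uint16_t size; uint16_t version; } FLT_REGISTRATION;

/* The "dummy handle" the semi-stub hands back: just enough state to
 * validate the later FltStartFiltering / FltUnregisterFilter calls. */
typedef struct flt_filter {
    DRIVER_OBJECT *driver;
    const FLT_REGISTRATION *registration;
    int filtering;
} FLT_FILTER, *PFLT_FILTER;

/* --- Pure stubs: the behaviour the report says is not enough --- */
NTSTATUS FltRegisterFilter_pure(DRIVER_OBJECT *drv, const FLT_REGISTRATION *reg, PFLT_FILTER *out)
{
    (void)drv; (void)reg; (void)out;      /* *out is never written */
    return STATUS_NOT_IMPLEMENTED;
}
NTSTATUS FltStartFiltering_pure(PFLT_FILTER f) { (void)f; return STATUS_NOT_IMPLEMENTED; }
void     FltUnregisterFilter_pure(PFLT_FILTER f) { (void)f; }

/* --- Semi-stubs as the report proposes --- */
NTSTATUS FltRegisterFilter_semi(DRIVER_OBJECT *drv, const FLT_REGISTRATION *reg, PFLT_FILTER *out)
{
    PFLT_FILTER f;
    if (!drv || !reg || !out) return STATUS_INVALID_PARAMETER;
    f = calloc(1, sizeof(*f));
    if (!f) return STATUS_INSUFFICIENT_RESOURCES;
    f->driver = drv;
    f->registration = reg;
    *out = f;                             /* always hand back a real handle */
    return STATUS_SUCCESS;
}
NTSTATUS FltStartFiltering_semi(PFLT_FILTER f)
{
    if (!f) return STATUS_INVALID_PARAMETER;
    f->filtering = 1;
    return STATUS_SUCCESS;
}
void FltUnregisterFilter_semi(PFLT_FILTER f)
{
    if (!f) return;                       /* an empty stub would also do here */
    f->filtering = 0;
    free(f);
}

/* Function table so the same model init path can run against either set. */
typedef struct flt_api {
    NTSTATUS (*register_filter)(DRIVER_OBJECT *, const FLT_REGISTRATION *, PFLT_FILTER *);
    NTSTATUS (*start_filtering)(PFLT_FILTER);
    void     (*unregister_filter)(PFLT_FILTER);
} flt_api;

static const flt_api pure_stubs = { FltRegisterFilter_pure, FltStartFiltering_pure, FltUnregisterFilter_pure };
static const flt_api semi_stubs = { FltRegisterFilter_semi, FltStartFiltering_semi, FltUnregisterFilter_semi };

/* Model of the driver's init path (assumed, not BEDaisy's real code):
 * register the minifilter, start filtering, bail out on the first failure.
 * On success the handle is returned via *filter for the unload routine. */
NTSTATUS model_driver_entry(const flt_api *api, DRIVER_OBJECT *drv, PFLT_FILTER *filter)
{
    static const FLT_REGISTRATION reg = { sizeof(FLT_REGISTRATION), 0x0200 };
    NTSTATUS st;
    *filter = NULL;
    st = api->register_filter(drv, &reg, filter);
    if (!NT_SUCCESS(st)) return st;       /* pure stub fails here */
    st = api->start_filtering(*filter);
    if (!NT_SUCCESS(st)) {
        api->unregister_filter(*filter);
        *filter = NULL;
        return st;
    }
    return STATUS_SUCCESS;
}

void model_driver_unload(const flt_api *api, PFLT_FILTER filter)
{
    api->unregister_filter(filter);
}

int main(void)
{
    DRIVER_OBJECT drv = { "BEDaisy" };   /* constructed sample driver object */
    PFLT_FILTER f = NULL;
    int pure_ok = NT_SUCCESS(model_driver_entry(&pure_stubs, &drv, &f));
    int semi_ok = NT_SUCCESS(model_driver_entry(&semi_stubs, &drv, &f));
    if (semi_ok) model_driver_unload(&semi_stubs, f);
    return (pure_ok || !semi_ok) ? 1 : 0; /* expect: pure fails, semi succeeds */
}
```

Run stand-alone, the program exits 0 only when the pure stubs make the model init fail and the semi-stubs let it complete, which is the same dependency the trace above shows between fltmgr's return values and the driver reaching its successful `Ret driver init`.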

Proof:

--- snip ---
...
0048:trace:winedevice:load_driver loading driver L"C:\\Program Files\\Common Files\\BattlEye\\BEDaisy.sys"
...
0048:trace:module:process_attach (L"BEDaisy.sys",(nil)) - END
0048:Ret  KERNEL32.LoadLibraryW() retval=00780000 ret=7effaa20 
...
0048:trace:winedevice:load_driver_module L"C:\\Program Files\\Common Files\\BattlEye\\BEDaisy.sys": relocating from 0x400000 to 0x780000
...
0048:Call driver init 0x7fdf6e (obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy")
0048:Call
--- snip ---

Map the driver image via Mdl in order to hot-patch.

--- snip ---
...
ntoskrnl.exe.IoAllocateMdl(00780000,00040409,00000000,00000000,00000000)
ret=0080bf37
0048:trace:ntoskrnl:IoAllocateMdl (0x780000, 263177, 0, 0, (nil))
0048:Call ntdll.RtlAllocateHeap(00110000,00000008,00000120) ret=7ecdf800
0048:Ret  ntdll.RtlAllocateHeap() retval=0011cd38 ret=7ecdf800
0048:fixme:ntoskrnl:IoGetCurrentProcess () semi-stub
0048:Ret  ntoskrnl.exe.IoAllocateMdl() retval=0011cd38 ret=0080bf37
0048:Call ntoskrnl.exe.MmProbeAndLockPages(0011cd38,00000000,00000001) ret=0080bf37
0048:fixme:ntoskrnl:MmProbeAndLockPages (0x11cd38, 0, 1): stub
0048:Ret  ntoskrnl.exe.MmProbeAndLockPages() retval=0000003f ret=0080bf37
0048:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(0011cd38,00000000,00000000,00000001,00000000,00000000) ret=0080bf37
0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x11cd38, 0, 0, 0x1, 0, 0): stub
0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00040409) ret=7ece28a9
0048:Ret  ntdll.RtlAllocateHeap() retval=0011d978 ret=7ece28a9
0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece28d4
0048:Ret  KERNEL32.OpenProcess() retval=00000040 ret=7ece28d4
0048:Call KERNEL32.ReadProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2907
0048:Ret  KERNEL32.ReadProcessMemory() retval=00000001 ret=7ece2907
0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2929
0048:Ret  KERNEL32.CloseHandle() retval=00000001 ret=7ece2929
0048:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache Success!
0048:Ret  ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=0011d978 ret=0080bf37
--- snip ---

Manually resolve 'ntoskrnl.exe' and other module imports. Most activity is
invisible from any trace log (walking in-memory lists, obfuscated strings).

--- snip ---
0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f350) ret=008034e1
0048:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
...
0048:Call ntdll.NtQuerySystemInformation(0000000b,0065f39c,00000000,0065f398) ret=0080732b
0048:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=0080732b
0048:Call ntoskrnl.exe.ExAllocatePool(00000000,00001400) ret=007fe2fc
0048:Call ntdll.RtlAllocateHeap(00110000,00000000,00001400) ret=7ece16d9
0048:Ret  ntdll.RtlAllocateHeap() retval=008100a0 ret=7ece16d9
0048:trace:ntoskrnl:ExAllocatePoolWithTag 5120 pool 0 -> 0x8100a0
0048:Ret  ntoskrnl.exe.ExAllocatePool() retval=008100a0 ret=007fe2fc
0048:Call ntdll.NtQuerySystemInformation(0000000b,008100a0,00001400,0065f398) ret=008034e1
0048:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=008034e1
...
--- snip ---

Commit the changes to the memory image -> 'MmUnlockPages'.

--- snip ---
...
0048:Call ntoskrnl.exe.MmUnlockPages(0011cd38) ret=0080bf37
0048:fixme:ntoskrnl:MmUnlockPages (0x11cd38): stub
0048:Call KERNEL32.OpenProcess(001fffff,00000000,00000042) ret=7ece2be8
0048:Ret  KERNEL32.OpenProcess() retval=00000040 ret=7ece2be8
0048:Call KERNEL32.WriteProcessMemory(00000040,00780000,0011d978,00040409,00000000) ret=7ece2c17
0048:Ret  KERNEL32.WriteProcessMemory() retval=00000001 ret=7ece2c17
0048:Call KERNEL32.CloseHandle(00000040) ret=7ece2c25
0048:Ret  KERNEL32.CloseHandle() retval=00000001 ret=7ece2c25
0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011d978) ret=7ece2c45
0048:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ece2c45
0048:fixme:ntoskrnl:MmUnlockPages Success!
0048:Ret  ntoskrnl.exe.MmUnlockPages() retval=0000002b ret=0080bf37
0048:Call ntoskrnl.exe.IoFreeMdl(0011cd38) ret=0080bf37
0048:trace:ntoskrnl:IoFreeMdl 0x11cd38
0048:Call ntdll.RtlFreeHeap(00110000,00000000,0011cd38) ret=7ecdf8fa
0048:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7ecdf8fa
0048:Ret  ntoskrnl.exe.IoFreeMdl() retval=00000001 ret=0080bf37 
...
--- snip ---

Register object manager/process/mini driver callbacks and create driver
symlinks.

--- snip ---
...
0048:Call ntoskrnl.exe.ObGetFilterVersion() ret=0078c6be
0048:fixme:ntoskrnl:ObGetFilterVersion stub
0048:Ret  ntoskrnl.exe.ObGetFilterVersion() retval=00000100 ret=0078c6be
0048:Call ntoskrnl.exe.KeInitializeMutex(00785020,00000000) ret=0079e1f6
0048:fixme:ntoskrnl:KeInitializeMutex stub: 0x785020, 0
0048:Ret  ntoskrnl.exe.KeInitializeMutex() retval=00000038 ret=0079e1f6
0048:Call ntoskrnl.exe.IoCreateDevice(0011cb58,00000000,0065f1a8,00000022,00000000,00000000,0065f1e8) ret=007a2653
0048:trace:ntoskrnl:IoCreateDevice (0x11cb58, 0, L"\\Device\\BattlEye", 34, 0, 0, 0x65f1e8)
...
0048:Ret  ntoskrnl.exe.IoCreateDevice() retval=00000000 ret=007a2653
0048:Call ntoskrnl.exe.IoCreateSymbolicLink(0065f1cc,0065f1a8) ret=007a2834
0048:trace:ntoskrnl:IoCreateSymbolicLink L"\\DosDevices\\BattlEye" -> L"\\Device\\BattlEye"
0048:Call ntdll.NtCreateSymbolicLinkObject(0065f064,000f0001,0065f04c,0065f1a8) ret=7ece06af
0048:Ret  ntdll.NtCreateSymbolicLinkObject() retval=00000000 ret=7ece06af
0048:Ret  ntoskrnl.exe.IoCreateSymbolicLink() retval=00000000 ret=007a2834
0048:Call ntoskrnl.exe.KeWaitForSingleObject(00785020,00000000,00000000,00000000,00000000) ret=007b8643
0048:fixme:ntoskrnl:KeWaitForSingleObject stub: 0x785020, 0, 0, 0, (nil)
0048:Ret  ntoskrnl.exe.KeWaitForSingleObject() retval=c0000002 ret=007b8643
0048:Call ntdll.RtlInitUnicodeString(0065f0c8,00783a7c L"363220") ret=00794e44
0048:Ret  ntdll.RtlInitUnicodeString() retval=0065f0c8 ret=00794e44
0048:Call ntoskrnl.exe.ObRegisterCallbacks(0065f0c4,00785040) ret=007b869d
0048:fixme:ntoskrnl:ObRegisterCallbacks : stub
0048:Ret  ntoskrnl.exe.ObRegisterCallbacks() retval=00000000 ret=007b869d
0048:Call ntoskrnl.exe.KeReleaseMutex(00785020,00000000) ret=007a4ee7
0048:fixme:ntoskrnl:KeReleaseMutex stub: 0x785020, 0
0048:Ret  ntoskrnl.exe.KeReleaseMutex() retval=c0000002 ret=007a4ee7
0048:Call ntoskrnl.exe.PsSetLoadImageNotifyRoutine(007817a0) ret=00797911
0048:fixme:ntoskrnl:PsSetLoadImageNotifyRoutine (0x7817a0) stub
0048:Ret  ntoskrnl.exe.PsSetLoadImageNotifyRoutine() retval=00000000 ret=00797911
0048:Call ntoskrnl.exe.PsSetCreateThreadNotifyRoutine(007811c4) ret=0079e1fb
0048:fixme:ntoskrnl:PsSetCreateThreadNotifyRoutine stub: 0x7811c4
0048:Ret  ntoskrnl.exe.PsSetCreateThreadNotifyRoutine() retval=00000000 ret=0079e1fb
0048:Call ntoskrnl.exe.memset(0065f108,00000000,00000038) ret=007b63ab
0048:Ret  ntoskrnl.exe.memset() retval=0065f108 ret=007b63ab
0048:Call fltmgr.sys.FltRegisterFilter(0011cb58,0065f108,00785500) ret=007afad8
0048:fixme:fltmgr:FltRegisterFilter  (0x11cb58, 0x65f108): stub
...
0048:Ret  fltmgr.sys.FltRegisterFilter() retval=00000000 ret=007afad8
0048:Call fltmgr.sys.FltStartFiltering(0011d978) ret=00795697
0048:fixme:fltmgr:FltStartFiltering  (0x11d978): stub
0048:Ret  fltmgr.sys.FltStartFiltering() retval=00000000 ret=00795697
0048:Call ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx(00781aba,00000000) ret=0079d0f5
0048:fixme:ntoskrnl:PsSetCreateProcessNotifyRoutineEx stub: 0x781aba 0
0048:Ret  ntoskrnl.exe.PsSetCreateProcessNotifyRoutineEx() retval=00000000 ret=0079d0f5
...
--- snip ---

Driver init successful return:

--- snip ---
...
0048:Call ntdll.RtlInitUnicodeString(0065f190,0065f444 L"\\Driver") ret=0078ee45
0048:Ret  ntdll.RtlInitUnicodeString() retval=0065f190 ret=0078ee45
0048:Call ntdll.ZwOpenDirectoryObject(0065f1c8,00000001,0065f1b0) ret=0079a425
0048:Ret  ntdll.ZwOpenDirectoryObject() retval=00000000 ret=0079a425
0048:Call ntdll.ZwQueryDirectoryObject(00000048,0065f1f4,00000100,00000001,00000000,0065f458,00000000) ret=007a78fb
0048:Ret  ntdll.ZwQueryDirectoryObject() retval=8000001a ret=007a78fb
0048:Call ntdll.ZwClose(00000048) ret=00795dcc
0048:Ret  ntdll.ZwClose() retval=00000000 ret=00795dcc
0048:Ret  driver init 0x7fdf6e (obj=0x11cb58,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BEDaisy") retval=00000000
0048:trace:winedevice:init_driver init done for L"BEDaisy" obj 0x11cb58
0048:trace:winedevice:init_driver - DriverInit = 0x7fdf6e
0048:trace:winedevice:init_driver - DriverStartIo = (nil)
0048:trace:winedevice:init_driver - DriverUnload = 0x781de8
0048:trace:winedevice:init_driver - MajorFunction[0] = 0x781dc4
0048:trace:winedevice:init_driver - MajorFunction[1] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[2] = 0x781d54
0048:trace:winedevice:init_driver - MajorFunction[3] = 0x7820c2
0048:trace:winedevice:init_driver - MajorFunction[4] = 0x7829b4
0048:trace:winedevice:init_driver - MajorFunction[5] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[6] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[7] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[8] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[9] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[10] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[11] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[12] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[13] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[14] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[15] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[16] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[17] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[18] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[19] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[20] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[21] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[22] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[23] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[24] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[25] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[26] = 0x7ecdfeb0
0048:trace:winedevice:init_driver - MajorFunction[27] = 0x7ecdfeb0
0048:Ret  ntoskrnl.exe.IoCreateDriver() retval=00000000 ret=7effb7c8
0048:Call ntoskrnl.exe.ObReferenceObjectByName(0065fdc0,00000040,00000000,00000000,00000000,00000000,00000000,0065fdc8) ret=7effb852
0048:trace:ntoskrnl:ObReferenceObjectByName mostly-stub:L"\\Driver\\BEDaisy" 64 (nil) 0 (nil) 0 (nil) 0x65fdc8
...
0048:Ret  ntoskrnl.exe.ObReferenceObjectByName() retval=00000000 ret=7effb852
...
0048:Call advapi32.SetServiceStatus(0011b788,0065fd84) ret=7effb41b
...
0048:Ret  advapi32.SetServiceStatus() retval=00000001 ret=7effb41b 
--- snip ---

NOTE:

This doesn't really make BattlEye functional. It enables both services to run
and prevents the initial driver service crashes/errors (2).

The "Tibia" client I used to test with
(http://static.tibia.com/download/Tibia_Setup.exe) still reports BattlEye not
working properly.

--- snip ---
...
[ 11:53:26,282 ] BattlEye: "Initialized (v1.243)"
[ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171"  (unprotected: "tcp://tibia-pool-eu.ciproxy.com:7171" )  requested (Charakter "Da Beef" )
[ 11:53:26,374 ] Request connection to gameserver "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora"
[ 11:53:26,405 ] Connected to gameserver  "tcp://tibia-ip-eu.ciproxy.com:7171" "Damora"
[ 11:53:26,637 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State)
[ 11:53:26,691 ] QObject::connect: Cannot connect (null)::stateChanged(QNetworkSession::State) to QNetworkReplyHttpImpl::_q_networkSessionStateChanged(QNetworkSession::State)
[ 11:53:27,317 ] BattlEye: "Restarting client is necessary, service isn't running properly"
[ 11:53:27,318 ] BattlEye: "Restarting client is necessary, update required"
...
--- snip ---

I have no intention of looking further unless there is some progress on previous
tickets.

$ sha1sum Tibia_Setup.exe 
50951008ccc402cc32407bfc56a88da873e3e9bd  Tibia_Setup.exe

$ du -sh Tibia_Setup.exe 
5.2M    Tibia_Setup.exe

$ wine --version
wine-3.1-193-g354fa7eb79

Regards
