[Bug 47047] New: 64-bit MRAC Anti-Cheat (My.Com Warface) kernel service crashes in driver entry point due to missing 'ntoskrnl.exe.MmGetPhysicalAddress' stub

wine-bugs at winehq.org
Fri Apr 19 09:20:25 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=47047

            Bug ID: 47047
           Summary: 64-bit MRAC Anti-Cheat (My.Com Warface) kernel service
                    crashes in driver entry point due to missing
                    'ntoskrnl.exe.MmGetPhysicalAddress' stub
           Product: Wine
           Version: 4.6
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntoskrnl
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

Continuation of bug 47044.

Download:

https://web.archive.org/web/20190331063634/http://static.gc.my.com/WarfaceMycomLoader.exe#0.7927247509897362

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl notepad >>log.txt 2>&1 &

$ wine net start mracdrv
The MRAC Driver service is starting.
No system resources.

...
00a3:Call driver init 0x140098005 (obj=0x27980,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\mracdrv")
...
00a3:Call ntoskrnl.exe.MmGetSystemRoutineAddress(0002ad38) ret=14062f1a6
...
00a3:Call KERNEL32.GetModuleHandleW(7efc0ebad580 L"ntoskrnl.exe") ret=7efc0eb9b3bc
00a3:Ret  KERNEL32.GetModuleHandleW() retval=7efc0eb80000 ret=7efc0eb9b3bc
00a3:Call KERNEL32.GetProcAddress(7efc0eb80000,00010eb0 "MmGetPhysicalAddress") ret=7efc0eb9b3c9
00a3:Ret  KERNEL32.GetProcAddress() retval=7efc0eb85328 ret=7efc0eb9b3c9
...
00a3:trace:ntoskrnl:MmGetSystemRoutineAddress L"MmGetPhysicalAddress" -> 0x7efc0eb85328
00a3:Ret  ntoskrnl.exe.MmGetSystemRoutineAddress() retval=7efc0eb85328 ret=14062f1a6
...
00a3:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00032030) ret=140998163
00a3:Call ntdll.RtlInterlockedPushEntrySList(140091f80,00032030) ret=7bc8de4f
00a3:Ret  ntdll.RtlInterlockedPushEntrySList() retval=0002ce10 ret=7bc8de4f
00a3:Ret  ntoskrnl.exe.ExpInterlockedPushEntrySList() retval=0002ce10 ret=140998163
00a3:Call KERNEL32.RaiseException(80000100,00000001,00000002,0032f340) ret=7efc0eba5b29
00a3:trace:seh:NtRaiseException code=80000100 flags=1 addr=0x7b452d3c ip=7b452d3c tid=00a3
00a3:trace:seh:NtRaiseException  info[0]=00007efc0eba5b4d
00a3:trace:seh:NtRaiseException  info[1]=00007efc0eba877c
00a3:trace:seh:call_vectored_handlers calling handler at 0x7efc0eb8d4e0 code=80000100 flags=1
00a3:trace:seh:call_vectored_handlers handler at 0x7efc0eb8d4e0 returned 0
wine: Call from 0x7b452d3c to unimplemented function ntoskrnl.exe.MmGetPhysicalAddress, aborting
...
--- snip ---

Microsoft docs:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-mmgetphysicaladdress

Wine source:

https://source.winehq.org/git/wine.git/blob/HEAD:/dlls/ntoskrnl.exe/ntoskrnl.exe.spec#l690

--- snip ---
 690 @ stub MmGetPhysicalAddress
--- snip ---

Returning PHYSICAL_ADDRESS with PhysicalAddress.QuadPart == 0 won't do any
good. You have to return a non-zero address. It seems the address is located
within a non-paged pool allocation (8 KB) some calls earlier. I used kva == pa
(1:1) mapping to keep it happy.
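
The following is an added example, not Wine's code and not the driver's: it models, in plain user-space C, why a zero `PHYSICAL_ADDRESS` from the stub makes the driver entry point fail with c000009a (STATUS_INSUFFICIENT_RESOURCES, the "No system resources" shown by `net start`) while an identity (kva == pa) stub lets it continue. The `driver_probe_pool` routine is a hypothetical reconstruction of the driver-side check inferred from the log (8 KB pool allocation, first page-aligned address inside it passed to `MmGetPhysicalAddress`, zero treated as failure); the real driver logic is not on the page. The type definitions are stand-ins shaped like the Windows ones, not Wine's headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Minimal stand-ins for the ntoskrnl types involved.  These are NOT Wine's
 * headers; they only mirror the shape of PHYSICAL_ADDRESS (a LARGE_INTEGER)
 * and the two NTSTATUS codes visible in the bug report.
 */
typedef union {
    struct { uint32_t LowPart; int32_t HighPart; } u;
    int64_t QuadPart;
} PHYSICAL_ADDRESS;

typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009Au  /* "No system resources" */

#define PAGE_SIZE 0x1000u
#define POOL_SIZE 0x2000u   /* the 8 KB ExAllocatePoolWithTag seen in the log */

/* Naive stub: always reports physical address 0 (the variant that "won't do any good"). */
PHYSICAL_ADDRESS MmGetPhysicalAddress_zero(void *va)
{
    PHYSICAL_ADDRESS pa;
    (void)va;
    pa.QuadPart = 0;
    return pa;
}

/* Identity (kva == pa) stub: hand back the virtual address as the physical one. */
PHYSICAL_ADDRESS MmGetPhysicalAddress(void *va)
{
    PHYSICAL_ADDRESS pa;
    pa.QuadPart = (int64_t)(uintptr_t)va;
    fprintf(stderr, "fixme:ntoskrnl:MmGetPhysicalAddress stub: %p -> 0x%llx\n",
            va, (unsigned long long)pa.QuadPart);
    return pa;
}

typedef PHYSICAL_ADDRESS (*get_pa_fn)(void *);

/*
 * Hypothetical model of the driver-side check (the real driver code is not on
 * the page): allocate the 8 KB pool, pick the first page-aligned address inside
 * it (0x372e0 -> 0x38000 in the log), translate it, and treat a zero physical
 * address as a fatal resource error.
 */
NTSTATUS driver_probe_pool(get_pa_fn get_pa)
{
    unsigned char *pool = malloc(POOL_SIZE);
    if (!pool)
        return STATUS_INSUFFICIENT_RESOURCES;

    uintptr_t start   = (uintptr_t)pool;
    uintptr_t aligned = (start + PAGE_SIZE - 1) & ~(uintptr_t)(PAGE_SIZE - 1);
    NTSTATUS status   = STATUS_SUCCESS;

    /* cannot fail for an 8 KB block (it always holds one full 4 KB page); kept as a sanity check */
    if (aligned + PAGE_SIZE > start + POOL_SIZE)
        status = STATUS_INSUFFICIENT_RESOURCES;
    else if (get_pa((void *)aligned).QuadPart == 0)
        status = STATUS_INSUFFICIENT_RESOURCES;

    free(pool);
    return status;
}

/* Returns 1 when the identity stub maps an address to itself. */
int identity_holds(void)
{
    static int probe;
    return MmGetPhysicalAddress(&probe).QuadPart == (int64_t)(uintptr_t)&probe;
}

int main(void)
{
    printf("zero stub:     0x%08x\n", driver_probe_pool(MmGetPhysicalAddress_zero));
    printf("identity stub: 0x%08x\n", driver_probe_pool(MmGetPhysicalAddress));
    return 0;
}
```

The identity stub is only a workaround to get past the entry point: in a real kernel the translation goes through the page tables, and code that later hands the "physical" address to hardware or an MDL path would still be working with a fiction, which is why the rest of the log shows the MDL routines as stubs too.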

--- snip ---
...
0031:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000000,00002000,4943414d) ret=140ab5668
0031:Call ntdll.RtlAllocateHeap(00010000,00000000,00002000) ret=7f5fb4aec158
0031:Ret  ntdll.RtlAllocateHeap() retval=000372e0 ret=7f5fb4aec158
0031:trace:ntoskrnl:ExAllocatePoolWithTag 8192 pool 0 -> 0x372e0
0031:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=000372e0 ret=140ab5668 
...
0031:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00031ff0) ret=140998163
0031:Call ntdll.RtlInterlockedPushEntrySList(140091f80,00031ff0) ret=7bc8de4f
0031:Ret  ntdll.RtlInterlockedPushEntrySList() retval=0002cdd0 ret=7bc8de4f
0031:Ret  ntoskrnl.exe.ExpInterlockedPushEntrySList() retval=0002cdd0 ret=140998163
0031:Call ntoskrnl.exe.MmGetPhysicalAddress(00038000) ret=1403a839c
0031:fixme:ntoskrnl:MmGetPhysicalAddress stub: 0x38000
0031:Ret  ntoskrnl.exe.MmGetPhysicalAddress() retval=00038000 ret=1403a839c
0031:Call ntoskrnl.exe.ExpInterlockedPopEntrySList(140091f80) ret=14008d019
0031:Call ntdll.RtlInterlockedPopEntrySList(140091f80) ret=7bc8de4f
0031:Ret  ntdll.RtlInterlockedPopEntrySList() retval=00031ff0 ret=7bc8de4f
0031:Ret  ntoskrnl.exe.ExpInterlockedPopEntrySList() retval=00031ff0 ret=14008d019
0031:Call ntoskrnl.exe.ExpInterlockedPushEntrySList(140091f80,00031ff0) ret=140ab62ab
...
0031:Call ntoskrnl.exe.IoAllocateMdl(00038000,00001000,00000000,00000000,00000000) ret=140f3d8e4
0031:trace:ntoskrnl:IoAllocateMdl (0x38000, 4096, 0, 0, (nil))
0031:Call ntdll.RtlAllocateHeap(00010000,00000008,00000034) ret=7f5fb4aef514
0031:Ret  ntdll.RtlAllocateHeap() retval=00027af0 ret=7f5fb4aef514
0031:Ret  ntoskrnl.exe.IoAllocateMdl() retval=00027af0 ret=140f3d8e4 
...
0031:Call ntoskrnl.exe.MmProbeAndLockPages(00027af0,00000000,00000000) ret=1403e3800
0031:fixme:ntoskrnl:MmProbeAndLockPages (0x27af0, 0, 0): stub
0031:Ret  ntoskrnl.exe.MmProbeAndLockPages() retval=0000003e ret=1403e3800 
...
0031:Call ntoskrnl.exe.MmMapLockedPagesSpecifyCache(00027af0,00000000,00000001,00000000,00000000,00000010) ret=140a50460
0031:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (0x27af0, 0, 1, (nil), 0, 16): stub
0031:Ret  ntoskrnl.exe.MmMapLockedPagesSpecifyCache() retval=00000000 ret=140a50460
...
0031:Call ntoskrnl.exe.MmUnlockPages(00027af0) ret=140d4aa34
0031:fixme:ntoskrnl:MmUnlockPages (0x27af0): stub
0031:Ret  ntoskrnl.exe.MmUnlockPages() retval=00000032 ret=140d4aa34
...
0031:Call ntoskrnl.exe.IoFreeMdl(00027af0) ret=140ea7c48
0031:trace:ntoskrnl:IoFreeMdl 0x27af0
0031:Call ntdll.RtlFreeHeap(00010000,00000000,00027af0) ret=7f5fb4aef6ef
0031:Ret  ntdll.RtlFreeHeap() retval=00000001 ret=7f5fb4aef6ef
0031:Ret  ntoskrnl.exe.IoFreeMdl() retval=00000001 ret=140ea7c48 
...
0033:Call ntoskrnl.exe.PsTerminateSystemThread(00000000) ret=1400112a1
0033:trace:ntoskrnl:PsTerminateSystemThread status 0.
0033:Call KERNEL32.ExitThread(00000000) ret=7f5fb4af90ee 
...
0031:Ret  ntdll.NtWaitForMultipleObjects() retval=00000000 ret=7f5fb4afeec1 
...
0031:Ret  driver init 0x140098005 (obj=0x27940,str=L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\mracdrv") retval=c000009a
...
0031:trace:ntoskrnl:init_driver init done for L"mracdrv" obj 0x27940
0031:trace:ntoskrnl:init_driver - DriverInit = 0x140098005
0031:trace:ntoskrnl:init_driver - DriverStartIo = (nil)
0031:trace:ntoskrnl:init_driver - DriverUnload = 0x1400291c0
0031:trace:ntoskrnl:init_driver - MajorFunction[0] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[1] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[2] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[3] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[4] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[5] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[6] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[7] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[8] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[9] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[10] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[11] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[12] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[13] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[14] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[15] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[16] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[17] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[18] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[19] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[20] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[21] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[22] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[23] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[24] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[25] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[26] = 0x1400291d4
0031:trace:ntoskrnl:init_driver - MajorFunction[27] = 0x7f5fb4af35c0
0031:trace:ntoskrnl:ObDereferenceObject (0x27940) ref=0
...
0031:err:ntoskrnl:ZwLoadDriver failed to create driver L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\mracdrv": c000009a
...
--- snip ---

That's bug 37355.

$ sha1sum WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe
b07e87a029d6697ad823dc03fdbf297c406a91b9  WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe

$ du -sh WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe 
6.8M    WarfaceMycomLoader_805e0da40d16630c2fe73ed12399cb48_.exe

$ wine --version
wine-4.6-61-g085e58878f

Regards
