[Bug 48268] ESEA Client - anti-cheat software detects system monitor (debugger) and refuses to start.

WineHQ Bugzilla wine-bugs at winehq.org
Wed Dec 11 11:38:39 CST 2019


https://bugs.winehq.org/show_bug.cgi?id=48268

Paul Gofman <gofmanp at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gofmanp at gmail.com

--- Comment #1 from Paul Gofman <gofmanp at gmail.com> ---
Created attachment 65941
  --> https://bugs.winehq.org/attachment.cgi?id=65941
PoC patch

At this point it wants a K32QueryWorkingSetEx() implementation, or otherwise
NtQueryVirtualMemory(... MemoryWorkingSetList), which K32QueryWorkingSetEx()
calls for the actual work. As far as I could guess, MemoryWorkingSetList is
similar to MemoryWorkingSetExInformation stubbed in staging, but the stub return
value which is currently there is not enough. I am attaching the patch which
seems to make the Esea client happy at this stage.

But it fails later when its rootkit driver ESEADriver2.sys fails to initialize.
Maybe that is due to a bunch of functions it is calling being stubs:

> ...
> 003d:fixme:ntoskrnl:MmProbeAndLockPages (00000000005C4CD0, 0, 1): stub
> 003d:fixme:ntoskrnl:MmMapLockedPagesSpecifyCache (00000000005C4CD0, 0, 1, 0000000000000000, 0, 32): stub
> 003d:fixme:ntoskrnl:MmUnlockPages (00000000005C4CD0): stub
> 003d:trace:ntoskrnl:IoFreeMdl 00000000005C4CD0
> DbgPrint says: Initialization error 1

Please note that the Esea client was some (rather long) time ago spotted mining
bitcoins on clients' computers [1], so it used to be basically malware. So I
would recommend always keeping it in a separate Wine prefix and taking other
reasonable precautions when using it, like running it at least as a separate
user without access to sensitive data, so that it is easy to kill any
potentially leftover processes.

1.
https://www.reddit.com/r/GlobalOffensive/comments/1dgad2/esea_client_basically_a_virus/
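
The attribute word that K32QueryWorkingSetEx() (and the MemoryWorkingSetEx
query underneath it) returns per page is what a caller inspects, which is why a
constant stub value is unlikely to satisfy a consumer that actually reads the
bits. The following is an added example, not Wine's patch and not ESEA's code:
it re-declares the documented PSAPI_WORKING_SET_EX_BLOCK bit layout with plain
shifts so it builds without psapi.h, decodes the fields, and applies the
heuristic anti-cheat and anti-tamper code commonly build on this query
(assumed here, the bug report does not say what the client checks): a code
page of a loaded image that is resident but no longer shared with its section
has been written to in this process, i.e. patched or inline-hooked. The sample
page attributes are constructed, not captured from a real process.

```c
/* Added example (not Wine's or ESEA's code): decode the per-page attribute
 * word of PSAPI_WORKING_SET_EX_INFORMATION.VirtualAttributes.Flags and flag
 * image code pages that have gone private. Bit positions follow Microsoft's
 * documented PSAPI_WORKING_SET_EX_BLOCK layout (x86-64, 64-bit word). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WS_VALID_BIT        0       /* 1 bit : page is resident in the working set */
#define WS_SHARECOUNT_SHIFT 1       /* 3 bits: processes sharing the page          */
#define WS_SHARECOUNT_MASK  0x7ULL
#define WS_PROTECT_SHIFT    4       /* 11 bits: Win32 PAGE_* protection            */
#define WS_PROTECT_MASK     0x7FFULL
#define WS_SHARED_BIT       15      /* 1 bit : page is shareable (section-backed)  */
#define WS_NODE_SHIFT       16      /* 6 bits: NUMA node                           */
#define WS_NODE_MASK        0x3FULL
#define WS_LOCKED_BIT       22
#define WS_LARGEPAGE_BIT    23
#define WS_BAD_BIT          31

/* Win32 page protection values (same numbers as winnt.h). */
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80

/* Compose an attribute word; a macro so it can initialise constant tables. */
#define WS_ENCODE(valid, share_count, protect, shared) \
    ( ((uint64_t)((valid) & 1) << WS_VALID_BIT) \
    | ((uint64_t)((share_count) & WS_SHARECOUNT_MASK) << WS_SHARECOUNT_SHIFT) \
    | ((uint64_t)((protect) & WS_PROTECT_MASK) << WS_PROTECT_SHIFT) \
    | ((uint64_t)((shared) & 1) << WS_SHARED_BIT) )

typedef struct {
    unsigned valid, share_count, protect, shared, node, locked, large_page, bad;
} ws_page_info;

typedef enum {
    WS_NOT_RESIDENT,  /* Valid == 0: nothing is known about the page          */
    WS_NOT_CODE,      /* resident but not executable: out of scope here       */
    WS_CLEAN_SHARED,  /* executable and still shared with the image section   */
    WS_PRIVATE_CODE   /* executable but private: written to (patched/hooked)  */
} ws_page_class;

/* Split the 64-bit attribute word into its documented fields. */
ws_page_info ws_decode(uint64_t flags)
{
    ws_page_info p;
    p.valid       = (unsigned)((flags >> WS_VALID_BIT) & 1);
    p.share_count = (unsigned)((flags >> WS_SHARECOUNT_SHIFT) & WS_SHARECOUNT_MASK);
    p.protect     = (unsigned)((flags >> WS_PROTECT_SHIFT) & WS_PROTECT_MASK);
    p.shared      = (unsigned)((flags >> WS_SHARED_BIT) & 1);
    p.node        = (unsigned)((flags >> WS_NODE_SHIFT) & WS_NODE_MASK);
    p.locked      = (unsigned)((flags >> WS_LOCKED_BIT) & 1);
    p.large_page  = (unsigned)((flags >> WS_LARGEPAGE_BIT) & 1);
    p.bad         = (unsigned)((flags >> WS_BAD_BIT) & 1);
    return p;
}

uint64_t ws_encode(unsigned valid, unsigned share_count, unsigned protect, unsigned shared)
{
    return WS_ENCODE(valid, share_count, protect, shared);
}

static int ws_is_executable(unsigned protect)
{
    return (protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Image code pages are mapped copy-on-write from the file. Once a process
 * writes to one (inline hook, patched check) it gets a private copy, which the
 * query reports with Shared == 0. A non-resident page is unknown, not suspect:
 * touch it and query again before judging it. */
ws_page_class ws_classify(uint64_t flags)
{
    ws_page_info p = ws_decode(flags);
    if (!p.valid) return WS_NOT_RESIDENT;
    if (!ws_is_executable(p.protect)) return WS_NOT_CODE;
    return p.shared ? WS_CLEAN_SHARED : WS_PRIVATE_CODE;
}

size_t ws_count_private_code(const uint64_t *blocks, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (ws_classify(blocks[i]) == WS_PRIVATE_CODE) count++;
    return count;
}

/* Index of the first private code page, or (size_t)-1 if there is none. */
size_t ws_first_private_code(const uint64_t *blocks, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ws_classify(blocks[i]) == WS_PRIVATE_CODE) return i;
    return (size_t)-1;
}

/* Constructed sample: six consecutive pages of a DLL's .text section. Page 3
 * has been written to (private copy, share count 1); page 5 is not resident. */
const uint64_t ws_sample_text_pages[] = {
    WS_ENCODE(1, 4, PAGE_EXECUTE_READ, 1),   /* 0x8209 */
    WS_ENCODE(1, 4, PAGE_EXECUTE_READ, 1),
    WS_ENCODE(1, 3, PAGE_EXECUTE_READ, 1),
    WS_ENCODE(1, 1, PAGE_EXECUTE_READ, 0),   /* 0x203: hooked page */
    WS_ENCODE(1, 4, PAGE_EXECUTE_READ, 1),
    WS_ENCODE(0, 0, 0, 0),                   /* not in the working set */
};
#define WS_SAMPLE_COUNT (sizeof ws_sample_text_pages / sizeof ws_sample_text_pages[0])

int main(void)
{
    static const char *names[] = { "not resident", "not code", "clean/shared", "PRIVATE CODE" };
    for (size_t i = 0; i < WS_SAMPLE_COUNT; i++)
        printf("page %zu: flags=0x%llx %s\n", i,
               (unsigned long long)ws_sample_text_pages[i],
               names[ws_classify(ws_sample_text_pages[i])]);
    printf("%zu private code page(s)\n", ws_count_private_code(ws_sample_text_pages, WS_SAMPLE_COUNT));
    return 0;
}
```

On a real system the attribute words come from one K32QueryWorkingSetEx() call
over an array of PSAPI_WORKING_SET_EX_INFORMATION entries whose VirtualAddress
fields walk the module's code section page by page; the classification above is
then applied to each entry's VirtualAttributes.Flags. A stub that reports every
page as resident and shared passes this check but says nothing true about the
process, while one that reports Valid == 0 for everything makes a careful
caller retry forever.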
