[Bug 45666] Multiple Riot Games' anti-cheat / protection schemes need implementation of NtQuerySystemInformation 'SystemModuleInformationEx' info class (League of Legends 8.15+, Valorant/Vanguard)

WineHQ Bugzilla wine-bugs at winehq.org
Thu Apr 23 06:52:10 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=45666

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|League of Legends 8.15+     |Multiple Riot Games'
                   |fails due to missing        |anti-cheat / protection
                   |implementation of           |schemes need implementation
                   |NtQuerySystemInformation(Sy |of NtQuerySystemInformation
                   |stemModuleInformationEx) in |'SystemModuleInformationEx'
                   |Windows Vista+ mode         |info class (League of
                   |                            |Legends 8.15+,
                   |                            |Valorant/Vanguard)

--- Comment #13 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

Riot's Vanguard (Valorant) also needs this. Actually a slightly improved
variant of the Wine-Staging patch.

--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+ntoskrnl,+int,+relay,+ntdll wine net start vgc >>log2.txt 2>&1
...
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=7bca21df
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,(nil),0x00000000,0xd4f600)
001b:Ret  ntdll.NtQuerySystemInformation() retval=c0000005 ret=7bca21df
001b:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=c0000005 ret=0115ca41
001b:trace:seh:raise_exception code=c0000096 flags=0 addr=0x115ec76 ip=115ec76 tid=001b
001b:trace:seh:raise_exception  rax=00001ce570abf47e rbx=0000000000000000 rcx=0000000000000000 rdx=00000000ffffffff
001b:trace:seh:raise_exception  rsi=0000000000d4f7bc rdi=0000000000000000 rbp=0000000000d4f3e0 rsp=0000000000d4f2e0
001b:trace:seh:raise_exception   r8=0000000000e8ae30  r9=00000000c0000005 r10=0000000000000000 r11=0000000000000000
001b:trace:seh:raise_exception  r12=0000000000000000 r13=0000000000000000 r14=0000000000000006 r15=0000000000000000
001b:trace:seh:call_vectored_handlers calling handler at 0x18000b9f0 code=c0000096 flags=0
001b:trace:int:emulate_instruction mov cr8,rax at 115ec76
--- snip ---

Most drivers do something like this:

--- snip ---
ULONG len = 0;
NtQuerySystemInformation( SystemModuleInformation, NULL, 0, &len);
--- snip ---

This is entirely reasonable as they want to figure out how much memory is
needed to allocate a SYSTEM_MODULE_INFORMATION structure of the right size.
After allocating the buffer they call 'NtQuerySystemInformation' again.

Wine-Staging is too restrictive with parameter validation:

https://github.com/wine-staging/wine-staging/blob/master/patches/ntdll-SystemModuleInformation/0003-ntdll-Add-stub-for-NtQuerySystemInformation-SystemMo.patch#L21

IMHO this might apply for the non-ex variant as well.

With fixed version:

--- snip ---
$ WINEDEBUG=+seh,+loaddll,+process,+ntoskrnl,+int,+relay,+ntdll wine net start vgc >>log2.txt 2>&1
...
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,00000000,00000000,00d4f600) ret=7bca21cf
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,(nil),0x00000000,0xd4f600)
001b:Ret  ntdll.NtQuerySystemInformation() retval=c0000004 ret=7bca21cf
001b:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=c0000004 ret=0115ca41
001b:Call ntoskrnl.exe.ExAllocatePoolWithTag(00000200,00000140,656e6f4e) ret=0115fcbe
001b:Call ntdll.RtlAllocateHeap(008a0000,00000000,00000140) ret=180010a2d
001b:Ret  ntdll.RtlAllocateHeap() retval=008a0330 ret=180010a2d
001b:trace:ntoskrnl:ExAllocatePoolWithTag 320 pool 512 -> 00000000008A0330
001b:Ret  ntoskrnl.exe.ExAllocatePoolWithTag() retval=008a0330 ret=0115fcbe
001b:Call ntoskrnl.exe.ZwQuerySystemInformation(0000004d,008a0330,00000140,00d4f600) ret=0115ca41
001b:Call ntdll.NtQuerySystemInformation(0000004d,008a0330,00000140,00d4f600) ret=7bca21cf
001b:trace:ntdll:NtQuerySystemInformation (0x0000004d,0x8a0330,0x00000140,0xd4f600)
001b:fixme:ntdll:NtQuerySystemInformation info_class SystemModuleInformationEx stub!
001b:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=7bca21cf
001b:Ret  ntoskrnl.exe.ZwQuerySystemInformation() retval=00000000 ret=0115ca41
001b:Call ntoskrnl.exe.ExFreePoolWithTag(008a0330,656e6f4e) ret=00e73ad4
001b:trace:ntoskrnl:ExFreePoolWithTag 00000000008A0330
001b:Call KERNEL32.HeapFree(008a0000,00000000,008a0330) ret=7bca21cf
001b:Ret  KERNEL32.HeapFree() retval=00000001 ret=7bca21cf
001b:Ret  ntoskrnl.exe.ExFreePoolWithTag() retval=00000001 ret=00e73ad4
--- snip ---

It's still not enough in case of Vanguard as only 'ntdll' module is returned
but at least the basic code is in place.

Tidbit:

--- snip ---
001b:Call ntoskrnl.exe._stricmp(00d4f590 "Consider this a final friendly warning... There are one of two paths from this point.",00d4f530 "http://bit.ly/good-side | OR | http://bit.ly/bad-side") ret=0115b29c
001b:Call msvcrt._stricmp(00d4f590 "Consider this a final friendly warning... There are one of two paths from this point.",00d4f530 "http://bit.ly/good-side | OR | http://bit.ly/bad-side") ret=7bca21df
001b:Call ntdll.RtlAllocateHeap(00010000,00000008,000004f8) ret=7fa8dc2c59e4
001b:Ret  ntdll.RtlAllocateHeap() retval=007290d0 ret=7fa8dc2c59e4
001b:Ret  msvcrt._stricmp() retval=fffffffb ret=7bca21df
001b:Ret  ntoskrnl.exe._stricmp() retval=fffffffb ret=0115b29c
--- snip ---

;-)

What's the blocking part here? Although not being sufficient for the most
recent incarnations it's still working for other games, right?

$ wine --version
wine-5.6-258-gf31a29b8d1

Regards
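
The two-call size probe and the effect of validation order, as an added example that is not part of the original comment and is not Wine or Wine-Staging code. It is a portable model: `query_strict`, `query_relaxed`, `probe_then_query` and `MODEL_LEN` are hypothetical names, the strict ordering is an assumption inferred from the c0000005 result in the first trace, and 0x140 is the buffer size seen in the second trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ST_SUCCESS              0x00000000u
#define ST_INFO_LENGTH_MISMATCH 0xC0000004u /* c0000004 in the fixed trace */
#define ST_ACCESS_VIOLATION     0xC0000005u /* c0000005 in the failing trace */
#define ST_NO_MEMORY            0xC0000017u
#define MODEL_LEN               0x140u      /* size allocated in the fixed trace */
typedef uint32_t (*query_fn)(void *buf, uint32_t len, uint32_t *ret_len);

/* Assumed strict ordering: a NULL buffer is rejected before the length check. */
static uint32_t query_strict(void *buf, uint32_t len, uint32_t *ret_len) {
    if (!buf) return ST_ACCESS_VIOLATION;
    if (ret_len) *ret_len = MODEL_LEN;
    if (len < MODEL_LEN) return ST_INFO_LENGTH_MISMATCH;
    memset(buf, 0, MODEL_LEN);              /* model: empty module list */
    return ST_SUCCESS;
}

/* Relaxed ordering: length is checked first, so (NULL, 0) is a valid probe. */
static uint32_t query_relaxed(void *buf, uint32_t len, uint32_t *ret_len) {
    if (ret_len) *ret_len = MODEL_LEN;
    if (len < MODEL_LEN) return ST_INFO_LENGTH_MISMATCH;
    if (!buf) return ST_ACCESS_VIOLATION;
    memset(buf, 0, MODEL_LEN);
    return ST_SUCCESS;
}

/* Caller side, as a driver would do it: probe, allocate, query again. */
static uint32_t probe_then_query(query_fn q, uint32_t *out_len) {
    uint32_t len = 0;
    uint32_t st = q(NULL, 0, &len);         /* size probe */
    *out_len = len;
    if (st != ST_INFO_LENGTH_MISMATCH || len == 0) return st; /* probe failed */
    void *buf = malloc(len);
    if (!buf) return ST_NO_MEMORY;
    st = q(buf, len, out_len);              /* real query with sized buffer */
    free(buf);
    return st;
}

int main(void) {
    uint32_t n = 0, st = probe_then_query(query_strict, &n);
    printf("strict:  status=%08x len=0x%x\n", (unsigned)st, (unsigned)n);
    st = probe_then_query(query_relaxed, &n);
    printf("relaxed: status=%08x len=0x%x\n", (unsigned)st, (unsigned)n);
    return 0;
}
```

With the strict ordering the caller never learns the required size and stops at the probe; with the relaxed ordering the probe returns the length and the second call succeeds.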
