[Bug 49192] New: Denuvo Anti-Cheat needs support for NtQuerySystemInformation 'SystemCodeIntegrityInformation' info class (Driver Signature Enforcement)
WineHQ Bugzilla
wine-bugs at winehq.org
Mon May 18 10:26:37 CDT 2020
https://bugs.winehq.org/show_bug.cgi?id=49192
Bug ID: 49192
Summary: Denuvo Anti-Cheat needs support for
NtQuerySystemInformation
'SystemCodeIntegrityInformation' info class (Driver
Signature Enforcement)
Product: Wine
Version: 5.8
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ntdll
Assignee: wine-bugs at winehq.org
Reporter: focht at gmx.net
Distribution: ---
Hello folks,
as it says. Part of Doom Eternal. The Denuvo Anti-Cheat installer is baked into
the main executable 'DOOMEternalx64vk.exe' which contains several PE payloads.
I'm not aware of any other games that use it (yet).
Trace log:
--- snip ---
$ pwd
/home/focht/wine-games/wineprefix64-steam/drive_c/Program Files (x86)/Steam
$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl wine ./steam.exe -no-cef-sandbox -applaunch 782330 >>log.txt 2>&1
...
0464:Call KERNEL32.LoadLibraryW(0091ea80
L"C:\\users\\focht\\Temp\\denuvo-anti-cheat-update-service-launcher.dll")
ret=01d3db68
...
0464:Ret KERNEL32.LoadLibraryW() retval=03180000 ret=01d3db68
...
0464:Call KERNEL32.GetProcAddress(03180000,14722b1f0 "startService3")
ret=147244518
0464:Ret KERNEL32.GetProcAddress() retval=03193350 ret=147244518
...
0464:Call KERNEL32.LoadLibraryW(01919a10 L"C:\\Program Files
(x86)\\Steam\\steamapps\\common\\DOOMEternal\\denuvo-anticheat-gui.dll")
ret=01d3db68
...
0464:Ret KERNEL32.LoadLibraryW() retval=00000000 ret=01d3db68
...
0464:Call version.GetFileVersionInfoW(0191b8c0
L"C:\\users\\focht\\Temp\\denuvo-anti-cheat-update-service-launcher.dll",00000000,000008ac,0191c8f0)
ret=03195497
...
0464:Ret version.GetFileVersionInfoW() retval=00000001 ret=03195497
0464:Call version.VerQueryValueW(0191c8f0,03202928 L"\\",0091e628,0091e618)
ret=031954c3
...
0464:Ret version.VerQueryValueW() retval=00000001 ret=031954c3
...
0464:Call KERNEL32.GetProcAddress(7bc20000,032044d0 "NtQuerySystemInformation")
ret=0318ef65
0464:Ret KERNEL32.GetProcAddress() retval=7bc2d2b0 ret=0318ef65
0464:Call ntdll.NtQuerySystemInformation(00000067,0091e680,00000008,0091e678)
ret=0318ef9d
0464:fixme:ntdll:NtQuerySystemInformation
(0x00000067,0x91e680,0x00000008,0x91e678) stub
0464:Ret ntdll.NtQuerySystemInformation() retval=c0000003 ret=0318ef9d
0464:Call ntdll.NtQuerySystemInformation(00000023,0091e670,00000002,0091e678)
ret=0318efb5
0464:Ret ntdll.NtQuerySystemInformation() retval=00000000 ret=0318efb5
...
--- snip ---
0x67 -> SYSTEM_CODEINTEGRITY_INFORMATION
'denuvo-anti-cheat-update-service-launcher-2020-05-18-16.12.57.645.log'
--- snip ---
2020-05-18-16.12.57.679 [INF] Got reporter binary, version 2.7.0.40281
2020-05-18-16.12.57.731 [INF] Launcher 2.7.0.40281 started. Transaction id:
4e7c49ed-40f1-448f-a762-898049b26608
2020-05-18-16.12.57.731 [ERR] Environment check failed!
2020-05-18-16.12.57.805 [INF] Reporter 2.7.0.40281 started, passing error 2
2020-05-18-16.14.45.721 [INF] Reporter completed: 0
--- snip ---
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation
--- quote ---
SYSTEM_CODEINTEGRITY_INFORMATION
When the SystemInformationClass parameter is SystemCodeIntegrityInformation,
the buffer pointed to by the SystemInformation parameter should be large enough
to hold a single SYSTEM_CODEINTEGRITY_INFORMATION structure having the
following layout:
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG Length;
    ULONG CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
The Length member contains the size of the structure in bytes. This must be set
by the caller.
The CodeIntegrityOptions member contains a bitmask to identify code integrity
options.
Table 2
Value                                Meaning
0x01 CODEINTEGRITY_OPTION_ENABLED    Enforcement of kernel mode Code Integrity is enabled.
--- quote ---
It seems sufficient to set 'CODEINTEGRITY_OPTION_ENABLED' (0x1) to pass the DSE
check. The Denuvo bootstrapper will then extract and install the update service
and kernel driver.
--- snip ---
....
2020-05-18-17.10.52.450 [INF] Got reporter binary, version 2.7.0.40281
2020-05-18-17.10.52.455 [INF] Launcher 2.7.0.40281 started. Transaction id:
4e7c49ed-40f1-448f-a762-898049b26608
2020-05-18-17.10.52.472 [INF] Saving update service binary
2020-05-18-17.10.52.486 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\Denuvo Anti-Cheat Installer.exe
2020-05-18-17.10.52.496 [INF] Saving update service binary
2020-05-18-17.10.52.508 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll
2020-05-18-17.10.52.515 [INF] Saving update service binary
2020-05-18-17.10.52.526 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys
2020-05-18-17.10.52.537 [INF] Update service not installed.
2020-05-18-17.10.52.542 [INF] Running installer: 2.7.0.40281
2020-05-18-17.10.52.550 [INF] Installer arguments: install
"4e7c49ed-40f1-448f-a762-898049b26608" "C:\Program Files
(x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll"
"C:\Program Files
(x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys"
2020-05-18-17.10.55.278 [INF] Elevated installer run finished successfully.
2020-05-18-17.10.55.298 [INF] Update service not running. Starting the service
2020-05-18-17.10.55.892 [INF] Performing software update
2020-05-18-17.10.55.895 [INF] Sending clean check request
2020-05-18-17.10.55.897 [INF] Waiting for clean check response
2020-05-18-17.10.56.000 [INF] Sending update request
2020-05-18-17.10.56.004 [INF] Waiting for update response
2020-05-18-17.11.04.498 [ERR] Received updateFailureResponse. Reason: start
driver failed
2020-05-18-17.11.04.559 [INF] Reporter 2.7.0.40281 started, passing error 2003
--- snip ---
$ wine --version
wine-5.8-173-g9e26bc8116
Regards
--
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
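
The SystemCodeIntegrityInformation contract quoted in the report (8-byte buffer, caller sets Length, handler fills CodeIntegrityOptions), modelled in portable C as an added example; it is not code from the bug report, Wine or Windows. The names model_query, dse_reported and CODEINTEGRITY_INFO are hypothetical, and returning STATUS_INFO_LENGTH_MISMATCH for an unset Length field is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS                 0x00000000u
#define STATUS_INVALID_INFO_CLASS      0xC0000003u /* retval of the stub in the trace */
#define STATUS_INFO_LENGTH_MISMATCH    0xC0000004u
#define SystemCodeIntegrityInformation 0x67u
#define CODEINTEGRITY_OPTION_ENABLED   0x01u

typedef struct {
    uint32_t Length;               /* set by the caller to the structure size */
    uint32_t CodeIntegrityOptions; /* bitmask filled in by the handler */
} CODEINTEGRITY_INFO;

/* Hypothetical handler modelling the info class (not Wine's or Windows' code). */
uint32_t model_query(uint32_t cls, void *buf, uint32_t len, uint32_t *ret_len)
{
    CODEINTEGRITY_INFO info;

    if (cls != SystemCodeIntegrityInformation)
        return STATUS_INVALID_INFO_CLASS;
    if (ret_len) *ret_len = sizeof(info);      /* report the required size */
    if (!buf || len < sizeof(info))
        return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(&info, buf, sizeof(info));
    if (info.Length != sizeof(info))           /* assumption: reject unset Length */
        return STATUS_INFO_LENGTH_MISMATCH;
    info.CodeIntegrityOptions = CODEINTEGRITY_OPTION_ENABLED;
    memcpy(buf, &info, sizeof(info));
    return STATUS_SUCCESS;
}

/* Caller side: 1 = enforcement reported, 0 = not reported, -1 = query failed. */
int dse_reported(uint32_t cls)
{
    CODEINTEGRITY_INFO info = { sizeof(info), 0 };
    uint32_t ret_len = 0;

    if (model_query(cls, &info, sizeof(info), &ret_len) != STATUS_SUCCESS)
        return -1;
    return (info.CodeIntegrityOptions & CODEINTEGRITY_OPTION_ENABLED) ? 1 : 0;
}

int main(void)
{
    printf("class 0x67 -> %d\n", dse_reported(SystemCodeIntegrityInformation));
    printf("class 0x68 -> %d\n", dse_reported(0x68u)); /* unhandled class */
    return 0;
}
```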