[Bug 49192] New: Denuvo Anti-Cheat needs support for NtQuerySystemInformation 'SystemCodeIntegrityInformation' info class (Driver Signature Enforcement)

WineHQ Bugzilla wine-bugs at winehq.org
Mon May 18 10:26:37 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=49192

            Bug ID: 49192
           Summary: Denuvo Anti-Cheat needs support for
                    NtQuerySystemInformation
                    'SystemCodeIntegrityInformation' info class (Driver
                    Signature Enforcement)
           Product: Wine
           Version: 5.8
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ntdll
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says. Part of Doom Eternal. The Denuvo Anti-Cheat installer is baked into
the main executable 'DOOMEternalx64vk.exe' which contains several PE payloads.
I'm not aware of any other games that use it (yet).

Trace log:

--- snip ---
$ pwd
/home/focht/wine-games/wineprefix64-steam/drive_c/Program Files (x86)/Steam

$ WINEDEBUG=+seh,+relay,+loaddll,+ntoskrnl wine ./steam.exe -no-cef-sandbox
-applaunch 782330 >>log.txt 2>&1
...
0464:Call KERNEL32.LoadLibraryW(0091ea80
L"C:\\users\\focht\\Temp\\denuvo-anti-cheat-update-service-launcher.dll")
ret=01d3db68 
...
0464:Ret  KERNEL32.LoadLibraryW() retval=03180000 ret=01d3db68
...
0464:Call KERNEL32.GetProcAddress(03180000,14722b1f0 "startService3")
ret=147244518
0464:Ret  KERNEL32.GetProcAddress() retval=03193350 ret=147244518
...
0464:Call KERNEL32.LoadLibraryW(01919a10 L"C:\\Program Files
(x86)\\Steam\\steamapps\\common\\DOOMEternal\\denuvo-anticheat-gui.dll")
ret=01d3db68 
...
0464:Ret  KERNEL32.LoadLibraryW() retval=00000000 ret=01d3db68
...
0464:Call version.GetFileVersionInfoW(0191b8c0
L"C:\\users\\focht\\Temp\\denuvo-anti-cheat-update-service-launcher.dll",00000000,000008ac,0191c8f0)
ret=03195497
...
0464:Ret  version.GetFileVersionInfoW() retval=00000001 ret=03195497
0464:Call version.VerQueryValueW(0191c8f0,03202928 L"\\",0091e628,0091e618)
ret=031954c3
...
0464:Ret  version.VerQueryValueW() retval=00000001 ret=031954c3
...
0464:Call KERNEL32.GetProcAddress(7bc20000,032044d0 "NtQuerySystemInformation")
ret=0318ef65
0464:Ret  KERNEL32.GetProcAddress() retval=7bc2d2b0 ret=0318ef65
0464:Call ntdll.NtQuerySystemInformation(00000067,0091e680,00000008,0091e678)
ret=0318ef9d
0464:fixme:ntdll:NtQuerySystemInformation
(0x00000067,0x91e680,0x00000008,0x91e678) stub
0464:Ret  ntdll.NtQuerySystemInformation() retval=c0000003 ret=0318ef9d
0464:Call ntdll.NtQuerySystemInformation(00000023,0091e670,00000002,0091e678)
ret=0318efb5
0464:Ret  ntdll.NtQuerySystemInformation() retval=00000000 ret=0318efb5 
...
--- snip ---

0x67 -> SYSTEM_CODEINTEGRITY_INFORMATION

'denuvo-anti-cheat-update-service-launcher-2020-05-18-16.12.57.645.log'

--- snip ---
2020-05-18-16.12.57.679 [INF] Got reporter binary, version 2.7.0.40281
2020-05-18-16.12.57.731 [INF] Launcher 2.7.0.40281 started. Transaction id:
4e7c49ed-40f1-448f-a762-898049b26608
2020-05-18-16.12.57.731 [ERR] Environment check failed!
2020-05-18-16.12.57.805 [INF] Reporter 2.7.0.40281 started, passing error 2
2020-05-18-16.14.45.721 [INF] Reporter completed: 0
--- snip ---

https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation

--- quote ---
SYSTEM_CODEINTEGRITY_INFORMATION

When the SystemInformationClass parameter is SystemCodeIntegrityInformation,
the buffer pointed to by the SystemInformation parameter should be large enough
to hold a single SYSTEM_CODEINTEGRITY_INFORMATION structure having the
following layout:

typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG  Length;
    ULONG  CodeIntegrityOptions;
} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;

The Length member contains the size of the structure in bytes. This must be set
by the caller.

The CodeIntegrityOptions member contains a bitmask to identify code integrity
options.

Table 2

Value   Name                            Meaning
0x01    CODEINTEGRITY_OPTION_ENABLED    Enforcement of kernel mode Code Integrity is enabled.
--- quote ---

It seems sufficient to set 'CODEINTEGRITY_OPTION_ENABLED' (0x1) to pass the DSE
check. The Denuvo bootstrapper will then extract and install the update service
and kernel driver.

--- snip ---
....
2020-05-18-17.10.52.450 [INF] Got reporter binary, version 2.7.0.40281
2020-05-18-17.10.52.455 [INF] Launcher 2.7.0.40281 started. Transaction id:
4e7c49ed-40f1-448f-a762-898049b26608
2020-05-18-17.10.52.472 [INF] Saving update service binary
2020-05-18-17.10.52.486 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\Denuvo Anti-Cheat Installer.exe
2020-05-18-17.10.52.496 [INF] Saving update service binary
2020-05-18-17.10.52.508 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll
2020-05-18-17.10.52.515 [INF] Saving update service binary
2020-05-18-17.10.52.526 [INF] Saving update service binary to path: C:\Program
Files (x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys
2020-05-18-17.10.52.537 [INF] Update service not installed.
2020-05-18-17.10.52.542 [INF] Running installer: 2.7.0.40281
2020-05-18-17.10.52.550 [INF] Installer arguments: install
"4e7c49ed-40f1-448f-a762-898049b26608" "C:\Program Files
(x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat-runtime.dll"
"C:\Program Files
(x86)\Steam\steamapps\common\DOOMEternal\denuvo-anti-cheat.sys"
2020-05-18-17.10.55.278 [INF] Elevated installer run finished successfully.
2020-05-18-17.10.55.298 [INF] Update service not running. Starting the service
2020-05-18-17.10.55.892 [INF] Performing software update
2020-05-18-17.10.55.895 [INF] Sending clean check request
2020-05-18-17.10.55.897 [INF] Waiting for clean check response
2020-05-18-17.10.56.000 [INF] Sending update request
2020-05-18-17.10.56.004 [INF] Waiting for update response
2020-05-18-17.11.04.498 [ERR] Received updateFailureResponse. Reason: start
driver failed
2020-05-18-17.11.04.559 [INF] Reporter 2.7.0.40281 started, passing error 2003
--- snip ---

$ wine --version
wine-5.8-173-g9e26bc8116

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
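
A self-contained C model of the query discussed in the report, added here as an illustration; it is not code from the report or from Wine's ntdll. The names model_query_system_information and caller_sees_dse_enabled are hypothetical, and treating an unset Length member as a length mismatch is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the Windows types so the example builds anywhere. */
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;

#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS   ((NTSTATUS)0xC0000003) /* the stub's retval in the trace */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004)

#define SystemCodeIntegrityInformation 0x67 /* class queried in the trace */
#define CODEINTEGRITY_OPTION_ENABLED   0x01

typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG Length;               /* set by the caller to sizeof(struct) */
    ULONG CodeIntegrityOptions; /* filled in by the callee */
} SYSTEM_CODEINTEGRITY_INFORMATION;

/* Hypothetical model of the query; not Wine's NtQuerySystemInformation. */
NTSTATUS model_query_system_information(ULONG cls, void *info, ULONG size, ULONG *ret_size)
{
    SYSTEM_CODEINTEGRITY_INFORMATION *ci = info;
    if (cls != SystemCodeIntegrityInformation)
        return STATUS_INVALID_INFO_CLASS; /* other classes are out of scope here */
    if (ret_size) *ret_size = sizeof(*ci); /* report the required size */
    /* Assumption: a short buffer or an unset Length is a length mismatch. */
    if (!info || size < sizeof(*ci) || ci->Length != sizeof(*ci))
        return STATUS_INFO_LENGTH_MISMATCH;
    ci->CodeIntegrityOptions = CODEINTEGRITY_OPTION_ENABLED;
    return STATUS_SUCCESS;
}

/* Caller side, mirroring the traced call (class 0x67, 8-byte buffer); -1 on failure. */
int caller_sees_dse_enabled(void)
{
    SYSTEM_CODEINTEGRITY_INFORMATION ci = { sizeof(ci), 0 };
    ULONG needed = 0;

    if (model_query_system_information(0x67, &ci, sizeof(ci), &needed) != STATUS_SUCCESS)
        return -1;
    return (ci.CodeIntegrityOptions & CODEINTEGRITY_OPTION_ENABLED) != 0;
}

int main(void)
{
    printf("DSE reported enabled: %d\n", caller_sees_dse_enabled());
    return 0;
}
```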


