[Bug 49194] New: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs 'netio.sys' (Winsock Kernel Sockets API / WSK)

WineHQ Bugzilla wine-bugs at winehq.org
Mon May 18 11:19:53 CDT 2020 

https://bugs.winehq.org/show_bug.cgi?id=49194

            Bug ID: 49194
           Summary: Denuvo Anti-Cheat 'denuvo-anti-cheat.sys' needs
                    'netio.sys' (Winsock Kernel Sockets API / WSK)
           Product: Wine
           Version: 5.8
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

as it says. Continuation of bug 49192 

Disclaimer for the general populace, to avoid these stupid comments on
Reddit/your-favourite-gossip-site: This is not an attempt to make anything
work.

--- snip ---
$ WINEDEBUG=+seh,+relay,+ntoskrnl wine net start "Denuvo Anti-Cheat" >>log.txt
2>&1
...
00d0:trace:ntoskrnl:load_driver loading driver L"C:\\Program Files\\Denuvo
Anti-Cheat\\denuvo-anti-cheat.sys"
00d0:Call KERNEL32.LoadLibraryW(0078eff0 L"C:\\Program Files\\Denuvo
Anti-Cheat\\denuvo-anti-cheat.sys") ret=00236828 
...
00d0:err:module:import_dll Library netio.sys (which is needed by L"C:\\Program
Files\\Denuvo Anti-Cheat\\denuvo-anti-cheat.sys") not found 
...
00d0:err:module:import_dll Library wdfldr.sys (which is needed by L"C:\\Program
Files\\Denuvo Anti-Cheat\\denuvo-anti-cheat.sys") not found
00d0:Ret  ntdll.LdrLoadDll() retval=c0000135 ret=7b01d770
...
00d0:Ret  KERNEL32.LoadLibraryW() retval=00000000 ret=00236828
...
00d0:trace:ntoskrnl:IoDeleteDriver (00000000000FB930)
...
00d0:err:ntoskrnl:ZwLoadDriver failed to create driver
L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Denuvo Anti-Cheat":
c0000142
--- snip ---

--- snip ---
$ winedump -j import drive_c/Program\ Files/Denuvo\
Anti-Cheat/denuvo-anti-cheat.sys
Contents of drive_c/Program Files/Denuvo Anti-Cheat/denuvo-anti-cheat.sys:
1553128 bytes

Import Table size: 00000050
  offset 0017381c netio.sys
  Hint/Name Table: 0017F670
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 0017F000
   Thunk    Ordn  Name
  0017f000     1  WskDeregister
  0017f008     2  WskRegister
  0017f010     3  WskReleaseProviderNPI
  0017f018     0  WskCaptureProviderNPI

  offset 00173830 ntoskrnl.exe
  Hint/Name Table: 0017F698
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 0017F028
   Thunk    Ordn  Name
  0017f028     0  ExAcquireFastMutex
  0017f030     1  ExAllocatePoolWithQuotaTag
  0017f038     2  ExAllocatePoolWithTag
  0017f040     3  ExCreateCallback
  0017f048     4  ExFreePoolWithTag
  0017f050     5  ExRegisterCallback
  0017f058     6  ExReleaseFastMutex
  0017f060     7  ExUnregisterCallback
  0017f068     8  IoAllocateIrp
  0017f070     9  IoAllocateMdl
  0017f078    10  IoFreeIrp
  0017f080    11  IoFreeMdl
  0017f088    12  IoGetCurrentProcess
  0017f090    13  IoGetInitialStack
  0017f098    14  IoReuseIrp
  0017f0a0    15  KdDebuggerEnabled
  0017f0a8    16  KdRefreshDebuggerNotPresent
  0017f0b0    17  KeAcquireSpinLockAtDpcLevel
  0017f0b8    18  KeAcquireSpinLockRaiseToDpc
  0017f0c0    19  KeBugCheckEx
  0017f0c8    20  KeCancelTimer
  0017f0d0    21  KeDelayExecutionThread
  0017f0d8    22  KeGenericCallDpc
  0017f0e0    23  KeGetCurrentProcessorNumberEx
  0017f0e8    24  KeInitializeDpc
  0017f0f0    25  KeInitializeEvent
  0017f0f8    26  KeInitializeMutex
  0017f100    27  KeInitializeTimer
  0017f108    28  KeLowerIrql
  0017f110    29  KeQueryActiveProcessorCountEx
  0017f118    30  KeReleaseMutex
  0017f120    31  KeReleaseSpinLock
  0017f128    32  KeReleaseSpinLockFromDpcLevel
  0017f130    33  KeRevertToUserAffinityThreadEx
  0017f138    34  KeSetEvent
  0017f140    35  KeSetSystemAffinityThreadEx
  0017f148    36  KeSetTimer
  0017f150    37  KeSignalCallDpcDone
  0017f158    38  KeSignalCallDpcSynchronize
  0017f160    39  KeStackAttachProcess
  0017f168    40  KeUnstackDetachProcess
  0017f170    41  KeWaitForSingleObject
  0017f178    42  KfRaiseIrql
  0017f180    43  MmBuildMdlForNonPagedPool
  0017f188    44  MmGetPhysicalAddress
  0017f190    45  MmGetSystemRoutineAddress
  0017f198    46  MmGetVirtualForPhysical
  0017f1a0    47  MmIsAddressValid
  0017f1a8    48  MmMapIoSpace
  0017f1b0    49  MmUnmapIoSpace
  0017f1b8    50  ObOpenObjectByPointer
  0017f1c0    51  ObReferenceObjectByHandle
  0017f1c8    52  ObRegisterCallbacks
  0017f1d0    53  ObUnRegisterCallbacks
  0017f1d8    54  ObfDereferenceObject
  0017f1e0    55  ObfReferenceObject
  0017f1e8    56  PsCreateSystemThread
  0017f1f0    57  PsGetCurrentProcessId
  0017f1f8    58  PsGetCurrentThreadTeb
  0017f200    59  PsGetProcessId
  0017f208    60  PsGetThreadProcessId
  0017f210    61  PsGetVersion
  0017f218    62  PsLookupProcessByProcessId
  0017f220    63  PsProcessType
  0017f228    64  PsRemoveLoadImageNotifyRoutine
  0017f230    65  PsSetLoadImageNotifyRoutine
  0017f238    66  PsTerminateSystemThread
  0017f240    67  PsThreadType
  0017f248    68  RtlAnsiCharToUnicodeChar
  0017f250    69  RtlAnsiStringToUnicodeString
  0017f258    70  RtlCheckRegistryKey
  0017f260    71  RtlCopyUnicodeString
  0017f268    72  RtlFreeUnicodeString
  0017f270    73  RtlGetVersion
  0017f278    74  RtlInitAnsiString
  0017f280    75  RtlInitUnicodeString
  0017f288    76  RtlQueryRegistryValues
  0017f290    77  RtlRandomEx
  0017f298    78  RtlUnicodeToMultiByteN
  0017f2a0    79  ZwClose
  0017f2a8    80  ZwCreateFile
  0017f2b0    81  ZwCreateKey
  0017f2b8    82  ZwDeleteFile
  0017f2c0    83  ZwDeleteKey
  0017f2c8    84  ZwDeleteValueKey
  0017f2d0    85  ZwDuplicateObject
  0017f2d8    86  ZwLoadDriver
  0017f2e0    87  ZwOpenFile
  0017f2e8    88  ZwOpenProcess
  0017f2f0    89  ZwQuerySystemInformation
  0017f2f8    90  ZwQueryVirtualMemory
  0017f300    91  ZwReadFile
  0017f308    92  ZwSetValueKey
  0017f310    93  ZwUnloadDriver
  0017f318    94  ZwWriteFile
  0017f320    95  __C_specific_handler
  0017f328    96  __chkstk
  0017f330    97  _purecall

  offset 00173844 wdfldr.sys
  Hint/Name Table: 0017F9B0
  TimeDateStamp:   00000000 (Thu Jan  1 01:00:00 1970)
  ForwarderChain:  00000000
  First thunk RVA: 0017F340
   Thunk    Ordn  Name
  0017f340     1  WdfVersionBindClass
  0017f348     2  WdfVersionUnbind
  0017f350     3  WdfVersionUnbindClass
  0017f358     0  WdfVersionBind

Done dumping drive_c/Program Files/Denuvo Anti-Cheat/denuvo-anti-cheat.sys
--- snip ---

Looks like the driver registers itself as Winsock Kernel (WSK) client. This is
the "new" way as the TDI API is considered legacy on modern Windows versions.

--- quote ---
The TDI feature is deprecated and will be removed in future versions of
Microsoft Windows. Depending on how you use TDI, use either the Winsock Kernel
(WSK) or Windows Filtering Platform (WFP). 
--- quote ---

Just mentioning here since Wine has this component as well, albeit different
design: 'http.sys' is a WSK client on Windows.

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/registering-a-winsock-kernel-application

$ wine --version
wine-5.8-173-g9e26bc8116

Regards

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

More information about the wine-bugs mailing list