Wine-Staging 5.9 Picks Up A Patch In The Effort To Deal With Denuvo Anti-Cheat

  • #11
    Originally posted by CochainComplex
    Since Wine is totally in userspace, there is no ring 0 hack to make it runnable.
    Not quite. Wine uses winedevice to run Windows drivers that would normally run in kernelspace (ring 0) in userspace (ring 3). So yes, a ring 0 hack under Windows can run under Wine; just when it does, it's run as ring 3 and only sees 1 wineprefix memory space.



    • #12
      Originally posted by oiaohm

      Not quite. Wine uses winedevice to run Windows drivers that would normally run in kernelspace (ring 0) in userspace (ring 3). So yes, a ring 0 hack under Windows can run under Wine; just when it does, it's run as ring 3 and only sees 1 wineprefix memory space.
      OK, maybe it is my native tongue, but I meant that there is no Linux kernel hack needed which squeezes some "rootkit" into ring 0 of the Linux kernel to make Denuvo under Wine runnable, which is the concern. If it is possible to "emulate" (I know Wine is no emulator) the ring 0 in ring 3, there is no concern about compromised kernel security in Linux land.
      Last edited by CochainComplex; 05-27-2020, 06:20 PM.



      • #13
        Originally posted by CochainComplex
        OK, maybe it is my native tongue, but I meant that there is no Linux kernel hack needed which squeezes some "rootkit" into ring 0 of the Linux kernel to make Denuvo under Wine runnable, which is the concern. If it is possible to "emulate" (I know Wine is no emulator) the ring 0 in ring 3, there is no concern about compromised kernel security in Linux land.
        To make a third-party driver to Microsoft standard that runs in kernel mode, NT to Windows 10, you are not meant to use any native ring 0 only assembly. So all the code of a Windows NT-10 third-party driver should in fact be able to execute in ring 3. So what Wine is doing with the driver is not exactly emulating but running the driver where it can be run. There is a bit of history why this is the case. The NT/Windows kernel was based on the microkernel idea, except that for performance the drivers that by pure microkernel should be running in ring 3 are running in ring 0. Wine is basically running the driver as it would have run under early NT before release. Yes, we are talking before 1993 here; yes, this is how something that happened almost 3 decades ago is having a direct effect today.

        Basically that is the reason why Wine can run some NT-10 drivers but there was no way to do Windows 9x VXDs, as those in fact used real ring 0 only assembly.

        So in theory Microsoft could provide their Windows end users with the option of running particular kernel mode ring 0 drivers in userspace ring 3 with isolated memory access if they wanted to.

        Do note it is important to take note of what I said. A driver running under winedevice can see the complete memory space of that wineprefix. So if you are a person who puts all applications in 1 wineprefix, the Denuvo driver rootkit still might cause nice big security problems, not as big as a Windows or Linux kernel rootkit but still not good.

        Comment
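
An added example, not part of the original posts: because a driver loaded through winedevice sees the whole wineprefix, one defensive check is to list which kernel-driver services a prefix has registered. The code parses the text format of a prefix's `system.reg`; the sample content, the `ExampleAntiCheat` service and the baseline set are constructed for illustration.

```python
import re

SERVICE_KERNEL_DRIVER = 0x1  # Windows service "Type" bit for kernel-mode drivers

# Constructed sample in the text format of <wineprefix>/system.reg.
# "ExampleAntiCheat" and its path are made up for illustration.
SAMPLE_SYSTEM_REG = r'''WINE REGISTRY Version 2

[System\\CurrentControlSet\\Services\\MountMgr] 1590600000
"ImagePath"="C:\\windows\\system32\\drivers\\mountmgr.sys"
"Type"=dword:00000001

[System\\CurrentControlSet\\Services\\ExampleAntiCheat] 1590600100
"ImagePath"="C:\\Program Files\\Game\\examplecheat.sys"
"Type"=dword:00000001

[System\\CurrentControlSet\\Services\\Spooler] 1590600200
"Type"=dword:00000010
'''

# Top-level service keys only; subkeys contain a further backslash before "]".
KEY_RE = re.compile(r'^\[System\\\\CurrentControlSet\\\\Services\\\\([^\\\]]+)\]', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def kernel_driver_services(reg_text):
    """Return {service: ImagePath} for services registered as kernel drivers."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(2)
    drivers = {}
    for name, vals in services.items():
        kind = vals.get('Type', '')
        if kind.startswith('dword:') and int(kind[6:], 16) & SERVICE_KERNEL_DRIVER:
            path = re.sub(r'^str\(\d+\):', '', vals.get('ImagePath', ''))
            drivers[name] = path.strip('"').replace('\\\\', '\\')
    return drivers

def unexpected_drivers(reg_text, baseline):
    """Kernel drivers outside `baseline`, the caller's assumed set of expected names."""
    known = {b.lower() for b in baseline}
    return {n: p for n, p in kernel_driver_services(reg_text).items() if n.lower() not in known}

if __name__ == '__main__':
    for name, path in unexpected_drivers(SAMPLE_SYSTEM_REG, {'MountMgr'}).items():
        print(f'{name}: {path} (loaded via winedevice, sees this whole prefix)')
```

Running it over each prefix's `system.reg` shows which prefixes hold a third-party driver alongside other applications.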


        • #14
          Originally posted by oiaohm

          To make a third-party driver to Microsoft standard that runs in kernel mode, NT to Windows 10, you are not meant to use any native ring 0 only assembly. So all the code of a Windows NT-10 third-party driver should in fact be able to execute in ring 3. So what Wine is doing with the driver is not exactly emulating but running the driver where it can be run. There is a bit of history why this is the case. The NT/Windows kernel was based on the microkernel idea, except that for performance the drivers that by pure microkernel should be running in ring 3 are running in ring 0. Wine is basically running the driver as it would have run under early NT before release. Yes, we are talking before 1993 here; yes, this is how something that happened almost 3 decades ago is having a direct effect today.

          Basically that is the reason why Wine can run some NT-10 drivers but there was no way to do Windows 9x VXDs, as those in fact used real ring 0 only assembly.

          So in theory Microsoft could provide their Windows end users with the option of running particular kernel mode ring 0 drivers in userspace ring 3 with isolated memory access if they wanted to.

          Do note it is important to take note of what I said. A driver running under winedevice can see the complete memory space of that wineprefix. So if you are a person who puts all applications in 1 wineprefix, the Denuvo driver rootkit still might cause nice big security problems, not as big as a Windows or Linux kernel rootkit but still not good.
          That is very interesting input, I was not aware of this - thank you!
