Getting error STATUS_TRANSACTION_NOT_ACTIVE while calling FltGetFileNameInformation from a minifilter

iradization42 Member Posts: 3
edited July 7 in NTFSD

Hi, I'm running a POC for the process doppelganging injection method, which creates an NTFS transaction on an unsuspected file (svchost.exe) to copy a malicious payload, executes it and eventually rolls back the transaction before closing the file so it will be undetected by AV (see code here: https://github.com/Spajed/processrefund).

In my setup there's also a minifilter driver installed that gets a callback on file preCleanup events. The callback function calls the kernel API FltGetFileNameInformation with the nameOptions param set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.

According to the documentation, the option FLT_FILE_NAME_QUERY_DEFAULT means that "If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing."
In my scenario FltGetFileNameInformation sometimes fails with error 0xC0190003 (STATUS_TRANSACTION_NOT_ACTIVE).

I wish to understand better the nature of this error code and why it's triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the POC terminates, so the file gets closed with a pending transaction that is neither rolled back nor committed.

#include <windows.h>
#include <ktmw32.h>   // CreateTransaction / RollbackTransaction, link with KtmW32.lib

// Create a transaction, handle hTransaction ("temp" is the transaction description string)
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, temp);

// CreateFileTransacted on file fileFullPath inside that transaction, handle hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
    GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL);

...
// process may be terminated somewhere here
...

// Roll back the original svchost
RollbackTransaction(hTransaction);

Has anybody ever encountered this error code and can confirm or contradict my theory?

thanks !


Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,409

    Answer me this: Why would we help you do this?

    Wouldn’t we be helping you perfect a method for malware injection?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • iradization42 Member Posts: 3

    Hi Peter, by no means are my intentions to create a new malware injection method, but a technique to block them (although today doppelganging is detected by Microsoft Defender) - not commercially yet, but for educational purposes, hoping to gain some relevant experience and get into the cyber defense industry.

    What I've seen is that when the transacted file is being closed I get the STATUS_TRANSACTION_NOT_ACTIVE error, after the transaction has been rolled back perfectly.

    Therefore, I'd like to know if there's a way to distinguish between a regular file and a transacted file in the preCleanup callback.

    thanks !
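The question just asked, whether a pre-cleanup callback can tell a transacted open from a regular one, is answered by the minifilter API itself: the FLT_RELATED_OBJECTS structure passed to every callback carries a Transaction member that the documentation describes as non-NULL when the operation is part of a transaction. The following callback is an added example written for this thread; it is not the poster's driver nor code from the linked repository. It assumes a conventional minifilter registered with FltRegisterFilter, and it treats STATUS_TRANSACTION_NOT_ACTIVE from FltGetFileNameInformation as a non-fatal condition, retrying with a cache-only query (which may itself fail) rather than aborting the cleanup. Whether FltObjects->Transaction is still populated after the transaction has been rolled back is not something this thread establishes, so the example records it only as an observation for logging.

```c
#include <fltKernel.h>

/*
 * Added example pre-cleanup callback (hypothetical driver, not the poster's).
 * Logs whether the file object being cleaned up belonged to a KTM transaction
 * and tolerates the STATUS_TRANSACTION_NOT_ACTIVE failure discussed above.
 */
FLT_PREOP_CALLBACK_STATUS
ExamplePreCleanup(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;

    /* Documented behaviour: Transaction is non-NULL when the operation is
     * part of a transaction, otherwise NULL. That is the distinction the
     * thread asks for. (Assumption: its value after rollback is not
     * relied upon here, only reported.) */
    BOOLEAN transacted = (FltObjects->Transaction != NULL);

    UNREFERENCED_PARAMETER(CompletionContext);

    /* Same options the original poster uses. */
    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_OPENED |
                                       FLT_FILE_NAME_QUERY_DEFAULT,
                                       &nameInfo);

    if (status == STATUS_TRANSACTION_NOT_ACTIVE) {
        /* The transaction the open belonged to is no longer active, so the
         * file system cannot be queried through it. Fall back to whatever
         * Filter Manager already has cached; this can also fail, in which
         * case the callback simply proceeds without a name. */
        status = FltGetFileNameInformation(Data,
                                           FLT_FILE_NAME_OPENED |
                                           FLT_FILE_NAME_QUERY_CACHE_ONLY,
                                           &nameInfo);
    }

    if (NT_SUCCESS(status)) {
        DbgPrint("ExamplePreCleanup: %s open of %wZ\n",
                 transacted ? "transacted" : "regular",
                 &nameInfo->Name);
        FltReleaseFileNameInformation(nameInfo);
    } else {
        /* Name unavailable: record the status so the failure mode seen in
         * the thread (0xC0190003) is visible in the debugger output. */
        DbgPrint("ExamplePreCleanup: %s open, name unavailable (0x%08X)\n",
                 transacted ? "transacted" : "regular", status);
    }

    /* Cleanup is not blocked; the callback only observes. */
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
```

To use it, list ExamplePreCleanup as the PreOperation entry for IRP_MJ_CLEANUP in the FLT_OPERATION_REGISTRATION array handed to FltRegisterFilter. The design point is that a defensive filter should never let a name-query failure on a transacted file object derail its own logic: the error is a property of the transaction's state, not a sign that the cleanup itself is malformed, so the callback degrades to "transacted open, name unknown" instead of failing.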

  • Peter_Viscarola_(OSR) Administrator Posts: 7,409

    > by no means are my intentions to create a new malware injection method

    I believe you. Really, I do.

    Can I have your bank account number, please? Just so I can check to see what a bank account number in your country looks like?

    By no means are my intentions to steal your money. But for educational purposes.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
