Hi, I'm running a POC for the process doppelgänging injection method, which creates an NTFS transaction on an unsuspicious file (svchost.exe) to copy a malicious payload into it, executes it, and eventually rolls back the transaction before closing the file so it goes undetected by AV (see the code here: https://github.com/Spajed/processrefund).
In my setup there is also a minifilter driver installed that gets a callback on file pre-cleanup events. The callback function calls the kernel API FltGetFileNameInformation with the NameOptions parameter set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.
According to the documentation, the FLT_FILE_NAME_QUERY_DEFAULT option means: "If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing."
In my scenario, FltGetFileNameInformation sometimes fails with error 0xC0190003 (STATUS_TRANSACTION_NOT_ACTIVE).
I would like to understand the nature of this error code better and why it is triggered. My best guess is that somewhere before the file transaction is rolled back, the process running the POC terminates, so the file gets closed with a pending transaction that has been neither rolled back nor committed.
#include <windows.h>
#include <ktmw32.h>   // CreateTransaction / RollbackTransaction; link with KtmW32.lib

// Create a transaction; handle hTransaction ("temp" is the transaction description string, declared elsewhere)
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, temp);

// CreateFileTransacted on the file fileFullPath inside that transaction; handle hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath, GENERIC_WRITE | GENERIC_READ, 0, NULL,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL);
...
// process may be terminated somewhere here
...
// Roll back the original svchost (undoes the payload written inside the transaction), then close the handles
RollbackTransaction(hTransaction);
CloseHandle(hTransactedFile);
CloseHandle(hTransaction);
Has anybody ever encountered this error code and can confirm or contradict my theory?