
Getting error STATUS_TRANSACTION_NOT_ACTIVE while calling FltGetFileNameInformation from a minifilter

iradization42 Member Posts: 2
edited July 7 in NTFSD

Hi, I'm running a PoC of the Process Doppelgänging injection method, which creates an NTFS transaction on an unsuspecting file (svchost.exe) to copy a malicious payload into it, executes it, and eventually rolls back the transaction before closing the file so that it goes undetected by AV (see the code here: https://github.com/Spajed/processrefund).

In my setup there's also a minifilter driver installed that gets a callback on pre-cleanup events. The callback function calls the kernel API FltGetFileNameInformation with the NameOptions parameter set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.

According to the documentation, the option FLT_FILE_NAME_QUERY_DEFAULT means that "If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing."
In my scenario, FltGetFileNameInformation sometimes fails with error 0xC0190003 (STATUS_TRANSACTION_NOT_ACTIVE).

I wish to understand the nature of this error code better and why it's triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the PoC is terminated, so the file gets closed with a pending transaction that is neither rolled back nor committed.


#include <windows.h>
#include <ktmw32.h>
#pragma comment(lib, "KtmW32.lib")

// Create a transaction, handle hTransaction (temp is the optional description string)
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, temp);

// CreateFileTransacted on the file fileFullPath, handle hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
    GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,
    NULL, hTransaction, NULL, NULL);

...
// process may be terminated somewhere here
...

// Roll back the original svchost (the transacted writes are discarded)
RollbackTransaction(hTransaction);

// Only then close the transacted file and the transaction itself
CloseHandle(hTransactedFile);
CloseHandle(hTransaction);

Perhaps anybody ever encounter this error code and can confirm or contradict my theory ?

thanks !


Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,339

    Answer me this: Why would we help you do this?

    Wouldn’t we be helping you perfect a method for malware injection?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • iradization42 Member Posts: 2

    Hi Peter, by no means is my intention to create a new malware injection method, but rather a technique to block them (although today Doppelgänging is detected by Microsoft Defender); not commercially yet, but for educational purposes, hoping to gain some relevant experience and get into the cyber defense industry.

    What I've seen is that when the transacted file is being closed I get the STATUS_TRANSACTION_NOT_ACTIVE error, after the transaction was rolled back perfectly.

    Therefore, I'd like to know if there's a way to distinguish between a regular file and a transacted file in the pre-cleanup callback.

    thanks !

  • Peter_Viscarola_(OSR) Administrator Posts: 7,339

    by no means is my intention to create a new malware injection method

    I believe you. Really, I do.

    Can I have your bank account number, please? Just so I can check to see what a bank account number in your country looks like?

    By no means are my intentions to steal your money. But for educational purposes.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers
