sennin
1
Hi,
I have an issue in this scenario.
My driver routine is like this:

VOID CreateProcessNotifyRoutine(...)    /* registered with PsSetCreateProcessNotifyRoutine */
{
    KeInitializeEvent(&kevent, NotificationEvent, FALSE);
    workItem = IoAllocateWorkItem(DeviceObject);
    IoQueueWorkItem(workItem, WorkItemRoutine, DelayedWorkQueue, context);
    KeWaitForSingleObject(&kevent, Executive, KernelMode, FALSE, NULL);
    IoFreeWorkItem(workItem);
}

VOID WorkItemRoutine(...)
{
    NtCreateFile or ZwOpenFile
    ZwQueryInformationFile
    KeSetEvent(&kevent, IO_NO_INCREMENT, FALSE);    /* signal kevent */
}

But I get a deadlock when NtCreateFile is called.
What am I missing?
Run:
!process 0 F System
Find your thread calling NtCreateFile and post it here.
sennin
3
Sorry for the late reply.
THREAD ffff800dc136c440 Cid 0004.00d8 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
ffffba8680ca7428 SynchronizationEvent
IRP List:
ffff800dc1377270: (0006,0478) Flags: 00000884 Mdl: 00000000
ffff800dc65de010: (0006,0478) Flags: 00000884 Mdl: 00000000
Impersonation token: ffff958caa481060 (Level Anonymous)
Owning Process ffff800dc12a0200 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 40117 Ticks: 250 (0:00:00:03.906)
Context Switch Count 1137 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.281
Win32 Start Address nt!ExpWorkerThread (0xfffff8074b541120)
Stack Init ffffba8680ca7fd0 Current ffffba8680ca6f70
Base ffffba8680ca8000 Limit ffffba8680ca1000 Call 0000000000000000
Priority 15 BasePriority 12 PriorityDecrement 16 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffffba86`80ca6fb0 fffff807`4b40c970 nt!KiSwapContext+0x76
ffffba86`80ca70f0 fffff807`4b40be9f nt!KiSwapThread+0x500
ffffba86`80ca71a0 fffff807`4b40b743 nt!KiCommitThreadWait+0x14f
ffffba86`80ca7240 fffff807`4b40e61d nt!KeWaitForSingleObject+0x233
ffffba86`80ca7330 fffff807`4b40968a nt!ExpWaitForResource+0x6d
ffffba86`80ca73b0 fffff807`4b4090f4 nt!ExpAcquireResourceSharedLite+0x4da
ffffba86`80ca7470 fffff807`4b7f3c03 nt!ExAcquireResourceSharedLite+0x44
ffffba86`80ca74b0 fffff807`4f667779 nt!SeLockSubjectContext+0x53
ffffba86`80ca74e0 fffff807`4f66726a Ntfs!NtfsAccessCheck+0x1f9
ffffba86`80ca7710 fffff807`4f666f2d Ntfs!NtfsCheckExistingFile+0xda
ffffba86`80ca77c0 fffff807`4f666564 Ntfs!NtfsOpenExistingAttr+0xdd
ffffba86`80ca7880 fffff807`4f6655ca Ntfs!NtfsOpenAttributeInExistingFile+0x494
ffffba86`80ca7a70 fffff807`4f5fa44f Ntfs!NtfsOpenExistingPrefixFcb+0x22a
ffffba86`80ca7b80 fffff807`4f5fb350 Ntfs!NtfsFindStartingNode+0x3ff
ffffba86`80ca7c70 fffff807`4f612592 Ntfs!NtfsCommonCreate+0x580
ffffba86`80ca7f50 fffff807`4b5fa4fe Ntfs!NtfsCommonCreateCallout+0x22
ffffba86`80ca7f80 fffff807`4b5fa4bc nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffba86`80ca7e40)
ffffba86`7f9c0220 fffff807`4b498f2d nt!KiSwitchKernelStackContinue
ffffba86`7f9c0240 fffff807`4b498d22 nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19d
ffffba86`7f9c02e0 fffff807`4b498b83 nt!KiExpandKernelStackAndCalloutSwitchStack+0xf2
ffffba86`7f9c0350 fffff807`4b498b3d nt!KeExpandKernelStackAndCalloutInternal+0x33
ffffba86`7f9c03c0 fffff807`4f616f73 nt!KeExpandKernelStackAndCalloutEx+0x1d
ffffba86`7f9c0400 fffff807`4f5f7924 Ntfs!NtfsCommonCreateOnNewStack+0x5b
ffffba86`7f9c0470 fffff807`4b5185b5 Ntfs!NtfsFsdCreate+0x274
ffffba86`7f9c06f0 fffff807`4e7d6ccf nt!IofCallDriver+0x55
ffffba86`7f9c0730 fffff807`4e80bbd4 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
ffffba86`7f9c07a0 fffff807`4b5185b5 FLTMGR!FltpCreate+0x324
ffffba86`7f9c0850 fffff807`4b519ba4 nt!IofCallDriver+0x55
ffffba86`7f9c0890 fffff807`4b8e3e5d nt!IoCallDriverWithTracing+0x34
ffffba86`7f9c08e0 fffff807`4b7f23ce nt!IopParseDevice+0x117d
ffffba86`7f9c0a50 fffff807`4b9014aa nt!ObpLookupObjectName+0x3fe
ffffba86`7f9c0c20 fffff807`4b815c8f nt!ObOpenObjectByNameEx+0x1fa
ffffba86`7f9c0d50 fffff807`4b81574d nt!IopCreateFile+0x40f
ffffba86`7f9c0df0 fffff807`4e80df1f nt!IoCreateFileEx+0x11d
ffffba86`7f9c0e90 fffff807`4e80e5ea FLTMGR!FltpExpandFilePathWorker+0x32f
ffffba86`7f9c1000 fffff807`4e80a435 FLTMGR!FltpExpandFilePath+0x1e
ffffba86`7f9c1050 fffff807`4e80aadb FLTMGR!FltpGetNormalizedFileNameWorker+0x225
ffffba86`7f9c10d0 fffff807`4e7d24c4 FLTMGR!FltpCreateFileNameInformation+0x2eb
ffffba86`7f9c1150 fffff807`4e7d3504 FLTMGR!HandleStreamListNotSupported+0x134
ffffba86`7f9c1190 fffff807`4e7d40a1 FLTMGR!FltpGetFileNameInformation+0x5c4
Thank you a lot.
sennin
4
@“Scott_Noone_(OSR)” said:
Run:
!process 0 F System
Find your thread calling NtCreateFile and post it here.
Please guide me on what I should do.
sennin
5
Hi again,
I fixed it.
My problem was the order of the calls.
My old code was:
SeCaptureSubjectContext
SeLockSubjectContext
ZwCreateFile
It caused a deadlock on my system.
And I still do not know exactly why this problem happened.