Hi, I’m running a POC for the process doppelgänging injection method, which creates an NTFS transaction on an unsuspecting file (svchost.exe) to copy a malicious payload,
execute it and eventually roll back the transaction before closing the file so it will be undetected by AV. (See the code here: https://github.com/Spajed/processrefund)

In my setup there’s also a minifilter driver installed that gets a callback on file preCleanup events. The callback function calls the kernel API FltGetFileNameInformation with the nameOption parameter set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.

According to the documentation, the FLT_FILE_NAME_QUERY_DEFAULT option means that “If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing.”
In my scenario, FltGetFileNameInformation sometimes fails with error c0190003 (STATUS_TRANSACTION_NOT_ACTIVE).

I wish to understand the nature of this error code better and why it’s triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the POC terminates, so the file gets closed with a pending transaction that is neither rolled back nor committed.

#include <windows.h>
#include <ktmw32.h>                 // CreateTransaction / RollbackTransaction
#pragma comment(lib, "KtmW32.lib")

// Create a transaction, handle hTransaction (temp: optional description string, LPWSTR)
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, temp);
// CreateFileTransacted on the file fileFullPath, handle hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
    GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL,
    hTransaction, NULL, NULL);
...
// process may be terminated somewhere here
...
// rolling back the original svchost
RollbackTransaction(hTransaction);
Has anybody ever encountered this error code and can confirm or contradict my theory?
Thanks!
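Added example (not the poster's code and not from the processrefund project): a defender-side minifilter pattern that sidesteps the pre-cleanup failure described above by capturing the normalized name in a stream handle context at post-create, where the file system is safely queryable, and using that cached copy at pre-cleanup, so a handle whose transaction has already ended still gets named. Assumptions: a WDK build, g_Filter set by FltRegisterFilter in DriverEntry, NAME_CTX registered as a FLT_STREAMHANDLE_CONTEXT with NameCtxCleanup as its cleanup routine (registration not shown), and a constructed pool tag.

```c
#include <fltKernel.h>
#ifndef STATUS_TRANSACTION_NOT_ACTIVE            /* the code quoted in the post: c0190003 */
#define STATUS_TRANSACTION_NOT_ACTIVE ((NTSTATUS)0xC0190003L)
#endif
#define NAMECTX_TAG 'nCxT'                       /* constructed pool tag */
static PFLT_FILTER g_Filter;                     /* assumed: set by FltRegisterFilter in DriverEntry */
/* Per-handle copy of the normalized name taken at post-create; assumed registered as a
 * FLT_STREAMHANDLE_CONTEXT with NameCtxCleanup as its cleanup callback. */
typedef struct _NAME_CTX { UNICODE_STRING Name; } NAME_CTX, *PNAME_CTX;
VOID NameCtxCleanup(PFLT_CONTEXT Context, FLT_CONTEXT_TYPE Type)
{
    PNAME_CTX nc = (PNAME_CTX)Context; UNREFERENCED_PARAMETER(Type);
    if (nc->Name.Buffer != NULL) ExFreePoolWithTag(nc->Name.Buffer, NAMECTX_TAG);
}
/* Post-create: the file system can still be queried safely here, so resolve the name once. */
FLT_POSTOP_CALLBACK_STATUS PostCreate(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS Objs,
                                      PVOID Ctx, FLT_POST_OPERATION_FLAGS Flags)
{
    PFLT_FILE_NAME_INFORMATION ni = NULL; PNAME_CTX nc = NULL; UNREFERENCED_PARAMETER(Ctx);
    if ((Flags & FLTFL_POST_OPERATION_DRAINING) || !NT_SUCCESS(Data->IoStatus.Status) ||
        !NT_SUCCESS(FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED |
                                              FLT_FILE_NAME_QUERY_DEFAULT, &ni)))
        return FLT_POSTOP_FINISHED_PROCESSING;
    if (NT_SUCCESS(FltAllocateContext(g_Filter, FLT_STREAMHANDLE_CONTEXT, sizeof(NAME_CTX),
                                      NonPagedPoolNx, (PFLT_CONTEXT *)&nc))) {
        nc->Name.Buffer = ExAllocatePoolWithTag(NonPagedPoolNx, ni->Name.Length, NAMECTX_TAG);
        nc->Name.Length = 0; nc->Name.MaximumLength = (nc->Name.Buffer != NULL) ? ni->Name.Length : 0;
        RtlCopyUnicodeString(&nc->Name, &ni->Name);   /* copies at most MaximumLength bytes */
        /* KEEP_IF_EXISTS: a racing post-create may already have attached a context. */
        FltSetStreamHandleContext(Objs->Instance, Objs->FileObject, FLT_SET_CONTEXT_KEEP_IF_EXISTS, nc, NULL);
        FltReleaseContext(nc);                        /* filter manager keeps its own reference */
    }
    FltReleaseFileNameInformation(ni);
    return FLT_POSTOP_FINISHED_PROCESSING;
}
/* Pre-cleanup: prefer the cached name; query the file system only when no context exists, and
 * treat STATUS_TRANSACTION_NOT_ACTIVE as "name unavailable for this handle", not as a filter bug. */
FLT_PREOP_CALLBACK_STATUS PreCleanup(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS Objs, PVOID *Cc)
{
    PNAME_CTX nc = NULL; PFLT_FILE_NAME_INFORMATION ni = NULL; NTSTATUS st; UNREFERENCED_PARAMETER(Cc);
    if (NT_SUCCESS(FltGetStreamHandleContext(Objs->Instance, Objs->FileObject, (PFLT_CONTEXT *)&nc))) {
        /* IoGetTransactionParameterBlock is non-NULL for a transacted file object. */
        DbgPrint("cleanup %wZ transacted=%d\n", &nc->Name, IoGetTransactionParameterBlock(Objs->FileObject) != NULL);
        FltReleaseContext(nc);
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    st = FltGetFileNameInformation(Data, FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT, &ni);
    if (NT_SUCCESS(st)) { DbgPrint("cleanup %wZ\n", &ni->Name); FltReleaseFileNameInformation(ni); }
    else if (st == STATUS_TRANSACTION_NOT_ACTIVE) DbgPrint("cleanup: handle's transaction has already ended\n");
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
```

Because the name is resolved at post-create, the pre-cleanup path no longer depends on NTFS being willing to answer a name query for a handle whose transaction is gone.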