Getting error STATUS_TRANSACTION_NOT_ACTIVE while calling FltGetFileNameInformation from a minifilter

Hi, I’m running a POC for the Process Doppelgänging injection method, which creates an NTFS transaction on an unsuspecting file (svchost.exe) to copy a malicious payload into it,
executes it and eventually rolls back the transaction before closing the file so it will be undetected by AV (see the code here: https://github.com/Spajed/processrefund).

In my setup there’s also a minifilter driver installed that gets a callback on file pre-cleanup events. The callback function calls the kernel API FltGetFileNameInformation with the NameOptions parameter set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.

According to the documentation, the option FLT_FILE_NAME_QUERY_DEFAULT means that “If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing.”
In my scenario FltGetFileNameInformation sometimes fails with error 0xC0190003 (STATUS_TRANSACTION_NOT_ACTIVE).

I wish to understand better the nature of this error code and why it’s triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the POC is terminated, so the file gets closed with a pending transaction that is neither rolled back nor committed.


#include <windows.h>
#include <ktmw32.h>                 // CreateTransaction / RollbackTransaction
#pragma comment(lib, "KtmW32.lib")

// temp (the transaction description string) and fileFullPath are declared earlier in the POC.

// Create a transaction, handle hTransaction
HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, temp);

// CreateFileTransacted on file fileFullPath, handle hTransactedFile
HANDLE hTransactedFile = CreateFileTransacted(fileFullPath,
    GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL,
    hTransaction, NULL, NULL);

...
// process may be terminated somewhere here
...

// Roll back the transaction on the original svchost; hTransactedFile is still open at this point
RollbackTransaction(hTransaction);

Has anybody ever encountered this error code and can confirm or contradict my theory?

Thanks!

Answer me this: Why would we help you do this?

Wouldn’t we be helping you perfect a method for malware injection?

Peter

Hi Peter, by no means are my intentions to create a new malware injection method, but a technique to block them (although today Doppelgänging is detected by Microsoft Defender). Not commercially yet, but for educational purposes, hoping to gain some relevant experience and get into the cyber defense industry.

What I’ve seen is that when the transacted file is being closed I get the STATUS_TRANSACTION_NOT_ACTIVE error, after the transaction was rolled back perfectly.

Therefore, I’d like to know if there’s a way to distinguish between a regular file and a transacted file in the pre-cleanup callback.

Thanks!

by no means are my intentions to create a new malware injection method

I believe you. Really, I do.

Can I have your bank account number, please? Just so I can check to see what a bank account number in your country looks like?

By no means are my intentions to steal your money. But for educational purposes.

Peter