The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Hi, I'm running POC for process doppelganger injection method which create NTFS transaction on unsuspected file (svchost.exe) to copy a malicious payload,
execute it and eventually rolling back the transaction before closing the file so it will be undetected by AV. (see code here https://github.com/Spajed/processrefund)
In my setup there's also a minifilter driver installed, that gets callback on file preCleanup events. The callback function calls kernel API FltGetFileNameInformation with nameOption param set to FLT_FILE_NAME_OPENED | FLT_FILE_NAME_QUERY_DEFAULT.
The option FLT_FILE_NAME_QUERY_DEFAULT says according to documentation that "If it is not currently safe to query the file system for the file name, FltGetFileNameInformation does nothing."
In my scenario it sometimes fails the method FltGetFileNameInformation due to error c0190003 (STATUS_TRANSACTION_NOT_ACTIVE).
I wish to understand better the nature of this error code and why it's triggered. My best guess is that somewhere before the file transaction is rolled back, the process that runs the POC terminated, so that the file gets closed with a pending transaction that is neither rolled back nor committed.
// Created a transaction, handle hTransaction HANDLE hTransaction = CreateTransaction(NULL,0,0,0,0,0, temp); //CreateFileTransacted on file %fileFullPath, handle %hTransactedFile HANDLE hTransactedFile = CreateFileTransacted(fileFullPath, GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL, hTransaction, NULL, NULL); ... // process may be terminated somewhere here ... //rolling back the original svchost RollbackTransaction(hTransaction))
Perhaps anybody ever encounter this error code and can confirm or contradict my theory ?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||15 Jun 2020||LIVE ONLINE|
|Writing WDF Drivers||22 June 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|