Deadlock on NtCreateFile in PsCreateProcessNotifyRoutine

Hi,
I have an issue in this scenario.
My driver routine is like this:

    VOID
    CreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
    {
        KEVENT Event;
        PIO_WORKITEM WorkItem;

        KeInitializeEvent(&Event, NotificationEvent, FALSE);
        WorkItem = IoAllocateWorkItem(DeviceObject);   // DeviceObject: the driver's device object
        IoQueueWorkItem(WorkItem, WorkItemRoutine, DelayedWorkQueue, &Event);

        // block the notify callback until the work item signals the event
        KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
        IoFreeWorkItem(WorkItem);
    }

    VOID
    WorkItemRoutine(PDEVICE_OBJECT DeviceObject, PVOID Context)
    {
        // NtCreateFile or ZwOpenFile, then query the file
        ZwCreateFile(...);
        ZwQueryInformationFile(...);
        KeSetEvent((PKEVENT)Context, IO_NO_INCREMENT, FALSE);   // signal the event
    }

But I get a deadlock when NtCreateFile is called.
What am I missing?

Run:

!process 0 F System

Find your thread calling NtCreateFile and post it here.

Sorry for my late reply.

THREAD ffff800dc136c440 Cid 0004.00d8 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
ffffba8680ca7428 SynchronizationEvent
IRP List:
ffff800dc1377270: (0006,0478) Flags: 00000884 Mdl: 00000000
ffff800dc65de010: (0006,0478) Flags: 00000884 Mdl: 00000000
Impersonation token: ffff958caa481060 (Level Anonymous)
Owning Process ffff800dc12a0200 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 40117 Ticks: 250 (0:00:00:03.906)
Context Switch Count 1137 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.281
Win32 Start Address nt!ExpWorkerThread (0xfffff8074b541120)
Stack Init ffffba8680ca7fd0 Current ffffba8680ca6f70
Base ffffba8680ca8000 Limit ffffba8680ca1000 Call 0000000000000000
Priority 15 BasePriority 12 PriorityDecrement 16 IoPriority 2 PagePriority 5

    Child-SP          RetAddr               Call Site
    ffffba86`80ca6fb0 fffff807`4b40c970     nt!KiSwapContext+0x76
    ffffba86`80ca70f0 fffff807`4b40be9f     nt!KiSwapThread+0x500
    ffffba86`80ca71a0 fffff807`4b40b743     nt!KiCommitThreadWait+0x14f
    ffffba86`80ca7240 fffff807`4b40e61d     nt!KeWaitForSingleObject+0x233
    ffffba86`80ca7330 fffff807`4b40968a     nt!ExpWaitForResource+0x6d
    ffffba86`80ca73b0 fffff807`4b4090f4     nt!ExpAcquireResourceSharedLite+0x4da
    ffffba86`80ca7470 fffff807`4b7f3c03     nt!ExAcquireResourceSharedLite+0x44
    ffffba86`80ca74b0 fffff807`4f667779     nt!SeLockSubjectContext+0x53
    ffffba86`80ca74e0 fffff807`4f66726a     Ntfs!NtfsAccessCheck+0x1f9
    ffffba86`80ca7710 fffff807`4f666f2d     Ntfs!NtfsCheckExistingFile+0xda
    ffffba86`80ca77c0 fffff807`4f666564     Ntfs!NtfsOpenExistingAttr+0xdd
    ffffba86`80ca7880 fffff807`4f6655ca     Ntfs!NtfsOpenAttributeInExistingFile+0x494
    ffffba86`80ca7a70 fffff807`4f5fa44f     Ntfs!NtfsOpenExistingPrefixFcb+0x22a
    ffffba86`80ca7b80 fffff807`4f5fb350     Ntfs!NtfsFindStartingNode+0x3ff
    ffffba86`80ca7c70 fffff807`4f612592     Ntfs!NtfsCommonCreate+0x580
    ffffba86`80ca7f50 fffff807`4b5fa4fe     Ntfs!NtfsCommonCreateCallout+0x22
    ffffba86`80ca7f80 fffff807`4b5fa4bc     nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffba86`80ca7e40)
    ffffba86`7f9c0220 fffff807`4b498f2d     nt!KiSwitchKernelStackContinue
    ffffba86`7f9c0240 fffff807`4b498d22     nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19d
    ffffba86`7f9c02e0 fffff807`4b498b83     nt!KiExpandKernelStackAndCalloutSwitchStack+0xf2
    ffffba86`7f9c0350 fffff807`4b498b3d     nt!KeExpandKernelStackAndCalloutInternal+0x33
    ffffba86`7f9c03c0 fffff807`4f616f73     nt!KeExpandKernelStackAndCalloutEx+0x1d
    ffffba86`7f9c0400 fffff807`4f5f7924     Ntfs!NtfsCommonCreateOnNewStack+0x5b
    ffffba86`7f9c0470 fffff807`4b5185b5     Ntfs!NtfsFsdCreate+0x274
    ffffba86`7f9c06f0 fffff807`4e7d6ccf     nt!IofCallDriver+0x55
    ffffba86`7f9c0730 fffff807`4e80bbd4     FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
    ffffba86`7f9c07a0 fffff807`4b5185b5     FLTMGR!FltpCreate+0x324
    ffffba86`7f9c0850 fffff807`4b519ba4     nt!IofCallDriver+0x55
    ffffba86`7f9c0890 fffff807`4b8e3e5d     nt!IoCallDriverWithTracing+0x34
    ffffba86`7f9c08e0 fffff807`4b7f23ce     nt!IopParseDevice+0x117d
    ffffba86`7f9c0a50 fffff807`4b9014aa     nt!ObpLookupObjectName+0x3fe
    ffffba86`7f9c0c20 fffff807`4b815c8f     nt!ObOpenObjectByNameEx+0x1fa
    ffffba86`7f9c0d50 fffff807`4b81574d     nt!IopCreateFile+0x40f
    ffffba86`7f9c0df0 fffff807`4e80df1f     nt!IoCreateFileEx+0x11d
    ffffba86`7f9c0e90 fffff807`4e80e5ea     FLTMGR!FltpExpandFilePathWorker+0x32f
    ffffba86`7f9c1000 fffff807`4e80a435     FLTMGR!FltpExpandFilePath+0x1e
    ffffba86`7f9c1050 fffff807`4e80aadb     FLTMGR!FltpGetNormalizedFileNameWorker+0x225
    ffffba86`7f9c10d0 fffff807`4e7d24c4     FLTMGR!FltpCreateFileNameInformation+0x2eb
    ffffba86`7f9c1150 fffff807`4e7d3504     FLTMGR!HandleStreamListNotSupported+0x134
    ffffba86`7f9c1190 fffff807`4e7d40a1     FLTMGR!FltpGetFileNameInformation+0x5c4

Thank you a lot.

@“Scott_Noone_(OSR)” said:
Run:

!process 0 F System

Find your thread calling NtCreateFile and post it here.

Please guide me on what I should do.

Hi again,
I fixed it :)
My problem was the order of the calls.
My old code was:
SeCaptureSubjectContext
SeLockSubjectContext
ZwCreateFile

It caused a deadlock on my system,
and I still do not know exactly why this problem happened.