Hello all
I’m trying to find a way to close a handle to a rootkit device driver in the System process so that I can delete the driver file. On XP we do this by calling user-mode NtDuplicateObject and setting the DUPLICATE_CLOSE_SOURCE option so that the original handle is closed. On Windows 7, though, this setting appears to be ignored. Instead, NtDuplicateObject creates a handle to the same file object within the _HANDLE_TABLE of the calling process (and increments the reference count of the target file object). When I close the duplicated handle, the reference count is decremented and the duplicated handle is removed from the handle table of my process, but not from the System process.

I am able to close the handle by injecting some code into a kernel watchdog thread that the rootkit has conveniently provided, so that the close is called in the correct (System) context, but I would like to understand more about why the original approach doesn’t work. Should DUPLICATE_CLOSE_SOURCE be supported on Windows 7?

And to preempt the inevitable flaming: yes, I am aware of the risks of these methods. But malware in general, and rootkits in particular, don’t follow the rules, and sometimes we need to use unorthodox methods to remove them.
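The user-mode technique described above, written out as an added example (this is not code from the original post): DuplicateHandle is the Win32 wrapper over NtDuplicateObject, and passing DUPLICATE_CLOSE_SOURCE asks the object manager to close the source handle in the target process's handle table once the duplicate has been created in ours. The function then probes whether the source slot really went away, which is exactly the check that distinguishes the XP behaviour from the Windows 7 behaviour reported in the post. The target PID and raw handle value are assumed inputs (for instance from Process Explorer or handle.exe); nothing here is specific to any particular driver or rootkit.

```powershell
# Added example, not from the original thread.
# Close a handle that lives in another process from user mode, using
# DuplicateHandle + DUPLICATE_CLOSE_SOURCE (the Win32 face of NtDuplicateObject).
# Assumptions: $TargetPid / $HandleValue are supplied by the caller; opening the
# System process for PROCESS_DUP_HANDLE normally requires an elevated shell with
# SeDebugPrivilege.

$sig = @'
using System;
using System.Runtime.InteropServices;
public static class NativeMethods {
    public const uint PROCESS_DUP_HANDLE     = 0x0040;
    public const uint DUPLICATE_CLOSE_SOURCE = 0x0001;
    public const uint DUPLICATE_SAME_ACCESS  = 0x0002;
    public const int  ERROR_INVALID_HANDLE   = 6;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DuplicateHandle(IntPtr hSrcProc, IntPtr hSrc, IntPtr hTgtProc,
        out IntPtr hTgt, uint access, bool inherit, uint options);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
'@
Add-Type -TypeDefinition $sig

function Close-RemoteHandle {
    param(
        [Parameter(Mandatory)][uint32]$TargetPid,
        [Parameter(Mandatory)][IntPtr]$HandleValue
    )

    $hProc = [NativeMethods]::OpenProcess([NativeMethods]::PROCESS_DUP_HANDLE, $false, $TargetPid)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($TargetPid) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    try {
        # Step 1: duplicate into our own handle table and ask for the source to be closed.
        $hDup = [IntPtr]::Zero
        $opts = [NativeMethods]::DUPLICATE_CLOSE_SOURCE -bor [NativeMethods]::DUPLICATE_SAME_ACCESS
        $ok = [NativeMethods]::DuplicateHandle($hProc, $HandleValue,
                  [NativeMethods]::GetCurrentProcess(), [ref]$hDup, 0, $false, $opts)
        if (-not $ok) {
            throw "DuplicateHandle failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }

        # Step 2: drop the object reference our duplicate holds.
        [void][NativeMethods]::CloseHandle($hDup)

        # Step 3: probe the original slot. If DUPLICATE_CLOSE_SOURCE was honoured,
        # a plain duplicate of the same value now fails with ERROR_INVALID_HANDLE.
        $probe = [IntPtr]::Zero
        $stillThere = [NativeMethods]::DuplicateHandle($hProc, $HandleValue,
                          [NativeMethods]::GetCurrentProcess(), [ref]$probe, 0, $false,
                          [NativeMethods]::DUPLICATE_SAME_ACCESS)
        if ($stillThere) {
            [void][NativeMethods]::CloseHandle($probe)
            Write-Warning "Source handle $HandleValue in PID $TargetPid is still open (close-source not honoured)."
            return $false
        }
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($err -ne [NativeMethods]::ERROR_INVALID_HANDLE) {
            Write-Warning "Probe failed with unexpected Win32 error $err; result inconclusive."
            return $false
        }
        return $true
    }
    finally {
        [void][NativeMethods]::CloseHandle($hProc)
    }
}

# Usage (values are placeholders the operator fills in from a handle listing):
# Close-RemoteHandle -TargetPid 4 -HandleValue ([IntPtr]0x1A4)
```

Two caveats a practitioner should keep in mind. The probe in step 3 is only a heuristic: handle values are recycled, so if the target process opens something new between the close and the probe, the slot can be occupied by an unrelated object and the function would report failure even though the original handle was closed. And a successful close says nothing about other references to the file object (for example a mapped section), so the file may still refuse deletion afterwards.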



Not exactly what you asked but,

I wonder what you’ll do if they have referenced an object from a handle and have closed the handle?
In fact it’s very common for a malware’s user-mode component to keep a pointer to a section of the driver file (using MapViewOfFile).

So you closed the handle, but you will still not be able to delete the file.

>rootkits in particular don’t follow the rules and sometimes we need to use unorthodox methods to remove them.

A separate boot from CD for an AV scan is the best.

Maxim S. Shatskih
Windows DDK MVP

Hi Aditya
Thanks for your input. I agree this is common, but at least when the handle is held by a rogue user-mode process we are able to detect and remove that user-mode process to close the handle. It’s somewhat more tricky when it’s held by the System process.

And Maxim, although you are of course correct, we have to work within the capabilities of the products we have, which does limit our options.

But I only added the explanation of what I’m trying to achieve for context. The real question is how DUPLICATE_CLOSE_SOURCE for NtDuplicateObject works (is it the object manager, for example, that handles the close of the source handle when a duplicate handle is closed?) and how this is different on Windows 7?