FltMgr hang

I am looking at an issue that occurs only when a rootkit driver is installed. It is a legacy driver. When this driver is loaded and any other minifilter is also loaded (even the passthrough example) and someone tries to access the rootkit driver the create call hangs. In the debugger I can see that the filter manager has completed callbacks and is waiting on something (see stack below). This wait is never satisfied.

Now I know the first instinct is to say that if a malware driver is installed then all bets are off and anything can happen, etc. All I am asking here is what is the filter manager waiting for? Anything that sheds light on why this is happening may help to avoid it, and when you are trying to write a utility to remove this type of malware, avoiding it is crucial to the success of that effort.

THREAD 82035d80 Cid 0260.0258 Teb: 7ffdf000 Win32Thread: e20da990 WAIT: (Executive) KernelMode Non-Alertable
81ff9120 SynchronizationEvent
IRP List:
821e7cb8: (0006,01b4) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap e1984050
Owning Process 0 Image:
Attached Process 821ef158 Image: cmd.exe
Wait Start TickCount 9026 Ticks: 114 (0:00:00:01.781)
Context Switch Count 445 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:04.750
Win32 Start Address 0x4ad05046
Start Address 0x7c810705
Stack Init b2377000 Current b237698c Base b2377000 Limit b2373000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr
b23769a4 80500cf0 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b23769b0 804f9d72 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b23769d8 f8488ec2 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
b2376a10 f8495754 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x232 (FPO: [Non-Fpo])
b2376a4c 804ee129 fltMgr!FltpCreate+0x26a (FPO: [Non-Fpo])
b2376a5c 80578728 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b2376b3c 805b4e10 nt!IopParseDevice+0xa12 (FPO: [Non-Fpo])
b2376bc4 805b11b9 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
b2376c18 8056b333 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
b2376c94 8056bcaa nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
b2376cf0 8056e3bc nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
b2376d30 8053d6d8 nt!NtCreateFile+0x30 (FPO: [Non-Fpo])
b2376d30 7c90e514 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2376d64)
0013e6e4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

Hi Rick,

As far as I remember FltpLegacyProcessingAfterPreCallbacksCompleted is a pretty complicated function, and I expect there are quite a few different things it could wait for. One thing it does generally wait for is the completion of the operation if the operation was pended by a driver below. But there are other cases where it waits for things… Any chance you could either post the bytes before the call?

Also, which OS is this?

Thanks,
Alex.

Hi Alex,

It is Windows XP. It is interesting that the minifilter does not even need to register for any callbacks. As long as it is registered as a minifilter it hangs. If it is not registered the create returns an error.

I think it is waiting for the IRP completion:

fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x17f:
f8488e0f 807d1000 cmp byte ptr [ebp+10h],0
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x183:
f8488e13 c7401c048348f8 mov dword ptr [eax+1Ch],offset fltMgr!FltpGeneralCompletion (f8488304)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18a:
f8488e1a 895820 mov dword ptr [eax+20h],ebx
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d:
f8488e1d c64003e0 mov byte ptr [eax+3],0E0h
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x191:
f8488e21 7565 jne fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8 (f8488e88)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x193:
f8488e23 8b45f8 mov eax,dword ptr [ebp-8]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x196:
f8488e26 806003fe and byte ptr [eax+3],0FEh
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x19a:
f8488e2a c645ff00 mov byte ptr [ebp-1],0
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x19e:
f8488e2e eb58 jmp fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8 (f8488e88)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8:
f8488e88 33ff xor edi,edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1fa:
f8488e8a 8b450c mov eax,dword ptr [ebp+0Ch]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1fd:
f8488e8d 8b4028 mov eax,dword ptr [eax+28h]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x200:
f8488e90 8b4804 mov ecx,dword ptr [eax+4]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x203:
f8488e93 8bd6 mov edx,esi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x205:
f8488e95 ff1584d248f8 call dword ptr [fltMgr!_imp_IofCallDriver (f848d284)]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b:
f8488e9b 89450c mov dword ptr [ebp+0Ch],eax
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20e:
f8488e9e 8b4508 mov eax,dword ptr [ebp+8]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x211:
f8488ea1 397810 cmp dword ptr [eax+10h],edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x214:
f8488ea4 7409 je fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21f (f8488eaf)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21f:
f8488eaf 397df0 cmp dword ptr [ebp-10h],edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x222:
f8488eb2 747e je fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2a2 (f8488f32)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x224:
f8488eb4 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x225:
f8488eb5 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x226:
f8488eb6 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x227:
f8488eb7 8d4310 lea eax,[ebx+10h]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a:
f8488eba 57 push edi
kd> p
mbamchameleon!MBpPreOperationCreate: Entered
mbamchameleon!Opening VMware Tools
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22b:
f8488ebb 50 push eax
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22c:
f8488ebc ff15f0d148f8 call dword ptr [fltMgr!_imp__KeWaitForSingleObject (f848d1f0)]
kd> r
eax=81e76d78 ebx=81e76d68 ecx=f857245c edx=71f20002 esi=822c1600 edi=00000000
eip=f8488ebc esp=b1f799e0 ebp=b1f79a10 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22c:
f8488ebc ff15f0d148f8 call dword ptr [fltMgr!_imp__KeWaitForSingleObject (f848d1f0)] ds:0023:f848d1f0={nt!KeWaitForSingleObject (804f9bb0)}
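The sequence in that listing is the standard "install completion routine, call the driver below, wait if it pended" pattern: 0E0h stored at [eax+3] is SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR|SL_INVOKE_ON_CANCEL in the stack location's Control byte, and the four push edi before the final call are the zero arguments Timeout=NULL, Alertable=FALSE, WaitMode=KernelMode and WaitReason=Executive, which is exactly the "WAIT: (Executive) KernelMode Non-Alertable" state in the !thread output. The user-mode C below is an added example, not code from this thread or from fltMgr; all types and function names are simplified stand-ins, and it shows why a lower driver that returns STATUS_PENDING but never completes the IRP leaves that wait unsatisfied.

```c
/* Added example: a user-mode model of the set-completion / IofCallDriver / wait
 * pattern seen in the FltpLegacyProcessingAfterPreCallbacksCompleted disassembly.
 * Everything here is a simplified stand-in, not a WDK definition. */
#include <stdbool.h>
#include <stddef.h>

#define STATUS_SUCCESS                  0x00000000L
#define STATUS_PENDING                  0x00000103L
#define STATUS_MORE_PROCESSING_REQUIRED 0xC0000016L
/* IO_STACK_LOCATION.Control bits; their OR is the 0E0h written at [eax+3] */
#define SL_INVOKE_ON_CANCEL  0x20
#define SL_INVOKE_ON_SUCCESS 0x40
#define SL_INVOKE_ON_ERROR   0x80

typedef struct { bool signaled; } KEVENT;          /* SynchronizationEvent stand-in */
typedef struct IRP IRP;
typedef long (*PIO_COMPLETION_ROUTINE)(IRP *irp, void *ctx);
struct IRP {
    long status;
    unsigned char control;                         /* [stack+3]   */
    PIO_COMPLETION_ROUTINE completion;             /* [stack+1Ch] */
    void *context;                                 /* [stack+20h] */
};
typedef long (*LOWER_DISPATCH)(IRP *irp);
typedef struct { KEVENT event; } FLT_LEGACY_CTX;   /* waiter's context; event lives inside it */

/* IoCompleteRequest stand-in: the lower stack calls this when it finishes the IRP */
static void io_complete_request(IRP *irp, long status) {
    irp->status = status;
    if (irp->completion) irp->completion(irp, irp->context);
}
/* FltpGeneralCompletion stand-in: canonical sync pattern, signal the event and keep the IRP */
static long fltp_general_completion(IRP *irp, void *ctx) {
    (void)irp; ((FLT_LEGACY_CTX *)ctx)->event.signaled = true;
    return STATUS_MORE_PROCESSING_REQUIRED;
}
/* Returns true if the KeWaitForSingleObject(Timeout=NULL) would return,
 * false if the calling thread would block forever (the hang in the !thread output). */
static bool legacy_processing_after_pre_callbacks(IRP *irp, LOWER_DISPATCH lower) {
    FLT_LEGACY_CTX ctx = { { false } };
    irp->completion = fltp_general_completion;                       /* mov [eax+1Ch] */
    irp->context    = &ctx;                                          /* mov [eax+20h] */
    irp->control    = SL_INVOKE_ON_CANCEL | SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR;
    long status = lower(irp);                                        /* IofCallDriver */
    return status == STATUS_PENDING ? ctx.event.signaled : true;     /* wait only if pended */
}
/* Lower driver that completes the create before returning: no wait at all */
static long good_lower_driver(IRP *irp) { io_complete_request(irp, STATUS_SUCCESS); return STATUS_SUCCESS; }
/* Lower driver that pends and later completes: event signaled, wait returns */
static long pend_then_complete_driver(IRP *irp) { io_complete_request(irp, STATUS_SUCCESS); return STATUS_PENDING; }
/* Lower driver that returns pending and never completes the IRP: the waiter hangs */
static long swallowing_lower_driver(IRP *irp) { (void)irp; return STATUS_PENDING; }
```

A legacy filter sitting below fltMgr that intercepts the create and neither completes nor passes on the IRP produces the third case, which is the state the stack above is stuck in.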