I am looking at an issue that occurs only when a rootkit driver is installed. It is a legacy driver. When this driver is loaded and any other minifilter is also loaded (even the passthrough example), and someone tries to access the rootkit driver, the create call hangs. In the debugger I can see that the filter manager has completed callbacks and is waiting on something (see stack below). This wait is never satisfied.
Now I know the first instinct is to say that if a malware driver is installed then all bets are off and anything can happen, etc. All I am asking here is: what is the filter manager waiting for? Anything that sheds light on why this is happening may help to avoid it, and when you are trying to write a utility to remove this type of malware, avoiding it is crucial to the success of that effort.
As far as I remember FltpLegacyProcessingAfterPreCallbacksCompleted is a pretty complicated function, and I expect there are quite a few different things it could wait for. One thing it does generally wait for is the completion of the operation if the operation was pended by a driver below. But there are other cases where it waits for things… Any chance you could either post the bytes before the call?
It is Windows XP. It is interesting that the minifilter does not even need to register for any callbacks. As long as it is registered as a minifilter it hangs. If it is not registered the create returns an error.
I think it is waiting for the IRP completion:
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x17f:
f8488e0f 807d1000 cmp byte ptr [ebp+10h],0
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x183:
f8488e13 c7401c048348f8 mov dword ptr [eax+1Ch],offset fltMgr!FltpGeneralCompletion (f8488304)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18a:
f8488e1a 895820 mov dword ptr [eax+20h],ebx
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d:
f8488e1d c64003e0 mov byte ptr [eax+3],0E0h
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x191:
f8488e21 7565 jne fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8 (f8488e88)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x193:
f8488e23 8b45f8 mov eax,dword ptr [ebp-8]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x196:
f8488e26 806003fe and byte ptr [eax+3],0FEh
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x19a:
f8488e2a c645ff00 mov byte ptr [ebp-1],0
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x19e:
f8488e2e eb58 jmp fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8 (f8488e88)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1f8:
f8488e88 33ff xor edi,edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1fa:
f8488e8a 8b450c mov eax,dword ptr [ebp+0Ch]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1fd:
f8488e8d 8b4028 mov eax,dword ptr [eax+28h]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x200:
f8488e90 8b4804 mov ecx,dword ptr [eax+4]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x203:
f8488e93 8bd6 mov edx,esi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x205:
f8488e95 ff1584d248f8 call dword ptr [fltMgr!_imp_IofCallDriver (f848d284)]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b:
f8488e9b 89450c mov dword ptr [ebp+0Ch],eax
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20e:
f8488e9e 8b4508 mov eax,dword ptr [ebp+8]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x211:
f8488ea1 397810 cmp dword ptr [eax+10h],edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x214:
f8488ea4 7409 je fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21f (f8488eaf)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x21f:
f8488eaf 397df0 cmp dword ptr [ebp-10h],edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x222:
f8488eb2 747e je fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2a2 (f8488f32)
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x224:
f8488eb4 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x225:
f8488eb5 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x226:
f8488eb6 57 push edi
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x227:
f8488eb7 8d4310 lea eax,[ebx+10h]
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a:
f8488eba 57 push edi
kd> p
mbamchameleon!MBpPreOperationCreate: Entered
mbamchameleon!Opening VMware Tools
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22b:
f8488ebb 50 push eax
kd> p
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22c:
f8488ebc ff15f0d148f8 call dword ptr [fltMgr!_imp__KeWaitForSingleObject (f848d1f0)]
kd> r
eax=81e76d78 ebx=81e76d68 ecx=f857245c edx=71f20002 esi=822c1600 edi=00000000
eip=f8488ebc esp=b1f799e0 ebp=b1f79a10 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22c:
f8488ebc ff15f0d148f8 call dword ptr [fltMgr!_imp__KeWaitForSingleObject (f848d1f0)] ds:0023:f848d1f0={nt!KeWaitForSingleObject (804f9bb0)}
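As an added illustration (not code from this thread or from FltMgr), here is a user-mode C model of the sequence the disassembly above shows: the filter manager stores FltpGeneralCompletion and its context in the next stack location (the writes to [eax+1Ch] and [eax+20h], plus the 0xE0 control byte at [eax+3], which is the invoke-on-success/error/cancel flag set), calls IofCallDriver, and then waits on the event at [ebx+10h]. The structure and function names are simplified stand-ins, not the real kernel definitions, and the lower driver that returns pending and never completes is a constructed stand-in for the legacy driver in the thread. Unlike the real KeWaitForSingleObject call, which has no timeout, the model bounds the wait so the never-completed case is reported instead of hanging:

```c
/* User-mode model of the tail of FltpLegacyProcessingAfterPreCallbacksCompleted
 * as seen in the kd trace. Added illustration: the types below are simplified
 * stand-ins for IO_STACK_LOCATION, IRP, KEVENT, IoSetCompletionRoutine,
 * IofCallDriver and KeWaitForSingleObject, not the real kernel definitions. */
#include <stdbool.h>
#include <stdio.h>

#define STATUS_SUCCESS   0x00000000
#define STATUS_PENDING   0x00000103
#define STATUS_TIMEOUT   0x00000102

/* The 0xE0 written to [eax+3] in the trace is the OR of these three flags. */
#define SL_INVOKE_ON_CANCEL  0x20
#define SL_INVOKE_ON_SUCCESS 0x40
#define SL_INVOKE_ON_ERROR   0x80

typedef struct Irp Irp;
typedef int (*CompletionRoutine)(Irp *irp, void *context);

typedef struct {
    CompletionRoutine completion;  /* [eax+1Ch] in the trace */
    void *context;                 /* [eax+20h] */
    unsigned char control;         /* [eax+3]  */
} StackLocation;

struct Irp {
    StackLocation next;            /* stack location for the next-lower driver */
    int status;
};

typedef struct { bool signaled; } Event;           /* stand-in for KEVENT */
typedef struct { Event completion_event; } LegacyContext;  /* ebx; event at [ebx+10h] */

/* Stand-in for FltpGeneralCompletion: signal the event the waiter blocks on. */
static int general_completion(Irp *irp, void *context) {
    (void)irp;
    ((LegacyContext *)context)->completion_event.signaled = true;
    return STATUS_SUCCESS;
}

/* Stand-in for IoCompleteRequest: invoke the registered completion routine. */
static void complete_request(Irp *irp, int status) {
    irp->status = status;
    if (irp->next.completion)
        irp->next.completion(irp, irp->next.context);
}

/* A well-behaved lower driver: completes the create synchronously. */
static int lower_driver_completes(Irp *irp) {
    complete_request(irp, STATUS_SUCCESS);
    return STATUS_SUCCESS;
}

/* Constructed stand-in for the legacy driver in the thread: pends the IRP
 * and never completes it, so the completion routine never runs. */
static int lower_driver_pends_forever(Irp *irp) {
    (void)irp;
    return STATUS_PENDING;
}

/* Bounded stand-in for KeWaitForSingleObject. The real call in the trace has
 * no timeout; the bound here only makes the unsatisfied wait observable. */
static int wait_for_event(Event *ev, int max_polls) {
    for (int i = 0; i < max_polls; i++)
        if (ev->signaled) return STATUS_SUCCESS;
    return STATUS_TIMEOUT;
}

/* Set the completion routine, call the lower driver, wait if it pended.
 * Returns STATUS_TIMEOUT when the lower driver pended and never completed. */
int legacy_processing_after_pre_callbacks(int (*lower_driver)(Irp *)) {
    LegacyContext ctx = { { false } };
    Irp irp = { { general_completion, &ctx,
                  SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL }, 0 };
    int status = lower_driver(&irp);                      /* IofCallDriver */
    if (status == STATUS_PENDING)
        status = wait_for_event(&ctx.completion_event, 1000);  /* KeWaitForSingleObject */
    return status;
}

int main(void) {
    printf("well-behaved lower driver:    0x%08x\n",
           legacy_processing_after_pre_callbacks(lower_driver_completes));
    printf("pending-forever lower driver: 0x%08x\n",
           legacy_processing_after_pre_callbacks(lower_driver_pends_forever));
    return 0;
}
```

With the well-behaved driver the call returns STATUS_SUCCESS; with the driver that pends and never completes it returns STATUS_TIMEOUT, which is the model's way of making the unsatisfied wait visible. In the kernel the same wait has no bound, so the create request stays blocked inside the filter manager until the pended IRP is completed, which is what the trace above shows.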