InstanceCallback and FltIsVolumeWritable crash

Hi,

I found a minidump where a FltIsVolumeWritable call crashed in this callback
(and I googled several other dumps with the same callstack). It seems to me
that the DeviceObject hasn’t been fully initialized yet (?), because
atapi!IdePortDispatchDeviceControl reads DO->DeviceExtension (which is
probably NULL, and it crashed). Could you please help me understand what
exactly is wrong here?

Thank you, Petr

ATAPI!IdePortDispatchDeviceControl+0xb:
b9f3b71d 833900 cmp dword ptr [ecx],0 ds:0023:00000000=00000000

3: kd> dt nt!_DEVICE_OBJECT
+0x028 DeviceExtension : Ptr32 Void

ATAPI!IdePortDispatchDeviceControl:
b9f3b712 8bff mov edi,edi
b9f3b714 55 push ebp
b9f3b715 8bec mov ebp,esp
b9f3b717 8b4508 mov eax,dword ptr [ebp+8]
b9f3b71a 8b4828 mov ecx,dword ptr [eax+28h]
b9f3b71d 833900 cmp dword ptr [ecx],0

b37f56e4 804ef19f ATAPI!IdePortDispatchDeviceControl+0xb (FPO: [Non-Fpo])
b37f56f4 b9f29a48 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f5720 b6b28bac fltmgr!FltIsVolumeWritable+0x58 (FPO: [Non-Fpo])
b37f5784 b9f228ff ##myDriver+0x2bac
b37f57b8 b9f22e86 fltmgr!FltpDoInstanceSetupNotification+0x4b (FPO: [Non-Fpo])
b37f5818 b9f23211 fltmgr!FltpInitInstance+0x272 (FPO: [Non-Fpo])
b37f5888 b9f2331c fltmgr!FltpCreateInstanceFromName+0x295 (FPO: [Non-Fpo])
b37f58f0 b9f2a342 fltmgr!FltpEnumerateRegistryInstances+0xf4 (FPO: [Non-Fpo])
b37f5940 b9f216da fltmgr!FltpDoFilterNotificationForNewVolume+0xe4 (FPO: [Non-Fpo])
b37f5974 804ef19f fltmgr!FltpCreate+0x1f0 (FPO: [Non-Fpo])
b37f5984 b68dd9d5 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f59ec 804ef19f Tmpreflt+0x79d5
b37f59fc b9f14e9b nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f5a20 b9f21754 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO: [Non-Fpo])
b37f5a5c 804ef19f fltmgr!FltpCreate+0x26a (FPO: [Non-Fpo])
b37f5a6c 80583220 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f5b4c 805bf488 nt!IopParseDevice+0xa12 (FPO: [Non-Fpo])
b37f5bc4 805bba14 nt!ObpLookupObjectName+0x53c (FPO: [Non-Fpo])
b37f5c18 80576057 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
b37f5c94 805769ce nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
b37f5cf0 805790d8 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
b37f5d30 8054167c nt!NtCreateFile+0x30 (FPO: [Non-Fpo])
b37f5d30 7c90e514 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b37f5d64)
010bedd8 00000000 0x7c90e514

Another dump from the internet:

9d6d6ff0 82c7648c ataport!IdePortDispatchDeviceControl+0xb
9d6d7008 82e284eb nt!IofCallDriver+0x63
9d6d7868 a1bf9aaa nt!IoVolumeDeviceToDosName+0x7e
9d6d7880 836cbbf5 mbam+0xaaa
9d6d78b4 836cc417 fltmgr!FltpDoInstanceSetupNotification+0x69
9d6d7900 836cc7d1 fltmgr!FltpInitInstance+0x25d
9d6d7970 836cc8d7 fltmgr!FltpCreateInstanceFromName+0x285
9d6d79dc 836d5cde fltmgr!FltpEnumerateRegistryInstances+0xf9
9d6d7a2c 836ca7f4 fltmgr!FltpDoFilterNotificationForNewVolume+0xe0
9d6d7a70 82c7648c fltmgr!FltpCreate+0x206
9d6d7a88 82e7aafd nt!IofCallDriver+0x63
9d6d7b60 82e5b57b nt!IopParseDevice+0xed7
9d6d7bdc 82e81729 nt!ObpLookupObjectName+0x4fa
9d6d7c38 82e79a7b nt!ObOpenObjectByName+0x165
9d6d7cb4 82e85392 nt!IopCreateFile+0x673
9d6d7d00 82c7d41a nt!NtCreateFile+0x34
9d6d7d00 77c96344 nt!KiFastCallEntry+0x12a
00cae848 00000000 0x77c96344

Hi!

It seems that the TDL4 (TDSS, Alureon, Tidserv) rootkit is present in the crashed system. This rootkit creates a fake device with type = FILE_DEVICE_DISK and without a device extension. So, the Vpb field will be initialized for this fake device object (real disk PDOs never have a correct Vpb). Then the rootkit changes the LowerDeviceObject field in the _COMMON_DEVICE_EXTENSION of the infected DR. And when an IRP comes to this fake device, the rootkit handler will filter it and send it to the original disk PDO device object.

So, if anyone tries to access this physical drive (using the \\.\PhysicalDrive??? or \??\ide#disk??? link), then the raw file system will be mounted (due to the Vpb). And if your minifilter tries to make requests to this “volume object”, this fake device object will be sent to the disk port driver (Atapi). And… there will be a crash.

The crash stack says that the request was sent to the port driver:
b37f56e4 804ef19f ATAPI!IdePortDispatchDeviceControl+0xb (FPO: [Non-Fpo])
b37f56f4 b9f29a48 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f5720 b6b28bac fltmgr!FltIsVolumeWritable+0x58 (FPO: [Non-Fpo])
b37f5784 b9f228ff ##myDriver+0x2bac

but it must be sent to the volume driver.

This is one of many bugs of this rootkit… :frowning:
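The layering mismatch the reply points out (a volume query issued from a minifilter's instance-setup path landing directly in a storage port driver's device-control dispatch, with nothing but nt!IopfCallDriver/IofCallDriver between them) can be checked mechanically when triaging a batch of dumps. The script below is an added example, not code from the thread or from any OSR project: it parses kv-style frames from the two stacks quoted in this thread plus a constructed "normally layered" stack, and flags the short-circuit. The port-driver module list, the volume-query API list and the frames in the constructed healthy sample are assumptions made for the example.

```python
"""Triage helper for the stack pattern discussed in the thread: a volume query
(FltIsVolumeWritable / IoVolumeDeviceToDosName) that reaches a storage port
driver's IRP_MJ_DEVICE_CONTROL dispatch with no disk/partition/volume driver
frame in between.  Added example, not from the OSR thread; the module and
function lists below are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Port drivers seen at the top of the crash stacks in the thread (atapi,
# ataport) plus two more assumed here for the same role.
PORT_DRIVERS = {"atapi", "ataport", "storport", "scsiport"}
# APIs that, per the reply, must end up at a *volume* device object.
VOLUME_QUERY_FUNCS = {"FltIsVolumeWritable", "IoVolumeDeviceToDosName"}
# I/O-manager frames that only forward an IRP to the next device.
DISPATCH_FUNCS = {"IopfCallDriver", "IofCallDriver"}

# "<child-sp> <ret-addr> <symbol>[+off] [(FPO: ...)]" as printed by kv / kb
FRAME_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")


@dataclass
class Frame:
    child_sp: int
    ret_addr: int
    module: str
    function: Optional[str]   # None when only module+offset resolved
    offset: int


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one kv frame line; returns None for non-frame lines."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    sym, offset = m.group(3), 0
    if "+" in sym:
        sym, off = sym.rsplit("+", 1)
        offset = int(off, 16)            # int() accepts the 0x prefix with base 16
    module, _, func = sym.partition("!")
    return Frame(int(m.group(1), 16), int(m.group(2), 16),
                 module, func or None, offset)


def parse_stack(text: str) -> list:
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f]


def find_short_circuit(frames) -> Optional[int]:
    """Index of the volume-query frame when frame 0 is a port-driver dispatch
    reached from it through dispatch stubs only; None when a real driver frame
    sits in between (normal layering) or no query frame is found."""
    if not frames or frames[0].module.lower() not in PORT_DRIVERS:
        return None
    for i in range(1, len(frames)):
        f = frames[i]
        if f.module.lower() == "nt" and f.function in DISPATCH_FUNCS:
            continue                     # IoCallDriver forwarding, keep walking
        if f.function in VOLUME_QUERY_FUNCS:
            return i                     # query went straight to the port driver
        return None                      # some driver frame intervenes: layered
    return None


def triage(text: str) -> Optional[dict]:
    """Summarise a flagged stack: which API, which port dispatch, who called."""
    frames = parse_stack(text)
    i = find_short_circuit(frames)
    if i is None:
        return None
    caller = frames[i + 1] if i + 1 < len(frames) else None
    return {"api": frames[i].function,
            "port": f"{frames[0].module}!{frames[0].function}",
            "caller_module": caller.module if caller else None}


# Constructed inputs: the top frames of the two stacks quoted in the thread.
STACK_A = """\
b37f56e4 804ef19f ATAPI!IdePortDispatchDeviceControl+0xb (FPO: [Non-Fpo])
b37f56f4 b9f29a48 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b37f5720 b6b28bac fltmgr!FltIsVolumeWritable+0x58 (FPO: [Non-Fpo])
b37f5784 b9f228ff ##myDriver+0x2bac
b37f57b8 b9f22e86 fltmgr!FltpDoInstanceSetupNotification+0x4b (FPO: [Non-Fpo])
"""
STACK_B = """\
9d6d6ff0 82c7648c ataport!IdePortDispatchDeviceControl+0xb
9d6d7008 82e284eb nt!IofCallDriver+0x63
9d6d7868 a1bf9aaa nt!IoVolumeDeviceToDosName+0x7e
9d6d7880 836cbbf5 mbam+0xaaa
9d6d78b4 836cc417 fltmgr!FltpDoInstanceSetupNotification+0x69
"""
# Constructed contrast case (addresses and frames invented for the example):
# the IOCTL passes through the disk/partition stack before the port driver.
STACK_OK = """\
8a1b0000 00000000 ATAPI!IdePortDispatchDeviceControl+0xb
8a1b0010 00000000 nt!IopfCallDriver+0x31
8a1b0020 00000000 disk!DiskDeviceControl+0x1c
8a1b0030 00000000 nt!IopfCallDriver+0x31
8a1b0040 00000000 partmgr!PmDeviceControl+0x2a
8a1b0050 00000000 nt!IopfCallDriver+0x31
8a1b0060 00000000 fltmgr!FltIsVolumeWritable+0x58
8a1b0070 00000000 ##myDriver+0x2bac
"""

if __name__ == "__main__":
    for name, stack in (("A", STACK_A), ("B", STACK_B), ("OK", STACK_OK)):
        print(name, triage(stack) or "layering looks normal")
```

The heuristic only encodes what the reply states: a volume query should be answered by the volume stack, so a path from the query API to a port driver's dispatch routine that crosses nothing but I/O-manager forwarding frames is worth a closer look at the device object the query was handed (in the thread's dump, the one at DeviceObject+0x28, DeviceExtension, read by the faulting instruction). A flagged stack is a prompt to inspect that object, not proof of infection.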

Thanks, you gave a really detailed answer.
Petr

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, July 07, 2011 8:37 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] InstanceCallback and FltIsVolumeWritable crash



NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer