Need to resolve virus file handle held by FS Filter driver

Hi,

I have an antivirus and other sample FS filter drivers installed on a Windows 7 64-bit machine. In one scenario, the antivirus detects the virus (shown as virus.com in the call stack below) and cleans the virus content, leaving the virus file at 0 KB, but when the antivirus then tries to delete the virus, it hangs Explorer. I found that, after cleaning up the virus contents, when the AV tries to delete the virus file it cannot, as a handle to the virus file is held by the MyFSFlt filter driver. If I disable MyFSFlt, the AV is able to delete the virus, so it is clear that MyFSFlt is holding the virus file handle. At the time of the hang I generated a dump using NotMyFault. Dump and debugging details are below.

kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks…

Resource @ MyAVScanner (0xfffff88003d64ed0) Shared 1 owning threads
Threads: fffffa8004e33b50-02<*>
KD: Scanning for held locks…
18364 total locks, 1 locks currently held

kd> !thread fffffa8004e33b50
THREAD fffffa8004e33b50 Cid 0004.00e4 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
fffff88002ef17c8 NotificationEvent
IRP List:
fffffa8003f513e0: (0006,0478) Flags: 00000884 Mdl: 00000000
Impersonation token: fffff8a00b15c040 (Level Impersonation)
DeviceMap fffff8a008b00690
Owning Process fffffa8003c72890 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 196121 Ticks: 1470 (0:00:00:22.932)
Context Switch Count 6646 IdealProcessor: 0 NoStackSwap
UserTime 00:00:00.000
KernelTime 00:00:05.506
Win32 Start Address MyAVScanner (0xfffff88003da7340)
Stack Init fffff88002ef2c70 Current fffff88002ef13c0
Base fffff88002ef3000 Limit fffff88002eed000 Call 0
Priority 1 BasePriority 1 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88002ef1400 fffff80002a8fa02 : fffff8800165d470 fffffa8004e33b50 0000000000000000 0000000000000000 : nt!KiSwapContext+0x7a
fffff88002ef1540 fffff80002a9371f : fffffa8004e33b00 0000000000000000 0000000000000000 8000000068feb963 : nt!KiCommitThreadWait+0x1d2
fffff88002ef15d0 fffff880016cf84d : fffffa8007c1fe00 0000000000000000 0000000000000001 0000000000000000 : nt!KeWaitForSingleObject+0x19f
fffff88002ef1670 fffff880016f5e16 : 0000000000000367 fffff88002ef18a0 fffffa8003f513e0 fffffa8003f513e0 : Ntfs!NtfsWaitForCreateEvent+0x4d
fffff88002ef16b0 fffff8800110bbcf : fffffa8004b8b030 fffffa8003f513e0 0000000000000000 fffff88002ef1de0 : Ntfs!NtfsFsdCreate+0x216
fffff88002ef1860 fffff8800112b2b9 : fffffa8003f513e0 fffffa8004c2f010 fffffa8003f51300 fffffa8004b89420 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88002ef18f0 fffff8800117995b : 0000000100000060 fffffa8000000001 fffffa8007e0f8c8 fffff8a00019a3d0 : fltmgr!FltpCreate+0x2a9
fffff88002ef19a0 fffff880011e41bf : fffffa8004b89420 fffffa8003f513e0 fffff88002ef1a44 fffffa8007bb1010 : MyFSFlt!Filter::Send+0x19b
fffff88002ef1a20 fffff880011e66b8 : fffffa8004bdc668 fffffa8003f513e0 fffffa8004e86340 0000000000000001 : MyFSFlt!Filter::FileCheck+0x5df
fffff88002ef1bc0 fffff880011be54c : fffffa8004bdc668 fffffa8003f513e0 fffffa8004e86340 fffffa8007bb1010 : MyFSFlt!Filter::PreCreate+0x638
fffff88002ef1c70 fffff8800110bbcf : fffffa8004bdc4d0 fffffa8003f513e0 fffff88002ef1ec0 0000000000000000 : MyFSFlt!Filter::DispatchCreate+0x49c
fffff88002ef1d10 fffff8800112b2b9 : fffffa8003f513e0 fffffa8004bdc800 fffffa8003f51300 fffffa8004b82910 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88002ef1da0 fffff80002d88b5b : 0000000000000060 0000000000000240 fffffa8007e0f8c8 fffff8a00019a3d0 : fltmgr!FltpCreate+0x2a9
fffff88002ef1e50 fffff80002d84b6e : fffffa8004b82090 0000000000000000 fffffa8005ba7900 0000000000000000 : nt!IopParseDevice+0x14e2
fffff88002ef1fb0 fffff80002d85656 : 0000000000000000 fffff88002ef2130 0000000000000240 fffffa8003d09600 : nt!ObpLookupObjectName+0x784
fffff88002ef20b0 fffff80002d86f5c : fffffa8004e33b50 0000000000000000 fffff8a00afcbc00 fffffa8004b8b180 : nt!ObOpenObjectByName+0x306
fffff88002ef2180 fffff80002d2ddfb : fffff8a0089a4a50 fffffa8000110000 fffff88002ef2570 fffff88002ef25a0 : nt!IopCreateFile+0x2bc
fffff88002ef2220 fffff8800112d49c : 0000000000000000 fffffa8004e3ba10 0000000000000000 0000000000110000 : nt!IoCreateFileEx+0xfb
fffff88002ef22c0 fffff8800113ca21 : fffff8a0089a4a50 0000000000000000 fffff8a0089a4a50 fffff8a0089a4a40 : fltmgr!FltCreateFileEx2+0x18c
fffff88002ef23d0 fffff88003dbf8b4 : 000000000000003a fffff88003d0daea fffffa8007bb1000 000000000000003a : fltmgr!FltCreateFileEx+0x91
fffff88002ef2460 fffff88003dc265b : fffff8a0089a4a30 fffff8a00afc0db8 fffffa8004e3ba10 fffff8800110bd1b : MyAVScanner!PerformScan::FltCreateFileEx+0xa4
fffff88002ef24f0 fffff88003dc41e2 : 0000000000000001 fffffa8003e7f660 0000000000000001 fffff8a0089a4a30 : MyAVScanner!PerformScan::Initialize+0x1eb
fffff88002ef2620 fffff88003dc7832 : 0000000000000000 fffff8a0004d7010 fffff88003d634b8 fffff8a0089a4a30 : MyAVScanner!PerformScan::FileDelete+0xd2
fffff88002ef26a0 fffff88003ddf4b7 : fffff88002ef2701 fffff8a000000020 000000000000225c 000000000000225c : MyAVScanner!PerformScan::Repair+0x1f5
fffff88002ef2770 fffff88003ddd2b8 : fffff88003d634b8 fffff8a00000000c fffff88003d634b8 fffff8a006374da0 : MyAVScanner!PerformScan::Scan+0x1ee
fffff88002ef2910 fffff88003d3b638 : fffff88002ef3000 fffff88002eed000 0000000080000005 00000000000007ff : MyAVScanner!PerformScan::Init+0x88
fffff88002ef2c00 fffff80002a7d626 : fffff80002c0ae80 fffffa8004e33b50 fffffa8004e34040 fffff8a000251101 : nt!PspSystemThreadStartup+0x5a
fffff88002ef2c40 0000000000000000 : fffff88002ef3000 fffff88002eed000 fffff88002ef1d50 0000000000000000 : nt!KiStartSystemThread+0x16

kd> !irp fffffa8003f513e0
Irp is active with 13 stacks 10 is current (= 0xfffffa8003f51738)
No Mdl: No System Buffer: Thread fffffa8004e33b50: Irp stack trace.
cmd flg cl Device File Completion-Context
[0, 0] 0 2 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 ffffffffc0000034
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 e1 fffffa8004b8b030 fffffa8004453690 fffff8800110d8f0-fffffa8004406600 Success Error Cancel pending
\FileSystem\Ntfs fltmgr!FltpSynchronizedOperationCompletion
Args: fffff88002ef1f58 01000048 00070000 00000000
[0, 0] 0 e0 fffffa8004b89420 fffffa8004453690 fffff880011799b0-fffff88002ef19d8 Success Error Cancel
\FileSystem\FltMgr MyFSFlt!Filter::SimpleCompletion
Args: fffff88002ef1f58 01000048 00070000 00000000
[0, 0] 0 e0 fffffa8004bdc4d0 fffffa80044537c0 fffff8800110d8f0-fffffa8007bb1010 Success Error Cancel
\FileSystem\Encryptfs fltmgr!FltpSynchronizedOperationCompletion
Args: fffff88002ef1f58 04201960 00070000 00000000
[0, 0] 0 0 fffffa8004b82910 fffffa80044537c0 00000000-00000000
\FileSystem\FltMgr
Args: fffff88002ef1f58 04201960 00070000 00000000

kd> !fileobj fffffa8004453690

\Users\ABC\Desktop\TEST\Virus.com

Device Object: 0xfffffa8004b82090 \Driver\volmgr
Vpb is NULL
Access: Read SharedRead SharedWrite SharedDelete

Flags: 0x4010a
Synchronous IO
No Intermediate Buffering
Stream File
Handle Created

CurrentByteOffset: 0

=================================================================

The Send() routine as written in MyFSFlt (the body of SimpleCompletion is not in the post; the standard form, which signals the event and stops completion at this driver, is assumed here):

#include <ntifs.h>
// Signals the event passed as Context and halts IRP completion here, so that
// Send() can read irp->IoStatus after its wait (standard pattern, assumed).
static NTSTATUS SimpleCompletion(DEVICE_OBJECT *device, IRP *irp, void *context)
{
    UNREFERENCED_PARAMETER(device);
    UNREFERENCED_PARAMETER(irp);
    KeSetEvent((KEVENT *)context, IO_NO_INCREMENT, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

// Forwards the IRP to the next lower device and blocks the calling thread until
// it completes. The caller must already have prepared the next stack location
// (IoCopyCurrentIrpStackLocationToNext) before calling Send().
NTSTATUS Send(DEVICE_OBJECT *device, IRP *irp)
{
    KEVENT event;
    KeInitializeEvent(&event, NotificationEvent, FALSE);

    // Invoke SimpleCompletion on success, on error and on cancel.
    IoSetCompletionRoutine(irp, SimpleCompletion, &event, TRUE, TRUE, TRUE);

    NTSTATUS status = IoCallDriver(device, irp);

    if (STATUS_PENDING == status)
    {
        // The lower driver pended the IRP: wait here, on this thread, for it.
        KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
        status = irp->IoStatus.Status;
    }

    return status;
}

I am trying to figure out how to resolve this lock and let the AV delete the virus file. Any pointers on how to tackle this issue further?

\PT

Hello,

Are you opening the file in your driver and sending a request to user
mode for processing? And in the meantime the AV filter detects the virus
but is unable to delete it due to your open on the file?

How are you opening the file? Maybe opening it with share_delete share
access rights would allow it to be opened and deleted, though I'm not sure
how the AV is opening the file. I would investigate this, playing around
with how you open the file, as well as determining if you can simply
piggy-back off of an existing open to perform what you want to do on the
file, possibly avoiding opening the file altogether.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
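To make the share-access point in the reply above concrete, here is an added example that is not code from the thread, from MyFSFlt or from the AV product: a user-mode C model of the I/O manager's share-access rule (the counter-based check behind IoCheckShareAccess and IoUpdateShareAccess). It reduces the situation in the original post to two opens, a filter driver holding the file open for read, then the AV opening it for DELETE while sharing everything (the share flags the !fileobj output shows for the AV's open), and shows that the delete open is refused with a sharing violation unless the filter's open granted FILE_SHARE_DELETE. The type and function names (share_access_t, check_share_access, open_file, av_delete_admitted) are the example's own, and the two-open scenario is constructed for illustration.

```c
/* Added example, not code from the thread, from MyFSFlt or from the AV product:
 * a user-mode C model of the I/O manager's share-access rule
 * (IoCheckShareAccess / IoUpdateShareAccess). It shows why an open that does
 * not grant FILE_SHARE_DELETE makes every later DELETE open, which is what a
 * delete is, fail with STATUS_SHARING_VIOLATION, and why granting it lets the
 * delete through. Type and function names here are the example's own. */
#include <stdbool.h>
#include <stdio.h>

/* Access and share bits, modelled on the NT ones. */
#define ACCESS_READ    0x1u  /* FILE_READ_DATA or FILE_EXECUTE */
#define ACCESS_WRITE   0x2u  /* FILE_WRITE_DATA or FILE_APPEND_DATA */
#define ACCESS_DELETE  0x4u  /* DELETE (also implied by FILE_DELETE_ON_CLOSE) */
#define SHARE_READ     0x1u  /* FILE_SHARE_READ */
#define SHARE_WRITE    0x2u  /* FILE_SHARE_WRITE */
#define SHARE_DELETE   0x4u  /* FILE_SHARE_DELETE */
#define SHARE_ALL      (SHARE_READ | SHARE_WRITE | SHARE_DELETE)

/* Per-stream SHARE_ACCESS block: how many current openers hold each access
 * and how many grant each share mode (the counters behind the per-file-object
 * Read/Write/Delete and SharedRead/SharedWrite/SharedDelete flags that
 * !fileobj prints). */
typedef struct {
    unsigned open_count;
    unsigned readers, writers, deleters;
    unsigned shared_read, shared_write, shared_delete;
} share_access_t;

/* True if a new open requesting `access` and granting `share` is compatible
 * with every existing open. The rule is symmetric: everyone already open must
 * grant what we request, and we must grant what everyone already open holds. */
bool check_share_access(const share_access_t *sa, unsigned access, unsigned share)
{
    bool want_r = (access & ACCESS_READ) != 0;
    bool want_w = (access & ACCESS_WRITE) != 0;
    bool want_d = (access & ACCESS_DELETE) != 0;

    if (!want_r && !want_w && !want_d)
        return true;                 /* attribute-only opens are not share-checked */

    if ((want_r && sa->shared_read   < sa->open_count) ||
        (want_w && sa->shared_write  < sa->open_count) ||
        (want_d && sa->shared_delete < sa->open_count))
        return false;                /* some existing opener did not grant our access */

    if ((sa->readers  != 0 && !(share & SHARE_READ)) ||
        (sa->writers  != 0 && !(share & SHARE_WRITE)) ||
        (sa->deleters != 0 && !(share & SHARE_DELETE)))
        return false;                /* we would not grant an access someone holds */

    return true;
}

/* Admits the open and records it in the counters; false on sharing violation. */
bool open_file(share_access_t *sa, unsigned access, unsigned share)
{
    if (!check_share_access(sa, access, share))
        return false;
    if (!(access & (ACCESS_READ | ACCESS_WRITE | ACCESS_DELETE)))
        return true;                 /* attribute-only opens are not counted either */
    sa->open_count++;
    if (access & ACCESS_READ)   sa->readers++;
    if (access & ACCESS_WRITE)  sa->writers++;
    if (access & ACCESS_DELETE) sa->deleters++;
    if (share & SHARE_READ)     sa->shared_read++;
    if (share & SHARE_WRITE)    sa->shared_write++;
    if (share & SHARE_DELETE)   sa->shared_delete++;
    return true;
}

/* The thread's situation, reduced to two constructed opens: a filter driver
 * holds the file open for read granting `filter_share`, then the AV opens it
 * for DELETE while sharing everything. Returns true if the AV's open is admitted. */
bool av_delete_admitted(unsigned filter_share)
{
    share_access_t sa = {0};
    open_file(&sa, ACCESS_READ, filter_share);
    return open_file(&sa, ACCESS_DELETE, SHARE_ALL);
}

int main(void)
{
    printf("filter shares read|write:        AV delete open %s\n",
           av_delete_admitted(SHARE_READ | SHARE_WRITE) ? "admitted" : "STATUS_SHARING_VIOLATION");
    printf("filter shares read|write|delete: AV delete open %s\n",
           av_delete_admitted(SHARE_ALL) ? "admitted" : "STATUS_SHARING_VIOLATION");
    return 0;
}
```

In kernel mode the `share` argument of this model corresponds to the ShareAccess parameter a filter passes to FltCreateFileEx or ZwCreateFile; a filter that keeps a file open across a scan and passes anything less than FILE_SHARE_DELETE there is the situation the first case models. The model also shows the other direction of the rule: an opener that holds an access must itself be granted that access by any later opener, so a later exclusive open (share 0) is refused while the filter's read open exists.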

------ Original Message ------
From: xxxxx@yahoo.com
To: “Windows File Systems Devs Interest List”
Sent: 9/2/2015 5:18:53 AM
Subject: [ntfsd] Need to resolve virus file handle held by FS Filter
driver
