OSR Online Lists > ntfsd
  Message 1 of 7  
17 May 18 02:38
m sld
xxxxxx@gmail.com
Join Date: 06 Sep 2017
Posts To This List: 11
INVALID KERNEL HANDLE by KasperSky installation

Hi, I have a file system minifilter driver that protects Office Word files by encrypting their data and attaching a header (which contains special keys and other information) to them. First, the minifilter driver creates a kernel handle to the file object. This handle is valid in the PreCreate operation. Everything succeeds; there isn't any error in any of the pre and post operations after it. After I install Kaspersky in Windows, in the PreSetInformation operation (SetEndOfFileInformation) that occurs immediately after PreCreate, I get STATUS_INVALID_HANDLE from the ObReferenceObjectByHandle function.

Note: this occurs even if Kaspersky's protection is disabled, or trusted applications, files and folders are defined. The bug appeared after installing Kaspersky. In the ProcMon logs there isn't any operation from the Kaspersky application between the PreCreate and PreSetInfo operations. Any idea to solve the problem would be helpful to me.
  Message 2 of 7  
17 May 18 10:35
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 989
List Moderator
INVALID KERNEL HANDLE by KasperSky installation

I'm assuming you've confirmed the handle *value* is the same, correct? And you're 100% sure you're creating a kernel handle? Should be something like 0x0`8000xxxx

Assuming the above are correct, then I would try setting an access breakpoint on the handle count of the file object. Start by translating the handle into a file object:

1: kd> !handle 800002f4
...
Kernel handle table at fffff8a0000016b0 with 532 entries in use

800002f4: Object: fffffa801bb4fa20  GrantedAccess: 00020003 (Protected) Entry: fffff8a000003bd0
Object: fffffa801bb4fa20  Type: (fffffa8018e18de0) File
    ObjectHeader: fffffa801bb4f9f0 (new version)
        HandleCount: 1  PointerCount: 1
        Directory Object: 00000000  Name: \Windows\ServiceProfiles\NetworkService\NTUSER.DAT {HarddiskVolume1}

Then get the offset of the HandleCount field from the object header:

1: kd> dt nt!_object_header fffffa801bb4f9f0
   +0x000 PointerCount : 0n1
   +0x008 HandleCount  : 0n1
   ...

And set the access breakpoint:

1: kd> ba w8 fffffa801bb4f9f0+8

I'm not sure why your handle would be getting closed, but it's a place to start at least. Definitely report back anything you find.

-scott
OSR
@OSRDrivers
  Message 3 of 7  
21 May 18 02:51
m sld
xxxxxx@gmail.com
Join Date: 06 Sep 2017
Posts To This List: 11
INVALID KERNEL HANDLE by KasperSky installation

Yes, it's a kernel handle. I tested your command. It's correct: there is a close on my handle that I didn't expect. How can the command below help me?

1: kd> ba w8 fffffa801bb4f9f0+8

I checked the ProcMon logs for the Kaspersky app. My driver does not allow other applications to open the special files. The driver calls CreateFile on a special file and gets a file handle; immediately Kaspersky tries to CreateFile this file, but my driver returns ACCESS DENIED to it. Later, Kaspersky tries ReadFile and WriteFile and these succeed!!! Finally, Kaspersky closes this handle. It seems my handle was stolen by Kaspersky.

The minifilter's code has a CleanupContext function that is defined as the ContextCleanupCallback in the FLT_CONTEXT_REGISTRATION array. In this function, I don't have access to FLT_CALLBACK_DATA to get the process ID and decide about it. Any idea would help me.
  Message 4 of 7  
21 May 18 09:15
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 989
List Moderator
INVALID KERNEL HANDLE by KasperSky installation

Antivirus software can be nasty. It's possible they're directly calling the underlying file system to open the file and thus bypassing your filter. I'd track down where the handle close is coming from before making any further assumptions about what they're doing.

> How can the command below help me?
>
> 1: kd> ba w8 fffffa801bb4f9f0+8

Using my example file object, that would put a write access breakpoint on the HandleCount field of the object. This breakpoint should fire when the handle is closed. The call stack might provide you some useful information.

-scott
OSR
@OSRDrivers
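The HandleCount write breakpoint from Scott's two replies, written out as a complete kd session. This is an added example, not part of the original thread, and it reuses Scott's addresses (handle 800002f4, object fffffa801bb4fa20, object header fffffa801bb4f9f0) on an x64 target, where the object header sits 0x30 bytes before the object body and HandleCount is at header+8, as the dt output in Scott's reply confirms for that build (re-read the offset with dt on any other build rather than assuming it). A hardware data breakpoint fires on every write to the field, including the increment when some other opener takes a handle, so the command string keeps the last seen count in the $t0 pseudo-register and only stops on a decrement, printing the current process and the stack. The output lines are constructed to match the session above.

```windbg
kd> !handle 800002f4
...
800002f4: Object: fffffa801bb4fa20  GrantedAccess: 00020003 (Protected) Entry: fffff8a000003bd0

kd> ? fffffa801bb4fa20 - 30
Evaluate expression: ... = fffffa80`1bb4f9f0            ; object header = body - 0x30, matches !handle's ObjectHeader

kd> dt nt!_OBJECT_HEADER fffffa801bb4f9f0 PointerCount HandleCount
   +0x000 PointerCount : 0n1
   +0x008 HandleCount  : 0n1

kd> r $t0 = poi(fffffa801bb4f9f0+8)                     ; remember the current count (1)

kd> ba w8 fffffa801bb4f9f0+8 ".if (poi(fffffa801bb4f9f0+8) < @$t0) { .echo *** HandleCount decremented ***; r $t0 = poi(fffffa801bb4f9f0+8); !process -1 0; kp } .else { r $t0 = poi(fffffa801bb4f9f0+8); gc }"

kd> g
```

Set the breakpoint right after the handle is created (for example from a breakpoint in your PreCreate callback), because the object must already exist at a fixed address; reloading the driver or reopening the file gives a new object and the breakpoint must be reset. Both a user-mode CloseHandle and a kernel ZwClose arrive through nt!NtClose, so the frames beneath it in the kp output, together with the !process line, are what identify the closer. One caveat worth keeping in mind while reading that stack: a handle created with OBJ_KERNEL_HANDLE lives in the kernel handle table and cannot be closed through a user-mode NtClose, so whoever closes it is doing so from kernel mode, which includes your own driver.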
  Message 5 of 7  
22 May 18 03:22
m sld
xxxxxx@gmail.com
Join Date: 06 Sep 2017
Posts To This List: 11
INVALID KERNEL HANDLE by KasperSky installation

Scott, thanks for your response. I want to get the process ID in CleanupContext and send it to the user-mode application to trust it. The driver would prevent the call to FltClose on the handle if it's Kaspersky. But I don't have access to FLT_CALLBACK_DATA in this function to get the process ID. How can I get the process ID in CleanupContext? (It's PFLT_CONTEXT_CLEANUP_CALLBACK in FLT_CONTEXT_REGISTRATION.)
  Message 6 of 7  
22 May 18 04:10
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 318
INVALID KERNEL HANDLE by KasperSky installation

Very interesting scenario, but how/why would they "steal" your handle? Could it be some scenario you are missing?

In context cleanup just use PsGetCurrentProcess(Id), since this callback can potentially occur in arbitrary thread context, or at least you are not guaranteed that the system or other filters don't also hold an open handle or reference to your file object, and your FltClose triggers some other threads to close as well, and the context cleanup could appear arbitrary.

If Kaspersky are trying to "reuse" your handle then there is probably a bug in their code where they also close the handle where they should leave that up to the creator, but this is a bit weird for me. If the FileObject is created and usable, why would you create a handle? But more importantly, why would you not simply call ObOpenObjectByPointer and get a handle for yourself to use?

I guess another way you could track this down is through the IRP_MJ_CLEANUP routine, which you should receive upon the last handle close. Just add a field in your StreamHandleContext (for the FO you want to track) like DebugContext and set it to True for the file object you are interested in (even from the debugger at the moment of creation), and from IRP_MJ_CLEANUP break into the debugger when you see your streamhandle context with this bit set. This should catch the last Close of the handle as it happens and you can analyze the stack a bit and see who is closing the handle.

Hope this helps.

Cheers,
Gabriel

-- Bercea. G. --
  Message 7 of 7  
22 May 18 11:45
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 989
List Moderator
INVALID KERNEL HANDLE by KasperSky installation

Do not confuse ContextCleanup with IRP_MJ_CLEANUP. Your context cleanup callbacks have nothing to do with user activity. They are called when the underlying system controlled object is destroyed (e.g. File Object, Stream, etc.). You should not care what PID you're in when these callbacks execute.

Please set the access breakpoint on the HandleCount field and show the call stack. Unless you can definitively show where the handle is being closed then you're just chasing random things.

-scott
OSR
@OSRDrivers
Copyright ©2015, OSR Open Systems Resources, Inc.