EldoS | Feel safer!


Problem with Open and CreateFile

#15145
Posted: 11/28/2010 01:34:21
by Mehdi  (Basic support level)
Joined: 11/24/2010
Posts: 7

Well, it was my stupidest fault (corrected the path, it worked without error), but
your driver created a BSOD on my system!
    Windows 7 (6.1.7600) 32 bit
    IRQL_NOT_LESS_OR_EQUAL
    0xA (0x34, 0x2, 0x1, 0xFFFFFFFF83C10829)
    (elrawdsk+0x2A6D)
    file path: C:\Windows\system32\drivers\elrawdsk.sys


So, I ran the program using debug version of driver.
The exact location of BSOD in my code is when I use ReadFile with the handle I got from CRawDisk::CreateFile
and the location of BSOD in the debug version of driver:
    IRQL_NOT_LESS_OR_EQUAL
    0xA (0x34, 0x2, 0x1, 0xFFFFFFFF84032829)
    (elrawdsk+0x468A)
    result of !analyze -v:
    WRITE_ADDRESS: GetPointerFromAddress: unable to read from 83d87718
    Unable to read MiSystemVaType memory at 83d67160
    00000034

    CURRENT_IRQL:  2

    FAULTING_IP:
    hal!KeAcquireInStackQueuedSpinLockRaiseToSynch+19
    84032829 8711            xchg    edx,dword ptr [ecx]


I analyzed your sys file in IDA:
the exact source of BSOD is after ExAcquireResourceExclusiveLite in DDiskFileReadWrite
(I'll analyze the crash file and driver in more detail and will inform you via email)

another bad thing about your driver:
After I deleted the elrawdsk.sys from System32 folder, my Avast notified me of a hidden rootkit:
"A suspicious hidden object (rootkit) has been detected on your system....."
File name: C:\Windows\system32\Drivers\elrawdsk.sys
well, I deleted the driver and I'm wondering how it managed to hide itself ??
I checked the drivers folder with gmer and Xuetr and RKUnhooker and none of them showed anything suspicious
(but, vba32arkit and RKUnhooker showed the elrawdsk.sys in the list of drivers, although I'd deleted the file!)
Anyway, I think it was a false alarm from Avast (I thought maybe the file was pending for move/delete, but I checked it with Sysinternals' pendmoves and it wasn't).
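A small triage helper, added here as an example and not code from the post or from EldoS, that decodes the two bug check 0xA summary lines quoted above (for IRQL_NOT_LESS_OR_EQUAL the four parameters are the referenced address, the IRQL at the time, the access type and the faulting instruction address). The sample lines are copied from the post; the "likely NULL dereference" threshold is an assumption of this example.

```python
import re

# Constructed sample input: the two bug check summaries quoted in the post above
# (Windows 7 32-bit, release and debug builds of elrawdsk.sys).
BUGCHECK_LINES = [
    "0xA (0x34, 0x2, 0x1, 0xFFFFFFFF83C10829)",
    "0xA (0x34, 0x2, 0x1, 0xFFFFFFFF84032829)",
]

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
ACCESS_NAMES = {0: "read", 1: "write", 8: "execute"}

# Matches "0xA (p1, p2, p3, p4)" as printed in the post, hex digits in any case.
LINE_RE = re.compile(
    r"0x([0-9A-Fa-f]+)\s*\(\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)"
    r"\s*,\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)"
)

def parse_bugcheck(line):
    """Return (bug_check_code, [p1, p2, p3, p4]) parsed from a summary line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a bug check summary line: %r" % line)
    code, *params = (int(g, 16) for g in m.groups())
    return code, params

def decode_irql_not_less_or_equal(line, bits=32):
    """Decode bug check 0xA: p1 referenced address, p2 IRQL at the time,
    p3 access type (0 read, 1 write, 8 execute), p4 faulting instruction."""
    code, (addr, irql, access, ip) = parse_bugcheck(line)
    if code != 0xA:
        raise ValueError("expected bug check 0xA, got 0x%X" % code)
    mask = (1 << bits) - 1  # the dump sign-extends 32-bit addresses to 64 bits
    return {
        "address": addr & mask,
        "irql_name": IRQL_NAMES.get(irql, "IRQL %d" % irql),
        "access": ACCESS_NAMES.get(access, "unknown(%d)" % access),
        "faulting_ip": ip & mask,  # 0xFFFFFFFF84032829 -> 0x84032829, as in the disassembly
        # Heuristic (assumption): an address below 64 KiB is a field offset off
        # a NULL pointer rather than a real kernel address.
        "likely_null_deref": (addr & mask) < 0x10000,
    }

if __name__ == "__main__":
    for line in BUGCHECK_LINES:
        print(decode_irql_not_less_or_equal(line))
```

For both lines this reports a write at DISPATCH_LEVEL to address 0x34, which is consistent with the `xchg edx, dword ptr [ecx]` in the spin lock acquire shown in the !analyze output.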
#15146
Posted: 11/28/2010 05:15:01
by Eugene Mayevski (EldoS Corp.)

Regarding BSOD: please capture a small dump (the procedure is described in the help file) and send it to us, we will handle the rest.

Quote
another bad thing about your driver: After I deleted the elrawdsk.sys from System32 folder, my Avast notified me of a hidden rootkit: "A suspicious hidden object (rootkit) has been detected on your system....." File name: C:\Windows\system32\Drivers\elrawdsk.sys well, I deleted the driver and I'm wondering how it managed to hide itself ??


Sometimes being too smart doesn't pay: the driver will be removed upon reboot. There are no tricks there and the same behavior is exposed by all our driver products.


Sincerely yours
Eugene Mayevski
#15218
Posted: 12/05/2010 08:34:20
by Mehdi  (Basic support level)
Joined: 11/24/2010
Posts: 7

Hi
I used OpenEx method (instead of CreateFile) and now it's working on Vista and 7.
Thank you
