lhmon.sys and F-Secure antivirus

Home Forums Discussions Support Portal lhmon.sys and F-Secure antivirus

This topic contains 3 replies, has 2 voices, and was last updated by  Vadim Smirnov 10 years ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #5151

    alex_s
    Participant

    Did anybody experienced any problem with lhmon and F-Secure ?

    #6495

    Vadim Smirnov
    Moderator

    F-Secure package contains a driver named fsndis5.sys which is TDI filter + NDIS filter + … in one module. TDI filter part is implemented by patching TCPIP.SYS dispatcher table method. Since this driver is loaded before TCPIP.SYS it applies its patch when it detects the first access attempt to DeviceTcp. However, unlike most filter drivers which patch this table only once, fsndis5.sys checks if anyone patches the TCPIP.SYS dispatcher table after him and re-patches it so that fsndis5.sys is always on the top of the stack. But the re-patching implementation is buggy and this bug reveals if another TDI filter driver based on patching dispatcher table is present. An example, when LNM (Local Network Monitor) driver is loaded it gets the fsndis5.sys installed hooks from the TCPIP.SYS dispatcher table, saves them as original handlers and modifies dispatcher table. So far so good, LNM driver gets the request first, processes it, and then passes to fsndis5.sys which after its own processing passes the request to TCPIP.SYS. However, after short amount of time fsndis5.sys detects that handlers in the TCPIP.SYS dispatcher table have changed and patches this table again BUT it saves LNM driver handlers as original (it already has the correct handlers after previous patch, but for some reason prefers to take the incorrect ones). After this any request directed to DeviceTcp first comes to fsndis5.sys, which after processing passes it to LNM driver, which also after processing passes the request to fsndis5.sys which again calls LNM driver and so on until stack overflow.

    Same crash scenario can be also reproduced with TDIMon (from Mark Russinovich).

    If fsndis5.sys would not take the new modified (LNM driver) handlers from TCPIP.SYS dispatcher table it could just exclude LNM driver from the stack and keep system stable. However, in general the re-patching approach in F-Secure driver is not compatible with any other TDI filter based on patching the dispatcher table.

    #6496

    alex_s
    Participant

    @SerpentFly wrote:

    If fsndis5.sys would not take the new modified (LNM driver) handlers from TCPIP.SYS dispatcher table it could just exclude LNM driver from the stack and keep system stable. However, in general the re-patching approach in F-Secure driver is not compatible with any other TDI filter based on patching the dispatcher table.

    Thanks for this comprehensive report. All in all this is a good news in way 🙂

    #6497

    Vadim Smirnov
    Moderator

    We have managed to find a workaround for LHMON problem with F-Secure by hooking TCPIP dispatcher table just before F-Secure driver. The solution is not ideal because any other similar TDI filter may break this balance but this is still better than nothing. The Local Network Monitor was updated on the web site to version 2.2.4.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.