Code Change Request

# 15661

Back to Code Changes

Christopher
Technical Support
StableBit CloudDrive
1.0.0.282
Windows 8.1 (64 bit)
Public
Alex

Success: http://i.imgur.com/1XFQH4i.png
Public
Alex

* [D] [Issue #15661] Added workaround for a bug in Bitdefender Antivirus 2015 (trufos.sys).
                     Details: https://stablebit.com/Admin/IssueAnalysis/15661
* [D] [Issue #15661] Cloud drives will now report a disk serial number.
* [D] [Issue #15661] Drive sector size was always 4096 bytes.
Public
Alex

Ok, I've figures it out after stepping through their assembly code.
  • trufos tries to open our driver object by name.
  • It constructs that name by taking our driver file name (cloudfs_disk.sys), removing the extension and prepending "\Driver\".
  • This gives it the following kernel path "\Driver\cloudfs_disk".
  • This path doesn't exist, and NT returns an error STATUS_OBJECT_NAME_NOT_FOUND.
  • When this fails, trufos attempts to free its memory buffers that it has built up until now, in order to construct this incorrect path, but due to a bug in their driver, it frees the buffer containing our driver name (cloudfs_disk.sys) twice. The second free causes the BSOD.
Obviously trufos has 2 major issues:
  1. It assumes that the driver object path can be inferred from the driver file name. This is a 100% wrong assumption to begin with.
  2. When #1 fails, it crashes due to a memory management bug.
We can work around this issue by renaming our driver object to match our driver file name. Because the driver object is derived from the service name, we would have to rename our kernel service. I've already tried this workaround, and it does resolve the crash.

On a personal note, it seems to me that this A/V driver is badly coded and, in general, I would stay away from it.