pointer to FCB is NULL & how to use !irp

Hi, I am analyzing one memory.dmp. This was caused because the pointer to the FCB is
NULL, but I don't know who set it to NULL.
Can I find this information from memory.dmp?

And do you know what the following parameters mean when I use !irp?
>[ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000 ---> What is [ 12, 0]?? And where can I get this?
\FileSystem\Cdm
Args: 00000000 00000000 00000000 00000000 ---> What's the argument???

1: kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
bb9babe8 beb7be49 00000000 00000001 00000001 cdm!CdmAcquireFcbLock+0xd (FPO: [Non-Fpo])
bb9bac1c 8041d915 88a22790 87bb74c8 87f81e68 cdm!CdmFsdCleanup+0x43 (FPO: [Non-Fpo])
bb9bac30 804c1e67 80064ffc 890ae640 00000001 nt!IopfCallDriver+0x35 (FPO: [0,0,2])
bb9bac64 804d840b 883f1b00 88a22790 00120116 nt!IopCloseFile+0x267 (FPO: [Non-Fpo])
bb9bac90 8044f37a 883f1b00 87f81e54 87f81e68 nt!ObpDecrementHandleCount+0x13d (FPO: [Non-Fpo])
bb9bad44 bede0530 00000580 00000000 00000000 nt!NtClose+0x1f0 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
bb9bad58 80465679 00000580 00000001 bf9539f4 TMFilter+0x18530
bb9bad58 77f82811 00000580 00000001 bf9539f4 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ bb9bad64)
0619f644 77e7be45 00000580 00000001 04857320 ntdll!NtClose+0xb (FPO: [1,0,0])
0619f908 7862c71e 00000758 0483d128 00000000 KERNEL32!CreateDirectoryExW+0x840 (FPO: [Non-Fpo])
0619f930 7862d716 00000030 048573f4 048575fc SHELL32!EnterDir_Copy+0x48 (FPO: [Non-Fpo])
0619fe40 7862e584 00000000 00000000 048412d8 SHELL32!MoveCopyDriver+0x2dd (FPO: [Non-Fpo])
0619fe8c 7863b12e 00000908 00000000 048412d8 SHELL32!SHFileOperationW+0x1a7 (FPO: [EBP 0x0619ff08] [1,13,4])
0619ff08 7863b445 00000007 00000000 04841310 SHELL32!_HandleMoveOrCopy+0x1da (FPO: [Non-Fpo])
0619ff50 70c0b8fe 048412d8 00000000 0365ed74 SHELL32!FileDropTargetThreadProc+0x14d (FPO: [Non-Fpo])
0619ffb4 77e5758a 00000000 00000000 0365ed74 SHLWAPI!WrapperThreadProc+0x92 (FPO: [Non-Fpo])
0619ffec 00000000 70c0b86c 0365f1d4 00000000 KERNEL32!BaseThreadStart+0x52 (FPO: [Non-Fpo])
1: kd> !irp 87bb74c8
Irp is active with 3 stacks 3 is current (= 0x87bb7580)
No Mdl Thread 87bb8020: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
>[ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000 ---> What is [ 12, 0]??
\FileSystem\Cdm
Args: 00000000 00000000 00000000 00000000 ---> What's the argument???
1: kd> !devobj 88a22790
Device object (88a22790) is for:
CdmRedirector \FileSystem\Cdm DriverObject 88a22910
Current Irp 00000000 RefCount 12 Type 00000014 Flags 00000040
DevExt 88a22848 DevObjExt 88a228a0
ExtensionFlags (0000000000)
Device queue is not busy.

Comments

  • Nathan_Nesbit Member Posts: 194
    [ 12, 0] is the major and minor function numbers (in hex).

    IRP_MJ_CLEANUP is 0x12, so this is a cleanup irp. Which makes sense
    given that the call stack shows "close" functions.

    -----Original Message-----
    From: [email protected] [mailto:[email protected]]

    Sent: Tuesday, April 23, 2002 8:35 PM
    To: Kernel Debugging Interest List
    Subject: [windbg] pointer to FCB is NULL & how to use !irp

  • Thank you very much. And I have one more question: do you know what
    "Args" means?

    1: kd> !irp 87bb74c8
    Irp is active with 3 stacks 3 is current (= 0x87bb7580)
    No Mdl Thread 87bb8020: Irp stack trace.
    cmd flg cl Device File Completion-Context

    [ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000
    \FileSystem\Cdm
    Args: 00000000 00000000 00000000 00000000
    Thanks,
    Kimi

    -----Original Message-----
    From: Nathan Nesbit [mailto:[email protected]]
    Sent: Wednesday, April 24, 2002 3:28 PM
    To: Kernel Debugging Interest List
    Subject: [windbg] RE: pointer to FCB is NULL & how to use !irp
  • Nathan_Nesbit Member Posts: 194
    Open ntddk.h and look at the definition of _IO_STACK_LOCATION.

    There is a 1 to 1 correspondence between what is printed and fields in
    the struct. You should be able to easily figure it all out. Here is a
    hint: Only 1 of the structs in the union gets printed. It has four
    fields named "Argument1" - "Argument4".




    -----Original Message-----
    From: [email protected] [mailto:[email protected]]

    Sent: Wednesday, April 24, 2002 9:29 AM
    To: Kernel Debugging Interest List
    Subject: [windbg] RE: pointer to FCB is NULL & how to use !irp


    Thank you very much. And I have one more quesion, do you know what does
    "Args" means?

    1: kd> !irp 87bb74c8
    Irp is active with 3 stacks 3 is current (= 0x87bb7580)
    No Mdl Thread 87bb8020: Irp stack trace.
    cmd flg cl Device File Completion-Context

    [ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000
    \FileSystem\Cdm
    Args: 00000000 00000000 00000000 00000000
    Thanks,
    Kimi

    -----Original Message-----
    From: Nathan Nesbit [mailto:[email protected]]
    Sent: Wednesday, April 24, 2002 3:28 PM
    To: Kernel Debugging Interest List
    Subject: [windbg] RE: pointer to FCB is NULL & how to use !irp


    [ 12, 0] is the major and minor function numbers (in hex).

    IRP_MJ_CLEANUP is 0x12, so this is a cleanup irp. Which makes sense
    given that the call stack shows "close" functions.

    -----Original Message-----
    From: [email protected] [mailto:[email protected]]

    Sent: Tuesday, April 23, 2002 8:35 PM
    To: Kernel Debugging Interest List
    Subject: [windbg] pointer to FCB is NULL & how to use !irp


    Hi, I am analyzing one memory.dmp. And this is caused why pointer to FCB
    is NULL, but I don't know who set NULL. Can I find this information from
    memory.dmp?

    And Do you know what the following parameters mean when I use !irp?
    >[ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000 ---> What is [
    12,
    0]?? And where can I get this?
    \FileSystem\Cdm
    Args: 00000000 00000000 00000000 00000000 --->
    What's arguement???

    1: kd> kv
    *** Stack trace for last set context - .thread/.cxr resets it
    ChildEBP RetAddr Args to Child
    bb9babe8 beb7be49 00000000 00000001 00000001 cdm!CdmAcquireFcbLock+0xd
    (FPO:
    [Non-Fpo])
    bb9bac1c 8041d915 88a22790 87bb74c8 87f81e68 cdm!CdmFsdCleanup+0x43
    (FPO:
    [Non-Fpo])
    bb9bac30 804c1e67 80064ffc 890ae640 00000001 nt!IopfCallDriver+0x35
    (FPO:
    [0,0,2])
    bb9bac64 804d840b 883f1b00 88a22790 00120116 nt!IopCloseFile+0x267 (FPO:
    [Non-Fpo])
    bb9bac90 8044f37a 883f1b00 87f81e54 87f81e68
    nt!ObpDecrementHandleCount+0x13d (FPO: [Non-Fpo]) bb9bad44 bede0530
    00000580 00000000 00000000 nt!NtClose+0x1f0 (FPO:
    [Non-Fpo])
    WARNING: Stack unwind information not available. Following frames may be
    wrong. bb9bad58 80465679 00000580 00000001 bf9539f4 TMFilter+0x18530
    bb9bad58 77f82811 00000580 00000001 bf9539f4 nt!KiSystemService+0xc9
    (FPO: [0,0] TrapFrame @ bb9bad64) 0619f644 77e7be45 00000580 00000001
    04857320 ntdll!NtClose+0xb (FPO:
    [1,0,0])
    0619f908 7862c71e 00000758 0483d128 00000000
    KERNEL32!CreateDirectoryExW+0x840 (FPO: [Non-Fpo]) 0619f930 7862d716
    00000030 048573f4 048575fc SHELL32!EnterDir_Copy+0x48
    (FPO: [Non-Fpo])
    0619fe40 7862e584 00000000 00000000 048412d8
    SHELL32!MoveCopyDriver+0x2dd
    (FPO: [Non-Fpo])
    0619fe8c 7863b12e 00000908 00000000 048412d8
    SHELL32!SHFileOperationW+0x1a7
    (FPO: [EBP 0x0619ff08] [1,13,4])
    0619ff08 7863b445 00000007 00000000 04841310
    SHELL32!_HandleMoveOrCopy+0x1da
    (FPO: [Non-Fpo])
    0619ff50 70c0b8fe 048412d8 00000000 0365ed74
    SHELL32!FileDropTargetThreadProc+0x14d (FPO: [Non-Fpo]) 0619ffb4
    77e5758a 00000000 00000000 0365ed74 SHLWAPI!WrapperThreadProc+0x92
    (FPO: [Non-Fpo])
    0619ffec 00000000 70c0b86c 0365f1d4 00000000
    KERNEL32!BaseThreadStart+0x52
    (FPO: [Non-Fpo])
    1: kd> !irp 87bb74c8
    Irp is active with 3 stacks 3 is current (= 0x87bb7580)
    No Mdl Thread 87bb8020: Irp stack trace.
    cmd flg cl Device File Completion-Context
    [ 0, 0] 0 0 00000000 00000000 00000000-00000000

    Args: 00000000 00000000 00000000 00000000
    [ 0, 0] 0 0 00000000 00000000 00000000-00000000

    Args: 00000000 00000000 00000000 00000000
    >[ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000 What is [ 12,
    0]??
    \FileSystem\Cdm
    Args: 00000000 00000000 00000000 00000000 --->
    What's arguement???
    1: kd> !devobj 88a22790
    Device object (88a22790) is for:
    CdmRedirector \FileSystem\Cdm DriverObject 88a22910
    Current Irp 00000000 RefCount 12 Type 00000014 Flags 00000040 DevExt
    88a22848 DevObjExt 88a228a0
    ExtensionFlags (0000000000)
    Device queue is not busy.

    ---
    You are currently subscribed to windbg as: [email protected] To
    unsubscribe send a blank email to %%email.unsub%%

    ---
    You are currently subscribed to windbg as: [email protected]
    To unsubscribe send a blank email to %%email.unsub%%

    ---
    You are currently subscribed to windbg as: [email protected] To
    unsubscribe send a blank email to %%email.unsub%%
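As an added example (not code from the thread), a Python parser that maps the !irp stack-location lines quoted above onto the IO_STACK_LOCATION fields Nathan describes and decodes the major function code. The sample text is a constructed copy of the thread's own !irp output with the annotations removed, and the IRP_MJ_ table is the standard one from ntddk.h.

```python
import re
# IRP major function codes in ntddk.h order (index == code, so CLEANUP is 0x12).
IRP_MJ = ["IRP_MJ_" + n for n in (
    "CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
    "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
    "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
    "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY POWER "
    "SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA PNP").split()]

# "[ mj, mn] flg cl Device File Completion-Context"; a leading '>' marks the
# current stack location (what IoGetCurrentIrpStackLocation hands the driver).
STACK_RE = re.compile(
    r"^(?P<cur>>?)\[\s*(?P<mj>[0-9a-f]+),\s*(?P<mn>[0-9a-f]+)\]\s+(?P<flg>[0-9a-f]+)\s+"
    r"(?P<cl>[0-9a-f]+)\s+(?P<dev>[0-9a-f]{8})\s+(?P<file>[0-9a-f]{8})\s+"
    r"(?P<compl>[0-9a-f]{8})-(?P<ctx>[0-9a-f]{8})", re.I)
ARGS_RE = re.compile(r"^Args:((?:\s+[0-9a-f]{8}){4})", re.I)

# Constructed sample: the !irp output quoted in the thread, annotations removed.
IRP_OUTPUT = """\
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[ 12, 0] 0 0 88a22790 87f81e68 00000000-00000000
\\FileSystem\\Cdm
Args: 00000000 00000000 00000000 00000000
"""

def parse_irp_stack(text):
    """Map each !irp stack line onto the IO_STACK_LOCATION fields it prints."""
    locs = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STACK_RE.match(line):
            mj = int(m["mj"], 16)
            locs.append({
                "current": m["cur"] == ">",
                "MajorFunction": mj,
                "MajorName": IRP_MJ[mj] if mj < len(IRP_MJ) else "IRP_MJ_0x%x" % mj,
                "MinorFunction": int(m["mn"], 16),
                "Flags": int(m["flg"], 16), "Control": int(m["cl"], 16),
                "DeviceObject": int(m["dev"], 16), "FileObject": int(m["file"], 16),
                "CompletionRoutine": int(m["compl"], 16), "Context": int(m["ctx"], 16),
                "Driver": None, "Args": [],   # Args = Parameters.Others.Argument1..4
            })
        elif (a := ARGS_RE.match(line)) and locs:
            locs[-1]["Args"] = [int(x, 16) for x in a.group(1).split()]
        elif line.startswith("\\") and locs:
            locs[-1]["Driver"] = line     # driver owning DeviceObject, e.g. \FileSystem\Cdm
    return locs

def current_location(locs):   # the '>' location, i.e. the one the faulting dispatch saw
    return next(l for l in locs if l["current"])
```

The FCB itself is not something !irp prints; a file system normally keeps it in the FILE_OBJECT (FsContext), so the next step in this dump would be `dt nt!_FILE_OBJECT 87f81e68` on the File address shown for the current location.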