Hi
I am trying to print out all the USB devices connected to my system using an upper filter driver.
I have registered myself as an upper filter driver for the class HKEY_LOCAL_MACHINE.…\Class{36fc9e60-c465-11cf-8056-444553540000}
The problem I am facing is that the driver BSODs with 0x0000a.
Here is the output of my !analyze -v
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: ffffcf818abf0d32, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8005cdb6491, address which referenced memory
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 10.0.10240.16384 (th1.150709-1700)
DUMP_TYPE: 0
BUGCHECK_P1: ffffcf818abf0d32
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8005cdb6491
READ_ADDRESS: ffffcf818abf0d32 Special pool
CURRENT_IRQL: 2
FAULTING_IP:
nt!IovpCompleteRequest4+71
fffff800`5cdb6491 8a4342 mov al,byte ptr [rbx+42h]
CPU_COUNT: 1
CPU_MHZ: cdd
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 19’00000000 (cache) 19’00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: HARSHAD
ANALYSIS_SESSION_TIME: 08-01-2017 13:59:27.0722
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
TRAP_FRAME: ffffd001d2208ac0 – (.trap 0xffffd001d2208ac0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=ffffe00157b19378
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8005cdb6491 rsp=ffffd001d2208c50 rbp=0000000000000000
r8=fffff800200e1000 r9=ffffd001d2208e50 r10=fffff8005cdde800
r11=ffffe001578159b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz ac pe cy
nt!IovpCompleteRequest4+0x71:
fffff8005cdb6491 8a4342 mov al,byte ptr [rbx+42h] ds:00000000
00000042=??
Resetting default scope
LOCK_ADDRESS: fffff8005c9bf6a0 – (!locks fffff8005c9bf6a0)
Resource @ nt!PiEngineLock (0xfffff8005c9bf6a0) Exclusively owned
Contention Count = 2
NumberOfExclusiveWaiters = 1
Threads: ffffe001572d6040-01<*>
Threads Waiting On Exclusive Access:
ffffe00155a97040
1 total locks, 1 locks currently held
PNP_TRIAGE:
Lock address : 0xfffff8005c9bf6a0
Thread Count : 1
Thread address: 0xffffe001572d6040
Thread wait : 0x1cd
IP_IN_FREE_BLOCK: 0
LAST_CONTROL_TRANSFER: from fffff8005c8764a2 to fffff8005c7d4300
STACK_TEXT:
ffffd001d22081c8 fffff800
5c8764a2 : 000000000000000a 00000000
00000003 ffffd001d2208330 fffff800
5c70a888 : nt!DbgBreakPointWithStatus
ffffd001d22081d0 fffff800
5c875dd2 : 0000000000000003 ffffd001
d2208330 fffff8005c7db710 00000000
0000000a : nt!KiBugCheckDebugBreak+0x12
ffffd001d2208230 fffff800
5c7ced24 : fffff8005c8fdc88 fffff800
5cdb0000 ffffcf818abf0cf0 fffff800
200e1000 : nt!KeBugCheck2+0x93e
ffffd001d2208940 fffff800
5c7d95a9 : 000000000000000a ffffcf81
8abf0d32 0000000000000002 00000000
00000000 : nt!KeBugCheckEx+0x104
ffffd001d2208980 fffff800
5c7d7dc8 : ffffcf818abf0f70 fffff800
5cdb0a3f ffffcf818abf0f70 ffffe001
57ae4850 : nt!KiBugCheckDispatch+0x69
ffffd001d2208ac0 fffff800
5cdb6491 : ffffe00157ae4850 ffffd001
d2208c20 fffff8005c74d5e8 00000000
e000071b : nt!KiPageFault+0x248
ffffd001d2208c50 fffff800
5cdb0a3f : ffffcf818abf0ee0 ffffcf81
8abf0cf0 0000000000000000 ffffd001
d2208e78 : nt!IovpCompleteRequest4+0x71
ffffd001d2208d00 fffff800
5c6cd36d : ffffcf818abf0cf0 ffffe001
00000000 0000000000000007 ffffd001
d2208d80 : nt!IovpLocalCompletionRoutine+0x197
ffffd001d2208d60 fffff800
5cdb028d : ffffcf818abf0e50 ffffcf81
8abf0c00 ffffe001572d5060 00000000
00000000 : nt!IopfCompleteRequest+0x20d
ffffd001d2208e20 fffff800
1e911695 : ffffe001572d5060 00000000
00000000 0000000000000000 ffffcf81
8abf0cf0 : nt!IovCompleteRequest+0x1c1
ffffd001d2208f00 fffff800
5cdb0044 : ffffcf818abf0cf0 ffffe001
572d5060 0000000000000002 ffffe001
579108d0 : pci!PciDispatchPnpPower+0xc5
ffffd001d2208f40 fffff800
5c714252 : ffffe00157a6db50 ffffe001
57a75020 0000000000000000 ffffe001
579108d0 : nt!IovCallDriver+0x3d8
ffffd001d2208fa0 fffff800
1e63e38d : 0000000000000001 ffffd001
d22090a0 ffffe00157a75d40 ffffe001
57a75d40 : nt!IofCallDriver+0x72
ffffd001d2208fe0 fffff800
1e621347 : ffffe00157a75020 00000000
00000007 0000000000000000 fffff800
5cdb5844 : Wdf01000!FxPkgFdo::_PnpQueryDeviceRelations+0xad [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgfdo.cpp @ 394]
ffffd001d2209030 fffff800
1e62197e : ffffcf818abf0cf0 ffffcf81
8abf0cf0 0000000000000002 fffff800
5cdbc239 : Wdf01000!FxPkgPnp::Dispatch+0xb7 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 658]
ffffd001d22090a0 fffff800
5cdb0044 : ffffe00157a75a30 00000000
00000002 fffff8005cdcd97e ffffcf81
8abf0cf0 : Wdf01000!FxDevice::DispatchWithLock+0x10e [d:\th\minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1402]
ffffd001d22090f0 fffff800
5c714252 : ffffcf818abf0cf0 ffffe001
57a7ebc0 ffffe00157a7ebc0 ffffe001
57951930 : nt!IovCallDriver+0x3d8
ffffd001d2209150 fffff800
5cdcd97e : ffffcf818abf0cf0 ffffe001
57a7ebc0 ffffe00157a7ebc0 00000000
00000000 : nt!IofCallDriver+0x72
ffffd001d2209190 fffff800
5cdb0044 : ffffe00157a7ed10 ffffcf81
8abf0cf0 ffffe00157a7ebc0 00000000
00000002 : nt!ViFilterDispatchPnp+0x1a2
ffffd001d22091d0 fffff800
5c714252 : ffffe00157a7f080 ffffe001
57a80080 0000000000000000 ffffe001
5791a390 : nt!IovCallDriver+0x3d8
ffffd001d2209230 fffff800
1e63e38d : 0000000000000000 ffffd001
d2209330 ffffe00157a80c20 00000000
00000000 : nt!IofCallDriver+0x72
ffffd001d2209270 fffff800
1e621347 : ffffe00157a80080 00000000
00000000 0000000000000000 ffffcf81
8abf0f70 : Wdf01000!FxPkgFdo::_PnpQueryDeviceRelations+0xad [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgfdo.cpp @ 394]
ffffd001d22092c0 fffff800
1e621ede : ffffcf818abf0cf0 ffffe001
57a7f080 ffffe00157a6c6f0 ffff3b47
1c956d8a : Wdf01000!FxPkgPnp::Dispatch+0xb7 [d:\th\minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 658]
ffffd001d2209330 fffff800
200e1453 : ffffcf818abf0cf0 00000001
00000000 000000000000001b ffffe001
57a7f080 : Wdf01000!imp_WdfDeviceWdmDispatchPreprocessedIrp+0x11e [d:\th\minkernel\wdf\framework\shared\core\km\fxdeviceapikm.cpp @ 257]
ffffd001d2209390 fffff800
200e6204 : 00001ffea8580f78 ffffcf81
8abf0cf0 fffff800200e62e0 00000000
00000001 : HelloWorld!WdfDeviceWdmDispatchPreprocessedIrp+0x33 [c:\program files (x86)\windows kits\10\include\wdf\kmdf\1.15\wdfdevice.h @ 2101]
ffffd001d22093c0 fffff800
1e621a61 : 00001ffea8580f78 ffffcf81
8abf0cf0 ffffe00157a807a0 ffffe001
57a81940 : HelloWorld!SetCompletionFunction+0xc4 [c:\users\atharva\documents\visual studio 2015\projects\helloworld\helloworld\driver.c @ 75]
ffffd001d2209420 fffff800
1e5ae030 : ffffd001d22094a0 ffffe001
57a807a0 fffff8005cdcd97e fffff800
1e621870 : Wdf01000!FxDevice::DispatchWithLock+0x1f1 [d:\th\minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1402]
ffffd001d2209470 fffff800
5cdb0044 : ffffcf818abf0cf0 00000000
00000002 0000000000000000 fffff800
5cdc5de6 : VerifierExt!xdv_IRP_MJ_PNP_wrapper+0xe0
ffffd001d22094d0 fffff800
5c714252 : ffffcf818abf0cf0 ffffe001
57a81940 ffffe00157a81940 ffffe001
57919cb0 : nt!IovCallDriver+0x3d8
ffffd001d2209530 fffff800
5cdcd97e : ffffcf818abf0cf0 ffffe001
57a81940 ffffe00157a81940 00000000
00000000 : nt!IofCallDriver+0x72
ffffd001d2209570 fffff800
5cdb0044 : ffffe00157a81a90 ffffcf81
8abf0cf0 ffffe00157a81940 00000000
00000002 : nt!ViFilterDispatchPnp+0x1a2
ffffd001d22095b0 fffff800
5c714252 : ffffcf818abf0cf0 ffffd001
d22096c0 ffffe00157a81940 ffffe001
5788d010 : nt!IovCallDriver+0x3d8
ffffd001d2209610 fffff800
5cb76b05 : 0000000000000000 ffffd001
d22096c0 ffffe00157a81940 ffffe001
572d5060 : nt!IofCallDriver+0x72
ffffd001d2209650 fffff800
5cb7695c : 0000000000000000 ffffd001
d22096e9 fffff8005c74d5e8 fffff800
5c9dcd80 : nt!PnpAsynchronousCall+0xe5
ffffd001d2209690 fffff800
5cb76721 : ffffe00157ae4850 ffffe001
57ae4850 ffffe00155af8c70 ffffe001
55af8c70 : nt!PnpQueryDeviceRelations+0x8c
ffffd001d2209750 fffff800
5cad50b7 : ffffe001572eaa50 ffffe001
572eaa50 0000000000000002 00000000
00000000 : nt!PipEnumerateDevice+0xe9
ffffd001d22097d0 fffff800
5cc1cf4f : 0000000000000000 00000000
00000001 0000000000000000 fffff800
5cad596e : nt!PipProcessDevNodeTree+0x19f
ffffd001d2209a50 fffff800
5c74876a : 0000000100000003 00000000
00000000 fffff8005c9be140 00000000
009f72bc : nt!PiProcessStartSystemDevices+0x87
ffffd001d2209aa0 fffff800
5c6fa7a9 : ffffe001572d6040 fffff800
5c9be140 fffff8005ca5b340 ffffe001
57201148 : nt!PnpDeviceActionWorker+0x436
ffffd001d2209b70 fffff800
5c7676d8 : 03f893ff30244489 00000000
00000080 fffff8005ca5b340 ffffe001
572d6040 : nt!ExpWorkerThread+0xe9
ffffd001d2209c00 fffff800
5c7d3d06 : fffff8005c9e5180 ffffe001
572d6040 ffffe00155b19040 7208fb83
c3ffd572 : nt!PspSystemThreadStartup+0x58
ffffd001d2209c60 00000000
00000000 : ffffd001d220a000 ffffd001
d2204000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: de3d2b4db6b43a8b13e12ff1dfa3dab628435874
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: fb4c50e6b867dfa21df2112f8299b28cf3f25204
THREAD_SHA1_HASH_MOD: 83b844ff1ca16382f4e1fbac2099ac154f144e47
running !ln at my address gives me
ln 0xFFFFF8005CDB6491
(fffff8005cdb6420) nt!IovpCompleteRequest4+0x71 | (fffff800
5cdb6558) nt!IovpExamineDevObjForwarding
!pool ffffcf818abf0d32
Pool page ffffcf818abf0d32 region is Special pool
CompressedPageDataReader warning: failed to get _SM_PAGE_KEY symbol.
ffffcf818abf0000: Unable to get contents of special pool block
!pte ffffcf818abf0d32
VA ffffcf818abf0d32
PXE at FFFFF6FB7DBEDCF8 PPE at FFFFF6FB7DB9F030 PDE at FFFFF6FB73E062A8 PTE at FFFFF6E7C0C55F80
contains 0000000003D41863 contains 0000000003B40863 contains 0000000004ECF863 contains 78005C9C40000000
pfn 3d41 —DA–KWEV pfn 3b40 —DA–KWEV pfn 4ecf —DA–KWEV not valid
Page has been freed
So i am referencing a page that is freed?
And Finally here are the relevant parts of the code
NTSTATUS EvtDeviceAdd(In WDFDRIVER Driver, Inout PWDFDEVICE_INIT DeviceInit)
{
…
UCHAR minorFunction = IRP_MN_QUERY_DEVICE_RELATIONS;
PAGED_CODE();
WdfFdoInitSetFilter(DeviceInit);
status = WdfDeviceInitAssignWdmIrpPreprocessCallback(DeviceInit, &SetCompletionFunction, IRP_MJ_PNP, &minorFunction, 1);
if (!NT_SUCCESS(status)) {
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “preprocessor callback declaration failed\n”));
return status;
}
else
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “After declarin preprocessor callback\n”));
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes, DEVICE_CONTEXT);
status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &hDevice);
if (!NT_SUCCESS(status)) {
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “Device Creation failed\n”));
return status;
}
else
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “After device creation\n”));
return status;
}
NTSTATUS
SetCompletionFunction(WDFDEVICE Device, PIRP Irp)
/*
This Function is invoked whenever the specific IRP is called
This function is responsible for setting the function to be called after completion of the specific IRP
*/
{
…
PAGED_CODE();
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “callback function started\n”));
pStackLocation = IoGetCurrentIrpStackLocation(Irp);
IoCopyCurrentIrpStackLocationToNext(Irp);
if (pStackLocation->Parameters.QueryDeviceRelations.Type == BusRelations) {
IoSetCompletionRoutine(Irp, &GetDeviceRelationPointer, NULL, TRUE, TRUE, FALSE);
KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “Inside callback function\n”));
}
status = WdfDeviceWdmDispatchPreprocessedIrp(Device, Irp);
KdBreakPoint();
return status;
}
And finally the completin routine
NTSTATUS
GetDeviceRelationPointer(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
if (Irp->PendingReturned) {
IoMarkIrpPending(Irp);
return STATUS_PENDING;
}
else if (Irp->IoStatus.Status == STATUS_SUCCESS) {
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
// Get Device relation pointer here.
IoCompleteRequest(Irp, IO_NO_INCREMENT);
}
return STATUS_SUCCESS;
}
I am really stumped here, I am probably doing something silly.
If anyone could help me out I would be really grateful.
Thanks in advance.