
BAD POOL CALLER [BSOD] within miniFilter callback

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Below are the relevant code snippets:


FLT_PREOP_CALLBACK_STATUS
naGuardPreOperation(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    ...
    PNAGUARD_FMESSAGE msg = ExAllocatePoolWithTag(NonPagedPool, sizeof(NAGUARD_FMESSAGE), 'tfaN');
    ...
    msg->preop_entropy = calculateEntropy(FltObjects, volumeProps.SectorSize);
    ...
}


float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
{
    NTSTATUS status;

    LARGE_INTEGER offset;
    ULONG bytesRead = 0;
    offset.QuadPart = bytesRead = 0;

    ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

    PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, 'teaN');
    if (buffer == NULL)
        return 0;

    status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset, file_size, buffer,
                         FLTFL_IO_OPERATION_NON_CACHED |
                         FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                         &bytesRead,
                         NULL,
                         NULL);

    float entropy = 0;
    float p = 0;
    ULONG i;
    ULONG hist[256] = { 0 };
    for (i = 0; i < file_size; i++)
    {
        hist[((CHAR*)buffer)[i]]++;
    }

    for (i = 0; i < 256; i++) {
        p = (float)(hist[i]) / (float)(file_size);
        if (p > 0)
            entropy = entropy - p * logf(p);
    }

    ExFreePoolWithTag(buffer, 'teaN');
    return entropy / 8;
}


Getting BSOD [BAD POOL CALLER]

Below is !analyze -v from WinDbg

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: ffff988918800ba1, Address being freed
Arg3: 0000000000000000, 0
Arg4: 0000000000000000, 0

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

DUMP_TYPE: 0

BUGCHECK_P1: 99

BUGCHECK_P2: ffff988918800ba1

BUGCHECK_P3: 0

BUGCHECK_P4: 0

FAULTING_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]

BUGCHECK_STR: 0xc2_99

CPU_COUNT: 4

CPU_MHZ: a98

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA'00000000 (cache) BA'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: NAFTALY-M5510

ANALYSIS_SESSION_TIME: 12-11-2017 20:36:01.0163

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

LAST_CONTROL_TRANSFER: from fffff800b6a79262 to fffff800b69edff0

STACK_TEXT:
ffffe680`92992788 fffff800`b6a79262 : 00000000`00000099 00000000`000000c2 ffffe680`929928f0 fffff800`b694f6c0 : nt!DbgBreakPointWithStatus
ffffe680`92992790 fffff800`b6a78b12 : 00000000`00000003 ffffe680`929928f0 fffff800`b6b2a610 00000000`000000c2 : nt!KiBugCheckDebugBreak+0x12
ffffe680`929927f0 fffff800`b69e8687 : ffffe680`92993001 ffff9889`175c8850 ffff9889`18800ba1 fffff80f`1aa6dea7 : nt!KeBugCheck2+0x922
ffffe680`92992f00 fffff800`b6fe803f : 00000000`000000c2 00000000`00000099 ffff9889`18800ba1 00000000`00000000 : nt!KeBugCheckEx+0x107
ffffe680`92992f40 fffff800`b6a93b5d : ffffe680`8e842a05 fffff800`b6afb4b0 00000000`00000001 fffff800`00000200 : nt!VerifierBugCheckIfAppropriate+0x6b
ffffe680`92992f80 fffff800`b6afd035 : 00000000`00000020 ffffe680`92993059 ffff9889`18800b91 00000000`000007ff : nt!VerifierFreeTrackedPool+0x41
ffffe680`92992fc0 fffff800`b5f4121b : ffff9889`176a2c00 3fe00000`00000000 00000000`00000000 ffff988a`00000000 : nt!ExFreePoolWithTag+0x1015
ffffe680`929930c0 fffff800`b5f415d3 : ffffe680`929936b0 ffffe680`92990200 ffff9889`176a2b80 ffff9889`1707aa70 : naGuard!calculateEntropy+0x21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
ffffe680`92993560 fffff80f`1aa64b4c : ffff9889`176a2c60 ffffe680`929936b0 ffffe680`92993690 ffff9889`176a2b80 : naGuard!naGuardPreOperation+0x223 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 111]
ffffe680`92993620 fffff80f`1aa646ec : ffffe680`92993810 ffff9889`148f3900 00000000`00000000 ffff9889`17792003 : FLTMGR!FltpPerformPreCallbacks+0x2ec
ffffe680`92993740 fffff80f`1aa636d8 : 00000000`00000000 ffffe680`92993810 ffff9889`17792010 ffffe680`92993820 : FLTMGR!FltpPassThroughInternal+0x8c
ffffe680`92993770 fffff80f`1aa634be : ffff9889`176a2b80 ffff9889`15e27c00 ffffe680`929938a0 fffff80f`1aa6333f : FLTMGR!FltpPassThrough+0x168
ffffe680`929937f0 fffff800`b6d119af : ffff9889`15e27c30 ffff9889`17792010 ffff9889`17792440 ffffe680`92993b00 : FLTMGR!FltpDispatch+0x9e
ffffe680`92993850 fffff800`b6d10719 : ffff9889`00000001 ffff9889`15e27c04 ffff9889`15e27c80 ffffe680`92993b00 : nt!IopSynchronousServiceTail+0x1af
ffffe680`92993910 fffff800`b69f3413 : 00000000`00000b68 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x6a9
ffffe680`92993a10 00007ffb`471f5464 : 00007ffb`437dec66 000000c3`078ff1b0 00000000`00000001 00000000`0000000e : nt!KiSystemServiceCopyEnd+0x13
000000c3`078ff0a8 00007ffb`437dec66 : 000000c3`078ff1b0 00000000`00000001 00000000`0000000e 00000000`00000028 : ntdll!NtReadFile+0x14
000000c3`078ff0b0 00007ffb`33307283 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff 000000c3`078ff1e8 : KERNELBASE!ReadFile+0x76
000000c3`078ff130 00000000`00000000 : 00000000`00000000 ffffffff`ffffffff 000000c3`078ff1e8 00000000`00000000 : mpengine!GetSigFiles+0x29913


THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 26d74e95b55e3167b7aa9ed920d02c28405c093a

THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740

FOLLOWUP_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]

FAULT_INSTR_CODE: 44100ff3

FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_LINE_NUMBER: 51

FAULTING_SOURCE_CODE:
47: entropy = entropy - p * logf(p);
48: }
49:
50: ExFreePoolWithTag(buffer, 'teaN');
> 51: return entropy / 8;
52: }
53:
54:
55: /*************************************************************************
56: MiniFilter callback routines.


SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: naGuard!calculateEntropy+21b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: naGuard

IMAGE_NAME: naGuard.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5a2ecddd

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 21b

FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy

TARGET_TIME: 2017-12-11T18:33:56.000Z

OSBUILD: 15063

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-11-01 20:21:12

BUILDDATESTAMP_STR: 170317-1834

BUILDLAB_STR: rs2_release

BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

ANALYSIS_SESSION_ELAPSED_TIME: e59

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy

FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}

Followup: MachineOwner
---------

Comments

  • MikaeMikae Member Posts: 371
    Freeing routine doesn't match allocating routine. You have to call FltFreePoolAlignedWithTag (https://msdn.microsoft.com/en-us/library/windows/hardware/ff542979(v=vs.85).aspx) instead of ExFreePoolWithTag.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Code modified to:

    Still getting BSOD.

    float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
    {
        NTSTATUS status;

        LARGE_INTEGER offset;
        ULONG bytesRead = 0;
        offset.QuadPart = bytesRead = 0;

        ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

        PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, 'teaN');
        if (buffer == NULL)
            return 0;

        status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset,
                             file_size, buffer,
                             FLTFL_IO_OPERATION_NON_CACHED |
                             FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                             &bytesRead,
                             NULL,
                             NULL);

        float entropy = 0;
        float p = 0;
        ULONG i;
        ULONG hist[256] = { 0 };
        for (i = 0; i < file_size; i++)
        {
            hist[ (int)((CHAR*)buffer)[i] ]++;
        }

        for (i = 0; i < 256; i++) {
            p = (float)(hist[i]) / (float)(file_size);
            if (p > 0)
                entropy = entropy - p * logf(p);
        }

        FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, 'teaN');

        return entropy;
    }

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_CALLER (c2)
    The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
    Arguments:
    Arg1: 0000000000000099, Attempt to free pool with invalid address (or corruption in pool header)
    Arg2: ffffdf00c1e68e01, Address being freed
    Arg3: 0000000000000000, 0
    Arg4: 0000000000000000, 0

    Debugging Details:
    ------------------


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 0

    BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

    DUMP_TYPE: 0

    BUGCHECK_P1: 99

    BUGCHECK_P2: ffffdf00c1e68e01

    BUGCHECK_P3: 0

    BUGCHECK_P4: 0

    FAULTING_IP:
    naGuard!calculateEntropy+227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
    fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

    BUGCHECK_STR: 0xc2_99

    CPU_COUNT: 4

    CPU_MHZ: a98

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 5e

    CPU_STEPPING: 3

    CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA'00000000 (cache) BA'00000000 (init)

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    PROCESS_NAME: MsMpEng.exe

    CURRENT_IRQL: 0

    ANALYSIS_SESSION_HOST: NAFTALY-M5510

    ANALYSIS_SESSION_TIME: 12-11-2017 21:48:58.0252

    ANALYSIS_VERSION: 10.0.16299.15 amd64fre

    LAST_CONTROL_TRANSFER: from fffff8028cc7a262 to fffff8028cbeeff0

    STACK_TEXT:
    ffffce00`4947c788 fffff802`8cc7a262 : 00000000`00000099 00000000`000000c2 ffffce00`4947c8f0 fffff802`8cb506c0 : nt!DbgBreakPointWithStatus
    ffffce00`4947c790 fffff802`8cc79b12 : 00000000`00000003 ffffce00`4947c8f0 fffff802`8cd2b610 00000000`000000c2 : nt!KiBugCheckDebugBreak+0x12
    ffffce00`4947c7f0 fffff802`8cbe9687 : 00000000`00000000 00000000`00000000 ffffdf00`c1e68e01 00000000`00000000 : nt!KeBugCheck2+0x922
    ffffce00`4947cf00 fffff802`8d1e903f : 00000000`000000c2 00000000`00000099 ffffdf00`c1e68e01 00000000`00000000 : nt!KeBugCheckEx+0x107
    ffffce00`4947cf40 fffff802`8cc94b5d : 00000000`00000001 ffffdf00`c3491900 ffffdf00`c57a5ae0 fffff802`00000200 : nt!VerifierBugCheckIfAppropriate+0x6b
    ffffce00`4947cf80 fffff802`8ccfe035 : 00000000`00000020 ffffce00`4947d059 ffffdf00`c1e68df1 00000000`00000000 : nt!VerifierFreeTrackedPool+0x41
    ffffce00`4947cfc0 fffff802`c9681227 : ffffdf00`c654d800 3fe00000`00000000 00000000`00000000 ffffdf01`00000000 : nt!ExFreePoolWithTag+0x1015
    ffffce00`4947d0c0 fffff802`c96815d3 : ffffce00`4947d6b0 ffffce00`49470200 ffffdf00`c654d780 ffffdf00`c661ab60 : naGuard!calculateEntropy+0x227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
    ffffce00`4947d560 fffff802`c6064b4c : ffffdf00`c654d860 ffffce00`4947d6b0 ffffce00`4947d690 ffffdf00`c654d780 : naGuard!naGuardPreOperation+0x223 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 114]
    ffffce00`4947d620 fffff802`c60646ec : ffffce00`4947d810 ffffdf00`c37c7d00 00000000`00000000 ffffdf00`c688bb03 : FLTMGR!FltpPerformPreCallbacks+0x2ec
    ffffce00`4947d740 fffff802`c60636d8 : 00000000`00000000 ffffce00`4947d810 ffffdf00`c688bb80 ffffce00`4947d820 : FLTMGR!FltpPassThroughInternal+0x8c
    ffffce00`4947d770 fffff802`c60634be : ffffdf00`c654d780 ffffdf00`c4318000 ffffce00`4947d8a0 fffff802`c606333f : FLTMGR!FltpPassThrough+0x168
    ffffce00`4947d7f0 fffff802`8cf129af : ffffdf00`c4318080 ffffdf00`c688bb80 ffffdf00`c688bfb0 ffffce00`4947db00 : FLTMGR!FltpDispatch+0x9e
    ffffce00`4947d850 fffff802`8cf11719 : ffffdf00`00000001 ffffdf00`c4318004 ffffdf00`c43180d0 ffffce00`4947db00 : nt!IopSynchronousServiceTail+0x1af
    ffffce00`4947d910 fffff802`8cbf4413 : 00000000`00000b40 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x6a9
    ffffce00`4947da10 00007ff9`0a145464 : 00007ff9`06bcec66 0000006b`834ff210 00000000`00000001 00000000`0000000e : nt!KiSystemServiceCopyEnd+0x13
    0000006b`834ff108 00007ff9`06bcec66 : 0000006b`834ff210 00000000`00000001 00000000`0000000e 00000000`00000028 : ntdll!NtReadFile+0x14
    0000006b`834ff110 00007ff8`f4097283 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff 0000006b`834ff248 : KERNELBASE!ReadFile+0x76
    0000006b`834ff190 00000000`00000000 : 00000000`00000000 ffffffff`ffffffff 0000006b`834ff248 00000000`00000000 : mpengine!GetSigFiles+0x29913


    THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6ee8a037003fa202c2fe2abfbea6f3cd186c3ada

    THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740

    FOLLOWUP_IP:
    naGuard!calculateEntropy+227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
    fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

    FAULT_INSTR_CODE: 44100ff3

    FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

    FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

    FAULTING_SOURCE_LINE_NUMBER: 54

    FAULTING_SOURCE_CODE:
    50:
    51:
    52: FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, 'teaN');
    53:
    > 54: return entropy;
    55: }
    56:
    57:
    58: /*************************************************************************
    59: MiniFilter callback routines.


    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: naGuard!calculateEntropy+227

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: naGuard

    IMAGE_NAME: naGuard.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 5a2edf82

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 227

    FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

    BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

    PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy

    TARGET_TIME: 2017-12-11T19:46:43.000Z

    OSBUILD: 15063

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2017-11-01 20:21:12

    BUILDDATESTAMP_STR: 170317-1834

    BUILDLAB_STR: rs2_release

    BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

    ANALYSIS_SESSION_ELAPSED_TIME: 9bc

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy

    FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}

    Followup: MachineOwner
    ---------
  • Sergey_PisarevSergey_Pisarev Member - All Emails Posts: 145
    Have you tried to run your driver under verifier ?

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    No, I'm not an expert in Windows driver development.
    I'm doing this as part of an academic project.
    I will try to use Verifier. [Not yet sure how to use it]

    Any other direction I can check?
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Tried to run Verifier now.

    Got the following:
    "Driver type is "fs". This driver type is not supported by SDV.
    Please consult documentation for supported driver types."
  • Sergey_PisarevSergey_Pisarev Member - All Emails Posts: 145
    Run this function step by step under the debugger and check if buffer changes its value at some step.

  • Sergey_PisarevSergey_Pisarev Member - All Emails Posts: 145
    The buffer variable, not the data in the buffer itself.

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Ohh embarrassing mistake.

    Thanks!
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    My mistake, the problem is still there:

    For:
    char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, 'teaN');

    When I just try to access the buffer by:
    for (i = 0; i < file_size; i++) {
        tmp = buffer[i];
        hist[tmp]++;
    }

    I'm getting BSOD [PAGE FAULT IN NONPAGED AREA]
  • Phil_BarilaPhil_Barila Member - All Emails Posts: 147
    You don't show how hist is generated, but you are dereferencing hist by the *value* you fetched from buffer[i]. That offset in hist may be a completely invalid address. You don't show how tmp is defined, either.

    If you didn't paste real code here, and it looks like you didn't, I'd suggest that you paste the real thing.

  • Sergey_PisarevSergey_Pisarev Member - All Emails Posts: 145
    What was the first error?

    Post !analyze -v.

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    The actual code:

    float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
    {
        PAGED_CODE();
        NTSTATUS status;

        LARGE_INTEGER offset;
        ULONG bytesRead = 0;
        offset.QuadPart = bytesRead = 0;

        ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

        char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, 'teaN');
        if (buffer == NULL)
            return 0;

        status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset,
                             file_size, buffer,
                             FLTFL_IO_OPERATION_NON_CACHED |
                             FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
                             &bytesRead,
                             NULL,
                             NULL);

        float entropy = 0;
        ULONG i;
        unsigned int tmp = 0;

        ULONG hist[256] = { 0 };

        for (i = 0; i < file_size; i++) {
            tmp = buffer[i];
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "tmp: %u\n", tmp);
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "hist[tmp]: %d\n", hist[tmp]);
            hist[tmp]++;
        }

        FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, 'teaN');

        return entropy;
    }
  • Phil_BarilaPhil_Barila Member - All Emails Posts: 147
    > -----Original Message-----
    > From: xxxxx@lists.osr.com [mailto:bounce-643082-
    > xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
    > Sent: Monday, December 11, 2017 3:26 PM
    > To: Windows File Systems Devs Interest List <xxxxx@lists.osr.com>
    > Subject: RE:[ntfsd] BAD POOL CALLER [BSOD] within miniFilter callback
    >
    > The actual code:
    >
    >
    > float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT
    > SectorSize) {
    > PAGED_CODE();
    > NTSTATUS status;
    >
    > LARGE_INTEGER offset;
    > ULONG bytesRead = 0;
    > offset.QuadPart = bytesRead = 0;
    >
    > ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);
    >
    > char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects-
    > >Instance, NonPagedPool, file_size, 'teaN');
    > if (buffer == NULL)
    > return 0;

    Here you've defined the buffer as signed chars.

    >
    > status = FltReadFile(FltObjects->Instance, FltObjects->FileObject,
    > &offset,
    > file_size, buffer,
    > FLTFL_IO_OPERATION_NON_CACHED |
    > FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
    > &bytesRead,
    > NULL,
    > NULL);
    >
    >
    > float entropy = 0;
    > ULONG i;
    > unsigned int tmp = 0;
    >
    > ULONG hist[256] = { 0 };
    >
    >
    > for (i = 0; i < file_size; i++) {
    > tmp = buffer[i];

    Here you assign an unsigned int the value of a signed char. I'm not sure what the MSVC compiler does (and I don't have time to code up a sample to look, though it would be quick to do at Godbolt.org.) in the case of a negative value, but it might sign extend it, which would result in a very large number in the target location. What does the following line say when it crashes?

    > DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "tmp:
    > %u\n", tmp);
    > DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
    > "hist[tmp]: %d\n", hist[tmp]);
    > hist[tmp]++;
    > }
    >
    >
    >
    > FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, 'teaN');
    >

    Where do you actually modify this return value? Or is that remaining to be done after you fix the crash?

    > return entropy;
    > }
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Thank you all.
    Problem fixed.
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,099
    Unrelated to your crash, but FltObjects->FileObject->Size is not the size of
    the file, it's the size of the FILE_OBJECT data structure.

    Also, your problems were just C coding errors. I would highly suggest
    developing your logic in user mode before moving to kernel mode.

    -scott
    OSR
    @OSRDrivers

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    How can I get the size of the file?

    My suspicion is that when I write a big file it just creates multiple IRP_MJ_WRITE where each of them is the sector/block size.
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,099
    <QUOTE>
    How can I get the size of the file?
    </QUOTE>

    FltQueryInformationFile

    <QUOTE>
    My suspicion is that when I write a big file it just creates multiple
    IRP_MJ_WRITE where each of them is the sector/block size.
    </QUOTE>

    Applications send big writes to the file system. The file system sends the big writes down to the volume (unless the file is fragmented, in which case it breaks it up into the necessary fragments). The disk driver breaks these writes up into the maximum transfer size of the storage controller. The storage controller driver breaks these writes up into sectors.

    -scott
    OSR
    @OSRDrivers

  • Gabriel_BerceaGabriel_Bercea Member - All Emails Posts: 482
    Don't get file size from the file object structure via FileObject->Size,
    that just does not make any sense. FILE_OBJECT fields are mostly
    documented, and for the Size member here is what MSFT has to say:
    *Size*

    A read-only member that specifies the size, in bytes, of the file object.
    This size does not include the file object extension, if one is present.
    Nothing to do with the size of the file. Just query the file size via
    FltQueryInformationFile or similar.

    Also, use the bytesRead variable as the "file_size", since that is how much
    has actually been read from the file.
    Also, looping through a PVOID with an index the way you do will go out
    of the allocated memory.

    If you will code like that in the kernel you will have a lot of unpleasant
    surprises.

    Gabriel.
    www.kasardia.com


    On Thu, Dec 14, 2017 at 5:14 AM, xxxxx@osr.com wrote:

    >
    > How can I get the size of the file?
    >
    >
    > FltQueryInformationFile
    >
    >
    > My suspicion is that when I write a big file it just creates multiple
    > IRP_MJ_WRITE where each of them is the sector/block size.
    >
    >
    > Applications send big writes to the file system. The file system sends the
    > big writes down to the volume (unless the file is fragmented, in which case
    > it breaks it up into the necessary fragments). The disk driver breaks these
    > writes up into the maximum transfer size of the storage controller. The
    > storage controller driver breaks these writes up into sectors.
    >
    > -scott
    > OSR
    > @OSRDrivers
    >
    >



    --
    Bercea. G.

    Cheers,
    Gabriel
