Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


What is the purpose of fileobject->lock structure in file system filter driver?

Pooja_Bansal Posts: 10
Hi,

I am working on a minifilter file system encryption driver based on a shadow file object design.

I can see 2 members in FILE_OBJECT structure.
KEVENT Lock;
KEVENT Event;


When should I initialize these and how?

Thanks in advance,
Pooja

Comments

  • rod_widdowson Posts: 941
    > When should I initialize these and how?

    I never have.
  • NtDev_Geek Posts: 93
    Why do you need this? Tell us your use case first. Why are you even thinking about them...
  • Pooja_Bansal Posts: 10
    Hi,

    Use case: I am trying to export .pst file on an encrypted network share path.

    A bugcheck is observed with the call stack below:

    00 (Inline Function) --------`-------- nt!InsertTailList+0xf          <- the head here is NULL
    01 ffffd000`21ab8a30 fffff804`004949ed nt!KeWaitForSingleObject+0x1ff
    02 (Inline Function) --------`-------- nt!IopWaitForLockAlertable+0x39
    03 ffffd000`21ab8ac0 fffff804`00584687 nt!IopAcquireFileObjectLock+0x85
    04 ffffd000`21ab8b10 fffff804`001627b3 nt!NtUnlockFile+0xeb70b
    05 ffffd000`21ab8bd0 00007ffa`e63ec5ea nt!KiSystemServiceCopyEnd+0x13
    06 0000003c`f538cf68 00007ffa`e37edfad ntdll!ZwUnlockFile+0xa
    07 0000003c`f538cf70 00007ffa`e37edffc KERNELBASE!UnlockFileEx+0x3d
    08 0000003c`f538cfc0 00007ffa`ae808522 KERNELBASE!UnlockFile+0x34
    09 0000003c`f538d020 00007ffa`ae8082e2 mspst32!MSProviderInit+0x6e2a
    0a 0000003c`f538d060 00007ffa`ae8081d8 mspst32!MSProviderInit+0x6bea
    0b 0000003c`f538d0e0 00007ffa`ae8c8950 mspst32!MSProviderInit+0x6ae0
    0c 0000003c`f538d160 00000000`00000000 mspst32!PSTCrashRecovery+0x954


    IopAcquireFileObjectLock is trying to acquire the lock on the file object, and FileObject->Lock is not initialized, as observed.

    In IRP_MJ_CREATE, we are initializing the FileObject and completing it.

    I tried to modify the behavior of IRP_MJ_CREATE by calling KeInitializeEvent(&(FileObject->Lock), SynchronizationEvent, FALSE);

    This helps with this BSOD, but I am not sure whether this is expected in a shadow FileObject design.

    Can you please advise on this?

    Thanks
    Pooja
  • Scott_Noone_(OSR) Posts: 3,004
    The Lock field is automatically initialized by the I/O Manager for
    synchronous file opens. I can see three possible reasons for your crash:

    1. You've opened a file asynchronously and then played with the File Object
    flags

    2. You have a reference counting problem and the File Object was freed
    prematurely

    3. The File Object became corrupt somehow

    You need to dig out the File Object and look at it in the debugger. What
    does !pool say? If you dump out the File Object (dt nt!_FILE_OBJECT address)
    does it look OK or like garbage?

    Also, make sure you turn Driver Verifier on for your driver and FltMgr.sys.
    This might point you to the problem much earlier.

    -scott
    OSR
    @OSRDrivers

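
The triage Scott describes, written out as a kernel debugger (WinDbg/KD) session. This is an added example, not part of the original thread or of any OSR material: the address ffffe000`12345678 is a placeholder for the FILE_OBJECT handed to IopAcquireFileObjectLock in frame 03, and myencfilter.sys is a placeholder for the poster's filter name. Offsets and constants (IO_TYPE_FILE = 5, FO_SYNCHRONOUS_IO = 0x00000002, "File" pool tag) are from the public wdm.h/ntifs.h definitions.

```windbg
$$ Added example (not from the thread). Recover the FILE_OBJECT address first:
$$   .frame /r 3      -> rcx at the IopAcquireFileObjectLock frame, if preserved
$$   !handle <h> f    -> or resolve the handle NtUnlockFile received in frame 04
$$ The value below is a placeholder for whatever you recover.

$$ 1. Is this still a live file object? Expect an Allocated block tagged "File"
$$    (Scott's case 2, premature free, shows up here as Free or a foreign tag).
!pool ffffe000`12345678

$$ 2. Dump it. Type must be 5 (IO_TYPE_FILE); DeviceObject, Vpb and FsContext
$$    should be plausible kernel pointers, not garbage (Scott's case 3).
dt nt!_FILE_OBJECT ffffe000`12345678
!fileobj ffffe000`12345678

$$ 3. Was the open synchronous? IopAcquireFileObjectLock is only used when
$$    FO_SYNCHRONOUS_IO (0x00000002) is set in Flags. For a synchronous open the
$$    I/O Manager has already run KeInitializeEvent on Lock, so its
$$    Header.WaitListHead Flink/Blink point back at the list head. Flink == 0
$$    is the NULL list head that InsertTailList tripped over in frame 00, and
$$    means the flag was set on an object whose Lock was never initialized
$$    (Scott's case 1: asynchronous open, flags changed afterwards).
dt nt!_FILE_OBJECT ffffe000`12345678 Flags Lock. Event.

$$ 4. Whose object is it? The DeviceObject (offset 8 on x64) tells you whether this
$$    is the caller's original file object or the filter's own shadow object.
!devobj poi(ffffe000`12345678+8)

$$ 5. Before the next repro, on the target from an elevated prompt (reboot after):
$$    verifier /standard /driver myencfilter.sys fltmgr.sys
```

If step 3 shows the FO_SYNCHRONOUS_IO bit set on the shadow object while its Lock is all zeros, the fix is to find who set the bit (or who created the object without the I/O Manager seeing a synchronous open), not to hand-initialize the event in IRP_MJ_CREATE, which only hides the inconsistency.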

  • NtDev_Geek Posts: 93
    Like you said, it's a shadow file object based design, so I think you can initialize it at the time of creation of a file object. Did you try without encryption? If yes, what is the I/O manager sending in the first place? If the I/O manager is sending it uninitialized, then there is nothing to worry about.
    If it sends it initialized, then your driver is somehow poking it...
    If in both cases it is uninitialized, then use Driver Verifier and try to reproduce it with Verifier; soon you will get to why it is happening.


    ./nT