Random BSOD on function FsRtlNotifyFullReportChange.

Gova_GimerGova_Gimer Member - All Emails Posts: 43
I have random BSOD on function FsRtlNotifyFullReportChange

I would like an answer.
First of all, a question: how can the FsRtlNotifyFullReportChange function cause a BSOD at all?
I do not understand it. My driver never modifies the NotifySync or DirNotifyList data itself;
in my driver only the Windows kernel's notification functions touch this data.
I do not understand anything.

The variables pn and pn1 are correct.

WHY ????

The CCB is correct !

if ((irps->MajorFunction == IRP_MJ_DIRECTORY_CONTROL))
{
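/*
 * IRP_MJ_DIRECTORY_CONTROL / IRP_MN_NOTIFY_CHANGE_DIRECTORY: register the
 * caller's FILE_OBJECT (keyed by the CCB in FsContext2) with the FSRTL change
 * notification package.  The IRP is handed to FsRtlNotifyFullChangeDirectory,
 * which either queues it or completes it; this path returns STATUS_PENDING and
 * must not touch the IRP afterwards.
 *
 * Names used but defined outside this fragment: irps, Irp, DeviceObject,
 * ISVCB, CIdentifier, CIdentifierVCB, CIdentifierDCB, status, and the labels
 * ANC (fail the request with `status`) and gty (return `status`).
 */
if (irps->MinorFunction == IRP_MN_NOTIFY_CHANGE_DIRECTORY)
{
    PPARAMVDF vdf;
    PPARAMVCB vcb;
    PCCB fsc;
    ULONG CompletionFilter;
    PFILE_OBJECT file;
    BOOLEAN WatchTree;

    file = irps->FileObject;
    /* %p: `file` is a 64-bit pointer; the former %.8x truncated it. */
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY VCB:%d FILE:%p\n", ISVCB, file));
    if (ISVCB == FALSE)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!!!! ISVCB==FALSE\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    if (file == NULL)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY EH !!!!! file=NULLL\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY r?pertoire %wZ bt\n", &file->FileName));
    CompletionFilter = irps->Parameters.NotifyDirectory.CompletionFilter;
    WatchTree = (irps->Flags & SL_WATCH_TREE) == SL_WATCH_TREE;

    /* The volume extension is trusted only if both signature fields match. */
    vcb = (PPARAMVCB)DeviceObject->DeviceExtension;
    {
        BOOLEAN pasbon = FALSE;
        if (vcb->identifier != CIdentifier)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->identifier != CIdentifier %x\n", vcb->identifier));
        }
        if (vcb->sidentifier != CIdentifierVCB)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY vcb->sidentifier != CIdentifierVCB %x\n", vcb->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 1\n"));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }

    /*
     * The disk extension is validated the same way.  The NULL test has to come
     * BEFORE the signature reads: previously vdf == NULL was tested only after
     * vdf->identifier had already been dereferenced, so a NULL extension
     * faulted instead of failing the request.
     */
    vdf = (PPARAMVDF)vcb->Tdisk.DCB->DeviceExtension;
    if (vdf == NULL)
    {
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Gros soucis vdf=NULL\n"));
        status = STATUS_INVALID_PARAMETER;
        goto ANC;
    }
    {
        BOOLEAN pasbon = FALSE;
        if (vdf->identifier != CIdentifier)
        {
            pasbon = TRUE;
            /* Log the field that was actually tested (was vcb->identifier). */
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->identifier != CIdentifier %x\n", vdf->identifier));
        }
        if (vdf->sidentifier != CIdentifierDCB)
        {
            pasbon = TRUE;
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY dcb->sidentifier != CIdentifierDCB %x\n", vdf->sidentifier));
        }
        if (pasbon)
        {
            KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY PAS BON DONC 2\n"));
            status = STATUS_INVALID_PARAMETER;
            goto ANC;
        }
    }

    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Before Context %p\n", file->FsContext2));
    LockVDFNotify(vdf);
    /*
     * NOTE(review): FsRtlNotifyFullChangeDirectory stores the FullDirectoryName
     * POINTER in the notify record rather than copying the string, and
     * FsRtlNotifyFullReportChange later reads through that pointer to match a
     * reported name against each watched directory.  &file->FileName lives
     * inside the FILE_OBJECT, whose storage belongs to the I/O manager, so once
     * that file object is gone the record holds a dangling pointer into
     * nonpaged pool -- the same class of fault as the bugcheck reported on this
     * page (a USHORT read through a pointer taken from a notify record).
     * FastFat avoids this by passing a name kept in its own FCB and by calling
     * FsRtlNotifyCleanup(NotifySync, &DirNotifyList, Ccb) from IRP_MJ_CLEANUP so
     * the record is removed before the CCB/file object is torn down.  Neither
     * the name's owner nor the cleanup call can be seen from this fragment --
     * verify both.
     */
    FsRtlNotifyFullChangeDirectory(vdf->NotifySync,
                                   &vdf->DirNotifyList,
                                   file->FsContext2,
                                   (PSTRING)&file->FileName,
                                   WatchTree,
                                   FALSE,
                                   CompletionFilter,
                                   Irp,
                                   NULL,
                                   NULL);
    unLockVDFNotify(vdf);
    /* FsContext2 is passed by value above, so the FSRTL cannot alter it; this
       trace only confirms the CCB pointer is unchanged. */
    KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY After Context %p\n", file->FsContext2));
    fsc = (PCCB)file->FsContext2;
    fsc = vfsValidPointer(vdf, fsc);
    if (fsc != NULL)
        fsc->evchgdirectory = TRUE;
    else
        KdPrintf(("IRP_MN_NOTIFY_CHANGE_DIRECTORY Not found fsc\n"));
    /* The IRP is now owned (queued or already completed) by the notify
       package; an earlier Irp->IoStatus.Status = STATUS_SUCCESS write here was
       removed by the author (2017-09-07) because of that side effect. */
    status = STATUS_PENDING;
    CondiFsRtlExitFileSystem();
    goto gty;
}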



/*
 * Serializes this driver's calls into the FSRTL change-notify package for one
 * disk extension: an exclusive, waiting acquire of vdf->ResourceNextFile.
 *
 * NOTE(review): ExAcquireResourceExclusiveLite requires normal kernel APCs to
 * be disabled by the caller (KeEnterCriticalRegion / FsRtlEnterFileSystem) and
 * IRQL <= APC_LEVEL; whether the callers on this page satisfy that cannot be
 * seen here -- confirm.  With Wait == TRUE the return value is always TRUE.
 */
void LockVDFNotify(PPARAMVDF vdf) {
    (void)ExAcquireResourceExclusiveLite(&(vdf->ResourceNextFile), TRUE);
}
/*
 * Releases the resource taken by LockVDFNotify(); the caller must hold it.
 */
void unLockVDFNotify(PPARAMVDF vdf) {
    ExReleaseResourceLite(&(vdf->ResourceNextFile));
}


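/*
 * IOCTL_CMD_FILE_NOTIFY: the user-mode side reports a directory change for
 * the virtual volume identified by pn->id; it is forwarded to every watcher
 * registered by IRP_MN_NOTIFY_CHANGE_DIRECTORY via FsRtlNotifyFullReportChange.
 *
 * Names used but defined outside this fragment: irp, irps, hpid, status,
 * vdf_GetParamFromID, LockVDFNotify/unLockVDFNotify.
 *
 * Trust boundary: everything reached through pn/pn1 is caller-controlled and
 * arrived by buffered I/O (irp->AssociatedIrp.SystemBuffer), so only the first
 * `si` bytes of it may be read.
 */
case IOCTL_CMD_FILE_NOTIFY:
{
    DWORD si;
    KdPrintf(("IOCTL_CMD_FILE_NOTIFY\n"));
    si = irps->Parameters.DeviceIoControl.InputBufferLength;
    if (si >= sizeof(TNOTIFY))
    {
        PNOTIFY pn = (PNOTIFY)irp->AssociatedIrp.SystemBuffer;
        if (pn != NULL)
        {
            PPARAMVDF vdf = NULL;
            vdf = vdf_GetParamFromID(pn->id);
            if (vdf != NULL)
            {
                /* Only the process that owns this volume may inject changes. */
                if (vdf->hProcessID == hpid)
                {
                    KdPrintf(("IOCTL_CMD_FILE_NOTIFY bon id\n"));
                    if ((vdf->used == TRUE) && (vdf->parameter == TRUE))
                    {
                        if (pn->internalcmd == 1)
                        {
                            if (si >= sizeof(TNOTIFY1))
                            {
                                UNICODE_STRING strfilename;
                                PNOTIFY1 pn1 = (PNOTIFY1)pn;
                                ULONG nameBytesAvail;
                                ULONG nameChars;
                                ULONG len;

                                /*
                                 * Bounded replacement for RtlInitUnicodeString():
                                 * that call scans for L'\0' with no limit, so a
                                 * caller who omits the terminator makes the
                                 * kernel read past the end of SystemBuffer.
                                 * Assumes `filename` is an inline WCHAR array
                                 * in TNOTIFY1 (the sizeof(TNOTIFY1) check above
                                 * suggests so) -- confirm against the struct.
                                 * If it is instead a user pointer it must be
                                 * probed and copied, not read in place.
                                 */
                                nameBytesAvail = si - (ULONG)((PUCHAR)pn1->filename - (PUCHAR)pn1);
                                nameChars = nameBytesAvail / sizeof(WCHAR);
                                for (len = 0; len < nameChars && pn1->filename[len] != L'\0'; len++)
                                    ;

                                if (len == nameChars || len >= 0x7FFF)
                                {
                                    /* No terminator inside the buffer, or too
                                       long for UNICODE_STRING.Length (USHORT). */
                                    KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY filename not terminated or too long (%d bytes)\n", nameBytesAvail));
                                    status = STATUS_INVALID_PARAMETER;
                                }
                                else if ((pn1->namaeoffset & 1) != 0 ||
                                         (ULONG)pn1->namaeoffset > len * sizeof(WCHAR))
                                {
                                    /* TargetNameOffset is the byte offset of the
                                       final name component; the FSRTL uses it to
                                       split parent and leaf, so it must be
                                       WCHAR-aligned and inside the string. */
                                    KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY bad name offset %d\n", pn1->namaeoffset));
                                    status = STATUS_INVALID_PARAMETER;
                                }
                                else
                                {
                                    strfilename.Buffer = pn1->filename;
                                    strfilename.Length = (USHORT)(len * sizeof(WCHAR));
                                    strfilename.MaximumLength = (USHORT)(strfilename.Length + sizeof(WCHAR));
                                    KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY '%wZ' filtermatch:%d action:%d\n", &strfilename, pn1->filtermatch, pn1->action));

                                    /*
                                     * NOTE(review): the bugcheck on this page fires
                                     * inside FsRtlNotifyFilterReportChange, called
                                     * from here, reading a USHORT through a pointer
                                     * taken from a notify record -- what the Length
                                     * field of a record's FullDirectoryName STRING
                                     * would look like if that string's storage had
                                     * been freed.  Nothing in this handler can
                                     * validate the records; the fix belongs where
                                     * they are created (IRP_MN_NOTIFY_CHANGE_DIRECTORY
                                     * passes &FileObject->FileName) and removed
                                     * (FsRtlNotifyCleanup on IRP_MJ_CLEANUP).
                                     */
                                    LockVDFNotify(vdf);
                                    FsRtlNotifyFullReportChange(
                                        vdf->NotifySync,
                                        &vdf->DirNotifyList,
                                        (PSTRING)&strfilename,
                                        pn1->namaeoffset,
                                        NULL,
                                        NULL,
                                        pn1->filtermatch,
                                        pn1->action,
                                        NULL
                                    );
                                    unLockVDFNotify(vdf);
                                    /* strfilename borrows SystemBuffer; nothing to free. */
                                    status = STATUS_SUCCESS;
                                }
                            }
                            else
                            {
                                KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY1) %d<%d\n", si, sizeof(TNOTIFY1)));
                                status = STATUS_BUFFER_TOO_SMALL;
                            }
                        }
                        else
                        {
                            KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY cmd:%d unkown\n", pn->internalcmd));
                            status = STATUS_NOT_IMPLEMENTED;
                        }
                    }
                    else
                    {
                        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY device:%d removed\n", pn->id));
                        status = STATUS_DEVICE_REMOVED;
                    }
                }
                else
                {
                    KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY process is not own\n"));
                    status = STATUS_ACCESS_DENIED;
                }
            }
            else
            {
                KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY device:%d invalid\n", pn->id));
                status = STATUS_INVALID_HANDLE;
            }
        }
        else
        {
            /* Buffered I/O should always supply a system buffer here. */
            status = STATUS_INTERNAL_ERROR;
        }
    }
    else
    {
        KdPrintfd2(("IOCTL_CMD_FILE_NOTIFY si < sizeof(TNOTIFY) %d<%d\n", si, sizeof(TNOTIFY)));
        status = STATUS_BUFFER_TOO_SMALL;
    }
}
break;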


PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe0008f814108, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801678ec046, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340

SYSTEM_MANUFACTURER: innotek GmbH

VIRTUAL_MACHINE: VirtualBox

SYSTEM_PRODUCT_NAME: VirtualBox

SYSTEM_VERSION: 1.2

BIOS_VENDOR: innotek GmbH

BIOS_VERSION: VirtualBox

BIOS_DATE: 12/01/2006

BASEBOARD_MANUFACTURER: Oracle Corporation

BASEBOARD_PRODUCT: VirtualBox

BASEBOARD_VERSION: 1.2

DUMP_TYPE: 1

BUGCHECK_P1: ffffe0008f814108

BUGCHECK_P2: 0

BUGCHECK_P3: fffff801678ec046

BUGCHECK_P4: 0

READ_ADDRESS: ffffe0008f814108 Nonpaged pool

FAULTING_IP:
nt!FsRtlNotifyFilterReportChange+41e
fffff801`678ec046 663938 cmp word ptr [rax],di

MM_INTERNAL_CODE: 0

CPU_COUNT: 2

CPU_MHZ: fa0

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: SampleFileSystem.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

ANALYSIS_SESSION_TIME: 07-19-2018 19:49:39.0356

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

TRAP_FRAME: ffffd0012a2d16d0 -- (.trap 0xffffd0012a2d16d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe0008f814108 rbx=0000000000000000 rcx=ffffc00071159410
rdx=ffffe0008dbc0d00 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801678ec046 rsp=ffffd0012a2d1860 rbp=ffffd0012a2d3780
r8=0000000000000000 r9=ffffe0008f5fba38 r10=ffffd0012a2d1ff8
r11=ffffd0012a2d1998 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!FsRtlNotifyFilterReportChange+0x41e:
fffff801`678ec046 663938 cmp word ptr [rax],di ds:ffffe000`8f814108=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff801675a1714 to fffff801675595f0

STACK_TEXT:
ffffd001`2a2d1488 fffff801`675a1714 : 00000000`00000050 ffffe000`8f814108 00000000`00000000 ffffd001`2a2d16d0 : nt!KeBugCheckEx
ffffd001`2a2d1490 fffff801`6743eeb6 : 00000000`00000000 00000000`00000000 ffffd001`2a2d16d0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x39514
ffffd001`2a2d1580 fffff801`675626bd : 00000000`00000000 ffffd001`2a2d1860 ffffe000`8f780840 00000000`00000010 : nt!MmAccessFault+0x696
ffffd001`2a2d16d0 fffff801`678ec046 : fffff801`e8d1bf30 ffffd001`2a2d3780 00000000`0000001d fffff801`00000004 : nt!KiPageFault+0x13d
ffffd001`2a2d1860 fffff801`67a70827 : ffffe000`8c95e890 ffffe000`8dbc0d00 ffffd001`2a2d1ff8 ffffd001`2a2d0002 : nt!FsRtlNotifyFilterReportChange+0x41e
ffffd001`2a2d19a0 fffff801`e8d154c8 : ffffe000`8dbc01c0 ffffcf81`87982fe0 00000000`0000001d fffff801`e8d248f4 : nt!FsRtlNotifyFullReportChange+0x4b
ffffd001`2a2d1a00 fffff801`e8d138ce : ffffe000`8c1c18a0 ffffcf81`86f6aea0 ffffcf81`86f6af70 00000000`00000007 : vfs_x64!vfums_deviceiocontrol+0x1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294]
ffffd001`2a2d3640 fffff801`e8d137be : ffffe000`8c1c18a0 ffffcf81`86f6aea0 ffffcf81`86f6af70 fffff801`67b481ba : vfs_x64!controldispatch+0x9e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 3819]
ffffd001`2a2d3680 fffff801`e8d1c007 : ffffe000`8c1c18a0 ffffcf81`86f6aea0 00000000`00000001 00000000`00001bae : vfs_x64!_DrvDispatch+0x19e [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 4986]
ffffd001`2a2d36e0 fffff801`e6c4cd70 : ffffe000`8c1c18a0 ffffcf81`86f6aea0 ffffcf81`86f6afb8 ffffe000`8e0f9230 : vfs_x64!DrvDispatch+0xd7 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\ui.c @ 345]
ffffd001`2a2d3750 fffff801`67b35044 : ffffcf81`86f6aea0 00000000`00000002 00000000`00000000 ffffe000`20206f49 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xe0
ffffd001`2a2d37b0 fffff801`6741cd42 : 00000000`00000001 ffffd001`2a2d3b80 ffffe000`8c5adf20 ffffe000`8e0f9190 : nt!IovCallDriver+0x3d8
ffffd001`2a2d3810 fffff801`67824f9d : 00000000`00000000 ffffd001`2a2d3b80 ffffe000`8c5adf20 ffffe000`000001c8 : nt!IofCallDriver+0x72
ffffd001`2a2d3850 fffff801`67823d66 : fffff801`e6b32d90 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x122d
ffffd001`2a2d3a20 fffff801`67563c63 : fffff6fb`5ffdd880 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd001`2a2d3a90 00007ffc`815a389a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`04d6d328 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`815a389a


STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 13e6c9bc8044d0731fcd499ce3dc691a54a2990e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 421722234584b59c8f1f49e2e3ea5230e98ae2a2

THREAD_SHA1_HASH_MOD: 8c264e8de88b25cb7e9e676820d23d3abe940b7a

FOLLOWUP_IP:
vfs_x64!vfums_deviceiocontrol+1128 [c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c @ 1294]
fffff801`e8d154c8 488b8c2438010000 mov rcx,qword ptr [rsp+138h]

FAULT_INSTR_CODE: 248c8b48

FAULTING_SOURCE_LINE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c

FAULTING_SOURCE_FILE: c:\source\kedac2\vfums\4.0\sys\sys\vfums\vfums\uc.c

FAULTING_SOURCE_LINE_NUMBER: 1294

FAULTING_SOURCE_CODE:
1290: pn1->filtermatch,
1291: pn1->action,
1292: NULL
1293: );
> 1294: unLockVDFNotify(vdf);
1295: //RtlFreeUnicodeString(&strfilename);
1296: status = STATUS_SUCCESS;
1297: }
1298: else
1299: {


What is this memory address (0xffffe0008f814108)?
I am unable to debug it.

Help please !!!

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,337
    You need to debug your code...

    nt!FsRtlNotifyFilterReportChange+0x41e:
    fffff801`678ec046 663938 cmp word ptr [rax],di
    ds:ffffe000`8f814108=????

    RAX has a bad value. You need to figure out where RAX came from and work
    that back to your arguments. TH1 is ancient and I don't have it installed,
    but it looks like this is probably the same sequence from RS4:

    nt!FsRtlNotifyFilterReportChange+0x409:
    fffff801`8f9af189 mov rcx,qword ptr [rdi+88h]
    fffff801`8f9af190 cmp word ptr [rcx],si

    In this case RCX comes from RDI+88. So, RDI is probably a data structure and
    there's a field that's bad. Presumably this is all derived from your inputs
    to the function, so keep working backwards like this until you trace it back
    to your arguments.

    -scott
    OSR
    @OSRDrivers


  • Gova_GimerGova_Gimer Member - All Emails Posts: 43
    I don't understand
    How do I find this allegedly bad data structure?
  • Gova_GimerGova_Gimer Member - All Emails Posts: 43
    Undebuggable!
    Because I do not have the source of this FsRtlNotifyFullReportChange function!
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,337
    Welcome to Windows kernel mode development! Debugging crashes in functions
    that you don't have the source code to is your life now.

    If you don't want to try to work backwards, then step into the function and
    watch where your arguments go through the disassembly. You're on the x64, so
    your arguments will be in:

    Arg1 - RCX
    Arg2 - RDX
    Arg3 - R8
    Arg4 - R9
    Arg5 - [RSP+28h]
    Arg6 - [RSP+30h]
    Arg7 - [RSP+38h]
    Arg8 - [RSP+40h]
    Arg9 - [RSP+48h]

    (The stack offsets are as seen at the function's first instruction, before
    its prologue adjusts RSP.)

    Looks like the only pointer arguments that you supply are for Arg1-3, so you
    probably don't need to watch too many.

    If this is the first time you've had to do something like this it will be
    painful, but consider it a learning exercise. Things only get worse from
    here! (Here's my current problem I'm debugging: an encrypted Excel document
    becomes corrupted on the Nth iteration of saving the file, where N changes
    on each run...Oh, and it only happens if you're simultaneously syncing the
    raw view of the file to Dropbox, which also happens to simultaneously cause
    an A/V scan of the file. Suffice it to say I don't have access to any of
    this code and I'm not sure it would even help me if I did...)

    -scott
    OSR
    @OSRDrivers

