
ZwQueryVirtualMemory does not return, called from PLOAD_IMAGE_NOTIFY_ROUTINE

yogeshrkhedkar Member Posts: 6

I am calling ZwQueryVirtualMemory from a PLOAD_IMAGE_NOTIFY_ROUTINE callback. For some image load callbacks, this call leads to a system hang.
Can anyone help me?

Call stack of blocked call:
nt!KiSwapContext+0x7a
nt!KiCommitThreadWait+0x1d2
nt!KeWaitForSingleObject+0x1a3
nt!ExfAcquirePushLockShared+0x138
nt!NtQueryVirtualMemory+0x67a
nt!KiSystemServiceCopyEnd+0x13
nt!KiServiceLinkage
sensor!CheckMemory+0x184
sensor!ImageLoadCallback+0xb5
nt!PsCallImageNotifyRoutines+0xdc
nt!MiMapViewOfImageSection+0x9b2
nt!MiMapViewOfSection+0x367
nt!NtMapViewOfSection+0x2bd
nt!KiSystemServiceCopyEnd+0x13
nt!KiServiceLinkage
klif+0x8279f
klif+0x6a3cd
klif+0xed1ba
klflt!PstUnregisterFilter+0x207
klflt!PstUnregisterFilter+0x295
klflt!PstUnregisterProcess+0x116d
nt! ?? ::NNGAKEGL::`string'+0x24ddd
nt!NtCreateUserProcess+0x94f
nt!KiSystemServiceCopyEnd+0x13
0x76e2a35a

Comments

  • Martin_Dráb Member - All Emails Posts: 81

    Hello,

    the documentation for PLOAD_IMAGE_NOTIFY_ROUTINE states:

    In Windows 7, Windows Server 2008 R2, and earlier versions of Windows, the operating system holds an internal system lock during calls to load-image notify routines for images loaded in user process address space (user space). To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.

    Looking at the stack trace, I see that the system waits for a pushlock. I expect that the pushlock has been acquired previously somewhere in NtMapViewOfSection. And since pushlocks cannot be acquired recursively (unlike executive resources), you get a deadlock.

    You need to avoid any actions regarding process address space during the load image notification.

    Martin Dráb
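The following is an added, stand-alone C model of the situation Martin describes, not code from the thread or from any Windows component. The push lock, the "map view of section" path, ZwQueryVirtualMemory and the work queue are all constructed stand-ins with hypothetical names (model_pushlock, query_virtual_memory, map_view_of_image_section, queue_work, drain_work_queue); none of them is a real kernel API. It shows why a query issued inside the notify routine can never get the lock, and the deferral pattern that avoids it: record only the process id and image base in the callback, and do the actual query from a work item that runs after the image-load path has released the lock.

```c
/* Added example (not from the thread): single-threaded model of the
 * load-image-notify deadlock and of deferring the query to a work item.
 * Everything below is a constructed stand-in, not a Windows API. */
#include <stdio.h>

/* Model of a push lock: an exclusive owner cannot be re-entered, even shared. */
typedef struct { int exclusive_held; } model_pushlock;

static int lock_acquire_exclusive(model_pushlock *l)
{
    if (l->exclusive_held) return 0;
    l->exclusive_held = 1;
    return 1;
}
static void lock_release_exclusive(model_pushlock *l) { l->exclusive_held = 0; }
/* A shared acquire against an exclusive owner would wait forever (the
 * ExfAcquirePushLockShared frame in the trace); report it instead of hanging. */
static int lock_try_acquire_shared(model_pushlock *l) { return !l->exclusive_held; }

enum { VM_OK = 0, VM_WOULD_DEADLOCK = 1, VM_DEFERRED = 2, VM_QUEUE_FULL = 3 };

/* Address-space lock, held exclusively across the load-image callback. */
static model_pushlock g_address_space_lock;

/* Stand-in for ZwQueryVirtualMemory: it needs the address-space lock shared. */
static int query_virtual_memory(unsigned long long base, unsigned long long *region_size)
{
    (void)base;
    if (!lock_try_acquire_shared(&g_address_space_lock))
        return VM_WOULD_DEADLOCK;
    *region_size = 0x1000ULL;   /* constructed answer; a real query fills this in */
    return VM_OK;
}

/* Deferred work queue (stand-in for a system work item). */
typedef struct { unsigned long long pid, base; } work_item;
#define MAX_WORK 8
static work_item g_queue[MAX_WORK];
static int g_queue_len;

static int queue_work(unsigned long long pid, unsigned long long base)
{
    if (g_queue_len >= MAX_WORK) return 0;
    g_queue[g_queue_len].pid = pid;
    g_queue[g_queue_len].base = base;
    g_queue_len++;
    return 1;
}

typedef int (*notify_fn)(unsigned long long pid, unsigned long long base);

/* Callback as written in the question: queries memory while the lock is held. */
static int bad_image_load_callback(unsigned long long pid, unsigned long long base)
{
    unsigned long long size;
    (void)pid;
    return query_virtual_memory(base, &size);
}

/* Callback following the answer's advice: record identifiers only and defer. */
static int good_image_load_callback(unsigned long long pid, unsigned long long base)
{
    return queue_work(pid, base) ? VM_DEFERRED : VM_QUEUE_FULL;
}

/* Model of the NtMapViewOfSection path: lock exclusive, notify, unlock. */
static int map_view_of_image_section(notify_fn cb, unsigned long long pid, unsigned long long base)
{
    int rc;
    if (!lock_acquire_exclusive(&g_address_space_lock)) return -1;
    rc = cb(pid, base);
    lock_release_exclusive(&g_address_space_lock);
    return rc;
}

/* Worker that runs later, outside the image-load path. Returns how many
 * deferred queries completed; they succeed because the lock is now free. */
static int drain_work_queue(void)
{
    int done = 0, i;
    for (i = 0; i < g_queue_len; i++) {
        unsigned long long size;
        if (query_virtual_memory(g_queue[i].base, &size) == VM_OK) done++;
    }
    g_queue_len = 0;
    return done;
}

int main(void)
{
    int bad = map_view_of_image_section(bad_image_load_callback, 1234, 0x7ff000000000ULL);
    int good = map_view_of_image_section(good_image_load_callback, 1234, 0x7ff000000000ULL);
    int drained = drain_work_queue();
    printf("inline query: %s\n", bad == VM_WOULD_DEADLOCK ? "would deadlock" : "ok");
    printf("deferred query: rc=%d, completed later=%d\n", good, drained);
    return 0;
}
```

In a real driver the worker runs in an arbitrary context, so it must look up and reference the target process (for example PsLookupProcessByProcessId followed by KeStackAttachProcess) before querying, and it has to tolerate the process having exited or the image having been unmapped by the time the work item executes.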
