Hi, all.
I wrote a function to convert the drive letter in a file minifilter. And in the function, I use the ZwQuerySymbolicLinkObject API which caused BSOD.
The error code 0xC4_f6 means “A driver references a user-mode handle as kernel mode”. But I can’t fig out what caused this bug.
Hope you guys can give some advice. Any word will be appreciated.
Here is my function code:
`
NTSTATUS QuerySymbolicLink(
IN PUNICODE_STRING SymbolicLinkName,
OUT PUNICODE_STRING LinkTarget
)
{
OBJECT_ATTRIBUTES objAttr = { 0 };
NTSTATUS status;
HANDLE handle = NULL;
InitializeObjectAttributes(&objAttr, SymbolicLinkName,
OBJ_CASE_INSENSITIVE, 0, 0);
status = ZwOpenSymbolicLinkObject(&handle, GENERIC_READ, &objAttr);
if (!NT_SUCCESS(status))
{
DbgPrint("open the symbolinkobj failed ..\n");
ZwClose(handle);
return status;
}
if (!LinkTarget->Buffer)
{
ZwClose(handle);
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory(LinkTarget->Buffer, LinkTarget->MaximumLength);
status = ZwQuerySymbolicLinkObject(handle, LinkTarget, NULL);
ZwClose(handle);
if (!NT_SUCCESS(status))
{
DbgPrint(" query the symbolinkObject failed ...\n");
}
return status;
}
`