Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Minifilter Bsod FltSendMessage

johnhouldingjohnhoulding Member Posts: 28
edited December 2019 in NTFSD

Hello everyone. I have a bsod when minifilter send filename to usermode app. So my minifilter driver get filename in preop function(IRP_MJ_CREATE) and with FltSendMessage I send it usermode app and wait . But sometimes I got BSOD. Bsod code is Page fault in non paged area. Firstly I think it happen because of i use stack variable(name[260]) to copy filename then i send this variable to user mode but i also try Nonpaged area to hold filename but it ddint help me. When i saw analyze -v result i see it happen inside FLTMGR memcpy function why? Thank you for reading,

Code which exception triggered

FLT_PREOP_CALLBACK_STATUS Filter1PreOperation(_Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{

    PFLT_FILE_NAME_INFORMATION FileName = NULL;
    NTSTATUS status;
    ULONG ret = 0;
    WCHAR* name = NULL;
    REPLY_MESSAGE repmsg = { 0 };


    ret = (ULONG)sizeof(REPLY_BUFFER);


    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileName);
    if (!NT_SUCCESS(status))
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    status = FltParseFileNameInformation(FileName);

    if (!NT_SUCCESS(status))
    {
        FltReleaseFileNameInformation(FileName);
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    if (FileName->Name.MaximumLength < 260)
    {
        /*RtlCopyMemory(name, FileName->Name.Buffer, 288);*/
        if (c)
        {

            /*RtlCopyMemory(msg, "salam", 5);*/

            name = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, FileName->Name.Length + 2, 'tvv');
            if (name == NULL)
            {
                FltReleaseFileNameInformation(FileName);
                return FLT_PREOP_SUCCESS_NO_CALLBACK;
            }

            RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);

            status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL);  >>>>//exception occurred here. and second intresting thing is when i debug my code i cant jump next line.after FltSendMessage my code return back and i cant free allocated memory??
            if (!NT_SUCCESS(status))
            {
                ExFreePoolWithTag(name, 'tvv');
                DbgPrint("Error send message to user");
            }
            DbgPrint("%wS\n", name);
            ExFreePoolWithTag(name, 'X66');


            /*DbgPrint("%d\n", repmsg.Reply.infected);*/

        }


    }

    FltReleaseFileNameInformation(FileName);

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

analyze -v response.

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff9781d2104070, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8073891f640, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

D

READ_ADDRESS: ffff9781d2104070 Nonpaged pool

FAULTING_IP:
FLTMGR!memcpy+240
fffff807`3891f640 f30f6f4411f0 movdqu xmm0,xmmword ptr [rcx+rdx-10h]
IMAGE_NAME: FsFilter2.sys

TRAP_FRAME: ffffa808eb378ef0 -- (.trap 0xffffa808eb378ef0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffbe81b4d435a0 rbx=0000000000000000 rcx=ffffbe81b4d435a0
rdx=ffffd9001d3c0ae0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8073891f640 rsp=ffffa808eb379088 rbp=ffffa808eb379260
r8=0000000000000000 r9=0000000000000009 r10=ffff820000000000
r11=ffffbe81b4d43480 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
FLTMGR!memcpy+0x240:
fffff8073891f640 f30f6f4411f0 movdqu xmm0,xmmword ptr [rcx+rdx-10h] ds:ffff9781d2104070=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80735ca9522 to fffff80735bc9370

STACK_TEXT:
ffffa808eb3784a8 fffff80735ca9522 : ffff9781d2104070 0000000000000003 ffffa808eb378610 fffff80735b1db90 : nt!DbgBreakPointWithStatus
ffffa808eb3784b0 fffff80735ca8c12 : fffff80700000003 ffffa808eb378610 fffff80735bd5bb0 ffffa808eb378b50 : nt!KiBugCheckDebugBreak+0x12
ffffa808eb378510 fffff80735bc15e7 : fffff80735e66478 fffff80735cd30b5 ffff9781d2104070 ffff9781d2104070 : nt!KeBugCheck2+0x952
ffffa808eb378c10 fffff80735be35d6 : 0000000000000050 ffff9781d2104070 0000000000000000 ffffa808eb378ef0 : nt!KeBugCheckEx+0x107
ffffa808eb378c50 fffff80735a72eef : ffff824120904000 0000000000000000 0000000000000000 ffff9781d2104070 : nt!MiSystemFault+0x1d6866
ffffa808eb378d50 fffff80735bcf520 : ffff9781fa3ed788 ffff9781fa3ed750 0000000000000000 0000000000000000 : nt!MmAccessFault+0x34f
ffffa808eb378ef0 fffff8073891f640 : fffff8073891ad9e 0000000000000000 fffff80700000000 ffffa808eb379260 : nt!KiPageFault+0x360
ffffa808eb379088 fffff8073891ad9e : 0000000000000000 fffff80700000000 ffffa808eb379260 ffff9781d2e37790 : FLTMGR!memcpy+0x240
ffffa808eb379090 fffff807338f1108 : ffff9782014efc50 ffffa808eb379260 ffff9781d2103f60 fffff80700000120 : FLTMGR!FltSendMessage+0x31e
ffffa808eb379200 fffff80738914a5d : 0000000000000000 ffff9782075d3bd0 0000000000000000 0000000000000000 : FsFilter2!Filter1PreOperation+0xd8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
ffffa808eb379270 fffff807389145a0 : ffffa808eb3793f0 ffffa808eb379400 ffffa808eb370000 0000000000000000 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffa808eb379380 fffff8073894cd13 : fffff80738939060 0000000000000050 0000000000000000 0000000000000000 : FLTMGR!FltpPassThroughInternal+0x90
ffffa808eb3793b0 fffff80735a31f79 : 0000000000000000 fffff80735fe5b05 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x2f3
ffffa808eb379460 fffff80735a31024 : 0000000000000003 0000000000000000 0000000000000000 fffff80735a317e3 : nt!IofCallDriver+0x59
ffffa808eb3794a0 fffff80735fe61eb : ffffa808eb379760 fffff80735fe5b05 ffffa808eb3796d0 ffff9782014f59a0 : nt!IoCallDriverWithTracing+0x34
ffffa808eb3794f0 fffff80735fed1bf : ffff9781d4453870 ffff9781d4453805 ffff9782014f09a0 0000000000000001 : nt!IopParseDevice+0x62b
ffffa808eb379660 fffff80735feb621 : ffff9782014f0900 ffffa808eb3798a8 ffff978100000040 ffff9781d26fa6c0 : nt!ObpLookupObjectName+0x78f
ffffa808eb379820 fffff80736030df0 : 0000000000000001 000000f6fdc79008 0000000000000001 0000000000000000 : nt!ObOpenObjectByNameEx+0x201
ffffa808eb379960 fffff80736030528 : 000000f6fdc78f90 0000000000100001 000000f6fdc79008 000000f6fdc78ff8 : nt!IopCreateFile+0x820
ffffa808eb379a00 fffff80735bd2d15 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtOpenFile+0x58
ffffa808eb379a90 00007ffa872fc724 : 00007ffa8508b146 000000f6fdc78f60 0000000000000002 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
000000f6fdc78f38 00007ffa8508b146 : 000000f6fdc78f60 0000000000000002 0000000000000000 0000000000000000 : ntdll!NtOpenFile+0x14
000000f6fdc78f40 00007ffa8506c7ca : 000002c024460c20 000000000000000b 000000f6fdc796d0 000002c02445a9e0 : KERNELBASE!FindFirstFileExW+0x1d6
000000f6fdc79300 00007ffa841b46e2 : 000002c024460c20 000002c02445a9e0 0000000000000029 000000f6fdc796ac : KERNELBASE!GetShortPathNameW+0x21a
000000f6fdc79620 00007ffa841b33d7 : 000002c024474520 0000000000000000 0000000000000424 000002c024474520 : profapi!_SetEnvFromRegistryKey+0x532
000000f6fdc79930 00007ffa841b2299 : 0000000000000000 0000000000000418 000000f6fdc7a780 000002c024473ca0 : profapi!_SetUserEnvironment+0x357
000000f6fdc7a720 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : profapi!CreateEnvBlock+0x59

FOLLOWUP_IP:
FsFilter2!Filter1PreOperation+d8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffff807`338f1108 85c0 test eax,eax

FAULT_INSTR_CODE: 1d79c085

FAULTING_SOURCE_LINE: D:\repos\FsFilter2\FsFilter2\FsFilter2.c

FAULTING_SOURCE_FILE: D:\repos\FsFilter2\FsFilter2\FsFilter2.c

FAULTING_SOURCE_LINE_NUMBER: 119

FAULTING_SOURCE_CODE:
115:
116: RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
117:
118: status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL);

119: if (!NT_SUCCESS(status))

120: {
121: ExFreePoolWithTag(name, 'X66');
122: DbgPrint("Error send message to user");
123: }
124: DbgPrint("%wS\n", name);

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: FsFilter2!Filter1PreOperation+d8

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 20 Apr 2020 LIVE ONLINE
Writing WDF Drivers 11 May 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA