Hello everyone. I have a bsod when minifilter send filename to usermode app. So my minifilter driver get filename in preop function(IRP_MJ_CREATE) and with FltSendMessage I send it usermode app and wait . But sometimes I got BSOD. Bsod code is Page fault in non paged area. Firstly I think it happen because of i use stack variable(name[260]) to copy filename then i send this variable to user mode but i also try Nonpaged area to hold filename but it ddint help me. When i saw analyze -v result i see it happen inside FLTMGR memcpy function why? Thank you for reading,
Code which exception triggered
FLT_PREOP_CALLBACK_STATUS Filter1PreOperation(_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{
PFLT_FILE_NAME_INFORMATION FileName = NULL;
NTSTATUS status;
ULONG ret = 0;
WCHAR* name = NULL;
REPLY_MESSAGE repmsg = { 0 };
ret = (ULONG)sizeof(REPLY_BUFFER);
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileName);
if (!NT_SUCCESS(status))
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
status = FltParseFileNameInformation(FileName);
if (!NT_SUCCESS(status))
{
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (FileName->Name.MaximumLength < 260)
{
/*RtlCopyMemory(name, FileName->Name.Buffer, 288);*/
if (c)
{
/*RtlCopyMemory(msg, "salam", 5);*/
name = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, FileName->Name.Length + 2, 'tvv');
if (name == NULL)
{
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL); >>>>//exception occurred here. and second intresting thing is when i debug my code i cant jump next line.after FltSendMessage my code return back and i cant free allocated memory??
if (!NT_SUCCESS(status))
{
ExFreePoolWithTag(name, 'tvv');
DbgPrint("Error send message to user");
}
DbgPrint("%wS\n", name);
ExFreePoolWithTag(name, 'X66');
/*DbgPrint("%d\n", repmsg.Reply.infected);*/
}
}
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
analyze -v response.
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffff9781d2104070, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8073891f640, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
D
READ_ADDRESS: ffff9781d2104070 Nonpaged pool
FAULTING_IP:
FLTMGR!memcpy+240
fffff807`3891f640 f30f6f4411f0 movdqu xmm0,xmmword ptr [rcx+rdx-10h]
IMAGE_NAME: FsFilter2.sys
TRAP_FRAME: ffffa808eb378ef0 – (.trap 0xffffa808eb378ef0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffbe81b4d435a0 rbx=0000000000000000 rcx=ffffbe81b4d435a0
rdx=ffffd9001d3c0ae0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8073891f640 rsp=ffffa808eb379088 rbp=ffffa808eb379260
r8=0000000000000000 r9=0000000000000009 r10=ffff820000000000
r11=ffffbe81b4d43480 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
FLTMGR!memcpy+0x240:
fffff8073891f640 f30f6f4411f0 movdqu xmm0,xmmword ptr [rcx+rdx-10h] ds:ffff9781
d2104070=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80735ca9522 to fffff80735bc9370
STACK_TEXT:
ffffa808eb3784a8 fffff807
35ca9522 : ffff9781d2104070 00000000
00000003 ffffa808eb378610 fffff807
35b1db90 : nt!DbgBreakPointWithStatus
ffffa808eb3784b0 fffff807
35ca8c12 : fffff80700000003 ffffa808
eb378610 fffff80735bd5bb0 ffffa808
eb378b50 : nt!KiBugCheckDebugBreak+0x12
ffffa808eb378510 fffff807
35bc15e7 : fffff80735e66478 fffff807
35cd30b5 ffff9781d2104070 ffff9781
d2104070 : nt!KeBugCheck2+0x952
ffffa808eb378c10 fffff807
35be35d6 : 0000000000000050 ffff9781
d2104070 0000000000000000 ffffa808
eb378ef0 : nt!KeBugCheckEx+0x107
ffffa808eb378c50 fffff807
35a72eef : ffff824120904000 00000000
00000000 0000000000000000 ffff9781
d2104070 : nt!MiSystemFault+0x1d6866
ffffa808eb378d50 fffff807
35bcf520 : ffff9781fa3ed788 ffff9781
fa3ed750 0000000000000000 00000000
00000000 : nt!MmAccessFault+0x34f
ffffa808eb378ef0 fffff807
3891f640 : fffff8073891ad9e 00000000
00000000 fffff80700000000 ffffa808
eb379260 : nt!KiPageFault+0x360
ffffa808eb379088 fffff807
3891ad9e : 0000000000000000 fffff807
00000000 ffffa808eb379260 ffff9781
d2e37790 : FLTMGR!memcpy+0x240
ffffa808eb379090 fffff807
338f1108 : ffff9782014efc50 ffffa808
eb379260 ffff9781d2103f60 fffff807
00000120 : FLTMGR!FltSendMessage+0x31e
ffffa808eb379200 fffff807
38914a5d : 0000000000000000 ffff9782
075d3bd0 0000000000000000 00000000
00000000 : FsFilter2!Filter1PreOperation+0xd8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
ffffa808eb379270 fffff807
389145a0 : ffffa808eb3793f0 ffffa808
eb379400 ffffa808eb370000 00000000
00000000 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffa808eb379380 fffff807
3894cd13 : fffff80738939060 00000000
00000050 0000000000000000 00000000
00000000 : FLTMGR!FltpPassThroughInternal+0x90
ffffa808eb3793b0 fffff807
35a31f79 : 0000000000000000 fffff807
35fe5b05 0000000000000000 00000000
00000000 : FLTMGR!FltpCreate+0x2f3
ffffa808eb379460 fffff807
35a31024 : 0000000000000003 00000000
00000000 0000000000000000 fffff807
35a317e3 : nt!IofCallDriver+0x59
ffffa808eb3794a0 fffff807
35fe61eb : ffffa808eb379760 fffff807
35fe5b05 ffffa808eb3796d0 ffff9782
014f59a0 : nt!IoCallDriverWithTracing+0x34
ffffa808eb3794f0 fffff807
35fed1bf : ffff9781d4453870 ffff9781
d4453805 ffff9782014f09a0 00000000
00000001 : nt!IopParseDevice+0x62b
ffffa808eb379660 fffff807
35feb621 : ffff9782014f0900 ffffa808
eb3798a8 ffff978100000040 ffff9781
d26fa6c0 : nt!ObpLookupObjectName+0x78f
ffffa808eb379820 fffff807
36030df0 : 0000000000000001 000000f6
fdc79008 0000000000000001 00000000
00000000 : nt!ObOpenObjectByNameEx+0x201
ffffa808eb379960 fffff807
36030528 : 000000f6fdc78f90 00000000
00100001 000000f6fdc79008 000000f6
fdc78ff8 : nt!IopCreateFile+0x820
ffffa808eb379a00 fffff807
35bd2d15 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!NtOpenFile+0x58
ffffa808eb379a90 00007ffa
872fc724 : 00007ffa8508b146 000000f6
fdc78f60 0000000000000002 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x25
000000f6fdc78f38 00007ffa
8508b146 : 000000f6fdc78f60 00000000
00000002 0000000000000000 00000000
00000000 : ntdll!NtOpenFile+0x14
000000f6fdc78f40 00007ffa
8506c7ca : 000002c024460c20 00000000
0000000b 000000f6fdc796d0 000002c0
2445a9e0 : KERNELBASE!FindFirstFileExW+0x1d6
000000f6fdc79300 00007ffa
841b46e2 : 000002c024460c20 000002c0
2445a9e0 0000000000000029 000000f6
fdc796ac : KERNELBASE!GetShortPathNameW+0x21a
000000f6fdc79620 00007ffa
841b33d7 : 000002c024474520 00000000
00000000 0000000000000424 000002c0
24474520 : profapi!_SetEnvFromRegistryKey+0x532
000000f6fdc79930 00007ffa
841b2299 : 0000000000000000 00000000
00000418 000000f6fdc7a780 000002c0
24473ca0 : profapi!_SetUserEnvironment+0x357
000000f6fdc7a720 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : profapi!CreateEnvBlock+0x59
FOLLOWUP_IP:
FsFilter2!Filter1PreOperation+d8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffff807`338f1108 85c0 test eax,eax
FAULT_INSTR_CODE: 1d79c085
FAULTING_SOURCE_LINE: D:\repos\FsFilter2\FsFilter2\FsFilter2.c
FAULTING_SOURCE_FILE: D:\repos\FsFilter2\FsFilter2\FsFilter2.c
FAULTING_SOURCE_LINE_NUMBER: 119
FAULTING_SOURCE_CODE:
115:
116: RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
117:
118: status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL);
119: if (!NT_SUCCESS(status))
120: {
121: ExFreePoolWithTag(name, ‘X66’);
122: DbgPrint(“Error send message to user”);
123: }
124: DbgPrint(“%wS\n”, name);
SYMBOL_STACK_INDEX: 9