The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I have an encryption isolation filter and it's causing a crash (PAGE_FAULT_IN_FREED_SPECIAL_POOL) when I try to browse for a file through the new Edge browser. The crash happens in IoGetTransactionParameterBlock with the stack below.
23117528 fffff8000d5044e3 nt!IoGetTransactionParameterBlock+0x18
23117530 fffff8000d5041dc FLTMGR!FltpPerformPreCallbacks+0x1b3
23117640 fffff8000d503c03 FLTMGR!FltpPassThroughInternal+0x8c
23117670 fffff8000d532d10 FLTMGR!FltpPassThrough+0x173
23117700 fffff802985ab044 FLTMGR!FltpFsControl+0xd0
23117760 fffff80297f0f252 nt!IovCallDriver+0x3d8
231177c0 fffff802982ab17d nt!IofCallDriver+0x72
23117800 fffff802982fc6da nt!IopXxxControlFile+0x71d
23117a20 fffff80297fd4263 nt!NtFsControlFile+0x56
23117a90 00007ffbed7238da nt!KiSystemServiceCopyEnd+0x13
5e718178 00007ffbeab9ed3a ntdll!NtFsControlFile+0xa
5e718180 00007ffbeab91f8b KERNELBASE!DeviceIoControl+0x1aa
5e7181f0 00007ffbeab933e0 KERNELBASE!BasepGetVolumeNameFromReparsePoint+0xa7
5e7182b0 00007ffbeabb4c9b KERNELBASE!GetDriveTypeW+0x1f0
5e7187e0 00007ffbea624cb1 KERNELBASE!GetVolumePathNameInternalW+0x1ab
My filter is not in the stack so I'm stuck on how to really debug it. Doing a little digging in IoGetTransactionParameterBlock (which is a small function), a FILE_OBJECT is passed in and it references the FileObjectExtension. Then if that is not null, it looks for something at an offset but the actual FileObjectExtension is opaque so not exactly sure what. In this case, it doesn't really matter though because the FILE_OBJECT that is being passed is no longer valid. It is one of my filter's FILE_OBJECTS (the upper one) but looking at my debug output, I can see that the FILE_OBJECT referenced by IoGetTransactionParameterBlock is closed right before this crash occurs.
The stack trace is consistent and it's also interesting because the user mode functions in the stack are related to drives whereas the FILE_OBJECT was for a regular directory.
Seeing how the crashing function is related to transactions, I made some changes to see if it would stop the crash. I added a check in PreCreate to deny any transactions operations (FltObjects->Transaction != NULL) and I commented out some code in NormalizeName that deals with transactions. Neither helped because it still crashes.
So, like I said I'm stuck on where else to look or how to solve this. Any thoughts on the root cause or other areas to investigate would be appreciated.
It looks like you're new here. If you want to get involved, click one of these buttons!
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!||Kernel Debugging||30 Mar 2020||OSR Seminar Space|
|Developing Minifilters||15 Jun 2020||LIVE ONLINE|
|Writing WDF Drivers||22 June 2020||LIVE ONLINE|
|Internals & Software Drivers||28 Sept 2020||Dulles, VA|