Filemon get file data

buridan

// p.s. move this thread https://community.osr.com/discussion/292403/filemon-get-file-data#latest

I have a problem in filemon filter driver, not mini-filter.
I need to calculate hash sum of the file, when he was opened and closed.

In post-callback(CompletionRoutine) for IRP_MJ_CREATE, I check status of operation and if it succseed, try to get data of the file by calling
FsRtlCreateSectionForDataScan, and after that, I see BSOD.

In this article and MSDN, wrote that I cant use FsRtlCreateSectionForDataScan routine for this task.
https://www.osr.com/nt-insider/2019-issue1/fsrtlcreatesectionfordatascan-and-flt-variant-explained/

Help me please, tell me how can I get data of the file and what wrong with this logic.

*
Bugcheck Analysis *
*
KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: 0000000000000004, lock type that was held (value 1,2,3, or PTE address)
Arg2: 0000000000000000, error status (normally i/o status code)
Arg3: ffffd20ab4c05570, current process (virtual address for lock type 3, or PTE)
Arg4: 00000000055e76b0, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)

Scott_Noone_(OSR)

You need to post the entire !analyze -v output.

Also, have you played with the avscan sample? It demonstrates how to use this API.