Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Minifilter BSOD EXCEPTION_DOUBLE_FAULT

felfelchefelfelche Member Posts: 2

Hi guys. I've developed a Minifilter driver. It only crashes on one system very rarely. I still don't know when and why !

this Is analyze result

For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff800'707f3ea0 48894c2408 mov qword ptr [rsp+8],rcx ss:fffff800'75089d10=000000000000007f
0: kd> !analyze -v
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
BugCheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a portion of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: fffff80075089e50
Arg3: fffffb07468c0fe0
Arg4: fffff800707448e5

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 63562

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 138148

Key  : Analysis.Init.CPU.mSec
Value: 30296

Key  : Analysis.Init.Elapsed.mSec
Value: 48024

Key  : Analysis.Memory.CommitPeak.Mb
Value: 83

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 7f

BUGCHECK_P1: 8

BUGCHECK_P2: fffff80075089e50

BUGCHECK_P3: fffffb07468c0fe0

BUGCHECK_P4: fffff800707448e5

TRAP_FRAME: fffff80075089e50 -- (.trap 0xfffff80075089e50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffb07468c1048 rbx=0000000000000000 rcx=0000000000000040
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800707448e5 rsp=fffffb07468c0fe0 rbp=00000000000001c0
r8=fffffb07468c1014 r9=fffffb07468c1010 r10=fffff8007104eb00
r11=fffffb07468c1028 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!MiAllocatePool+0x55:
fffff800'707448e5 e8e6d76600 call nt!ExpPoolFlagsToPoolType (fffff800'70db20d0)
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: MemCompression

STACK_OVERFLOW: Stack Limit: fffffb07468c1000. Use (kF) and (!stackusage) to investigate stack usage.

STACKUSAGE_FUNCTION: The function at address 0xfffff800870ce8c0 was blamed for the stack overflow. It is using 2400 bytes of stack total in 10 instances (likely recursion).

STACK_COMMAND: .trap 0xfffff80075089e50 ; kb

FAULTING_SOURCE_LINE: Main.cpp

FAULTING_SOURCE_FILE: Main.cpp

FAULTING_SOURCE_LINE_NUMBER: 988

SYMBOL_NAME: FileSystemProtectionDriver!mj_pre_read+50

IMAGE_NAME: FileSystemProtectionDriver.sys

IMAGE_VERSION: 1.5.3.381

MODULE_NAME: FileSystemProtectionDriver

FAILURE_BUCKET_ID: TRAP_FRAME_RECURSION

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {6fb26652-9c01-a5d2-4176-0141cc9056d6}

Call Stack

0: kd> k
# Child-SP RetAddr Call Site
00 fffff800'75089d08 fffff800'70805e69 nt!KeBugCheckEx
01 fffff800'75089d10 fffff800'70800c83 nt!KiBugCheckDispatch+0x69
02 fffff800'75089e50 fffff800'707448e5 nt!KiDoubleFaultAbort+0x2c3
03 fffffb07'468c0fe0 fffff800'70668889 nt!MiAllocatePool+0x55
04 fffffb07'468c1030 fffff800'706c12ee nt!MiAllocateInPageSupportBlock+0x2d
05 fffffb07'468c1060 fffff800'706acbd4 nt!MiGetInPageSupportBlock+0x9a
06 fffffb07'468c1090 fffff800'7062b041 nt!MiAllocateInPageSupport+0x54
07 fffffb07'468c10c0 fffff800'706293b8 nt!MiResolvePageFileFault+0x2f9
08 fffffb07'468c11f0 fffff800'706291af nt!MiIssueFlowThroughFault+0x12c
09 fffffb07'468c1220 fffff800'706f8726 nt!MiHandleCollidedFault+0xc3
0a fffffb07'468c1270 fffff800'706f09ee nt!MiResolveTransitionFault+0x3e6
0b fffffb07'468c1330 fffff800'706ee909 nt!MiDispatchFault+0x3fe
0c fffffb07'468c1470 fffff800'7080205e nt!MmAccessFault+0x189
0d fffffb07'468c1610 fffff800'870cb0c6 nt!KiPageFault+0x35e
0e (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
0f (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
10 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
11 fffffb07'468c17a0 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
12 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
13 fffffb07'468c17d0 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
14 fffffb07'468c1830 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
15 fffffb07'468c1920 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
16 fffffb07'468c1a40 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
17 fffffb07'468c1a90 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
18 fffffb07'468c1b30 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
19 fffffb07'468c1b90 fffff800'70739b57 nt!IofCallDriver+0x55
1a fffffb07'468c1bd0 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
1b fffffb07'468c1c40 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
1c fffffb07'468c1c90 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
1d fffffb07'468c1da0 fffff800'7080205e nt!MmAccessFault+0x468
1e fffffb07'468c1f40 fffff800'870cb0c6 nt!KiPageFault+0x35e
1f (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
20 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
21 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
22 fffffb07'468c20d0 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
23 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
24 fffffb07'468c2100 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
25 fffffb07'468c2160 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
26 fffffb07'468c2250 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
27 fffffb07'468c2370 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
28 fffffb07'468c23c0 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
29 fffffb07'468c2460 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
2a fffffb07'468c24c0 fffff800'70739b57 nt!IofCallDriver+0x55
2b fffffb07'468c2500 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
2c fffffb07'468c2570 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
2d fffffb07'468c25c0 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
2e fffffb07'468c26d0 fffff800'7080205e nt!MmAccessFault+0x468
2f fffffb07'468c2870 fffff800'870cb0c6 nt!KiPageFault+0x35e
30 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
31 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
32 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
33 fffffb07'468c2a00 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
34 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
35 fffffb07'468c2a30 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
36 fffffb07'468c2a90 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
37 fffffb07'468c2b80 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
38 fffffb07'468c2ca0 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
39 fffffb07'468c2cf0 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
3a fffffb07'468c2d90 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
3b fffffb07'468c2df0 fffff800'70739b57 nt!IofCallDriver+0x55
3c fffffb07'468c2e30 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
3d fffffb07'468c2ea0 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
3e fffffb07'468c2ef0 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
3f fffffb07'468c3000 fffff800'7080205e nt!MmAccessFault+0x468
40 fffffb07'468c31a0 fffff800'870cb0c6 nt!KiPageFault+0x35e
41 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
42 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
43 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
44 fffffb07'468c3330 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
45 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
46 fffffb07'468c3360 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
47 fffffb07'468c33c0 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
48 fffffb07'468c34b0 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
49 fffffb07'468c35d0 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
4a fffffb07'468c3620 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
4b fffffb07'468c36c0 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
4c fffffb07'468c3720 fffff800'70739b57 nt!IofCallDriver+0x55
4d fffffb07'468c3760 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
4e fffffb07'468c37d0 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
4f fffffb07'468c3820 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
50 fffffb07'468c3930 fffff800'7080205e nt!MmAccessFault+0x468
51 fffffb07'468c3ad0 fffff800'870cb0c6 nt!KiPageFault+0x35e
52 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
53 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
54 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
55 fffffb07'468c3c60 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
56 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
57 fffffb07'468c3c90 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
58 fffffb07'468c3cf0 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
59 fffffb07'468c3de0 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
5a fffffb07'468c3f00 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
5b fffffb07'468c3f50 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
5c fffffb07'468c3ff0 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
5d fffffb07'468c4050 fffff800'70739b57 nt!IofCallDriver+0x55
5e fffffb07'468c4090 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
5f fffffb07'468c4100 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
60 fffffb07'468c4150 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
61 fffffb07'468c4260 fffff800'7080205e nt!MmAccessFault+0x468
62 fffffb07'468c4400 fffff800'870cb0c6 nt!KiPageFault+0x35e
63 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
64 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
65 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
66 fffffb07'468c4590 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
67 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
68 fffffb07'468c45c0 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
69 fffffb07'468c4620 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
6a fffffb07'468c4710 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
6b fffffb07'468c4830 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
6c fffffb07'468c4880 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
6d fffffb07'468c4920 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
6e fffffb07'468c4980 fffff800'70739b57 nt!IofCallDriver+0x55
6f fffffb07'468c49c0 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
70 fffffb07'468c4a30 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
71 fffffb07'468c4a80 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
72 fffffb07'468c4b90 fffff800'7080205e nt!MmAccessFault+0x468
73 fffffb07'468c4d30 fffff800'870cb0c6 nt!KiPageFault+0x35e
74 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
75 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
76 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
77 fffffb07'468c4ec0 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
78 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
79 fffffb07'468c4ef0 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
7a fffffb07'468c4f50 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
7b fffffb07'468c5040 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
7c fffffb07'468c5160 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
7d fffffb07'468c51b0 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
7e fffffb07'468c5250 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
7f fffffb07'468c52b0 fffff800'70739b57 nt!IofCallDriver+0x55
80 fffffb07'468c52f0 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
81 fffffb07'468c5360 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
82 fffffb07'468c53b0 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
83 fffffb07'468c54c0 fffff800'7080205e nt!MmAccessFault+0x468
84 fffffb07'468c5660 fffff800'870cb0c6 nt!KiPageFault+0x35e
85 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
86 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
87 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
88 fffffb07'468c57f0 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
89 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
8a fffffb07'468c5820 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
8b fffffb07'468c5880 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
8c fffffb07'468c5970 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
8d fffffb07'468c5a90 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
8e fffffb07'468c5ae0 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
8f fffffb07'468c5b80 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
90 fffffb07'468c5be0 fffff800'70739b57 nt!IofCallDriver+0x55
91 fffffb07'468c5c20 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
92 fffffb07'468c5c90 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
93 fffffb07'468c5ce0 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
94 fffffb07'468c5df0 fffff800'7080205e nt!MmAccessFault+0x468
95 fffffb07'468c5f90 fffff800'870cb0c6 nt!KiPageFault+0x35e
96 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
97 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
98 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
99 fffffb07'468c6120 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
9a (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
9b fffffb07'468c6150 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
9c fffffb07'468c61b0 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
9d fffffb07'468c62a0 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
9e fffffb07'468c63c0 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
9f fffffb07'468c6410 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
a0 fffffb07'468c64b0 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
a1 fffffb07'468c6510 fffff800'70739b57 nt!IofCallDriver+0x55
a2 fffffb07'468c6550 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
a3 fffffb07'468c65c0 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
a4 fffffb07'468c6610 fffff800'706eebe8 nt!MiIssueHardFault+0x29d
a5 fffffb07'468c6720 fffff800'7080205e nt!MmAccessFault+0x468
a6 fffffb07'468c68c0 fffff800'870cb0c6 nt!KiPageFault+0x35e
a7 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::EqualTo::operator()+0x3
a8 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::FirstEqual >,kernel_commons::EqualTo >::operator()+0x3
a9 (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x33
aa fffffb07'468c6a50 fffff800'870cb401 FileSystemProtectionDriver!kernel_commons::HashSet<kernel_commons::Pair > >,kernel_commons::FirstHash >,kernel_commons::DefaultHash >,kernel_commons::FirstEqual >,kernel_commons::EqualTo >,1>::find+0x5a
ab (Inline Function) --------'-------- FileSystemProtectionDriver!kernel_commons::HashMap >,kernel_commons::DefaultHash,kernel_commons::EqualTo,1>::find+0x35
ac fffffb07'468c6a80 fffff800'870ce8c0 FileSystemProtectionDriver!ProcessMonitor::get+0x69
ad fffffb07'468c6ae0 fffff800'6dca608c FileSystemProtectionDriver!mj_pre_read+0x50
ae fffffb07'468c6bd0 fffff800'6dca5b37 FLTMGR!FltpPerformPreCallbacksWorker+0x36c
af fffffb07'468c6cf0 fffff800'6dca4b46 FLTMGR!FltpPassThroughInternal+0xc7
b0 fffffb07'468c6d40 fffff800'6dca48bb FLTMGR!FltpPassThrough+0x1d6
b1 fffffb07'468c6de0 fffff800'706d1f35 FLTMGR!FltpDispatch+0x8b
b2 fffffb07'468c6e40 fffff800'70739b57 nt!IofCallDriver+0x55
b3 fffffb07'468c6e80 fffff800'7073cbd6 nt!IoPageReadEx+0x1d7
b4 fffffb07'468c6ef0 fffff800'7073c64d nt!MiIssueHardFaultIo+0xb6
b5 fffffb07'468c6f40 00000000'00000000 nt!MiIssueHardFault+0x29d

0: kd> !stackusage

Stack Usage By Function

  Size     Count  Module

0x00000FA0 10 nt!KiPageFault
0x00000EA0 9 nt!MmAccessFault
0x00000B40 10 FLTMGR!FltpPerformPreCallbacksWorker
0x00000990 9 nt!MiIssueHardFault
0x00000960 10 FileSystemProtectionDriver!mj_pre_read
0x00000640 10 FLTMGR!FltpPassThrough
0x00000460 10 nt!IoPageReadEx
0x000003C0 10 FLTMGR!FltpDispatch
0x000003C0 10 FileSystemProtectionDriver!ProcessMonitor::get
0x00000320 10 FLTMGR!FltpPassThroughInternal
0x00000320 10 nt!MiIssueHardFaultIo
0x00000280 10 nt!IofCallDriver
0x000001E0 10 0xFFFFF800870CB0C6
0x000001A0 1 nt!MmAccessFault
0x00000140 1 nt!MiDispatchFault
0x00000130 1 nt!MiResolvePageFileFault
0x000000C0 1 nt!MiResolveTransitionFault
0x00000050 1 nt!MiHandleCollidedFault
0x00000050 2 nt!MiAllocatePool
0x00000030 1 nt!MiIssueFlowThroughFault
0x00000030 1 nt!MiAllocateInPageSupportBlock
0x00000030 1 nt!MiAllocateInPageSupport
0x00000030 1 nt!MiGetInPageSupportBlock

Total Size: 0x00005F60

Stack Usage By Module

  Size     Count  Module

0x00003800 69 nt
0x00001860 40 FLTMGR
0x00000F00 30 FileSystemProtectionDriver

Total Size: 0x00005F60

And I know the stack shows stack overflow but the code has no recursion and EqualTo<unsigned __int64>::operator() has implementation like

template
bool EqualTo::operator()(const Type& first, const Type& second) const
{
return first == second;
}

I will be pleased if help me.
Thanks a lot.

Comments

  • Aleh_KazakevichAleh_Kazakevich Member Posts: 78

    It looks like your minifilter works with pageable memory during handling paging I/O.
    In other words, handling of one page fault causes another page fault and this continues
    again and again until stack exhaustion.

    To avoid this, all parts of your driver that work in paging path must use only non-paged
    memory and reside in non-paged module section. Similar restrictions applied to storage
    drivers, for example:

    Restrictions on Pageable Code in Storage Drivers
    https://docs.microsoft.com/en-us/windows-hardware/drivers/storage/restrictions-on-pageable-code-in-storage-drivers

    To prevent deadlock, no part of a storage driver that is used to service read or write requests should
    have pageable code, nor should it ever attempt to access pageable memory. This is because the driver's
    DispatchRead and DispatchWrite routines can be called at IRQL > PASSIVE_LEVEL, and the in-paging I/O
    that services a page fault takes place atIRQL = APC_LEVEL.

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,212

    Not using pageable memory in the page fault path is a very good recommendation.

    In your case, your code is recursive.

    • You get a pagefault
    • So you look up the process in your hash table
    • But it’s paged out
    • So you get a pagefault
    • So you look up the process in your hash table
    • But it’s paged out
    • So you ……

    And so on.

    Make your hash table non paged.

    Also (and fwiw) I’d look to the amount of stack your C++ code is consuming. Win10 is getting quite tight on memory with the OS consuming a fair bit for ‘usual operations’ (I’ve seen several k for an IoFreeIrp) so the wiggle room left over for filters is not great. But that isn’t your problem here, it’s recursion

  • felfelchefelfelche Member Posts: 2

    Thanx a lot guys. I'll make all my Read/Write variables NonPagedPool.
    I didn't know about PageFault during PagingIO and it's still strange for me.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 15 November 2021 Live, Online
Writing WDF Drivers 24 January 2022 Live, Online
Developing Minifilters 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online