BSOD after calling FltReadFile

Hi All,

I am developing a mini-filter driver, which will be used to monitor writes for the path “\Device\Harddisk0\DR0” (which is the MBR location).
Till now everything is fine and I am able to detect the required write call, but before denying it, I wanted to verify the current write content against the existing disk content; for that I am using FltReadFile with the same file object. But I am getting a BSOD.

I am currently in preWrite. So what is going wrong in this case???

code -
    ntStatus = ObReferenceObjectByPointer(FltObjects->FileObject,GENERIC_READ,*IoFileObjectType,KernelMode);
    if (STATUS_SUCCESS == ntStatus)
    {
        pBuff = FltAllocatePoolAlignedWithTag(FltObjects->Instance,NonPagedPool,1024,'mbrm');
        if (NULL == pBuff)
            __leave;

        //
        // read MBR from DISK
        //
        lgOffSet.QuadPart = ulBytesRead = 0;
        ntStatus = FltReadFile(
            FltObjects->Instance,
            FltObjects->FileObject,
            &lgOffSet,
            sizeof(byBuff),
            pBuff,
            FLTFL_IO_OPERATION_NON_CACHED |
            FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
            &ulBytesRead,
            NULL,
            NULL);

        if (STATUS_SUCCESS != ntStatus || sizeof(byBuff) != ulBytesRead)
        {
            FltFreePoolAlignedWithTag(FltObjects->Instance,pBuff,'mbrm');
            __leave;
        }

        RtlCopyMemory(byBuff,pBuff,512);
        FltFreePoolAlignedWithTag(FltObjects->Instance,pBuff,'mbrm');

        ObDereferenceObject(FltObjects->FileObject);
    }

I make no comments on your requirements.

So what is going wrong in this case???

Some more information would be helpful. Like what does analyze -v say?

You are of course running under verifier, Right?

From blind code review:

I don’t know why you think you need to reference the file object. You are
in an IO and so the device object and file object are pinned for you (unless
you know otherwise). By guessing what __leave does I’m also guessing that you
are leaking references.

I’d also be leery of doing non paging IO during a paging write.

And I’m not convinced that you are crash proof in the paging file path.

This may sound silly but are you sure that sizeof(byBuff) <= 1024 ?

Anyway, !analyze -v would be indispensable here.
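
Two of the review points above can be checked by inspection: a reference that is taken must be released on every exit path, and one length must govern the allocation, the read and the compare. The following is an added user-mode C model of that structure, not code from the thread and not a kernel driver; `write_changes_sector0`, `read_fn`, the `read_*` functions and the two counters are hypothetical stand-ins for the kernel calls named in the comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR_SIZE 512u   /* the one length used to allocate, read and compare */

static int g_refs, g_allocs;   /* outstanding references / buffers (model only) */

/* Hypothetical stand-in for the disk read (FltReadFile in the driver). */
typedef int (*read_fn)(uint64_t off, void *buf, size_t len, size_t *got);

/* Constructed sample "disk": sector 0 is all 0xAA. */
int read_ok(uint64_t off, void *buf, size_t len, size_t *got) {
    (void)off; memset(buf, 0xAA, len); *got = len; return 0;
}
int read_short(uint64_t off, void *buf, size_t len, size_t *got) {
    (void)off; memset(buf, 0xAA, len / 2); *got = len / 2; return 0;
}
int read_fail(uint64_t off, void *buf, size_t len, size_t *got) {
    (void)off; (void)buf; (void)len; *got = 0; return -1;
}

/* 1: write differs from sector 0, 0: identical, -1: could not compare. */
int write_changes_sector0(read_fn rd, const uint8_t *wbuf, size_t wlen) {
    int result = -1;
    uint8_t *disk = NULL;
    size_t got = 0;

    g_refs++;                            /* models ObReferenceObjectByPointer */
    if (wbuf == NULL || wlen < SECTOR_SIZE) goto done;
    disk = malloc(SECTOR_SIZE);          /* models FltAllocatePoolAlignedWithTag */
    if (disk == NULL) goto done;
    g_allocs++;
    if (rd(0, disk, SECTOR_SIZE, &got) != 0 || got != SECTOR_SIZE) goto done;
    result = memcmp(wbuf, disk, SECTOR_SIZE) != 0;
done:                                    /* single exit: every path lands here */
    if (disk != NULL) { free(disk); g_allocs--; }
    g_refs--;                            /* models ObDereferenceObject */
    return result;
}

int main(void) {
    uint8_t w[SECTOR_SIZE];              /* constructed write buffer */
    memset(w, 0xAA, sizeof w); w[510] = 0x55;
    int r = write_changes_sector0(read_fail, w, sizeof w);
    printf("result=%d refs=%d allocs=%d\n", r, g_refs, g_allocs);
    return 0;
}
```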