help with bsod on minifilter driver

Hello, I'm new to minifilter programming.
I'm trying to program a minifilter that recognizes when a specific file is opened and does some logic accordingly.
I used the Windows SwapBuffer minifilter sample as a prototype and tried to compare the file name with my file name using the function RtlCompareUnicodeString, but for some reason I get a BSOD on the use of it (I run on Win7 32-bit):

this is my code:

```c
// Assumed: EXTENTION is a UNICODE_STRING global defined elsewhere in the driver
// (its definition is not part of the post).
extern UNICODE_STRING EXTENTION;

FLT_PREOP_CALLBACK_STATUS
SwapPreReadBuffers(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION NameInfo = NULL;

    UNREFERENCED_PARAMETER( FltObjects );
    UNREFERENCED_PARAMETER( CompletionContext );

    //
    // Skip IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO and
    // TopLevelIrp.
    //

    if ((Data->Iopb->IrpFlags & IRP_PAGING_IO) ||
        (Data->Iopb->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ||
        IoGetTopLevelIrp()) {

        DbgPrint("[-] SwapPreReadBuffers: this call is not for us\n");
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    status = FltGetFileNameInformation( Data,
                                        FLT_FILE_NAME_NORMALIZED
                                        | FLT_FILE_NAME_QUERY_DEFAULT,
                                        &NameInfo );
    if (!NT_SUCCESS( status )) {
        DbgPrint("[-] SwapPreReadBuffers: couldn't get name info\n");
        goto PreReadCleanup;
    }

    status = FltParseFileNameInformation( NameInfo );
    if (!NT_SUCCESS( status )) {
        DbgPrint("[-] SwapPreReadBuffers: couldn't parse name info\n");
        goto PreReadCleanup;
    }

    if (NULL == NameInfo) {
        DbgPrint("[-] name info is actually NULL\n");
    } else {
        // UNICODE_STRINGs are structs: print their addresses, buffers and
        // lengths explicitly instead of passing the structs themselves to %x.
        DbgPrint("[*] NameInfo->Extension at %p, EXTENTION at %p -> buffers: name %p, extension %p\n"
                 "size of info %u, size of extension %u\n",
                 &NameInfo->Extension, &EXTENTION,
                 NameInfo->Extension.Buffer, EXTENTION.Buffer,
                 NameInfo->Extension.Length, EXTENTION.Length);
    }

    if (0 == RtlCompareUnicodeString( &EXTENTION, &NameInfo->Extension, TRUE )) {
        DbgPrint("[***] SwapPreReadBuffers: this call is related to our file %wZ\n",
                 &Data->Iopb->TargetFileObject->FileName);
        DbgPrint("[+] parse gives Name: %wZ\n extension: %wZ\n parentDir: %wZ\n volume: %wZ\n",
                 &NameInfo->Name, &NameInfo->Extension, &NameInfo->ParentDir, &NameInfo->Volume);
    } else {
        DbgPrint("[*] comparison check did not match\n");
        goto PreReadCleanup;
    }

    //
    // Clean up
    //
PreReadCleanup:
    if (NameInfo) {
        FltReleaseFileNameInformation( NameInfo );
    }
    return retValue;
}
```

and this is the analyzed core dump from the BSOD:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 994af2a4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82a72a17, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: GetPointerFromAddress: unable to read from 829a5718
Unable to read MiSystemVaType memory at 829851a0
994af2a4

FAULTING_IP:
nt!RtlCompareUnicodeStrings+3c
82a72a17 0fb706 movzx eax,word ptr [esi]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: cmd.exe

CURRENT_IRQL: 0

TRAP_FRAME: a72b7974 -- (.trap 0xffffffffa72b7974)
ErrCode = 00000000
eax=00000003 ebx=994af2aa ecx=8da2064c edx=000000bf esi=994af2a4 edi=137f5b5e
eip=82a72a17 esp=a72b79e8 ebp=a72b79f4 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!RtlCompareUnicodeStrings+0x3c:
82a72a17 0fb706 movzx eax,word ptr [esi] ds:0023:994af2a4=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 8287c3d8 to 828c941b

STACK_TEXT:
a72b795c 8287c3d8 00000000 994af2a4 00000000 nt!MmAccessFault+0x106
a72b795c 82a72a17 00000000 994af2a4 00000000 nt!KiTrap0E+0xdc
a72b79f4 82a72b0f 994af2aa 00000003 acca4e02 nt!RtlCompareUnicodeStrings+0x3c
a72b7a10 994a9105 994ad090 acca4d6c 00000001 nt!RtlCompareUnicodeString+0x25
WARNING: Stack unwind information not available. Following frames may be wrong.
a72b7a6c 8b756aeb 87587068 a72b7a8c a72b7ab8 MyDriver2+0x1105
a72b7ad8 8b7599f0 a72b7b2c 87435e48 00000000 fltmgr!FltpPerformPreCallbacks+0x34d
a72b7af0 8b759f01 a72b7b2c 00000000 862ff240 fltmgr!FltpPassThroughInternal+0x40
a72b7b14 8b75a3ba 032b7b00 862ff240 00000000 fltmgr!FltpPassThrough+0x203
a72b7b44 82872593 862ff240 87435e48 87435e48 fltmgr!FltpDispatch+0xb4
a72b7b5c 82a6699f 87435e48 87435fd8 87590d98 nt!IofCallDriver+0x63
a72b7b7c 82a9f2da 862ff240 87590d98 00000001 nt!IopSynchronousServiceTail+0x1f8
a72b7c08 828791ea 862ff240 87435e48 00000000 nt!NtReadFile+0x644
a72b7c08 773e70b4 862ff240 87435e48 00000000 nt!KiFastCallEntry+0x12a
0013f014 00000000 00000000 00000000 00000000 0x773e70b4

STACK_COMMAND: kb

FOLLOWUP_IP:
MyDriver2+1105
994a9105 ?? ???

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: MyDriver2+1105

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MyDriver2

IMAGE_NAME: MyDriver2.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 597b0358

FAILURE_BUCKET_ID: 0x50_MyDriver2+1105

BUCKET_ID: 0x50_MyDriver2+1105

Followup: MachineOwner

I also tried to use the CancelSafe minifilter as is (it can be found here: https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/cancelSafe), because it also uses RtlPrefixUnicodeString (which is essentially the same function) and Microsoft wrote it, so it should be written well, but again I got a BSOD with more or less the same problem.

Has anyone encountered this problem / knows how to fix it?
Thank you

> a72b7a6c 8b756aeb 87587068 a72b7a8c a72b7ab8 MyDriver2+0x1105

You want to fix that by making sure windbg can see symbols. At that stage
the bug will probably leap out at you.

But I’m guessing that this is the failing line:

if ((0 == RtlCompareUnicodeString( &EXTENTION, &NameInfo->Extension,
TRUE ))) {

Which means that EXTENTION or NameInfo->Extension is most likely wrong.
Given that your code tests for NameInfo being null immediately ahead, I know
I'd be suspicious (if I didn't think that you would have failed out by
then).

Also, why all those debug statements? Do yourself a favour and hook up a
debugger. And %wZ is your friend…
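As an added example (not the poster's code nor the Microsoft sample's), the check the reply points at, modelled in user-mode C so it runs outside the kernel: a UNICODE_STRING descriptor with the NT field layout, a sanity check on the descriptor before it is handed to the compare, and a compare with the RtlCompareUnicodeString contract. The EXTENTION stand-in is a plain global; the ASCII-only case fold and the lower-case function names are simplifications of the kernel routines.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal model of the NT UNICODE_STRING: lengths in bytes, UTF-16 Buffer,
 * not NUL-terminated by contract. Same field order as the kernel definition. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;

/* Stand-in for RtlInitUnicodeString; Length excludes the terminator. */
static void init_unicode_string(UNICODE_STRING *s, WCHAR *text) {
    uint16_t n = 0;
    while (text[n] != 0) n++;
    s->Length = (uint16_t)(n * sizeof(WCHAR));
    s->MaximumLength = (uint16_t)((n + 1) * sizeof(WCHAR));
    s->Buffer = text;
}

/* RtlCompareUnicodeString trusts Length and Buffer: an uninitialised or
 * overwritten descriptor makes it fault on the first read of Buffer (the
 * movzx of [esi] / [edx] in the two dumps). This rejects the obviously bad
 * shapes; it cannot see a well-formed pointer into memory that is no longer
 * mapped, which is why the characters themselves must stay resident. */
static int unicode_string_sane(const UNICODE_STRING *s) {
    if (s == NULL || (s->Length & 1) || s->Length > s->MaximumLength) return 0;
    return s->Length == 0 || s->Buffer != NULL;   /* empty string needs no buffer */
}

/* Same contract as RtlCompareUnicodeString (<0, 0, >0); ASCII-only case
 * folding here, the kernel routine uses the NLS upcase table. */
static long compare_unicode_string(const UNICODE_STRING *a, const UNICODE_STRING *b, int ci) {
    uint16_t na = a->Length / 2, nb = b->Length / 2, n = na < nb ? na : nb;
    for (uint16_t i = 0; i < n; i++) {
        WCHAR x = a->Buffer[i], y = b->Buffer[i];
        if (ci) { if (x >= 'a' && x <= 'z') x -= 32; if (y >= 'a' && y <= 'z') y -= 32; }
        if (x != y) return (long)x - (long)y;
    }
    return (long)na - (long)nb;
}

/* The decision the pre-read callback needs: 1 = our file, 0 = not ours,
 * -1 = a descriptor is unusable, so pass the I/O through instead of crashing. */
static int extension_matches(const UNICODE_STRING *wanted, const UNICODE_STRING *ext) {
    if (!unicode_string_sane(wanted) || !unicode_string_sane(ext)) return -1;
    return compare_unicode_string(wanted, ext, 1) == 0;
}

/* Constructed stand-in for the driver's global EXTENTION: a plain global array,
 * i.e. storage that is neither pageable nor discarded after DriverEntry returns. */
static WCHAR g_ext_chars[] = { 't', 'x', 't', 0 };
static UNICODE_STRING g_ext;
```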

I checked the EXTENTION value (in a different version of this driver, a version with more DbgPrint calls) and it's OK (it's not NULL), and I still get a BSOD.

I used the Windows CancelSafe minifilter as is for a test (it can be found here:
https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter/cancelSafe), and it BSODs also in the same spot in the same function. I think that maybe this function should be used only on 64-bit systems? (I run Win7 Ultimate 32-bit.) Or is there a bug in Win7 32-bit Ultimate that makes the BSOD?

*This is the full analysis I made for the CancelSafe BSOD:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: 98f9154a, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82c78e3a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 7601.17514.x86fre.win7sp1_rtm.101119-1850

DUMP_TYPE: 0

BUGCHECK_P1: ffffffff98f9154a

BUGCHECK_P2: 0

BUGCHECK_P3: ffffffff82c78e3a

BUGCHECK_P4: 0

READ_ADDRESS: 98f9154a

FAULTING_IP:
nt!RtlPrefixUnicodeString+4b
82c78e3a 0fb70a movzx ecx,word ptr [edx]

MM_INTERNAL_CODE: 0

CPU_COUNT: 1

CPU_MHZ: e10

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 1C’00000000 (cache) 1C’00000000 (init)

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: PIT_BASEMAN

ANALYSIS_SESSION_TIME: 07-29-2017 22:06:20.0229

ANALYSIS_VERSION: 10.0.15063.468 x86fre

TRAP_FRAME: 9a303a00 -- (.trap 0xffffffff9a303a00)
ErrCode = 00000000
eax=8dc2064c ebx=85c14a08 ecx=00000012 edx=98f9154a esi=03f79a84 edi=98f9154c
eip=82c78e3a esp=9a303a74 ebp=9a303a80 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!RtlPrefixUnicodeString+0x4b:
82c78e3a 0fb70a movzx ecx,word ptr [edx] ds:0023:98f9154a=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 82aef083 to 82a8b110

STACK_TEXT:
9a30354c 82aef083 00000003 7eb00655 00000065 nt!RtlpBreakWithStatusInstruction
9a30359c 82aefb81 00000003 85bf3a80 00000000 nt!KiBugCheckDebugBreak+0x1c
9a303960 82a9e41b 00000050 98f9154a 00000000 nt!KeBugCheck2+0x68b
9a3039e8 82a513d8 00000000 98f9154a 00000000 nt!MmAccessFault+0x106
9a3039e8 82c78e3a 00000000 98f9154a 00000000 nt!KiTrap0E+0xdc
9a303a80 98f8d101 98f9154c 9cf0af94 03f79a84 nt!RtlPrefixUnicodeString+0x4b
WARNING: Stack unwind information not available. Following frames may be wrong.
9a303aac 8b96caeb 85c14a68 9a303acc 9a303af8 MyDriver2+0x1101
9a303b18 8b96f17b 9a303b54 87d9f038 9a303bac fltmgr!FltpPerformPreCallbacks+0x34d
9a303b30 8b981c37 00303b54 8b981ad4 00000000 fltmgr!FltpPassThroughFastIo+0x3d
9a303b74 82c73f66 87d9f038 9a303bb4 00001000 fltmgr!FltpFastIoRead+0x163
9a303c08 82a4e1ea 86301518 00000000 00000000 nt!NtReadFile+0x2d5
9a303c08 775f70b4 86301518 00000000 00000000 nt!KiFastCallEntry+0x12a
0142bcdc 775f62c4 7589e072 00000654 00000000 ntdll!KiFastSystemCallRet
0142bce0 7589e072 00000654 00000000 00000000 ntdll!ZwReadFile+0xc
0142bd44 76e2974f 00000654 01380848 00001000 KERNELBASE!ReadFile+0x118
0142bd8c 6cac00bf 00000654 01380848 00001000 kernel32!ReadFileImplementation+0xf0
0142bdcc 6cabf651 00030000 00000000 01380848 mpengine!CWin32File::Read+0x8f
0142be18 6c8b2ad2 00030000 00000000 01380848 mpengine!nUFSP_native::Read+0x81
0142be50 6c8b26f5 00030000 00000000 01380848 mpengine!UfsPluginWrapper::Read+0x52
0142bea8 6c8b2377 0142bee8 0142beec 00030000 mpengine!UfsIoCache::ReadBlock+0x203
0142bef4 6c8b1df1 000304fa 00000000 03e396f4 mpengine!UfsIoCache::Read+0x67
0142bf48 6c8ae9f3 000304fa 00000000 03e396f4 mpengine!UfsFile::Read+0xc1
0142bf74 6c8fc856 0c3c3330 000304fa 00000000 mpengine!UfsSeekRead+0x43
0142c0f4 6c8a676f 0c395e20 00213b66 0c395980 mpengine!pefile_scan_mp+0x1494
0142d224 6c8a38d8 0c395e20 0142d2d5 0142d2d6 mpengine!UfsClientRequest::fscan+0xba9
0142d2a8 6c8a36eb 0163e900 0c395e20 0142d2d5 mpengine!UfsNode::ScanLoopHelper+0xe2
0142d2ec 6c8acab6 0142d340 00213a1e 00000000 mpengine!UfsNode::Analyze+0x1df
0142d35c 6c8ac905 10566800 ffffffff ffffffff mpengine!UfsClientRequest::AnalyzeLeaf+0xa2
0142d3d0 6cb48008 10566a00 ffffffff ffffffff mpengine!UfsClientRequest::AnalyzePath+0x230
0142d3ec 6cae67e7 0124fac8 0142d72c 00213d12 mpengine!JsDelegateObject_FFI::addFunction+0x46
0142d450 6cae667a 6c8cbc00 00213fe6 00004023 mpengine!EtwTraceHelper::~EtwTraceHelper+0x12d
0142d6a4 6c8cbc7d 0021357e 6c8cba50 00650040 mpengine!UfsScanFileCmd::Execute+0x4a
0142dc3c 6cb2394e 00004023 0142dca0 00000010 mpengine!ksignal+0x22d
0142dcdc 6cb14682 0142dd44 00000001 002ba37c mpengine!EngineProcessFile+0x173
0142ddd0 6cb13c4a 10566a00 00000000 00000000 mpengine!CResmgrFile::ScanExpanded+0x995
0142df34 6cb15d22 0c5ff1d8 00000000 00000000 mpengine!CResmgrFile::ScanEx+0x31a
0142dfe4 6cb16a2a 00000000 0c51cd88 09f8a1f8 mpengine!CScanUserDataFileScan::ScanCallback+0x3f2
0142e124 6cb164fa 6c6fb5ec 00210b0a 00000000 mpengine!CResmgrProcess::ScanImpl+0x4a4
0142e248 6cb16029 6c6fb5ec 00210bb2 0142e3ac mpengine!CResmgrProcess::Scan+0x1a
0142e2f0 6cb1a52b 00000002 0c51cd88 00000000 mpengine!CScanUserDataFileScan::ScanCallback+0x6f9
0142e5c8 6cb0f066 002ba37c 002104d6 0c4e7690 mpengine!ResScan+0x634
0142ed94 6cb0db76 0021074e 00000000 0000800c mpengine!UberScanOpen+0x164d
0142ee0c 6c8cbe89 00211ae6 6c8cba50 00299e28 mpengine!UberScanOpen+0x15d
0142f3a4 6c8cba13 00004026 00d40d18 00000044 mpengine!ksignal+0x439
0142f3cc 6c8cb8be 00d40d18 00000044 00211f06 mpengine!__rsignal+0x223
0142f644 6c8cb827 00d40d18 00000044 0142f69c mpengine!__rsignal+0xce
0142f654 6fde537a 00d40918 00004026 00d40d18 mpengine!__rsignal+0x37
0142f69c 6fdee3a4 00d408c0 00004026 00d40d18 mpsvc!rsignal_wrapper+0x77
0142f6c4 6fde9b41 00d40cb8 00c20ec8 00000000 mpsvc!OnDemandScanWorker+0x11a
0142f6d4 6fde9c24 00d40ee4 0142f710 6f198b87 mpsvc!MpWorkItemIsComplete+0x81
0142f6e0 6f198b87 00d40ee4 01e59f48 77622ba4 mpsvc!MpWorkItemIsComplete+0x164
0142f710 6f198c03 0142f724 6f19b3b6 00c20ec8 MpClient!CommonUtil::CMpSimpleThreadPool::AsyncDequeue+0x57
0142f718 6f19b3b6 00c20ec8 0142f748 775c2661 MpClient!CommonUtil::CMpSimpleThreadPool::WorkCallback+0xd
0142f724 775c2661 0142f784 00c2e248 002a0328 MpClient!CommonUtil::CMpThreadPoolProviderVista::WorkCallback+0xe
0142f748 775e0842 0142f784 002a0388 7629cd60 ntdll!TppWorkpExecuteCallback+0x10f
0142f8a8 76e33c45 0029f698 0142f8f4 776137f5 ntdll!TppWorkerThread+0x572
0142f8b4 776137f5 0029f698 7629cd3c 00000000 kernel32!BaseThreadInitThunk+0xe
0142f8f4 776137c8 775e03e7 0029f698 00000000 ntdll!__RtlUserThreadStart+0x70
0142f90c 00000000 775e03e7 0029f698 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 73f048771b72a9bbdfa38f5c9426c8ffa10a7a03

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 13c515ffa4cb8511266ce49eec42d563a25d6378

THREAD_SHA1_HASH_MOD: 70fa357f97cdd1ed63e06fc1e5d968e5e53da356

FOLLOWUP_IP:
MyDriver2+1101
98f8d101 0fb6c8 movzx ecx,al

FAULT_INSTR_CODE: 85c8b60f

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: MyDriver2+1101

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MyDriver2

IMAGE_NAME: MyDriver2.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 597ccba0

FAILURE_BUCKET_ID: 0x50_MyDriver2+1101

BUCKET_ID: 0x50_MyDriver2+1101

PRIMARY_PROBLEM_CLASS: 0x50_MyDriver2+1101

TARGET_TIME: 2017-07-29T19:05:19.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2010-11-20 10:42:49

BUILDDATESTAMP_STR: 101119-1850

BUILDLAB_STR: win7sp1_rtm

BUILDOSVER_STR: 6.1.7601.17514.x86fre.win7sp1_rtm.101119-1850

ANALYSIS_SESSION_ELAPSED_TIME: 18c5

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x50_mydriver2+1101

FAILURE_ID_HASH: {c9f94acf-705a-436e-12f3-2b2d67171594}

Followup: MachineOwner

kd> d 0x98f9154a
98f9154a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f9155a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f9156a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f9157a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f9158a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f9159a ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f915aa ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
98f915ba ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???
kd> d 0x85c14a08
85c14a08 04 f1 20 02 04 00 00 10-03 00 05 00 c0 4a c1 85 … …J…
85c14a18 01 00 04 00 00 00 00 00-20 4a c1 85 20 4a c1 85 … J… J…
85c14a28 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
85c14a38 b4 7f db 87 00 00 00 00-00 00 00 00 18 15 30 86 …0.
85c14a48 38 f0 d9 87 00 00 00 00-00 00 00 00 00 00 00 00 8…
85c14a58 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
85c14a68 02 00 00 00 80 3a bf 85-94 4a c1 85 00 00 00 00 …:…J…
85c14a78 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …
kd> ds 0x85c14a08
10000004 “”
kd> du 0x85c14a08
85c14a08 “.?.?..??..”
kd> da 0x85c14a08
85c14a08 “… …”

Thank you, pit

> You want to fix that by making sure windbg can see symbols. At that stage
> the bug will probably leap out at you.

Do yourself a favour and hook up a debugger.