BAD POOL CALLER [BSOD] within miniFilter callback

Bellow are the relevant code snippets:

FLT_PREOP_CALLBACK_STATUS
naGuardPreOperation(
Inout PFLT_CALLBACK_DATA Data,
In PCFLT_RELATED_OBJECTS FltObjects,
Flt_CompletionContext_Outptr PVOID *CompletionContext
)
{

PNAGUARD_FMESSAGE msg = ExAllocatePoolWithTag(NonPagedPool, sizeof(NAGUARD_FMESSAGE), ‘tfaN’);

msg->preop_entropy = calculateEntropy(FltObjects, volumeProps.SectorSize);

}

float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
{
NTSTATUS status;

LARGE_INTEGER offset;
ULONG bytesRead = 0;
offset.QuadPart = bytesRead = 0;

ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, ‘teaN’);
if (buffer == NULL)
return 0;

status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset, file_size, buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL);

float entropy = 0;
float p = 0;
ULONG i;
ULONG hist[256] = { 0 };
for (i = 0; i < file_size; i++)
{
hist[((CHAR*)buffer)[i]]++;
}

for (i = 0; i < 256; i++) {
p = (float)(hist[i]) / (float)(file_size);
if (p > 0)
entropy = entropy - p * logf(p);
}

ExFreePoolWithTag(buffer, ‘teaN’);
return entropy / 8;
}

Getting BSOD [BAD POOL CALLER]

Bellow is !analyze -v from WinDbg

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: ffff988918800ba1, Address being freed
Arg3: 0000000000000000, 0
Arg4: 0000000000000000, 0

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

DUMP_TYPE: 0

BUGCHECK_P1: 99

BUGCHECK_P2: ffff988918800ba1

BUGCHECK_P3: 0

BUGCHECK_P4: 0

FAULTING_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]

BUGCHECK_STR: 0xc2_99

CPU_COUNT: 4

CPU_MHZ: a98

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA’00000000 (cache) BA’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: NAFTALY-M5510

ANALYSIS_SESSION_TIME: 12-11-2017 20:36:01.0163

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

LAST_CONTROL_TRANSFER: from fffff800b6a79262 to fffff800b69edff0

STACK_TEXT:
ffffe68092992788 fffff800b6a79262 : 0000000000000099 00000000000000c2 ffffe680929928f0 fffff800b694f6c0 : nt!DbgBreakPointWithStatus
ffffe68092992790 fffff800b6a78b12 : 0000000000000003 ffffe680929928f0 fffff800b6b2a610 00000000000000c2 : nt!KiBugCheckDebugBreak+0x12
ffffe680929927f0 fffff800b69e8687 : ffffe68092993001 ffff9889175c8850 ffff988918800ba1 fffff80f1aa6dea7 : nt!KeBugCheck2+0x922
ffffe68092992f00 fffff800b6fe803f : 00000000000000c2 0000000000000099 ffff988918800ba1 0000000000000000 : nt!KeBugCheckEx+0x107
ffffe68092992f40 fffff800b6a93b5d : ffffe6808e842a05 fffff800b6afb4b0 0000000000000001 fffff80000000200 : nt!VerifierBugCheckIfAppropriate+0x6b
ffffe68092992f80 fffff800b6afd035 : 0000000000000020 ffffe68092993059 ffff988918800b91 00000000000007ff : nt!VerifierFreeTrackedPool+0x41
ffffe68092992fc0 fffff800b5f4121b : ffff9889176a2c00 3fe0000000000000 0000000000000000 ffff988a00000000 : nt!ExFreePoolWithTag+0x1015
ffffe680929930c0 fffff800b5f415d3 : ffffe680929936b0 ffffe68092990200 ffff9889176a2b80 ffff98891707aa70 : naGuard!calculateEntropy+0x21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
ffffe68092993560 fffff80f1aa64b4c : ffff9889176a2c60 ffffe680929936b0 ffffe68092993690 ffff9889176a2b80 : naGuard!naGuardPreOperation+0x223 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 111]
ffffe68092993620 fffff80f1aa646ec : ffffe68092993810 ffff9889148f3900 0000000000000000 ffff988917792003 : FLTMGR!FltpPerformPreCallbacks+0x2ec
ffffe68092993740 fffff80f1aa636d8 : 0000000000000000 ffffe68092993810 ffff988917792010 ffffe68092993820 : FLTMGR!FltpPassThroughInternal+0x8c
ffffe68092993770 fffff80f1aa634be : ffff9889176a2b80 ffff988915e27c00 ffffe680929938a0 fffff80f1aa6333f : FLTMGR!FltpPassThrough+0x168
ffffe680929937f0 fffff800b6d119af : ffff988915e27c30 ffff988917792010 ffff988917792440 ffffe68092993b00 : FLTMGR!FltpDispatch+0x9e
ffffe68092993850 fffff800b6d10719 : ffff988900000001 ffff988915e27c04 ffff988915e27c80 ffffe68092993b00 : nt!IopSynchronousServiceTail+0x1af
ffffe68092993910 fffff800b69f3413 : 0000000000000b68 0000000000000000 0000000000000000 0000000000000000 : nt!NtReadFile+0x6a9
ffffe68092993a10 00007ffb471f5464 : 00007ffb437dec66 000000c3078ff1b0 0000000000000001 000000000000000e : nt!KiSystemServiceCopyEnd+0x13
000000c3078ff0a8 00007ffb437dec66 : 000000c3078ff1b0 0000000000000001 000000000000000e 0000000000000028 : ntdll!NtReadFile+0x14
000000c3078ff0b0 00007ffb33307283 : 0000000000000000 0000000000000000 ffffffffffffffff 000000c3078ff1e8 : KERNELBASE!ReadFile+0x76
000000c3078ff130 0000000000000000 : 0000000000000000 ffffffffffffffff 000000c3078ff1e8 0000000000000000 : mpengine!GetSigFiles+0x29913

THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 26d74e95b55e3167b7aa9ed920d02c28405c093a

THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740

FOLLOWUP_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]

FAULT_INSTR_CODE: 44100ff3

FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_LINE_NUMBER: 51

FAULTING_SOURCE_CODE:
47: entropy = entropy - p * logf(p);
48: }
49:
50: ExFreePoolWithTag(buffer, ‘teaN’);

51: return entropy / 8;
52: }
53:
54:
55: /*************************************************************************
56: MiniFilter callback routines.

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: naGuard!calculateEntropy+21b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: naGuard

IMAGE_NAME: naGuard.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5a2ecddd

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 21b

FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy

TARGET_TIME: 2017-12-11T18:33:56.000Z

OSBUILD: 15063

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-11-01 20:21:12

BUILDDATESTAMP_STR: 170317-1834

BUILDLAB_STR: rs2_release

BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

ANALYSIS_SESSION_ELAPSED_TIME: e59

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy

FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}

Followup: MachineOwner

Freeing routine doesn’t match allocating routine. You have to call FltFreePoolAlignedWithTag (https://msdn.microsoft.com/en-us/library/windows/hardware/ff542979(v=vs.85).aspx) instead of ExFreePoolWithTag.

Code modified to:

Still getting BSOD.
float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
{
NTSTATUS status;

LARGE_INTEGER offset;
ULONG bytesRead = 0;
offset.QuadPart = bytesRead = 0;

ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, ‘teaN’);
if (buffer == NULL)
return 0;

status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset,
file_size, buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL);

float entropy = 0;
float p = 0;
ULONG i;
ULONG hist[256] = { 0 };
for (i = 0; i < file_size; i++)
{
hist[(int)((CHAR*)buffer)[i] ]++;
}

for (i = 0; i < 256; i++) {
p = (float)(hist[i]) / (float)(file_size);
if (p > 0)
entropy = entropy - p * logf(p);
}

FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, ‘teaN’);

return entropy;
}

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: ffffdf00c1e68e01, Address being freed
Arg3: 0000000000000000, 0
Arg4: 0000000000000000, 0

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

DUMP_TYPE: 0

BUGCHECK_P1: 99

BUGCHECK_P2: ffffdf00c1e68e01

BUGCHECK_P3: 0

BUGCHECK_P4: 0

FAULTING_IP:
naGuard!calculateEntropy+227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

BUGCHECK_STR: 0xc2_99

CPU_COUNT: 4

CPU_MHZ: a98

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA’00000000 (cache) BA’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: NAFTALY-M5510

ANALYSIS_SESSION_TIME: 12-11-2017 21:48:58.0252

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

LAST_CONTROL_TRANSFER: from fffff8028cc7a262 to fffff8028cbeeff0

STACK_TEXT:
ffffce004947c788 fffff8028cc7a262 : 0000000000000099 00000000000000c2 ffffce004947c8f0 fffff8028cb506c0 : nt!DbgBreakPointWithStatus
ffffce004947c790 fffff8028cc79b12 : 0000000000000003 ffffce004947c8f0 fffff8028cd2b610 00000000000000c2 : nt!KiBugCheckDebugBreak+0x12
ffffce004947c7f0 fffff8028cbe9687 : 0000000000000000 0000000000000000 ffffdf00c1e68e01 0000000000000000 : nt!KeBugCheck2+0x922
ffffce004947cf00 fffff8028d1e903f : 00000000000000c2 0000000000000099 ffffdf00c1e68e01 0000000000000000 : nt!KeBugCheckEx+0x107
ffffce004947cf40 fffff8028cc94b5d : 0000000000000001 ffffdf00c3491900 ffffdf00c57a5ae0 fffff80200000200 : nt!VerifierBugCheckIfAppropriate+0x6b
ffffce004947cf80 fffff8028ccfe035 : 0000000000000020 ffffce004947d059 ffffdf00c1e68df1 0000000000000000 : nt!VerifierFreeTrackedPool+0x41
ffffce004947cfc0 fffff802c9681227 : ffffdf00c654d800 3fe0000000000000 0000000000000000 ffffdf0100000000 : nt!ExFreePoolWithTag+0x1015
ffffce004947d0c0 fffff802c96815d3 : ffffce004947d6b0 ffffce0049470200 ffffdf00c654d780 ffffdf00c661ab60 : naGuard!calculateEntropy+0x227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
ffffce004947d560 fffff802c6064b4c : ffffdf00c654d860 ffffce004947d6b0 ffffce004947d690 ffffdf00c654d780 : naGuard!naGuardPreOperation+0x223 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 114]
ffffce004947d620 fffff802c60646ec : ffffce004947d810 ffffdf00c37c7d00 0000000000000000 ffffdf00c688bb03 : FLTMGR!FltpPerformPreCallbacks+0x2ec
ffffce004947d740 fffff802c60636d8 : 0000000000000000 ffffce004947d810 ffffdf00c688bb80 ffffce004947d820 : FLTMGR!FltpPassThroughInternal+0x8c
ffffce004947d770 fffff802c60634be : ffffdf00c654d780 ffffdf00c4318000 ffffce004947d8a0 fffff802c606333f : FLTMGR!FltpPassThrough+0x168
ffffce004947d7f0 fffff8028cf129af : ffffdf00c4318080 ffffdf00c688bb80 ffffdf00c688bfb0 ffffce004947db00 : FLTMGR!FltpDispatch+0x9e
ffffce004947d850 fffff8028cf11719 : ffffdf0000000001 ffffdf00c4318004 ffffdf00c43180d0 ffffce004947db00 : nt!IopSynchronousServiceTail+0x1af
ffffce004947d910 fffff8028cbf4413 : 0000000000000b40 0000000000000000 0000000000000000 0000000000000000 : nt!NtReadFile+0x6a9
ffffce004947da10 00007ff90a145464 : 00007ff906bcec66 0000006b834ff210 0000000000000001 000000000000000e : nt!KiSystemServiceCopyEnd+0x13
0000006b834ff108 00007ff906bcec66 : 0000006b834ff210 0000000000000001 000000000000000e 0000000000000028 : ntdll!NtReadFile+0x14
0000006b834ff110 00007ff8f4097283 : 0000000000000000 0000000000000000 ffffffffffffffff 0000006b834ff248 : KERNELBASE!ReadFile+0x76
0000006b834ff190 0000000000000000 : 0000000000000000 ffffffffffffffff 0000006b834ff248 0000000000000000 : mpengine!GetSigFiles+0x29913

THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6ee8a037003fa202c2fe2abfbea6f3cd186c3ada

THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740

FOLLOWUP_IP:
naGuard!calculateEntropy+227 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

FAULT_INSTR_CODE: 44100ff3

FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c

FAULTING_SOURCE_LINE_NUMBER: 54

FAULTING_SOURCE_CODE:
50:
51:
52: FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, ‘teaN’);
53:

54: return entropy;
55: }
56:
57:
58: /*************************************************************************
59: MiniFilter callback routines.

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: naGuard!calculateEntropy+227

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: naGuard

IMAGE_NAME: naGuard.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5a2edf82

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 227

FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy

TARGET_TIME: 2017-12-11T19:46:43.000Z

OSBUILD: 15063

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-11-01 20:21:12

BUILDDATESTAMP_STR: 170317-1834

BUILDLAB_STR: rs2_release

BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

ANALYSIS_SESSION_ELAPSED_TIME: 9bc

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy

FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}

Followup: MachineOwner

Have you tried to run your driver under verifier ?

On Mon, Dec 11, 2017 at 10:51 PM, xxxxx@gmail.com <
xxxxx@lists.osr.com> wrote:

Code modified to:

Still getting BSOD.
float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT
SectorSize)
{
NTSTATUS status;

LARGE_INTEGER offset;
ULONG bytesRead = 0;
offset.QuadPart = bytesRead = 0;

ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance,
NonPagedPool, file_size, ‘teaN’);
if (buffer == NULL)
return 0;

status = FltReadFile(FltObjects->Instance,
FltObjects->FileObject, &offset,
file_size, buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL);

float entropy = 0;
float p = 0;
ULONG i;
ULONG hist[256] = { 0 };
for (i = 0; i < file_size; i++)
{
hist[(int)((CHAR*)buffer)[i] ]++;
}

for (i = 0; i < 256; i++) {
p = (float)(hist[i]) / (float)(file_size);
if (p > 0)
entropy = entropy - p * logf(p);
}

FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, ‘teaN’);

return entropy;
}

0: kd> !analyze -v
************************************************************
*******************
*
*
* Bugcheck Analysis
*
*
*
************************************************************
*******************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a
bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000099, Attempt to free pool with invalid address (or
corruption in pool header)
Arg2: ffffdf00c1e68e01, Address being freed
Arg3: 0000000000000000, 0
Arg4: 0000000000000000, 0

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

DUMP_TYPE: 0

BUGCHECK_P1: 99

BUGCHECK_P2: ffffdf00c1e68e01

BUGCHECK_P3: 0

BUGCHECK_P4: 0

FAULTING_IP:
naGuard!calculateEntropy+227 [c:\users\naftaly
avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

BUGCHECK_STR: 0xc2_99

CPU_COUNT: 4

CPU_MHZ: a98

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA’00000000 (cache) BA’00000000
(init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: NAFTALY-M5510

ANALYSIS_SESSION_TIME: 12-11-2017 21:48:58.0252

ANALYSIS_VERSION: 10.0.16299.15 amd64fre

LAST_CONTROL_TRANSFER: from fffff8028cc7a262 to fffff8028cbeeff0

STACK_TEXT:
ffffce004947c788 fffff8028cc7a262 : 0000000000000099 00000000000000c2
ffffce004947c8f0 fffff8028cb506c0 : nt!DbgBreakPointWithStatus
ffffce004947c790 fffff8028cc79b12 : 0000000000000003 ffffce004947c8f0
fffff8028cd2b610 00000000000000c2 : nt!KiBugCheckDebugBreak+0x12
ffffce004947c7f0 fffff8028cbe9687 : 0000000000000000 0000000000000000
ffffdf00c1e68e01 0000000000000000 : nt!KeBugCheck2+0x922
ffffce004947cf00 fffff8028d1e903f : 00000000000000c2 0000000000000099
ffffdf00c1e68e01 0000000000000000 : nt!KeBugCheckEx+0x107
ffffce004947cf40 fffff8028cc94b5d : 0000000000000001 ffffdf00c3491900
ffffdf00c57a5ae0 fffff80200000200 : nt!VerifierBugCheckIfAppropriate+
0x6b
ffffce004947cf80 fffff8028ccfe035 : 0000000000000020 ffffce004947d059
ffffdf00c1e68df1 0000000000000000 : nt!VerifierFreeTrackedPool+0x41
ffffce004947cfc0 fffff802c9681227 : ffffdf00c654d800 3fe0000000000000
0000000000000000 ffffdf0100000000 : nt!ExFreePoolWithTag+0x1015
ffffce004947d0c0 fffff802c96815d3 : ffffce004947d6b0 ffffce0049470200
ffffdf00c654d780 ffffdf00c661ab60 : naGuard!calculateEntropy+0x227
[c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
ffffce004947d560 fffff802c6064b4c : ffffdf00c654d860 ffffce004947d6b0
ffffce004947d690 ffffdf00c654d780 : naGuard!naGuardPreOperation+0x223
[c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 114]
ffffce004947d620 fffff802c60646ec : ffffce004947d810 ffffdf00c37c7d00
0000000000000000 ffffdf00c688bb03 : FLTMGR!FltpPerformPreCallbacks+0x2ec
ffffce004947d740 fffff802c60636d8 : 0000000000000000 ffffce004947d810
ffffdf00c688bb80 ffffce004947d820 : FLTMGR!FltpPassThroughInternal+0x8c
ffffce004947d770 fffff802c60634be : ffffdf00c654d780 ffffdf00c4318000
ffffce004947d8a0 fffff802c606333f : FLTMGR!FltpPassThrough+0x168
ffffce004947d7f0 fffff8028cf129af : ffffdf00c4318080 ffffdf00c688bb80
ffffdf00c688bfb0 ffffce004947db00 : FLTMGR!FltpDispatch+0x9e
ffffce004947d850 fffff8028cf11719 : ffffdf0000000001 ffffdf00c4318004
ffffdf00c43180d0 ffffce004947db00 : nt!IopSynchronousServiceTail+0x1af
ffffce004947d910 fffff8028cbf4413 : 0000000000000b40 0000000000000000
0000000000000000 0000000000000000 : nt!NtReadFile+0x6a9
ffffce004947da10 00007ff90a145464 : 00007ff906bcec66 0000006b834ff210
0000000000000001 000000000000000e : nt!KiSystemServiceCopyEnd+0x13
0000006b834ff108 00007ff906bcec66 : 0000006b834ff210 0000000000000001
000000000000000e 0000000000000028 : ntdll!NtReadFile+0x14
0000006b834ff110 00007ff8f4097283 : 0000000000000000 0000000000000000
ffffffffffffffff 0000006b834ff248 : KERNELBASE!ReadFile+0x76
0000006b834ff190 0000000000000000 : 0000000000000000 ffffffffffffffff
0000006b834ff248 0000000000000000 : mpengine!GetSigFiles+0x29913

THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6ee8a037003fa202c2fe2abfbea6f3
cd186c3ada

THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740

FOLLOWUP_IP:
naGuard!calculateEntropy+227 [c:\users\naftaly
avadiaev\source\repos\naguard\naguard\callbacks.c @ 54]
fffff802`c9681227 f30f10442460 movss xmm0,dword ptr [rsp+60h]

FAULT_INSTR_CODE: 44100ff3

FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\
naguard\callbacks.c

FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\
naguard\callbacks.c

FAULTING_SOURCE_LINE_NUMBER: 54

FAULTING_SOURCE_CODE:
50:
51:
52: FltFreePoolAlignedWithTag(FltObjects->Instance, buffer,
‘teaN’);
53:
> 54: return entropy;
55: }
56:
57:
58: /***********************************************************
**************
59: MiniFilter callback routines.

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: naGuard!calculateEntropy+227

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: naGuard

IMAGE_NAME: naGuard.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5a2edf82

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 227

FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

BUCKET_ID: 0xc2_99_naGuard!calculateEntropy

PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy

TARGET_TIME: 2017-12-11T19:46:43.000Z

OSBUILD: 15063

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-11-01 20:21:12

BUILDDATESTAMP_STR: 170317-1834

BUILDLAB_STR: rs2_release

BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

ANALYSIS_SESSION_ELAPSED_TIME: 9bc

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy

FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}

Followup: MachineOwner


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

No, I’m not an expert of windows driver development.
Doing this as part of academic project.
I will try to use verifier. [Not yet sure how to use it]

Any other direction I can check?

Tried to run verifier now.

Got the following:
"Driver type is “fs”. This driver type is not supported by SDV.
Please consult documentation for supported driver types.

Run this function step by step under debugger and check if buffer changes
it’s value at some step

On Mon, 11 Dec 2017 at 23:09, xxxxx@gmail.com <
xxxxx@lists.osr.com> wrote:

Tried to run verifier now.

Got the following:
"Driver type is “fs”. This driver type is not supported by SDV.
Please consult documentation for supported driver types.


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

buffer variable, not data in the buffer itself

On Mon, 11 Dec 2017 at 23:16, Sergey Pisarev
wrote:

> Run this function step by step under debugger and check if buffer changes
> it’s value at some step
>
> On Mon, 11 Dec 2017 at 23:09, xxxxx@gmail.com <
> xxxxx@lists.osr.com> wrote:
>
>> Tried to run verifier now.
>>
>> Got the following:
>> "Driver type is “fs”. This driver type is not supported by SDV.
>> Please consult documentation for supported driver types.
>>
>> —
>> NTFSD is sponsored by OSR
>>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer&gt;
>>
></http:>

Ohh embarrassing mistake.

Thanks!

My mistake the problem is still there:

For:
char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, ‘teaN’);

When I just try to access the buffer by:
for (i = 0; i < file_size; i++) {
tmp = buffer[i];
hist[tmp]++;
}

I’m getting BSOD [PAGE FAULT IN NONPAGED AREA]

You don’t show how hist is generated, but you are dereferencing hist by the *value* you fetched from buffer[i]. That offset in hist may be a completely invalid address. You don’t show how tmp is defined, either.

If you didn’t paste real code here, and it looks like you didn’t, I’d suggest that you paste the real thing.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-643075-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, December 11, 2017 1:48 PM
To: Windows File Systems Devs Interest List
> Subject: RE:[ntfsd] BAD POOL CALLER [BSOD] within miniFilter callback
>
> My mistake the problem is still there:
>
> For:
> char buffer = (char)FltAllocatePoolAlignedWithTag(FltObjects->Instance,
> NonPagedPool, file_size, ‘teaN’);
>
> When I just try to access the buffer by:
> for (i = 0; i < file_size; i++) {
> tmp = buffer[i];
> hist[tmp]++;
> }
>
> I’m getting BSOD [PAGE FAULT IN NONPAGED AREA]
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http:</http:></http:>

What was the first error ?

post !analyze -v

On Mon, Dec 11, 2017 at 11:47 PM, xxxxx@gmail.com <
xxxxx@lists.osr.com> wrote:

My mistake the problem is still there:

For:
char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects->Instance,
NonPagedPool, file_size, ‘teaN’);

When I just try to access the buffer by:
for (i = 0; i < file_size; i++) {
tmp = buffer[i];
hist[tmp]++;
}

I’m getting BSOD [PAGE FAULT IN NONPAGED AREA]


NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>

The actual code:

float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
{
PAGED_CODE();
NTSTATUS status;

LARGE_INTEGER offset;
ULONG bytesRead = 0;
offset.QuadPart = bytesRead = 0;

ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);

char *buffer = (char*)FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, ‘teaN’);
if (buffer == NULL)
return 0;

status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset,
file_size, buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL);

float entropy = 0;
ULONG i;
unsigned int tmp = 0;

ULONG hist[256] = { 0 };

for (i = 0; i < file_size; i++) {
tmp = buffer[i];
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “tmp: %u\n”, tmp);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “hist[tmp]: %d\n”, hist[tmp]);
hist[tmp]++;
}

FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, ‘teaN’);

return entropy;
}

> -----Original Message-----

From: xxxxx@lists.osr.com [mailto:bounce-643082-
xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, December 11, 2017 3:26 PM
To: Windows File Systems Devs Interest List
> Subject: RE:[ntfsd] BAD POOL CALLER [BSOD] within miniFilter callback
>
> The actual code:
>
>
> float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT
> SectorSize) {
> PAGED_CODE();
> NTSTATUS status;
>
> LARGE_INTEGER offset;
> ULONG bytesRead = 0;
> offset.QuadPart = bytesRead = 0;
>
> ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);
>
> char buffer = (char)FltAllocatePoolAlignedWithTag(FltObjects-
> >Instance, NonPagedPool, file_size, ‘teaN’);
> if (buffer == NULL)
> return 0;

Here you’ve defined the buffer as signed chars.

>
> status = FltReadFile(FltObjects->Instance, FltObjects->FileObject,
> &offset,
> file_size, buffer,
> FLTFL_IO_OPERATION_NON_CACHED |
> FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
> &bytesRead,
> NULL,
> NULL);
>
>
> float entropy = 0;
> ULONG i;
> unsigned int tmp = 0;
>
> ULONG hist[256] = { 0 };
>
>
> for (i = 0; i < file_size; i++) {
> tmp = buffer[i];

Here you assign an unsigned int the value of a signed char. I’m not sure what the MSVC compiler does (and I don’t have time to code up a sample to look, though it would be quick to do at Godbolt.org.) in the case of a negative value, but it might sign extend it, which would result in a very large number in the target location. What does the following line say when it crashes?

> DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, “tmp:
> %u\n”, tmp);
> DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
> “hist[tmp]: %d\n”, hist[tmp]);
> hist[tmp]++;
> }
>
>
>
> FltFreePoolAlignedWithTag(FltObjects->Instance, buffer, ‘teaN’);
>

Where do you actually modify this return value? Or is that remaining to be done after you fix the crash?

> return entropy;
> }

Thank you all.
Problem fixed.

Unrelated to your crash, but FltObjects->FileObject->Size is not the size of
the file, it’s the size of the FILE_OBJECT data structure.

Also, your problems were just C coding errors. I would highly suggest
developing your logic in user mode before moving to kernel mode.

-scott
OSR
@OSRDrivers

How can I get the size of the file?

My suspicion is that when I write a big file it just creates multiple IRQ_MJ_WRITE where each of them is the sector/ block size.

FltQueryInformationFile

Applications send big writes to the file system. The file system sends the big writes down to the volume (unless the file is fragmented, in which case it breaks it up into the necessary fragments). The disk driver breaks these writes up into the maximum transfer size of the storage controller. The storage controller driver breaks these writes up into sectors.

-scott
OSR
@OSRDrivers

Don’t get file size from the file object structure via FileObject->Size,
that just does not make any sense. FILE_OBJECT fields are mostly
documented, and for the Size member here is what MSFT has to say:
*Size*

A read-only member that specifies the size, in bytes, of the file object.
This size does not include the file object extension, if one is present.
Nothing to do with the size of the file. Just query the file size via
FltQueryInformationFile or similar.

Also use the bytesRead variable as the “file_size” since that is how much
it has been actually read from the file.
Also when looping through a PVOID with an index the way you do will go out
of the allocated memory.

If you will code like that in the kernel you will have a lot of unpleasant
surprises.

Gabriel.
www.kasardia.com

On Thu, Dec 14, 2017 at 5:14 AM, xxxxx@osr.com wrote:

>


>
> FltQueryInformationFile
>
>


>
> Applications send big writes to the file system. The file system sends the
> big writes down to the volume (unless the file is fragmented, in which case
> it breaks it up into the necessary fragments). The disk driver breaks these
> writes up into the maximum transfer size of the storage controller. The
> storage controller driver breaks these writes up into sectors.
>
> -scott
> OSR
> @OSRDrivers
>
>
> —
> NTFSD is sponsored by OSR
>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
>


Bercea. G.</http:>