I got the following CI error during very early boot, without our minifilter:
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume2\ALFACW_2019_04_14-13_37_21\Windows\System32\COMDLG32.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume2\Windows\System32\smss.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
Code Integrity violation: 6271
Obviously, the driver corrupted loading of the mentioned DLL. But the stack is not helpful:
890e383c 863a625a 8959ca80 00000000 00000008 CI!CipReportAndReprieveUMCIFailure+0x331 (FPO: [Non-Fpo])
890e3908 81dbfaa2 8959ca80 8ee00000 000d6000 CI!CiValidateImageHeader+0x79e (FPO: [13,35,4])
890e3954 81dbf7ba 000d6000 8c55c580 8c783a78 nt!SeValidateImageHeader+0x4a (FPO: [Non-Fpo])
890e3a3c 81debdc4 ffffffff 8c783a78 00000000 nt!MiValidateSectionCreate+0x1b4 (FPO: [Non-Fpo])
890e3a68 81dc2b19 8d413200 ffffffff 8c783a78 nt!MiValidateSectionSigningPolicy+0x5e (FPO: [Non-Fpo])
890e3b50 81dea336 00000000 00000000 00b4f4b8 nt!MiCreateNewSection+0x41d (FPO: [Non-Fpo])
890e3be0 81de9adf 00000010 01000000 8c783a78 nt!MiCreateImageOrDataSection+0x256 (FPO: [Non-Fpo])
890e3c84 81de9a3c 00000000 890e3cfc 00000010 nt!MiCreateSection+0x7f (FPO: [Non-Fpo])
890e3cc4 81de98b7 890e3d4c 000f001f 00b4f4b8 nt!MmCreateSection+0x82 (FPO: [Non-Fpo])
890e3d30 81bd93ed 00b4f428 000f001f 00b4f4b8 nt!NtCreateSection+0x137 (FPO: [Non-Fpo])
890e3d30 7788fcd0 00b4f428 000f001f 00b4f4b8 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 890e3d54)
00b4f3d0 7788e8aa 7788aec1 00b4f428 000f001f ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00b4f3d4 7788aec1 00b4f428 000f001f 00b4f4b8 ntdll!ZwCreateSection+0xa (FPO: [7,0,0])
00b4f470 00fe830f 0000008d 00b4f4f8 00000000 ntdll!LdrVerifyImageMatchesChecksumEx+0x71 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
00b4f58c 778b7267 00b700e0 040030cc 0000ff00 0xfe830f
00b4f5c4 778555fc 00b700d8 04002ac8 04000010 ntdll!RtlpHpVsFreeChunkInsert+0x61ac8
00b4f60c 7784e90c 00000000 00000000 00b70000 ntdll!RtlpHpVsContextFree+0x36c (FPO: [3,9,4])
00b4f668 7785424e 04002b24 00000000 778542e1 ntdll!RtlpHpFreeHeap+0x32c (FPO: [3,7,4])
00b4f6a8 00000000 f6373652 00000000 04002b28 ntdll!RtlpHpVsContextAllocate+0x19e (FPO: [Non-Fpo])
How do I even get the data loaded for that file in WinDBG, to see if the offending offsets give a clue about the corruption?
Or are there any other ways to figure this one out? Placing debug prints is not helpful.
A similar issue occurred on a different boot, but with MiCreateSection causing a fault in memset, due to an invalid address or size.