Legacy driver Crash on 32 bit machines

I have created a legacy filter driver to block the file operation of a particular file by blocking the IRP_MJ_CREATE of files.
The code works perfectly for the 64-bit driver but BSODs on a 32-bit machine.

The following code block is used for blocking the file.

FileObject1 = IoGetCurrentIrpStackLocation(Irp)->FileObject;

RtlCopyMemory(wszFileName,FileObject1->FileName.Buffer,FileObject1->FileName.Length);
if(wszFileName != NULL)
{
	_wcsupr(wszFileName);
	DbgPrint("   IRP_MJ_CREATE File Name  : %ws ",wszFileName);
	if(wcsstr(wszFileName,L"\\ABCD.DLL") != NULL || wcsstr(wszFileName,L"\\XYSS.PDF") != NULL)
	{
		Irp->IoStatus.Status = STATUS_ACCESS_DENIED; //Deny Access
		Irp->IoStatus.Information = 0;
		IoCompleteRequest(Irp, IO_NO_INCREMENT);
		return STATUS_ACCESS_DENIED;
	}
}

Is there any issue in the above code ?

Please help

have created a legacy filter driver

You started with two mistakes: The first is that you posted this in the wrong forum (this is NTDEV, you want the OTHER forum NTFSD). The second is that you’re not writing a minifilter.

Is there any issue in the above code

My immediate concern would be if “wszFileName” is properly null terminated. I’d also be concerned, in terms of logic, at your naive assumptions regarding what’s going to be in FileObject->FileName.

But…

but BSOD on 32 bit machine

Post the output of !analyze -v and save us all from having to guess, please.

Peter

Is there any issue in the above code ?

I can spot one issue immediately. You check for wszFileName being null AFTER you copy memory into it. RtlCopyMemory doesn’t allocate any memory. You have to allocate the memory yourself. If wszFileName started out null, the RtlCopyMemory call will crash. If RtlCopyMemory worked, then it is silly to check for wszFileName to be null.

And, as Peter pointed out, RtlCopyMemory isn’t going to add a zero-terminator.

Thank you @“Peter_Viscarola_(OSR)” @Tim_Roberts

I have declared wszFileName as a WCHAR array initialized as null. Then I also memset the memory with 0.

PFILE_OBJECT FileObject1 = NULL;
WCHAR wszFileName[1024] = { 0 };

memset (wszFileName,0,1024);

FileObject1 = IoGetCurrentIrpStackLocation(Irp)->FileObject;

RtlCopyMemory(wszFileName,FileObject1->FileName.Buffer,FileObject1->FileName.Length);
if(wszFileName != NULL)
{
	_wcsupr(wszFileName);
	DbgPrint(" IRP_MJ_CREATE File Name : %ws ",wszFileName);
	if(wcsstr(wszFileName,L"\ABCD.DLL") != NULL || wcsstr(wszFileName,L"\XYSS.PDF") != NULL)
	{
		Irp->IoStatus.Status = STATUS_ACCESS_DENIED; //Deny Access
		Irp->IoStatus.Information = 0;
		IoCompleteRequest(Irp, IO_NO_INCREMENT);
		return STATUS_ACCESS_DENIED;
	}
}

Sorry, currently I am not able to send the WinDbg result. I am facing a symbol path issue in my WinDbg. I will send you the result when the issue is fixed.

Looking forward to your response.

The test for wszFileName != NULL is unneeded. The strings “\ABCD.DLL” and “\XYSS.PDF” should be “\ABCD.DLL” and “\XYSS.PDF”. Your RtlCopyMemory call needs to limit by the min of FileName.Length or 1023. But really you need to collect analyze -v.

The strings “\ABCD.DLL” and “\XYSS.PDF” should be “\ABCD.DLL” and “\XYSS.PDF”.

Why do I feel something is missing there … probably due to a markup error.

Peter

I’m going to point out some trivial things about your code.
WCHAR wszFileName[1024] = { 0 }; is enough to fill the array with zeros. You don’t need anything more. This line:

memset (wszFileName, 0, 1024);

has several problems. Besides being redundant, there is a macro called RtlZeroMemory that should be used in kernel code. And that array is NOT 1024 bytes long. It has 1024 elements, but each element is two bytes.

RtlZeroMemory (wszFileName, sizeof(wszFileName) );

If you’re trying to check whether the string is empty, then your if statement needs to check the first character, not the address of the array:

if( wszFileName[0] )

And what Mark was trying to say is that the strings in your calls to wcsstr need to double the backslashes. It’s possible your code already had that, and we just can’t see it. It should read:

if(wcsstr(wszFileName,L"\\ABCD.DLL") ...

Finally, you are not adding a zero-terminator to the string. FileName.Length is the length of the contents, and does not include the zero terminator. _wcsupr only stops when it finds a zero terminator. That in itself could cause your crash. After the RtlCopyMemory, you should do

wszFileName[ FileObject1->FileName.Length / sizeof(WCHAR) ] = 0;
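
The points raised in the replies above (FileName.Length is a byte count, the buffer carries no terminator, and the copy has to be clamped to the destination), collected in an added example that is not part of the original thread: a user-mode C model of the copy, not kernel code. USTR, WCH, NAME_CCH, copy_counted, ends_with_ci and should_block are hypothetical names, and the suffix match is a substitution for the thread's wcsstr substring search.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef uint16_t WCH;   /* 2-byte unit, standing in for the kernel's WCHAR */
/* Stand-in for UNICODE_STRING: Length is in BYTES, and nothing terminates Buffer. */
typedef struct { uint16_t Length, MaximumLength; const WCH *Buffer; } USTR;
#define NAME_CCH 260    /* destination capacity in ELEMENTS (assumed value) */

/* Clamped copy plus terminator; returns characters copied, or -1 if no name. */
static int copy_counted(WCH *dst, size_t dst_cch, const USTR *src)
{
    if (dst == NULL || dst_cch == 0) return -1;
    dst[0] = 0;
    if (src == NULL || src->Buffer == NULL || src->Length == 0) return -1;
    size_t cch = src->Length / sizeof(WCH);        /* bytes -> elements */
    if (cch > dst_cch - 1) cch = dst_cch - 1;      /* leave room for the 0 */
    memcpy(dst, src->Buffer, cch * sizeof(WCH));
    dst[cch] = 0;                                  /* the copy adds no terminator */
    return (int)cch;
}

static WCH up(WCH c) { return (c >= 'a' && c <= 'z') ? (WCH)(c - 32) : c; }

/* ASCII case-insensitive check that name (cch characters) ends with suffix. */
static int ends_with_ci(const WCH *name, size_t cch, const char *suffix)
{
    size_t n = strlen(suffix);
    if (n > cch) return 0;
    for (size_t i = 0; i < n; i++)
        if (up(name[cch - n + i]) != up((WCH)(unsigned char)suffix[i])) return 0;
    return 1;
}

static int should_block(const USTR *file_name)     /* 1 = deny, 0 = pass down */
{
    WCH name[NAME_CCH];
    int cch = copy_counted(name, NAME_CCH, file_name);
    if (cch <= 0) return 0;
    return ends_with_ci(name, (size_t)cch, "\\ABCD.DLL") ||
           ends_with_ci(name, (size_t)cch, "\\XYSS.PDF");
}

int main(void)
{   /* Constructed sample: 13 valid characters, then stale data, no terminator. */
    static const WCH raw[] = {'\\','d','i','r','\\','a','b','c','d','.','d','l','l','X','X'};
    USTR s = { 13 * sizeof(WCH), sizeof(raw), raw };
    printf("block=%d\n", should_block(&s));
    return 0;
}
```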

Thank you @Mark_Roddy @“Peter_Viscarola_(OSR)” @Tim_Roberts

I have changed the code into the following

PFILE_OBJECT FileObject1 = NULL;
WCHAR wszFileName[1024] = { 0 };
FileObject1 = IoGetCurrentIrpStackLocation(Irp)->FileObject;
RtlZeroMemory(wszFileName,sizeof(wszFileName));
if(FileObject1->FileName.Length>2 && FileObject1->FileName.Length<512)
{
	RtlCopyMemory(wszFileName,FileObject1->FileName.Buffer,FileObject1->FileName.Length);
	wszFileName[(FileObject1->FileName.Length/sizeof(WCHAR))]=L'\0';
	_wcsupr(wszFileName);
	DbgPrint(" IRP_MJ_CREATE File Name : %ws ",wszFileName);
	if(wcsstr(wszFileName,L"\\ABCD.DLL") != NULL || wcsstr(wszFileName,L"\\XYSS.PDF") != NULL)
	{
		Irp->IoStatus.Status = STATUS_ACCESS_DENIED; //Deny Access
		Irp->IoStatus.Information = 0;
		IoCompleteRequest(Irp, IO_NO_INCREMENT);
		return STATUS_ACCESS_DENIED;
	}
}

Still I am getting the BSOD on restarting the machine.
If I manually load the driver after starting the machine it works correctly. The system only crashes when the driver starts automatically on system start.

Set some breakpoints and debug the code… that’s all you can do, really.

Peter