MiniFilter FltSendMessage bsod(page fault in non paged area)

Hello everyone. I have minifilter driver which get filename in preop(IRP_MJ_CREATE) and send it usermode app. Sometimes I get bsod while calling FltSendMessage. When I debug my code it actually happen FltMgr!memcpy function. But I dont know why? Actually I dont use this code as project its just test case .But I will use code look like it. Thank you for reading.

So piece of code which bsod ocurred.

FLT_PREOP_CALLBACK_STATUS Filter1PreOperation(_Inout_ PFLT_CALLBACK_DATA Data,
	_In_ PCFLT_RELATED_OBJECTS FltObjects,
	_Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{

	PFLT_FILE_NAME_INFORMATION FileName = NULL;
	NTSTATUS status;
	ULONG ret = 0;
	WCHAR* name = NULL;
	REPLY_MESSAGE repmsg = { 0 };
	

	ret = (ULONG)sizeof(REPLY_BUFFER);

	status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileName);
	if (!NT_SUCCESS(status))
	{
		return FLT_PREOP_SUCCESS_NO_CALLBACK;
	}

	status = FltParseFileNameInformation(FileName);

	if (!NT_SUCCESS(status))
	{
		FltReleaseFileNameInformation(FileName);
		return FLT_PREOP_SUCCESS_NO_CALLBACK;
	}

	if (FileName->Name.MaximumLength < 260)
	{
		/*RtlCopyMemory(name, FileName->Name.Buffer, 288);*/
		if (c)
		{
			name = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, FileName->Name.Length + 2, 'tvv');
			if (name == NULL)
			{
				FltReleaseFileNameInformation(FileName);
				return FLT_PREOP_SUCCESS_NO_CALLBACK;
			}

			RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);

			status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL); //>> crash ocurred here
			if (!NT_SUCCESS(status))
			{
				ExFreePoolWithTag(name, 'tvv');
				DbgPrint("Error send message to user");
			}
			DbgPrint("%wS\n", name);
			ExFreePoolWithTag(name, 'X66');
			

			/*DbgPrint("%d\n", repmsg.Reply.infected);*/

		}
	}
	
	FltReleaseFileNameInformation(FileName);

	return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffb703b1d03000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801182cf4a5, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
BUGCHECK_STR: AV

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffffe89798fad50 – (.trap 0xfffffe89798fad50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa201eb354a50 rbx=0000000000000000 rcx=ffffa201eb354ac0
rdx=00001501c69ae530 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801182cf4a5 rsp=fffffe89798faee8 rbp=fffffe89798fb0c0
r8=0000000000000000 r9=0000000000000006 r10=ffffc70000000000
r11=ffffa201eb354a60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
FLTMGR!memcpy+0xa5:
fffff801182cf4a5 f30f6f4c1110 movdqu xmm1,xmmword ptr [rcx+rdx+10h] ds:ffffb703b1d03000=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8011755b522 to fffff8011747b370

STACK_TEXT:
fffffe89798fa308 fffff8011755b522 : ffffb703b1d03000 0000000000000003 fffffe89798fa470 fffff801173cfb90 : nt!DbgBreakPointWithStatus
fffffe89798fa310 fffff8011755ac12 : fffff80100000003 fffffe89798fa470 fffff80117487bb0 fffffe89798fa9b0 : nt!KiBugCheckDebugBreak+0x12
fffffe89798fa370 fffff801174735e7 : fffff80117718478 fffff801175850b5 ffffb703b1d03000 ffffb703b1d03000 : nt!KeBugCheck2+0x952
fffffe89798faa70 fffff801174955d6 : 0000000000000050 ffffb703b1d03000 0000000000000000 fffffe89798fad50 : nt!KeBugCheckEx+0x107
fffffe89798faab0 fffff80117324eef : 0000000000000003 0000000000000000 0000000000000000 ffffb703b1d03000 : nt!MiSystemFault+0x1d6866
fffffe89798fabb0 fffff80117481520 : ffffb703af76fd58 ffffb703af76fd20 0000000000000000 0000000000000000 : nt!MmAccessFault+0x34f
fffffe89798fad50 fffff801182cf4a5 : fffff801182cad9e 0000000000000000 fffff80100000000 fffffe89798fb0c0 : nt!KiPageFault+0x360
fffffe89798faee8 fffff801182cad9e : 0000000000000000 fffff80100000000 fffffe89798fb0c0 ffffb703b0134ea0 : FLTMGR!memcpy+0xa5
fffffe89798faef0 fffff80116971108 : ffffb703b0be99a0 ffffb703b1770b20 ffffb703b1d02f90 ffffb70300000120 : FLTMGR!FltSendMessage+0x31e
fffffe89798fb060 fffff8011831ff07 : ffffb703b14bda78 ffffb703acda7200 0000000000000000 00007fff00000000 : FsFilter2!Filter1PreOperation+0xd8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffffe89798fb0d0 fffff801182c4a5d : ffffb703b14bd990 fffff80100000000 ffffffff00000000 0000000000000000 : FLTMGR!FltvPreOperation+0xe7
fffffe89798fb1f0 fffff801182c45a0 : fffffe89798fb370 fffffe89798fb300 0000000000000000 0000000000000000 : FLTMGR!FltpPerformPreCallbacks+0x2fd
fffffe89798fb300 fffff801182fcd13 : fffff801182e9060 fffff80117c20a0a 0000000000000000 0000000000000000 : FLTMGR!FltpPassThroughInternal+0x90
fffffe89798fb330 fffff801174309ea : 0000000000000000 ffffb703af8feb80 0000000000000000 ffffb70300000000 : FLTMGR!FltpCreate+0x2f3
fffffe89798fb3e0 fffff80117c160a9 : ffffb703af8feb80 ffffb703ab195ce0 ffffb70300000080 ffffb703ac375da0 : nt!IopfCallDriver+0x56
fffffe89798fb420 fffff801174a6783 : fffff80117897b05 fffffe89798fb760 fffffe89798fb6d0 ffffb703b09efbb0 : nt!IovCallDriver+0x275
fffffe89798fb460 fffff801172e3024 : 0000000000000003 0000000000000000 0000000000000000 fffff801172e37e3 : nt!IofCallDriver+0x1c2863
fffffe89798fb4a0 fffff801178981eb : fffffe89798fb760 fffff80117897b05 fffffe89798fb6d0 ffffb703b25fa820 : nt!IoCallDriverWithTracing+0x34
fffffe89798fb4f0 fffff8011789f1bf : ffffb703ab5a88f0 ffffb703ab5a8805 ffffb703af2da010 0000000000000001 : nt!IopParseDevice+0x62b
fffffe89798fb660 fffff8011789d621 : ffffb703af2da000 fffffe89798fb8a8 0000000000000040 ffffb703a7fe2d20 : nt!ObpLookupObjectName+0x78f
fffffe89798fb820 fffff801178e2df0 : ffffb70300000001 000000580527f280 0000000000000001 0000000000000000 : nt!ObOpenObjectByNameEx+0x201
fffffe89798fb960 fffff801178e2528 : 000000580527f260 0000000000000080 000000580527f280 000000580527f2c0 : nt!IopCreateFile+0x820
fffffe89798fba00 fffff80117484d15 : ffffb703af7bc088 fffff80116520180 fffffe89798fbb00 0000000000000000 : nt!NtOpenFile+0x58
fffffe89798fba90 00007ffded29c724 : 00007ffdde7246f6 0000000000204040 0000000000000000 0000000000000001 : nt!KiSystemServiceCopyEnd+0x25
000000580527f218 00007ffdde7246f6 : 0000000000204040 0000000000000000 0000000000000001 0000000000000000 : ntdll!NtOpenFile+0x14
000000580527f220 00007ffdde6d617e : 0000019e680ac0e0 00007ffdddd8e6ff 0000000000000000 00007ffded24083d : mprtp!MpPluginSetPUAFlags+0x70b56
000000580527f540 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : mprtp!MpPluginSetPUAFlags+0x225de

FOLLOWUP_IP:
FsFilter2!Filter1PreOperation+d8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffff801`16971108 85c0 test eax,eax

FAULT_INSTR_CODE: 1d79c085

FAULTING_SOURCE_CODE:
115:
116: RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
117:
118: status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL);

119: if (!NT_SUCCESS(status))
120: {
121: ExFreePoolWithTag(name, ‘tvv’);
122: DbgPrint(“Error send message to user”);
123: }
124: DbgPrint(“%wS\n”, name);

A couple of immediate thoughts

  • You are interchangeably using 288 and FileName->Name.Lengthso if the length is too small you will overrun
  • You should be running with verifier which makes finding these things easier.

@rod_widdowson said:

  • You are interchangeably using 288 and FileName->Name.Lengthso if the length is too small you will overrun

OMG i didnt see.Thank you very much I fixed but problem not solved.

1 Like

We’re not psychic, you need post your fixed code and the new !analyze output.

You have another bug in that you’re not NULL terminating the name buffer. I’ll note that these are really just C problems…Like Rod say make sure you’re using Driver Verifier.

1 Like

> @“Scott_Noone_(OSR)” said: > We’re not psychic, you need post your fixed code and the new !analyze output. > > You have another bug in that you’re not NULL terminating the name buffer. I’ll note that these are really just C problems…Like Rod say make sure you’re using Driver Verifier. Thank you Mr Scott and sorry you are right i must paste new code i do it asap. But actually im intreseted in can this code make problem for me when i dont use fltsendmessage and Rtl* functions?Like can bsod happen when I just use DbgPrint(‘wZ’,Filename->Name) ??? And really sorry for my bad English

Like can bsod happen when I just use DbgPrint(‘wZ’,Filename->Name)

Sure. Just like a bug in an application can crash the app a bug in a driver can crash the system.

1 Like

Thank you for reply I tested app today and its only buffer size problem when resize user mode app buffer size(for FilterGetMessage ) it works fine.