Hello everyone. I have minifilter driver which get filename in preop(IRP_MJ_CREATE) and send it usermode app. Sometimes I get bsod while calling FltSendMessage. When I debug my code it actually happen FltMgr!memcpy function. But I dont know why? Actually I dont use this code as project its just test case .But I will use code look like it. Thank you for reading.
So piece of code which bsod ocurred.
FLT_PREOP_CALLBACK_STATUS Filter1PreOperation(_Inout_ PFLT_CALLBACK_DATA Data,
_In_ PCFLT_RELATED_OBJECTS FltObjects,
_Flt_CompletionContext_Outptr_ PVOID* CompletionContext
)
{
PFLT_FILE_NAME_INFORMATION FileName = NULL;
NTSTATUS status;
ULONG ret = 0;
WCHAR* name = NULL;
REPLY_MESSAGE repmsg = { 0 };
ret = (ULONG)sizeof(REPLY_BUFFER);
status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileName);
if (!NT_SUCCESS(status))
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
status = FltParseFileNameInformation(FileName);
if (!NT_SUCCESS(status))
{
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (FileName->Name.MaximumLength < 260)
{
/*RtlCopyMemory(name, FileName->Name.Buffer, 288);*/
if (c)
{
name = (WCHAR*)ExAllocatePoolWithTag(NonPagedPool, FileName->Name.Length + 2, 'tvv');
if (name == NULL)
{
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL); //>> crash ocurred here
if (!NT_SUCCESS(status))
{
ExFreePoolWithTag(name, 'tvv');
DbgPrint("Error send message to user");
}
DbgPrint("%wS\n", name);
ExFreePoolWithTag(name, 'X66');
/*DbgPrint("%d\n", repmsg.Reply.infected);*/
}
}
FltReleaseFileNameInformation(FileName);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffb703b1d03000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801182cf4a5, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
BUGCHECK_STR: AV
PROCESS_NAME: MsMpEng.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffffe89798fad50 – (.trap 0xfffffe89798fad50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa201eb354a50 rbx=0000000000000000 rcx=ffffa201eb354ac0
rdx=00001501c69ae530 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801182cf4a5 rsp=fffffe89798faee8 rbp=fffffe89798fb0c0
r8=0000000000000000 r9=0000000000000006 r10=ffffc70000000000
r11=ffffa201eb354a60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
FLTMGR!memcpy+0xa5:
fffff801182cf4a5 f30f6f4c1110 movdqu xmm1,xmmword ptr [rcx+rdx+10h] ds:ffffb703
b1d03000=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8011755b522 to fffff8011747b370
STACK_TEXT:
fffffe89798fa308 fffff801
1755b522 : ffffb703b1d03000 00000000
00000003 fffffe89798fa470 fffff801
173cfb90 : nt!DbgBreakPointWithStatus
fffffe89798fa310 fffff801
1755ac12 : fffff80100000003 fffffe89
798fa470 fffff80117487bb0 fffffe89
798fa9b0 : nt!KiBugCheckDebugBreak+0x12
fffffe89798fa370 fffff801
174735e7 : fffff80117718478 fffff801
175850b5 ffffb703b1d03000 ffffb703
b1d03000 : nt!KeBugCheck2+0x952
fffffe89798faa70 fffff801
174955d6 : 0000000000000050 ffffb703
b1d03000 0000000000000000 fffffe89
798fad50 : nt!KeBugCheckEx+0x107
fffffe89798faab0 fffff801
17324eef : 0000000000000003 00000000
00000000 0000000000000000 ffffb703
b1d03000 : nt!MiSystemFault+0x1d6866
fffffe89798fabb0 fffff801
17481520 : ffffb703af76fd58 ffffb703
af76fd20 0000000000000000 00000000
00000000 : nt!MmAccessFault+0x34f
fffffe89798fad50 fffff801
182cf4a5 : fffff801182cad9e 00000000
00000000 fffff80100000000 fffffe89
798fb0c0 : nt!KiPageFault+0x360
fffffe89798faee8 fffff801
182cad9e : 0000000000000000 fffff801
00000000 fffffe89798fb0c0 ffffb703
b0134ea0 : FLTMGR!memcpy+0xa5
fffffe89798faef0 fffff801
16971108 : ffffb703b0be99a0 ffffb703
b1770b20 ffffb703b1d02f90 ffffb703
00000120 : FLTMGR!FltSendMessage+0x31e
fffffe89798fb060 fffff801
1831ff07 : ffffb703b14bda78 ffffb703
acda7200 0000000000000000 00007fff
00000000 : FsFilter2!Filter1PreOperation+0xd8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffffe89798fb0d0 fffff801
182c4a5d : ffffb703b14bd990 fffff801
00000000 ffffffff00000000 00000000
00000000 : FLTMGR!FltvPreOperation+0xe7
fffffe89798fb1f0 fffff801
182c45a0 : fffffe89798fb370 fffffe89
798fb300 0000000000000000 00000000
00000000 : FLTMGR!FltpPerformPreCallbacks+0x2fd
fffffe89798fb300 fffff801
182fcd13 : fffff801182e9060 fffff801
17c20a0a 0000000000000000 00000000
00000000 : FLTMGR!FltpPassThroughInternal+0x90
fffffe89798fb330 fffff801
174309ea : 0000000000000000 ffffb703
af8feb80 0000000000000000 ffffb703
00000000 : FLTMGR!FltpCreate+0x2f3
fffffe89798fb3e0 fffff801
17c160a9 : ffffb703af8feb80 ffffb703
ab195ce0 ffffb70300000080 ffffb703
ac375da0 : nt!IopfCallDriver+0x56
fffffe89798fb420 fffff801
174a6783 : fffff80117897b05 fffffe89
798fb760 fffffe89798fb6d0 ffffb703
b09efbb0 : nt!IovCallDriver+0x275
fffffe89798fb460 fffff801
172e3024 : 0000000000000003 00000000
00000000 0000000000000000 fffff801
172e37e3 : nt!IofCallDriver+0x1c2863
fffffe89798fb4a0 fffff801
178981eb : fffffe89798fb760 fffff801
17897b05 fffffe89798fb6d0 ffffb703
b25fa820 : nt!IoCallDriverWithTracing+0x34
fffffe89798fb4f0 fffff801
1789f1bf : ffffb703ab5a88f0 ffffb703
ab5a8805 ffffb703af2da010 00000000
00000001 : nt!IopParseDevice+0x62b
fffffe89798fb660 fffff801
1789d621 : ffffb703af2da000 fffffe89
798fb8a8 0000000000000040 ffffb703
a7fe2d20 : nt!ObpLookupObjectName+0x78f
fffffe89798fb820 fffff801
178e2df0 : ffffb70300000001 00000058
0527f280 0000000000000001 00000000
00000000 : nt!ObOpenObjectByNameEx+0x201
fffffe89798fb960 fffff801
178e2528 : 000000580527f260 00000000
00000080 000000580527f280 00000058
0527f2c0 : nt!IopCreateFile+0x820
fffffe89798fba00 fffff801
17484d15 : ffffb703af7bc088 fffff801
16520180 fffffe89798fbb00 00000000
00000000 : nt!NtOpenFile+0x58
fffffe89798fba90 00007ffd
ed29c724 : 00007ffdde7246f6 00000000
00204040 0000000000000000 00000000
00000001 : nt!KiSystemServiceCopyEnd+0x25
000000580527f218 00007ffd
de7246f6 : 0000000000204040 00000000
00000000 0000000000000001 00000000
00000000 : ntdll!NtOpenFile+0x14
000000580527f220 00007ffd
de6d617e : 0000019e680ac0e0 00007ffd
ddd8e6ff 0000000000000000 00007ffd
ed24083d : mprtp!MpPluginSetPUAFlags+0x70b56
000000580527f540 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : mprtp!MpPluginSetPUAFlags+0x225de
FOLLOWUP_IP:
FsFilter2!Filter1PreOperation+d8 [D:\repos\FsFilter2\FsFilter2\FsFilter2.c @ 119]
fffff801`16971108 85c0 test eax,eax
FAULT_INSTR_CODE: 1d79c085
FAULTING_SOURCE_CODE:
115:
116: RtlCopyMemory(name, FileName->Name.Buffer, FileName->Name.Length);
117:
118: status = FltSendMessage(hFilter, &ClientPort, name, 288, &repmsg.Reply, &ret, NULL);
119: if (!NT_SUCCESS(status))
120: {
121: ExFreePoolWithTag(name, ‘tvv’);
122: DbgPrint(“Error send message to user”);
123: }
124: DbgPrint(“%wS\n”, name);