Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Blue screen crash in Minifilter

jay96612jay96612 Member Posts: 57
in NTFSD

I have used minispy as an example to block access to some processes for some files. I am sending the file path and process path to the user-mode application and in user-mode processing is done. Finally, the user-mode application returns TRUE/FALSE, and in kernel mode, if the response is TRUE from the user-mode application then Blocking is done.

This runs successfully for approx 45min and sometimes 1hr. And finally the blue screen system crash with an error as PAGE FAULT IN NONPAGED AREA.

I am unable to figure out why this is happening after some periods of time?

I am lost now. Please help me to identify the cause of this problem.
I will be very thankful to you.

Note: User Mode application takes 1-8 milli sec to respond after processing.

I have also attached a screenshot of BlueScreenView: https://ibb.co/Nmsv3Nc

Minifilter Code:

FLT_PREOP_CALLBACK_STATUS MiniPreRead(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext) {
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);
    //DbgPrint("MiniPreRead");

    PFLT_FILE_NAME_INFORMATION FileNameInfo = NULL;
    PMINISPY_NOTIFICATION notification = NULL;
    PUNICODE_STRING pni = NULL;

    BOOLEAN isBlock, shouldSkipThisFileName;
    ULONG seconds_to_wait;
    PVOID replyBuffer = NULL;
    ULONG replyLength;
    LARGE_INTEGER timeOut;

    NTSTATUS status;
    WCHAR Name[260] = { 0 };
    WCHAR ProcessPath[260] = { 0 };

    //update from usermode reply
    isBlock = FALSE;

    shouldSkipThisFileName = FALSE;

    //TODO: How much Waiting Time?
    seconds_to_wait = 5;
    timeOut.QuadPart = -((LONGLONG)seconds_to_wait * 10 * 1000 * 1000);


    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    status = FltParseFileNameInformation(FileNameInfo);

    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }
    if (FileNameInfo->Name.MaximumLength >= 260) {
        goto cleanup;
    }

    RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);

    DbgPrint("\n\nMiniPreRead: FileName = %ws\n", Name);

    //skip systm process as fileName: ntoskrnl svchost, & fileType: .sys, .dll
    shouldSkipThisFileName = (wcsstr(Name, L"ntoskrnl") != NULL || wcsstr(Name, L"svchost") != NULL || wcsstr(Name, L".SYS") != NULL || wcsstr(Name, L".sys") != NULL || wcsstr(Name, L".DLL") != NULL || wcsstr(Name, L".dll") != NULL) ? TRUE : FALSE;

     //skip if path is not the drivePath
    if (wcsstr(Name, L"Device\\HarddiskVolume") == NULL) {
        goto cleanup;
    }

    if (shouldSkipThisFileName) {
        goto cleanup;
    }

    status = STATUS_UNSUCCESSFUL;
    status = GetProcessImageName(IoThreadToProcess(Data->Thread), &pni); //TODO: Improve by https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-getprocessimagefilenamea                  
    try {
        if (!NT_SUCCESS(status)) {
            leave;
        }

        if (NULL == pni->Buffer) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            leave;
        }

        RtlCopyMemory(ProcessPath, pni->Buffer, pni->MaximumLength);

        //TODO: skip for system32 process for now
        if (wcsstr(ProcessPath, L"Windows\\System32") != NULL) {
            DbgPrint("\n\nMiniPreRead: kernelToUserMode: Skipping SystemProcess: %ws\n", ProcessPath);
            leave;
        }

        //TODO: skip Just for Testing purpose
        if (wcsstr(ProcessPath, L"explorer.exe") != NULL) {
            DbgPrint("\n\nMiniPreRead: kernelToUserMode: Skipping explorer: %ws\n", ProcessPath);
            leave;
        }

        DbgPrint("\n\nMiniPreRead: kernelToUserMode:|                                            |\n");
        DbgPrint("\n\nMiniPreRead: kernelToUserMode: Final psName: %ws\n", ProcessPath);
        DbgPrint("\n\nMiniPreRead: kernelToUserMode: Final FileName: %ws\n", Name);

#ifndef KERNEL_TO_USER
        notification = ExAllocatePoolWithTag(NonPagedPool, sizeof(MINISPY_NOTIFICATION), SPY_TAG);
        if (NULL == notification) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            leave;
        }

        RtlCopyMemory(&notification->ProcessPath, ProcessPath, 260);
        RtlCopyMemory(&notification->filePath, Name, 260);

        notification->msgCountNumId = ++globalCount % 10000000;

        //replyLength = sizeof(MINISPY_REPLY);
        //TODO For both userMode and kernel mode as recommend on doc: replyLength = sizeof(FILTER_REPLY_HEADER) + sizeof(MINISPY_REPLY);
        replyLength = sizeof(FILTER_REPLY_HEADER) + sizeof(MINISPY_REPLY);

        DbgPrint("\n\nMiniPreRead: kernelToUserMode: Waiting for usermode reply for MsgSendId: %d,ps: %ws...\n", notification->msgCountNumId, pni->Buffer);
        status = FltSendMessage(MiniSpyData.Filter, &MiniSpyData.ClientPort,
            notification,
            sizeof(MINISPY_NOTIFICATION),
            notification,
            &replyLength,
            NULL);  

        if (STATUS_TIMEOUT == status) {
            DbgPrint("\n\nMiniPreRead: kernelToUserMode: timeout occured!\n");
        }
        else if (STATUS_SUCCESS == status) {
            try {
                isBlock = ((PMINISPY_REPLY)notification)->res;
            }
            finally {}

            DbgPrint("\n\nMiniPreRead: kernelToUserMode: Reply isBlock: %d,MsgSendId: %d,ps: %ws\n", isBlock, ((PMINISPY_REPLY)notification)->msgCountId ,ProcessPath);
        }
        else {
            DbgPrint("\n\nMiniPreRead: kernelToUserMode: --- couldn't send processPath %ws to the user-mode, status 0x%X\n", ProcessPath, status);
            // STATUS_INSUFFICIENT_RESOURCES STATUS_PORT_DISCONNECTED STATUS_THREAD_IS_TERMINATING                                             
        }
#endif 

    }
    finally {
        if (notification != NULL) {
            ExFreePoolWithTag(notification, SPY_TAG);
        }
        if (pni != NULL) {
            ExFreePool(pni);
        }
    }

Blocking:
        if (isBlock) {
            KdPrint(("read file: %ws blocked \r\n", Name)); // only in DEBUG
            DbgPrint(("read file: %ws blocked \r\n", Name));
            Data->IoStatus.Status = STATUS_ACCESS_DENIED;
            Data->IoStatus.Information = 0;
            if (FileNameInfo) {
                FltReleaseFileNameInformation(FileNameInfo);
            }
            return FLT_PREOP_COMPLETE;
        }

cleanup:
        if (FileNameInfo) {
            FltReleaseFileNameInformation(FileNameInfo);
        }

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
· Share on Facebook

Comments

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,255

    what does !anaylze -v say Thats usually far more interesting that code

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @rod_widdowson I didn't understand what do you mean.

    · Share on Facebook
  • elDimaselDimas Member Posts: 17
    edited March 2021

    @jay96612 said:
    @rod_widdowson I didn't understand what do you mean.

    Open the dump file in WinDBG and show us what the result was.
    The dump file is in C: \ Windows \ if you i not mistaken.

    Google translator

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @rod_widdowson Output of !analyze -v

    Loading Dump File [C:\Windows\Minidump\030121-48640-01.dmp]
    ...
    For analysis of this file, run !analyze -v
    nt!KeBugCheckEx:
    fffff80758ff5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffe18c05c3d310=0000000000000050

    Loading Dump File [C:\WINDOWS\MEMORY.DMP]
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

    Can't set dump file contexts
    MachineInfo::SetContext failed - Thread: 00000285612F4E50 Handle: 1 Id: 1 - Error == 0x8000FFFF

    ***** Path validation summary ******
    Response Time (ms) Location
    Deferred srv*
    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 19041 MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
    Machine Name:
    Kernel base = 0xfffff80444800000 PsLoadedModuleList = 0xfffff8044542a390
    Debug session time: Mon Mar 1 19:21:54.034 2021 (UTC + 5:30)
    System Uptime: 0 days 5:50:54.796
    Loading Kernel Symbols
    ...............................................................
    ................Page 11befc not present in the dump file. Type ".hh dbgerr004" for details
    ................................................
    ................................................................
    ......................................................
    Loading User Symbols
    PEB address is NULL !
    Loading unloaded module list
    ................
    nt!KeBugCheckEx:
    fffff80444bf5a80 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff818554785310=0000000000000050
    ||1:3: kd> !analyze -v

    • *
    • Bugcheck Analysis *
    • *

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: ffff8b8e6a20eec0, memory referenced.
    Arg2: 0000000000000010, value 0 = read operation, 1 = write operation.
    Arg3: ffff8b8e6a20eec0, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 0000000000000002, (reserved)

    Debugging Details:

    KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
Value: 6452

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-T8VRNB1

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.mSec
Value: 20375

Key  : Analysis.Memory.CommitPeak.Mb
Value: 145

Key  : Analysis.System
Value: CreateObject

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

    ADDITIONAL_XML: 1

    OS_BUILD_LAYERS: 1

    BUGCHECK_CODE: 50

    BUGCHECK_P1: ffff8b8e6a20eec0

    BUGCHECK_P2: 10

    BUGCHECK_P3: ffff8b8e6a20eec0

    BUGCHECK_P4: 2

    READ_ADDRESS: ffff8b8e6a20eec0 Paged session pool

    MM_INTERNAL_CODE: 2

    IMAGE_NAME: win32kbase.sys

    MODULE_NAME: win32kbase

    FAULTING_MODULE: ffff8b8e6a200000 win32kbase

    BLACKBOXBSD: 1 (!blackboxbsd)

    BLACKBOXNTFS: 1 (!blackboxntfs)

    BLACKBOXPNP: 1 (!blackboxpnp)

    BLACKBOXWINLOGON: 1

    PROCESS_NAME: Registry

    TRAP_FRAME: ffff8185547855b0 -- (.trap 0xffff8185547855b0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffff8b8e6a20eec0 rbx=0000000000000000 rcx=ffffca0e20ce12c0
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=ffff8b8e6a20eec0 rsp=ffff818554785748 rbp=0000000000000000
    r8=ffff8185547857f0 r9=0000000000000000 r10=000000004f414f41
    r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    win32kbase!UserIsUserCritSecIn:
    ffff8b8e`6a20eec0 ?? ???
    Resetting default scope

    FAILED_INSTRUCTION_ADDRESS:
    win32kbase!UserIsUserCritSecIn+0
    ffff8b8e`6a20eec0 ?? ???

    STACK_TEXT:
    ffff818554785308 fffff80444c1ebbb : 0000000000000050 ffff8b8e6a20eec0 0000000000000010 ffff8185547855b0 : nt!KeBugCheckEx
    ffff818554785310 fffff80444a0c960 : 0000000000000000 0000000000000010 ffff818554785630 0000000000000000 : nt!MiSystemFault+0x1f43ab
    ffff818554785410 fffff80444c03c5e : 0000000000000240 ffffca0e0e968c50 0000000000000240 ffff8185547856c1 : nt!MmAccessFault+0x400
    ffff8185547855b0 ffff8b8e6a20eec0 : fffff8045eeba14f 0000000000000000 ffff818554785a30 0000000000000020 : nt!KiPageFault+0x35e
    ffff818554785748 fffff8045eeba14f : 0000000000000000 ffff818554785a30 0000000000000020 fffff8045eecab6e : win32kbase!UserIsUserCritSecIn
    ffff818554785750 fffff8045eebaa5d : ffff8185547858c8 ffffca0e00000000 0000000000004a61 0000000000000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
    ffff8185547857e0 fffff80444e0fc1c : ffffa40573e28200 ffff8185547858c8 ffff8185547858c8 0000000000000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
    ffff818554785810 fffff80444e0fd8a : 0000000000000000 0000000000000000 0000000000000000 ffffdc4d19a20f67 : nt!ObpCallPreOperationCallbacks+0x10c
    ffff818554785890 fffff80444e2c20d : 0000000000000000 ffff818554785a20 ffffca0e25e0e050 ffffca0e25e0e050 : nt!ObpPreInterceptHandleCreate+0xaa
    ffff818554785900 fffff80444de1029 : ffffa4057343d350 0000000000000000 0038005f00620075 0079006b00000000 : nt!ObpCreateHandle+0xa1d
    ffff818554785af0 fffff8044395104b : ffff818554786339 fffff80444b3c67c 0000000000000208 ffffca0e25c4c8d8 : nt!ObOpenObjectByPointer+0x1b9
    ffff818554785d70 fffff804439512f9 : fffff80443952be0 0000000000000200 0000000000000000 0000000000000000 : minispy+0x104b
    ffff818554785dd0 fffff8044712608c : 0000000000000000 ffffca0e25c4c7f0 ffffca0e25c4c8d8 ffffca0e253efbb0 : minispy+0x12f9
    ffff818554786280 fffff80447125b37 : ffff818554786400 0000000000000003 ffffca0e26747600 0000000000000000 : FLTMGR!FltpPerformPreCallbacksWorker+0x36c
    ffff8185547863a0 fffff80447124b46 : ffff818554788000 ffff818554781000 0000000000000000 ffff8185547864c0 : FLTMGR!FltpPassThroughInternal+0xc7
    ffff8185547863f0 fffff804471248bb : 0000000000000000 0000000000000000 0000000000000000 fffff80444e2b3c1 : FLTMGR!FltpPassThrough+0x1d6
    ffff818554786490 fffff80444a52f55 : ffffca0e1f8d0630 0000000000001000 0000000000000000 ffffffff80004210 : FLTMGR!FltpDispatch+0x8b
    ffff8185547864f0 fffff80444dfd878 : 0000000000000000 ffffca0e267476a0 0000000000000001 ffffca0e0f7ef501 : nt!IofCallDriver+0x55
    ffff818554786530 fffff80444de59b9 : ffffca0e00000000 ffff8185547867a0 ffffca0e1c7d16e0 ffff8185547867a0 : nt!IopSynchronousServiceTail+0x1a8
    ffff8185547865d0 fffff80444c074b5 : ffffca0e20ce1910 ffffffff80004210 0000000000000000 0000000000000000 : nt!NtReadFile+0x599
    ffff8185547866b0 fffff80444bf98e0 : fffff80444b18673 ffffa40586efe000 ffffffff80001b14 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
    ffff8185547868b8 fffff80444b18673 : ffffa40586efe000 ffffffff80001b14 0000000000000000 0000000000000000 : nt!KiServiceLinkage
    ffff8185547868c0 fffff80444ee07ac : ffffa40586efe000 ffff818554786a58 ffffa40500000000 ffffa40586efe000 : nt!CmpDoFileRead+0xb7
    ffff818554786970 fffff80444e873fc : 01d70ea209a2a5e3 ffffa405970df000 0000000000000000 0000000000000000 : nt!CmpFileRead+0x2c
    ffff8185547869c0 fffff80444e858a3 : 01d70ea209a2a5e3 ffffa40584d99e20 ffffa405970df000 ffffa40584d99e20 : nt!HvpGetHiveHeader+0x7c
    ffff818554786a00 fffff80444e8857b : ffffa4057626f400 01d70ea209a2a5e3 0000000000000001 ffffa405970df000 : nt!HvLoadHive+0xa7
    ffff818554786b50 fffff80444e88b73 : 0000000000000000 ffff818554786c90 0000000000000001 ffffa405970df000 : nt!HvHiveStartFileBacked+0x107
    ffff818554786b90 fffff80444e639e1 : 0000000000000000 ffffca0e0000009c ffff818554786ee0 0000000000000000 : nt!CmpCreateHive+0x3d3
    ffff818554786de0 fffff80444dd63dc : 0000000000000000 0000000000000000 ffff8185547871d0 fffff80444e2b3c1 : nt!CmpInitHiveFromFile+0x3a9
    ffff818554787020 fffff80444e94ce3 : ffffa40584d99e20 0000000000000000 ffffa40500000000 ffffa40584d99e20 : nt!CmpCmdHiveOpen+0xdc
    ffff818554787120 fffff80444e8cf82 : 0000000000000000 ffff818500000010 0000000000000000 0000000000000001 : nt!CmLoadAppKey+0x46b
    ffff8185547875a0 fffff80444e8c77d : 00007ff800000000 ffffa4057be70580 ffff818554787a00 fffffbbffc1c5d38 : nt!CmLoadDifferencingKey+0x7f6
    ffff818554787920 fffff80444c074b5 : 0000000000000000 0000000000000001 000000b333ffe148 ffff818554787a80 : nt!NtLoadKeyEx+0x5d
    ffff818554787990 00007ff84510e734 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25
    000000b333ffe1e8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff8`4510e734

    SYMBOL_NAME: win32kbase!UserIsUserCritSecIn+0

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 0

    FAILURE_BUCKET_ID: AV_INVALID_BAD_IP_win32kbase!UserIsUserCritSecIn

    OS_VERSION: 10.0.19041.1

    BUILDLAB_STR: vb_release

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    FAILURE_ID_HASH: {c8670668-72de-2a31-2f67-c17c5864267c}

    Followup: MachineOwner

    ||1:3: kd> lmvm win32kbase
    Browse full module list
    start end module name
    ffff8b8e6a200000 ffff8b8e6a4da000 win32kbase # (pdb symbols) C:\ProgramData\Dbg\sym\win32kbase.pdb\E51C1F9B0FA0D0F8FD417E3DB89E9E911\win32kbase.pdb
    Loaded symbol image file: win32kbase.sys
    Mapped memory image file: C:\ProgramData\Dbg\sym\win32kbase.sys\A6BD5AD22da000\win32kbase.sys
    Image path: \SystemRoot\System32\win32kbase.sys
    Image name: win32kbase.sys
    Browse all global symbols functions data
    Image was built with /Brepro flag.
    Timestamp: A6BD5AD2 (This is a reproducible build file hash, not a timestamp)
    CheckSum: 002CC779
    ImageSize: 002DA000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    please analyze this output and help me to get out of the exception. I am completely lost now & need help from the OSR community.

    · Share on Facebook
  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,255

    I'd turn off "SpyShelter"

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @rod_widdowson I haven't installed SpyShelter.

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    @jay96612 said:
    @rod_widdowson I haven't installed SpyShelter.

    All the more reason to get rid of it.

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @Scott_Noone_(OSR) please show some helping hand. I am unable to fix it out

    · Share on Facebook
  • elDimaselDimas Member Posts: 17

    Well, I think maybe, it tends to copy some information into user mode, and it is not available, "the user's address space may not be available" according to the dump file, try the following, before call RtlCopyMemory, make sure the user is connected to the driver.

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    SpyShelter (whatever that is) has a kernel component and it's trying to call an undocumented Win32K function:

    win32kbase!UserIsUserCritSecIn+0
ffff8b8e`6a20eec0 ?? ???

    You're in the Registry process which does not map Win32K, so you get a crash from SpyShelter calling an invalid address.

    Best thing to do is uninstall SpyShelter

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @rod_widdowson @Scott_Noone_(OSR) Thank you so much both for the info you provided. It was SpyShelter who causing the problem. I am very thankful to you :smile:

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @Scott_Noone_(OSR) @rod_widdowson Crash is only from this code. When trying to get the process name then a crash occurs if spyShelter also running. so is there any wrong with this code?

    Code: ToGetProcessName

    NTSTATUS GetProcessImageName(
    PEPROCESS eProcess,
    PUNICODE_STRING* ProcessImageName
)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG returnedLength;
    HANDLE hProcess = NULL;

    PAGED_CODE(); // this eliminates the possibility of the IDLE Thread/Process

    if (eProcess == NULL)
    {
        return STATUS_INVALID_PARAMETER_1;
    }

    status = ObOpenObjectByPointer(eProcess,
        0, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer Failed: %08x\n", status);
        return status;
    }

    if (ZwQueryInformationProcess == NULL)
    {
        UNICODE_STRING routineName = RTL_CONSTANT_STRING(L"ZwQueryInformationProcess");

        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);

        if (ZwQueryInformationProcess == NULL)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            status = STATUS_UNSUCCESSFUL;
            goto cleanUp;
        }
    }

    /* Query the actual size of the process path */
    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        NULL, // buffer
        0,    // buffer size
        &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status) {
        DbgPrint("ZwQueryInformationProcess status = %x\n", status);
        goto cleanUp;
    }

    *ProcessImageName = ExAllocatePoolWithTag(PagedPool, returnedLength, SPY_TAG);

    if (NULL == ProcessImageName) {
        return STATUS_INSUFFICIENT_RESOURCES;
        goto cleanUp;
    }

    status = ZwQueryInformationProcess(hProcess,
        ProcessImageFileName,
        *ProcessImageName,
        returnedLength,
        &returnedLength);

    if (!NT_SUCCESS(status)) {
        ExFreePool(*ProcessImageName);
        *ProcessImageName = NULL;
    }
cleanUp:

    if (hProcess) {
        ZwClose(hProcess);
    }

    return status;
}
    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    You need to learn to debug your code. Have you set up kernel debugging with WinDbg yet?

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    Yes. I have done setting up the kernel debugging with windbg.

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    What steps have you taken to debug the problem?

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @Scott_Noone_(OSR) I have followed this https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-#:~:text=On%20the%20host%20computer%2C%20open,in%20Debugging%20Tools%20for%20Windows.

    Now the stack shows Line Number 702 and 1009 of file minispy.c

    STACK_TEXT

    FAILED_INSTRUCTION_ADDRESS: 
win32kbase!UserIsUserCritSecIn+0
ffffe54c`f35e0450 ??              ???

STACK_TEXT:  
ffffec87`2d597dd8 fffff805`57ca8d02 : ffffe54c`f35e0450 00000000`00000003 ffffec87`2d597f40 fffff805`57b1afe0 : nt!DbgBreakPointWithStatus
ffffec87`2d597de0 fffff805`57ca83f7 : ffffe54c`00000003 ffffec87`2d597f40 fffff805`57bd81f0 ffffec87`2d598480 : nt!KiBugCheckDebugBreak+0x12
ffffec87`2d597e40 fffff805`57bc3b97 : fffff805`57e641f8 fffff805`57cd2855 ffffe54c`f35e0450 ffffe54c`f35e0450 : nt!KeBugCheck2+0x947
ffffec87`2d598540 fffff805`57c13ae0 : 00000000`00000050 ffffe54c`f35e0450 00000000`00000010 ffffec87`2d598820 : nt!KeBugCheckEx+0x107
ffffec87`2d598580 fffff805`57acdcbf : 00000000`00000000 00000000`00000010 00000000`00000000 ffffe54c`f35e0450 : nt!MiSystemFault+0x18f320
ffffec87`2d598680 fffff805`57bd1b5e : 00000000`00000240 00000000`00000240 00000000`00000000 ffffec87`2d598950 : nt!MmAccessFault+0x34f
ffffec87`2d598820 ffffe54c`f35e0450 : fffff807`cf85af9b ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 : nt!KiPageFault+0x35e
ffffec87`2d5989b8 fffff807`cf85af9b : ffffec87`2d598c30 ffffec87`2d598db0 00000000`00000020 fffff807`cf86c772 : win32kbase!UserIsUserCritSecIn
ffffec87`2d5989c0 fffff807`cf85b8a9 : ffffec87`2d598c98 ffff9804`00000000 00000000`000047bb 00000000`00000000 : SpyShelter!SpS_GetProcessPathW+0x15eb
ffffec87`2d598a50 fffff805`5801b10d : ffffbf80`6bec0d00 ffffec87`2d598c98 ffffec87`2d598c98 ffffec87`00000000 : SpyShelter!SpS_GetProcessPathW+0x1ef9
ffffec87`2d598a80 fffff805`5802afa5 : 00000000`00000000 ffffec87`2d598c20 00000000`00000000 ffff9804`9229de80 : nt!ObpCallPreOperationCallbacks+0x10d
ffffec87`2d598b00 fffff805`5800774c : 00000000`00000000 00000000`00000000 ffff9804`998ed4c0 006e0069`00000000 : nt!ObpCreateHandle+0xab5
ffffec87`2d598d30 fffff805`5631104b : ffff9804`99d1bb50 00000000`10000004 ffffec87`2d599549 fffff805`57b1b02c : nt!ObOpenObjectByPointer+0xec
ffffec87`2d598f90 fffff805`56311321 : fffff805`56312c60 00000000`00000200 00000000`00000000 ffff9804`99d1bdb0 : **minispy!GetProcessImageName+0x4b [C:\Users\jay\Documents\Visual Studio 2015\Projects\minispyNetworkShareBlock\filter\minispy.c @ 702] **
ffffec87`2d598ff0 fffff805`5c584a8d : ffff9804`99e7e8a0 00000000`00000000 ffff9804`99e7e8a0 ffff9804`99d1bdb0 : **minispy!MiniPreRead+0x1a1 [C:\Users\jay\Documents\Visual Studio 2015\Projects\minispyNetworkShareBlock\filter\minispy.c @ 1009] **
ffffec87`2d5994a0 fffff805`5c5845d0 : ffffec87`2d599680 00000000`00000000 ffff9804`96fbbb03 00000000`00060900 : FLTMGR!FltpPerformPreCallbacks+0x2fd
ffffec87`2d5995b0 fffff805`5c584142 : 00000000`00000000 ffffec87`2d599680 ffff9804`96fbbb20 ffffec87`2d599690 : FLTMGR!FltpPassThroughInternal+0x90
ffffec87`2d5995e0 fffff805`5c583f2e : 00000000`00000000 00000000`00000000 00000000`00000000 fffff805`580319a5 : FLTMGR!FltpPassThrough+0x162
ffffec87`2d599660 fffff805`57a467f9 : ffff9804`96fbbb20 00000000`00000200 00000000`00000000 ffffffff`80001ef8 : FLTMGR!FltpDispatch+0x9e
ffffec87`2d5996c0 fffff805`58029d65 : 00000000`00000000 ffff9804`9a12c990 ffff9804`9a12c9e0 ffff9804`9a12c990 : nt!IofCallDriver+0x59
ffffec87`2d599700 fffff805`58026cbf : ffff9804`00000000 ffff9804`9abda8e0 ffffec87`2d599af0 ffffec87`2d599980 : nt!IopSynchronousServiceTail+0x1a5
ffffec87`2d5997a0 fffff805`57bd5355 : 00000000`00000001 ffffffff`80001ef8 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x59f
ffffec87`2d599890 fffff805`57bc78b0 : fffff805`57b28996 ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
ffffec87`2d599a98 fffff805`57b28996 : ffffbf80`744d7000 ffffffff`80002610 00000000`00000000 00000000`00000000 : nt!KiServiceLinkage
ffffec87`2d599aa0 fffff805`580da37c : ffffbf80`744d7000 ffffec87`2d599c30 ffffbf80`00000000 ffffbf80`744d7000 : nt!CmpDoFileRead+0xb6
ffffec87`2d599b50 fffff805`58086ca4 : 00000000`00000030 ffffbf80`782e1000 ffffbf80`782e1000 ffffbf80`71f2cb90 : nt!CmpFileRead+0x2c
ffffec87`2d599ba0 fffff805`58084e5d : 00000000`00000030 ffffec87`2d59a3d0 ffffbf80`782e1000 ffffbf80`782e1000 : nt!HvpGetHiveHeader+0x7c
ffffec87`2d599be0 fffff805`58086e8c : ffffec87`2d599e60 01d714ee`4baa7a6a 00000000`00000001 ffffbf80`782e1000 : nt!HvLoadHive+0xa1
ffffec87`2d599d20 fffff805`580844ae : ffffffff`ffffffff ffffec87`2d599e60 00000000`00000001 00000000`00000000 : nt!HvHiveStartFileBacked+0x100
ffffec87`2d599d60 fffff805`57fe2151 : 00000000`00000000 00000000`0000009c ffffec87`2d59a090 00000000`00000000 : nt!CmpCreateHive+0x62a
ffffec87`2d599f90 fffff805`58099833 : ffff9804`99bd93a0 fffff805`57a4e5b6 ffff9804`99bd9118 fffff805`57e63878 : nt!CmpInitHiveFromFile+0x3f9
ffffec87`2d59a1d0 fffff805`57fe2f10 : fffff805`57e63880 ffffec87`2d59a350 00000000`00000000 ffffec87`2d59a768 : nt!CmpCmdHiveOpen+0xd7
ffffec87`2d59a250 fffff805`57fe4ba5 : 00000000`00000000 ffffec87`00000010 00000000`00000000 00000000`00000001 : nt!CmLoadAppKey+0x364
ffffec87`2d59a6a0 fffff805`57fe4331 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff813d`8d0f6699 : nt!CmLoadDifferencingKey+0x869
ffffec87`2d59aa20 fffff805`57bd5355 : 00000000`00000620 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtLoadKeyEx+0x51
ffffec87`2d59aa90 00007ffe`ecb7ee04 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000a9`b57fe238 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`ecb7ee04

    LINE 702:
    status = ObOpenObjectByPointer(eProcess,
    0, NULL, 0, 0, KernelMode, &hProcess);
    if (!NT_SUCCESS(status))
    {
    DbgPrint("ObOpenObjectByPointer Failed: %08x\n", status);
    return status;
    }

    LINE 1009:
    status = GetProcessImageName(IoThreadToProcess(Data->Thread), &pni);

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    Did you look at the stack? It's the same crash as before:

    nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x18f320
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35e
win32kbase!UserIsUserCritSecIn
SpyShelter!SpS_GetProcessPathW+0x15eb
SpyShelter!SpS_GetProcessPathW+0x1ef9
nt!ObpCallPreOperationCallbacks+0x10d

    Get rid of SpyShelter.

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    @Scott_Noone_(OSR) So why system crashes due to my program. If the only spyShelter runs then no crash happens. Once my program runs along with SpyShelter then a crash happens.

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    Since the crash happens only in getting process path. So should I pass ProcessId to user-mode and then find the process path in user-mode and then do processing accordingly?

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,628

    You're opening a Process Object from the context of a process (Registry) that does not have a valid session space. This is valid but unusual. SpyShelter has a bug in their code and they don't handle this properly.

    So, last time: SpyShelter has a bug. Disable it and move on. If you can't live without SpyShelter then you need to contact them and have them fix their code.

    -scott
    OSR

    · Share on Facebook
  • jay96612jay96612 Member Posts: 57

    Thank you so much @Scott_Noone_(OSR).

    · Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 16-20 October 2023 Live, Online
Developing Minifilters 13-17 November 2023 Live, Online
Internals & Software Drivers 4-8 Dec 2023 Live, Online
Writing WDF Drivers 10-14 July 2023 Live, Online

Categories