Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Dead lock on NtCreateFile in PsCreateProcessNotifyRoutin
Hi,
i have some issue in this scenario
my routine of driver is that:
PsCreateprocessNotifyRoutin
{
KinitializeEvent(kevent......)
IoAllocWorkitem
KeWaitforsingobject(kevent.....)
free work item
}
workitem routin
{
ntcreatefile or zwopenfile
ZwQueryInformationFile
KsetEvent(.../* signaled Kevent*/)
}
but i have deadlock wen ntcreatefile called?
what am i missing?
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Internals & Software Drivers | 19-23 June 2023 | Live, Online |
| Writing WDF Drivers | 10-14 July 2023 | Live, Online |
| Kernel Debugging | 16-20 October 2023 | Live, Online |
| Developing Minifilters | 13-17 November 2023 | Live, Online |
Comments
Run:
!process 0 F SystemFind your thread calling NtCreateFile and post it here.
-scott
OSR
sorry for my late
THREAD ffff800dc136c440 Cid 0004.00d8 Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrResource) KernelMode Non-Alertable
ffffba8680ca7428 SynchronizationEvent
IRP List:
ffff800dc1377270: (0006,0478) Flags: 00000884 Mdl: 00000000
ffff800dc65de010: (0006,0478) Flags: 00000884 Mdl: 00000000
Impersonation token: ffff958caa481060 (Level Anonymous)
Owning Process ffff800dc12a0200 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 40117 Ticks: 250 (0:00:00:03.906)
Context Switch Count 1137 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.281
Win32 Start Address nt!ExpWorkerThread (0xfffff8074b541120)
Stack Init ffffba8680ca7fd0 Current ffffba8680ca6f70
Base ffffba8680ca8000 Limit ffffba8680ca1000 Call 0000000000000000
Priority 15 BasePriority 12 PriorityDecrement 16 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site ffffba86`80ca6fb0 fffff807`4b40c970 nt!KiSwapContext+0x76 ffffba86`80ca70f0 fffff807`4b40be9f nt!KiSwapThread+0x500 ffffba86`80ca71a0 fffff807`4b40b743 nt!KiCommitThreadWait+0x14f ffffba86`80ca7240 fffff807`4b40e61d nt!KeWaitForSingleObject+0x233 ffffba86`80ca7330 fffff807`4b40968a nt!ExpWaitForResource+0x6d ffffba86`80ca73b0 fffff807`4b4090f4 nt!ExpAcquireResourceSharedLite+0x4da ffffba86`80ca7470 fffff807`4b7f3c03 nt!ExAcquireResourceSharedLite+0x44 ffffba86`80ca74b0 fffff807`4f667779 nt!SeLockSubjectContext+0x53 ffffba86`80ca74e0 fffff807`4f66726a Ntfs!NtfsAccessCheck+0x1f9 ffffba86`80ca7710 fffff807`4f666f2d Ntfs!NtfsCheckExistingFile+0xda ffffba86`80ca77c0 fffff807`4f666564 Ntfs!NtfsOpenExistingAttr+0xdd ffffba86`80ca7880 fffff807`4f6655ca Ntfs!NtfsOpenAttributeInExistingFile+0x494 ffffba86`80ca7a70 fffff807`4f5fa44f Ntfs!NtfsOpenExistingPrefixFcb+0x22a ffffba86`80ca7b80 fffff807`4f5fb350 Ntfs!NtfsFindStartingNode+0x3ff ffffba86`80ca7c70 fffff807`4f612592 Ntfs!NtfsCommonCreate+0x580 ffffba86`80ca7f50 fffff807`4b5fa4fe Ntfs!NtfsCommonCreateCallout+0x22 ffffba86`80ca7f80 fffff807`4b5fa4bc nt!KxSwitchKernelStackCallout+0x2e (TrapFrame @ ffffba86`80ca7e40) ffffba86`7f9c0220 fffff807`4b498f2d nt!KiSwitchKernelStackContinue ffffba86`7f9c0240 fffff807`4b498d22 nt!KiExpandKernelStackAndCalloutOnStackSegment+0x19d ffffba86`7f9c02e0 fffff807`4b498b83 nt!KiExpandKernelStackAndCalloutSwitchStack+0xf2 ffffba86`7f9c0350 fffff807`4b498b3d nt!KeExpandKernelStackAndCalloutInternal+0x33 ffffba86`7f9c03c0 fffff807`4f616f73 nt!KeExpandKernelStackAndCalloutEx+0x1d ffffba86`7f9c0400 fffff807`4f5f7924 Ntfs!NtfsCommonCreateOnNewStack+0x5b ffffba86`7f9c0470 fffff807`4b5185b5 Ntfs!NtfsFsdCreate+0x274 ffffba86`7f9c06f0 fffff807`4e7d6ccf nt!IofCallDriver+0x55 ffffba86`7f9c0730 fffff807`4e80bbd4 FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f ffffba86`7f9c07a0 fffff807`4b5185b5 FLTMGR!FltpCreate+0x324 ffffba86`7f9c0850 fffff807`4b519ba4 nt!IofCallDriver+0x55 ffffba86`7f9c0890 fffff807`4b8e3e5d nt!IoCallDriverWithTracing+0x34 ffffba86`7f9c08e0 fffff807`4b7f23ce nt!IopParseDevice+0x117d ffffba86`7f9c0a50 fffff807`4b9014aa nt!ObpLookupObjectName+0x3fe ffffba86`7f9c0c20 fffff807`4b815c8f nt!ObOpenObjectByNameEx+0x1fa ffffba86`7f9c0d50 fffff807`4b81574d nt!IopCreateFile+0x40f ffffba86`7f9c0df0 fffff807`4e80df1f nt!IoCreateFileEx+0x11d ffffba86`7f9c0e90 fffff807`4e80e5ea FLTMGR!FltpExpandFilePathWorker+0x32f ffffba86`7f9c1000 fffff807`4e80a435 FLTMGR!FltpExpandFilePath+0x1e ffffba86`7f9c1050 fffff807`4e80aadb FLTMGR!FltpGetNormalizedFileNameWorker+0x225 ffffba86`7f9c10d0 fffff807`4e7d24c4 FLTMGR!FltpCreateFileNameInformation+0x2eb ffffba86`7f9c1150 fffff807`4e7d3504 FLTMGR!HandleStreamListNotSupported+0x134 ffffba86`7f9c1190 fffff807`4e7d40a1 FLTMGR!FltpGetFileNameInformation+0x5c4thank you a lot
Please guide me that what I should do
Hi again,
I fixed
my problem was the order of the call
my old code is:
SeCaptureSubjectContext
SeLockSubjectContext
ZwCreateFile
It cause dead lock on my system
And I still do not know exactly why this problem happend ?