System becomes unstable after installing an FS driver

yu_shang Member Posts: 41
edited June 2022 in NTFSD

I'm testing a very early FS driver on a virtual machine; the driver is at its very beginning:
1. It just calls IoRegisterFileSystem to register the CDO.
2. It responds to IRP_MN_MOUNT_VOLUME with STATUS_UNRECOGNIZED_VOLUME.
3. Plus other minimal setup.
After this, the test system (Windows 10 LTSC) behaves strangely:
1. It can boot if I do not connect to it with WinDbg.
2. If I connect with WinDbg, I always get a 0x0000000A (000000000000004c, 0000000000000002, 0000000000000001, fffff8005f2a81d8) bugcheck; the call stack is below. The bugcheck happens in IopMountInitializeVpb. The first argument (rcx) of IopMountInitializeVpb is a _DEVICE_OBJECT, and it seems that rcx->Vpb->DeviceObject is NULL, which is the cause of the bugcheck. How does this happen? Many thanks!

 # Child-SP          RetAddr               Call Site
00 fffff50f`bfd842f8 fffff800`5f4ac572     nt!DbgBreakPointWithStatus
01 fffff50f`bfd84300 fffff800`5f4abcf7     nt!KiBugCheckDebugBreak+0x12
02 fffff50f`bfd84360 fffff800`5f3cc147     nt!KeBugCheck2+0x957
03 fffff50f`bfd84a80 fffff800`5f3dd869     nt!KeBugCheckEx+0x107
04 fffff50f`bfd84ac0 fffff800`5f3d9c8e     nt!KiBugCheckDispatch+0x69
05 fffff50f`bfd84c00 fffff800`5f2a81d8     nt!KiPageFault+0x44e
06 fffff50f`bfd84d90 fffff800`5f780b49     nt!IopMountInitializeVpb+0x68     <=
07 fffff50f`bfd84dc0 fffff800`5f27d013     nt!IopMountVolume+0x45d
08 fffff50f`bfd84ec0 fffff800`5f74ce84     nt!IopCheckVpbMounted+0x1b3
09 fffff50f`bfd84f20 fffff800`5f7c4029     nt!IopParseDevice+0x314
0a fffff50f`bfd85090 fffff800`5f7c262f     nt!ObpLookupObjectName+0x719
0b fffff50f`bfd85260 fffff800`5f728874     nt!ObOpenObjectByNameEx+0x1df
0c fffff50f`bfd853a0 fffff800`5f7283c8     nt!IopCreateFile+0x404
0d fffff50f`bfd85440 fffff800`5f3dd285     nt!NtOpenFile+0x58
0e fffff50f`bfd854d0 fffff800`5f3cfd40     nt!KiSystemServiceCopyEnd+0x25
0f fffff50f`bfd856d8 fffff800`5f825e32     nt!KiServiceLinkage
10 fffff50f`bfd856e0 fffff800`5f333fbd     nt!SiGetDiskPartitionInformation+0x7e
11 fffff50f`bfd85790 fffff800`5f825add     nt!SiValidateSystemPartition+0x35
12 fffff50f`bfd858a0 fffff800`5f8258db     nt!SiGetBootDeviceName+0x129
13 fffff50f`bfd85940 fffff800`5f82587d     nt!SiGetFirmwareSystemPartition+0x4b
14 fffff50f`bfd85980 fffff800`5f832115     nt!SiGetSystemPartition+0x3d
15 fffff50f`bfd859c0 fffff800`5f832099     nt!SiGetSystemDeviceName+0x71
16 fffff50f`bfd85a50 fffff800`5f8310d5     nt!SyspartDirectGetSystemPartition+0x19
17 fffff50f`bfd85a80 fffff800`5f830fdb     nt!IopRetrieveSystemDeviceName+0xbd
18 fffff50f`bfd85ae0 fffff800`5f7c9beb     nt!IoQuerySystemDeviceName+0x27
19 fffff50f`bfd85b20 fffff800`5f7c8ceb     nt!ExpQuerySystemInformation+0xddb
1a fffff50f`bfd85d30 fffff800`5f3dd285     nt!NtQuerySystemInformation+0x2b
1b fffff50f`bfd85d70 fffff800`5f3cfd40     nt!KiSystemServiceCopyEnd+0x25
1c fffff50f`bfd85f08 fffff809`4a4eb41b     nt!KiServiceLinkage
1d fffff50f`bfd85f10 fffff809`4a4eb609     CI!CipGetSupplementalPolicyPathOnExpandedStack+0x3b
1e fffff50f`bfd85f50 fffff800`5f3cf80e     CI!CipGetSupplementalPolicyPathOnExpandedStackCallout+0x19
1f fffff50f`bfd85f80 fffff800`5f3cf7cc     nt!KxSwitchKernelStackCallout+0x2e
20 fffff50f`bfa05a30 fffff800`5f280405     nt!KiSwitchKernelStackContinue
21 fffff50f`bfa05a50 fffff800`5f28025c     nt!KiExpandKernelStackAndCalloutOnStackSegment+0x145
22 fffff50f`bfa05ad0 fffff800`5f2800d3     nt!KiExpandKernelStackAndCalloutSwitchStack+0xdc
23 fffff50f`bfa05b40 fffff800`5f28008d     nt!KeExpandKernelStackAndCalloutInternal+0x33
24 fffff50f`bfa05bb0 fffff809`4a4eb657     nt!KeExpandKernelStackAndCalloutEx+0x1d
25 fffff50f`bfa05bf0 fffff809`4a4ebb9a     CI!CipGetSupplementalPolicyPath+0x3f
26 fffff50f`bfa05c50 fffff809`4a4ebae3     CI!CipIsUnlockTokenPresentAndValid+0x22
27 fffff50f`bfa05c90 fffff809`4a4d2f53     CI!CiGetUnlockInformation+0x8f
28 fffff50f`bfa05d30 fffff800`5f7c7c25     CI!CipQueryPolicyInformation+0x43
29 fffff50f`bfa05d60 fffff800`5f7c96d0     nt!SeCodeIntegrityQueryPolicyInformation+0x15
2a fffff50f`bfa05da0 fffff800`5f7c8ceb     nt!ExpQuerySystemInformation+0x8c0
2b fffff50f`bfa05fb0 fffff800`5f3dd285     nt!NtQuerySystemInformation+0x2b
2c fffff50f`bfa05ff0 fffff800`5f3cfd40     nt!KiSystemServiceCopyEnd+0x25
2d fffff50f`bfa06188 fffff800`5f821004     nt!KiServiceLinkage
2e fffff50f`bfa06190 fffff800`5f8027ae     nt!ExpCloudbookHardwareLockedProvider+0x94
2f fffff50f`bfa06230 fffff800`5f8023a8     nt!ExQueryLicenseValueInternal+0x3de
30 fffff50f`bfa06490 fffff800`5f3dd285     nt!NtQueryLicenseValue+0x2a8
31 fffff50f`bfa06530 fffff800`5f3cfd40     nt!KiSystemServiceCopyEnd+0x25
32 fffff50f`bfa06738 fffff800`60eb50b1     nt!KiServiceLinkage
33 fffff50f`bfa06740 fffff800`60eb54a2     dam!DampCheckDplSupportedSystem+0xa9
34 fffff50f`bfa06800 fffff800`60eb5750     dam!DriverEntry+0x20e
35 fffff50f`bfa06900 fffff800`5f84cbc5     dam!GsDriverEntry+0x20
36 fffff50f`bfa06930 fffff800`5fb69cc8     nt!IopLoadDriver+0x4bd
37 fffff50f`bfa06b10 fffff800`5fb6f0f6     nt!IopInitializeSystemDrivers+0x134
38 fffff50f`bfa06bb0 fffff800`5f8c7a82     nt!IoInitSystem+0x12
39 fffff50f`bfa06be0 fffff800`5f33c6c5     nt!Phase1Initialization+0x42
3a fffff50f`bfa06c10 fffff800`5f3d349c     nt!PspSystemThreadStartup+0x55
3b fffff50f`bfa06c60 00000000`00000000     nt!KiStartSystemThread+0x1c

Comments

  • yu_shang Member Posts: 41
    edited June 2022

    Found the reason: I forgot to fill IRP.IoStatus.Status with STATUS_UNRECOGNIZED_VOLUME; just returning STATUS_UNRECOGNIZED_VOLUME is not enough.
    IRP.IoStatus.Status defaults to STATUS_SUCCESS, which misleads the PnP manager into believing that Parameters.MountVolume.Vpb->DeviceObject has been filled in by the FS driver.
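
An added example, not code from the thread or from the poster's driver: a small user-mode C model of the contract the fix above relies on. An FSD that completes IRP_MN_MOUNT_VOLUME synchronously must store the same NTSTATUS in Irp->IoStatus.Status that it returns, because IoCompleteRequest propagates Irp->IoStatus (not the dispatch routine's return value) to whoever is waiting on the IRP; a freshly allocated IRP is zero-initialised, so an untouched IoStatus.Status reads as STATUS_SUCCESS and the mount path then treats Vpb->DeviceObject as a valid volume device. The IRP, VPB and DEVICE_OBJECT structs below are deliberately minimal stand-ins (not the real kernel layouts), ModelIopMountVolume models the behaviour the poster observed rather than the kernel's actual code, and the only real constants used are the NTSTATUS values and FILE_DEVICE_DISK_FILE_SYSTEM. As a cross-check on the diagnosis: bugcheck argument 1 (0x4c) equals the offset of StackSize in a 64-bit DEVICE_OBJECT (`dt nt!_DEVICE_OBJECT StackSize` in WinDbg shows it), which fits a NULL Vpb->DeviceObject being dereferenced in IopMountInitializeVpb.

```c
/*
 * Added example (not code from the thread): a user-mode model of why
 * returning STATUS_UNRECOGNIZED_VOLUME is not enough. IRP, VPB and
 * DEVICE_OBJECT below are minimal stand-ins, NOT the real kernel layouts.
 * ModelIopMountVolume models the observed behaviour, not the kernel's code.
 * Build: cc -std=c11 -Wall mount_status.c -o mount_status
 */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS             ((NTSTATUS)0x00000000)
#define STATUS_UNRECOGNIZED_VOLUME ((NTSTATUS)0xC000014F)  /* real NTSTATUS value */
#define NT_SUCCESS(s)              ((NTSTATUS)(s) >= 0)
#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008              /* real constant */

typedef struct _DEVICE_OBJECT {
    int32_t DeviceType;
    int8_t  StackSize;      /* in the real x64 DEVICE_OBJECT this field sits at offset 0x4c */
} DEVICE_OBJECT;

typedef struct _VPB {
    DEVICE_OBJECT *DeviceObject; /* volume device; an FSD fills this in only when it mounts the volume */
    DEVICE_OBJECT *RealDevice;   /* the storage device being mounted */
} VPB;

typedef struct _IRP {
    struct { NTSTATUS Status; uintptr_t Information; } IoStatus;
    VPB *MountVpb;               /* stands in for IrpSp->Parameters.MountVolume.Vpb */
    bool Completed;              /* set by our stand-in for IoCompleteRequest */
} IRP;

typedef NTSTATUS (*MountDispatch)(IRP *Irp);

/* Stand-in for IoCompleteRequest: what reaches the waiter is Irp->IoStatus. */
static void CompleteRequest(IRP *Irp) { Irp->Completed = true; }

/* The original bug: the status travels only in the return value. */
static NTSTATUS MountDispatch_Buggy(IRP *Irp)
{
    CompleteRequest(Irp);        /* IoStatus.Status is still 0 == STATUS_SUCCESS */
    return STATUS_UNRECOGNIZED_VOLUME;
}

/* The fix: set IoStatus first, complete, and return the same value. */
static NTSTATUS MountDispatch_Fixed(IRP *Irp)
{
    Irp->IoStatus.Status = STATUS_UNRECOGNIZED_VOLUME;
    Irp->IoStatus.Information = 0;
    CompleteRequest(Irp);
    return Irp->IoStatus.Status;
}

/* A recognised volume: publish the volume device through the VPB and report
 * success in both places. g_VolumeDevice is a constructed stand-in. */
static DEVICE_OBJECT g_VolumeDevice = { FILE_DEVICE_DISK_FILE_SYSTEM, 1 };
static NTSTATUS MountDispatch_Recognised(IRP *Irp)
{
    Irp->MountVpb->DeviceObject = &g_VolumeDevice;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    CompleteRequest(Irp);
    return Irp->IoStatus.Status;
}

typedef enum { MOUNT_TRY_NEXT_FSD, MOUNT_SUCCEEDED, MOUNT_NULL_DEREF } MountOutcome;

/* Model of the mount path, following the poster's finding: the completed
 * IRP's IoStatus.Status decides. On success the kernel goes on to initialise
 * the VPB from Vpb->DeviceObject, which dereferences NULL if the FSD never
 * created a volume device. */
static MountOutcome ModelIopMountVolume(MountDispatch dispatch, VPB *Vpb)
{
    IRP irp = {0};               /* a freshly allocated IRP is zeroed: Status == STATUS_SUCCESS */
    irp.MountVpb = Vpb;
    (void)dispatch(&irp);        /* the return value is not what gets consulted here */
    assert(irp.Completed);
    if (!NT_SUCCESS(irp.IoStatus.Status))
        return MOUNT_TRY_NEXT_FSD;           /* offer the volume to the next registered FSD */
    if (Vpb->DeviceObject == NULL)
        return MOUNT_NULL_DEREF;             /* modelled read of Vpb->DeviceObject->StackSize */
    (void)Vpb->DeviceObject->StackSize;
    return MOUNT_SUCCEEDED;
}

/* Convenience: run one dispatch variant against a fresh, unmounted VPB. */
static MountOutcome RunMount(MountDispatch dispatch)
{
    VPB vpb = {0};               /* RealDevice omitted: the model never reads it */
    return ModelIopMountVolume(dispatch, &vpb);
}

/* Checked-build assertion worth keeping in a real FSD: for a synchronously
 * completed IRP the return value must equal IoStatus.Status. */
static bool DispatchIsConsistent(MountDispatch dispatch)
{
    IRP irp = {0};
    VPB vpb = {0};
    irp.MountVpb = &vpb;
    NTSTATUS ret = dispatch(&irp);
    return irp.Completed && ret == irp.IoStatus.Status;
}

int main(void)
{
    printf("buggy:      outcome=%d consistent=%d\n", RunMount(MountDispatch_Buggy), DispatchIsConsistent(MountDispatch_Buggy));
    printf("fixed:      outcome=%d consistent=%d\n", RunMount(MountDispatch_Fixed), DispatchIsConsistent(MountDispatch_Fixed));
    printf("recognised: outcome=%d consistent=%d\n", RunMount(MountDispatch_Recognised), DispatchIsConsistent(MountDispatch_Recognised));
    return 0;
}
```

The buggy variant reports MOUNT_NULL_DEREF (the model's equivalent of the 0xA bugcheck) while the fixed one hands the volume to the next FSD; DispatchIsConsistent is the check a practitioner would wire into a checked build's completion path so the mismatch is caught at the driver, not in IopMountInitializeVpb.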
