BSOD when trying to create a DMF module

NTDEV
1

I am working on a driver that emulates a joystick device from mouse input. In order to ensure the emulated joystick has low latency and does not run into compatibility issues I decided to make a mouse filter in order to read incoming mouse input. I then need to convert that input to the format of the joystick. From my research it seems other people have used DMF to make a child device but I have some questions about merging the mouse filter driver and the joystick emulating into 1 single driver. Is it possible for my driver to be filtering mouse input and create a child device that spawns an emulated device that can be viewed from my device manager?

If so during my implementation of this (the mouse filter part already works) I got SYSTEM_THREAD_EXCEPTION_NOT_HANDLED error and wanted to know what caused it. The following is a condensed version of my code.

PDMFDEVICE_INIT dmfDeviceInit = NULL;

 dmfDeviceInit = DMF_DmfDeviceInitAllocate(DeviceInit);

        if (dmfDeviceInit == NULL)  {
            DebugMessage("DMF_DmfDeviceInitAllocate failed \n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        // I have more code here

        DMF_EVENT_CALLBACKS dmfEventCallbacks;
        DMF_EVENT_CALLBACKS_INIT(&dmfEventCallbacks);
        dmfEventCallbacks.EvtDmfDeviceModulesAdd = DmfDeviceModulesAdd;
        DMF_DmfDeviceInitSetEventCallbacks(dmfDeviceInit, &dmfEventCallbacks);

        status = DMF_ModulesCreate(device, &dmfDeviceInit); // <--- Error occurred on this line

        if (!NT_SUCCESS(status)) {
            DebugMessage("DMF_ModulesCreate failed with status %x \n", status);
            break;
        }

The following is the stack trace from my network debugger

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff801395531f0, The address that the exception occurred at
Arg3: ffff9d0ece5166b8, Exception Record Address
Arg4: ffff9d0ece515ef0, Context Record Address

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 4

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-SBQN4VR

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 7

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 70

    Key  : Analysis.System
    Value: CreateObject

BUGCHECK_CODE:  7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff801395531f0

BUGCHECK_P3: ffff9d0ece5166b8

BUGCHECK_P4: ffff9d0ece515ef0

EXCEPTION_RECORD:  ffff9d0ece5166b8 -- (.exr 0xffff9d0ece5166b8)
ExceptionAddress: fffff801395531f0 (WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x0000000000000010)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  ffff9d0ece515ef0 -- (.cxr 0xffff9d0ece515ef0)
rax=6f74737543666457 rbx=0000000000000000 rcx=fffff801530071e0
rdx=ffff9d0ece516900 rsi=0000000000000000 rdi=ffffa28fbec88300
rip=fffff801395531f0 rsp=ffff9d0ece5168f0 rbp=ffff9d0ece516990
 r8=00000000000001ee  r9=fffff801394dae08 r10=fffff80134a1e6f0
r11=ffff9d0ece516930 r12=00005d70409ad5c8 r13=00005d70409ad5c8
r14=ffff9d0ece516da0 r15=00005d7041377d78
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x10:
fffff801`395531f0 488b88c8000000  mov     rcx,qword ptr [rax+0C8h] ds:002b:6f747375`4366651f=????????????????
Resetting default scope

PROCESS_NAME:  System

READ_ADDRESS:  ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

EXCEPTION_STR:  0xc0000005

LOCK_ADDRESS:  fffff80135444ba0 -- (!locks fffff80135444ba0)

Resource @ nt!PiEngineLock (0xfffff80135444ba0)    Exclusively owned
    Contention Count = 5
     Threads: ffffa28fb9a62040-01<*> 
1 total locks

PNP_TRIAGE_DATA: 
	Lock address  : 0xfffff80135444ba0
	Thread Count  : 1
	Thread address: 0xffffa28fb9a62040
	Thread wait   : 0x3c1a

STACK_TEXT:  
ffff9d0e`ce5168f0 fffff801`530170b7 : 00000000`00000040 00000000`00000000 00005d70`41377d78 ffff9d0e`ce516da0 : WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x10
ffff9d0e`ce516920 fffff801`530179f4 : 00005d70`40dd72d8 00000000`00000000 ffffa28f`bea18800 ffff9d0e`ce516c80 : KMDF!DmfModuleInFlightRecorderInitialize+0xc7 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfCore.c @ 1038] 
ffff9d0e`ce5169a0 fffff801`53014281 : ffff9d0e`ce516da0 ffffa28f`bec88300 00005d70`41377d78 00000000`00000000 : KMDF!DMF_ModuleCreate+0x70c [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfCore.c @ 1429] 
ffff9d0e`ce516ae0 fffff801`5300c95a : ffffa28f`bea187e8 00000000`00000000 ffff9d0e`ce516e60 ffffa28f`c08b2b20 : KMDF!DMF_Bridge_Create+0x291 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\Modules.Core\Dmf_Bridge.c @ 2795] 
ffff9d0e`ce516d60 fffff801`5300e687 : ffffa28f`c099aee0 00005d70`3f665198 00000000`00000040 ffffa28f`be7ec810 : KMDF!DMF_ModuleCollectionCreate+0x4b6 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfModuleCollection.c @ 3517] 
ffff9d0e`ce516eb0 fffff801`5300ada0 : 00000000`00000000 00000000`00000000 ffffa28f`bf53fdd0 00000000`00000000 : KMDF!DMF_ModulesCreate+0x327 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfModuleCollection.c @ 3948] 
ffff9d0e`ce517040 fffff801`39494c07 : 00005d70`4116a198 ffffa28f`bc6f0120 ffffa28f`bc6f0120 fffff801`34a12e29 : KMDF!MouFilter_EvtDeviceAdd+0x410 [C:\Users\me\source\repos\KMDF\Moufiltr.c @ 224] 
ffff9d0e`ce517280 fffff801`39494b2c : ffffa28f`bc6f0120 fffff801`34b3bffc ffffa28f`bc6f0120 00000000`00002710 : Wdf01000!FxDriver::AddDevice+0xc7 [minkernel\wdf\framework\shared\core\km\fxdriverkm.cpp @ 72] 
ffff9d0e`ce5176a0 fffff801`34b6d98b : ffffa28f`becace30 fffff801`34ef4bfd 00000000`00000000 00000000`00000000 : Wdf01000!FxDriver::AddDevice+0x2c [minkernel\wdf\framework\shared\core\km\fxdriverkm.cpp @ 47] 
ffff9d0e`ce5176d0 fffff801`34f39580 : ffffa28f`becace30 ffffa28f`bf7896d0 00000000`00000005 ffffca80`7bdb4bba : nt!PpvUtilCallAddDevice+0x3b
ffff9d0e`ce517710 fffff801`34f369fb : 00000000`00000003 ffff9d0e`ce5178d0 ffffca80`7cdf1270 fffff801`00000002 : nt!PnpCallAddDevice+0x94
ffff9d0e`ce5177d0 fffff801`34f35d83 : ffffa28f`bc3eacb0 ffff9d0e`ce517a11 ffffa28f`bc3eacb0 00000000`00000000 : nt!PipCallDriverAddDevice+0x827
ffff9d0e`ce517990 fffff801`34f2fcc6 : ffffa28f`bc3eac00 ffffa28f`bea57101 ffff9d0e`ce517ab0 fffff801`00000000 : nt!PipProcessDevNodeTree+0x333
ffff9d0e`ce517a60 fffff801`34b6efba : 00000001`00000003 ffffa28f`bc3eacb0 00000000`00000000 ffffa28f`bea571e0 : nt!PiRestartDevice+0xba
ffff9d0e`ce517ab0 fffff801`34a8e5c5 : ffffa28f`b9a62040 ffffa28f`b9092cc0 fffff801`354433c0 ffffa28f`00000000 : nt!PnpDeviceActionWorker+0x46a
ffff9d0e`ce517b70 fffff801`34b265f5 : ffffa28f`b9a62040 00000000`00000080 ffffa28f`b9091040 000fa427`b19bbdff : nt!ExpWorkerThread+0x105
ffff9d0e`ce517c10 fffff801`34c048d8 : fffff801`32a5a180 ffffa28f`b9a62040 fffff801`34b265a0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffff9d0e`ce517c60 00000000`00000000 : ffff9d0e`ce518000 ffff9d0e`ce512000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

SYMBOL_NAME:  WppRecorder!imp_WppRecorderIsDefaultLogAvailable+10

MODULE_NAME: WppRecorder

IMAGE_NAME:  WppRecorder.sys

STACK_COMMAND:  .cxr 0xffff9d0ece515ef0 ; kb

BUCKET_ID_FUNC_OFFSET:  10

FAILURE_BUCKET_ID:  AV_WppRecorder!imp_WppRecorderIsDefaultLogAvailable

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {1cc4e0d3-a668-e140-3d59-dd12de006ed6}

Followup:     MachineOwner
2

What part of DMF are you trying to use? The kbfiltr example shows how to create a child device (you don’t want it raw), you can easily lift out the relevant code, https://github.com/microsoft/Windows-driver-samples/blob/main/input/kbfiltr/sys/kbfiltr.c. Even less work, use VHF (virtual hid framework) to report the joystick.

3

@Doron_Holan said:
What part of DMF are you trying to use? The kbfiltr example shows how to create a child device (you don’t want it raw), you can easily lift out the relevant code, https://github.com/microsoft/Windows-driver-samples/blob/main/input/kbfiltr/sys/kbfiltr.c. Even less work, use VHF (virtual hid framework) to report the joystick.

What do you mean by which part of DMF? Do you have an idea what could of caused the above error? Also the following is the code that belongs within the // “I have more code here” comment.

        DMF_DmfDeviceInitHookPnpPowerEventCallbacks(dmfDeviceInit, NULL);
        DMF_DmfDeviceInitHookPowerPolicyEventCallbacks(dmfDeviceInit, NULL);
        DebugMessage("DMF Test 3 \n");

#pragma region Prepare child list
        WDF_CHILD_LIST_CONFIG_INIT(&config, sizeof(PDO_IDENTIFICATION_DESCRIPTION), Bus_EvtDeviceListCreatePdo);

        config.EvtChildListIdentificationDescriptionCompare = EvtChildListIdentificationDescriptionCompare;

        WdfFdoInitSetDefaultChildListConfig(DeviceInit, &config, WDF_NO_OBJECT_ATTRIBUTES);
        DebugMessage("DMF Test 4 \n");
#pragma endregion

#pragma region Assign File Object Configuration
        WDF_FILEOBJECT_CONFIG_INIT(&foConfig, Bus_DeviceFileCreate, Bus_FileClose, NULL);

        WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&fileHandleAttributes, FDO_FILE_DATA);

        DMF_DmfDeviceInitHookFileObjectConfig(dmfDeviceInit, &foConfig);

        WdfDeviceInitSetFileObjectConfig(DeviceInit, &foConfig, &fileHandleAttributes);
        DebugMessage("DMF Test 5 \n");
#pragma endregion

#pragma region Create FDO
        WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&fdoAttributes, FDO_DEVICE_DATA);

        // Create a framework device object. This call will in turn create a WDM deviceobject, attach to the lower stack and set the appropriate flags and attributes.
        if (!NT_SUCCESS(status = WdfDeviceCreate(&DeviceInit, &fdoAttributes, &device))) {
            DebugMessage("WdfDeviceCreate failed with status %!STATUS! \n");
            break;
        }

        pFDOData = FdoGetData(device);
        pFDOData->InterfaceReferenceCounter = 0;
        pFDOData->NextSessionId = FDO_FIRST_SESSION_ID;
        DebugMessage("DMF Test 6 \n");
#pragma endregion

#pragma region Expose FDO interfac
        if (!NT_SUCCESS(status = WdfDeviceCreateDeviceInterface(device, &GUID_DEVINTERFACE_JOYSTICK, NULL))) {
            DebugMessage("WdfDeviceCreateDeviceInterface failed with status %x \n", status);
            break;
        }
        DebugMessage("DMF Test 7 \n");
#pragma endregion

#pragma region Set bus information
        busInfo.BusTypeGuid = GUID_BUS_TYPE_USB;
        busInfo.LegacyBusType = PNPBus;
        busInfo.BusNumber = 0;

        WdfDeviceSetBusInformationForChildren(device, &busInfo);
        DebugMessage("DMF Test 8 \n");
#pragma endregion
4

Is it even possible to use DMF_ModulesCreate from inside the add device function of a mouse filter driver? I know Doron_Holan said there was an example for keyboard filter drivers but the link he provided had no evidence of anything DMF related and I cant find any info regarding this BSOD.

5

Based on the fact that there is a Virtual HID driver sample in DMF (https://github.com/microsoft/DMF/tree/master/DmfSamples/VHidMini2Dmf), I assume this is possible. You might look over that code.

6

@Tim_Roberts said:
Based on the fact that there is a Virtual HID driver sample in DMF (https://github.com/microsoft/DMF/tree/master/DmfSamples/VHidMini2Dmf), I assume this is possible. You might look over that code.

I got a 404 not found error when I go to that link. Also I wish DMF was not so obscure since no one I have asked has ever had this issue before.

7

The web site’s markdown editor foolishly included the closing paren in the URL. Just delete that.

https://github.com/microsoft/DMF/tree/master/DmfSamples/VHidMini2Dmf

DMF is still quite new. I’ve never done a project with it.

8

Personally, I would rethink your use of DMF.

It’s a pretty nice little framework for the team that created it, but it’s another layer of unsupported and undocumented complexity and overhead that you just don’t need. WDF by itself, is easy enough for most things. And the risk with using DMF is that when something goes wrong, you’re basically on your own. It’s not widely used outside the MSFT internal team that created it. Why add another layer of random stuff to your code?

1 Like
9

@“Peter_Viscarola_(OSR)” said:
Personally, I would rethink your use of DMF.

It’s a pretty nice little framework for the team that created it, but it’s another layer of unsupported and undocumented complexity and overhead that you just don’t need. WDF by itself, is easy enough for most things. And the risk with using DMF is that when something goes wrong, you’re basically on your own. It’s not widely used outside the MSFT internal team that created it. Why add another layer of random stuff to your code?

When I was looking for examples of emulating devices like xbox controllers and joy sticks devices inside my mouse filter driver I only found ones that were done using DMF. If you know other examples of how to do it I would love to hear it since I am stuck on that.