a BSOD of KERNEL_STACK_INPAGE_ERROR?

Hi all,
I have a BSOD problem of KERNEL_STACK_INPAGE_ERROR, which may be triggered by the following code:

NTSTATUS
NTAPI
HookCreateSection(OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PLARGE_INTEGER MaximumSize,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle)
{
// NOTE(review): this listing is an excerpt. The local declarations, the HOOKEND
// label, the call to the original NtCreateSection and the final return were
// elided (the quoted copy shows "..." here), so the types of ntstatus/ntStatus,
// pFileObject, hFileHandle, IoStatus, StandardFileInfo, nFileLen, ReadFileLen,
// ntemLen, pbData, i and CheckSumImage cannot be checked from what is posted.
// Two spellings are used for the status variable below (ntstatus on the first
// call, ntStatus everywhere else); if these are two distinct variables the
// first failure check tests the right one, otherwise it is a typo to fix.

// FileHandle is the hooked caller's handle, i.e. untrusted input. Passing
// KernelMode as AccessMode skips the access check for SYNCHRONIZE|FILE_READ_DATA,
// so a caller whose handle lacks read access still gets the file read here.
// The reference taken by ObReferenceObjectByHandle must be released with
// ObDereferenceObject; no such call appears in the visible code (it may be in
// the elided HOOKEND section -- confirm).
ntstatus = ObReferenceObjectByHandle(FileHandle, SYNCHRONIZE|FILE_READ_DATA, 0,
KernelMode,
&pFileObject,
NULL);
if(!NT_SUCCESS(ntstatus))
{
goto HOOKEND;
}
// Opens a second handle on the same file object. HandleAttributes is 0, so
// (absent OBJ_KERNEL_HANDLE) the handle lands in the current process's handle
// table and is reachable from that process while this routine runs -- confirm
// this is intended.
ntStatus = ObOpenObjectByPointer(pFileObject,
0,
NULL,
SYNCHRONIZE|FILE_READ_DATA,
NULL,KernelMode,
&hFileHandle);
if(!NT_SUCCESS(ntStatus))
{
goto HOOKEND;
}
ntStatus = ZwQueryInformationFile(hFileHandle,
&IoStatus,
&StandardFileInfo,
sizeof(FILE_STANDARD_INFORMATION),
FileStandardInformation);

if(ntStatus != STATUS_SUCCESS)
{
ZwClose(hFileHandle);
goto HOOKEND;
}
// Only the low 32 bits of EndOfFile are used; a file of 4 GiB or more is
// silently truncated to its low part and checksummed only partially.
nFileLen=StandardFileInfo.EndOfFile.LowPart;
if ((nFileLen==0)||(nFileLen==0xFFFFFFFF))
{
ZwClose(hFileHandle);
goto HOOKEND;
}
// Buffer is the smaller of the whole file and one ReadFileLen chunk, plus one
// byte. The 0xFFFFFFFF check above keeps nFileLen+1 from wrapping; ReadFileLen
// is defined outside this excerpt.
if(nFileLen <= ReadFileLen)
{
pbData=(PCHAR)ExAllocatePool(NonPagedPool, nFileLen+1);
ntemLen=nFileLen+1;
}
else
{
pbData=(PCHAR)ExAllocatePool(NonPagedPool, ReadFileLen+1);
ntemLen=ReadFileLen+1;
}
if (pbData==NULL)
{
//zz KdPrint((“ProcessCheckSum: ExAllocatePool failed!\n”));
ZwClose(hFileHandle);
goto HOOKEND;
}
RtlZeroMemory(pbData,ntemLen);

if(nFileLen <= ReadFileLen)
{
// Every ZwReadFile in this routine passes Event == NULL and ByteOffset == NULL,
// so it reads at the file object's current byte offset and relies on the file
// object having been opened for synchronous I/O; the caller's handle, not this
// code, decides that. If it was not, the call can complete asynchronously
// (STATUS_PENDING) and pbData is checksummed before the data arrives. The
// reads also advance the caller's CurrentByteOffset as a side effect, and
// IoStatus.Information (bytes actually read) is never compared with the
// requested length, so a short read is checksummed as if it were full.
ntStatus=ZwReadFile(hFileHandle,
NULL,
NULL,
NULL,
&IoStatus,
(PVOID)pbData,
nFileLen,
NULL,
NULL);
if(ntStatus != STATUS_SUCCESS)
{
//zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
ZwClose(hFileHandle);
ExFreePool(pbData);
// BUG: the function is declared NTSTATUS, and FALSE is 0 == STATUS_SUCCESS.
// The hooked caller therefore sees success although *SectionHandle was never
// written and the original NtCreateSection was never invoked; this path also
// bypasses whatever cleanup HOOKEND performs (the object reference above).
// Compare the remainder read further down, which does goto HOOKEND instead.
return FALSE;
}
// calculate the crc valure
CheckSum(CheckSumImage,pbData,nFileLen);
}
else
{
// NOTE(review): the loop header was garbled when posted ("for(i = 0;i {").
// Given the remainder arithmetic below, it presumably iterates
// nFileLen/ReadFileLen full chunks -- confirm against the original source.
for(i = 0;i {
ntStatus=ZwReadFile(hFileHandle,
NULL,
NULL,
NULL,
&IoStatus,
(PVOID)pbData,
ReadFileLen,
NULL,
NULL);
if(ntStatus != STATUS_SUCCESS)
{
//zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
ZwClose(hFileHandle);
ExFreePool(pbData);
// BUG: same as above -- FALSE == STATUS_SUCCESS from an NTSTATUS routine,
// and HOOKEND cleanup is skipped.
return FALSE;
}
CheckSum(CheckSumImage,pbData,ReadFileLen);
RtlZeroMemory(pbData,ReadFileLen);
}
// Reads the trailing partial chunk: nFileLen mod ReadFileLen, written out as
// nFileLen - ReadFileLen*(nFileLen/ReadFileLen). When nFileLen is an exact
// multiple of ReadFileLen this issues a zero-length read.
ntStatus=ZwReadFile(hFileHandle,
NULL,
NULL,
NULL,
&IoStatus,
(PVOID)pbData,
nFileLen-ReadFileLen*(nFileLen/ReadFileLen),
NULL,
NULL);
if(ntStatus != STATUS_SUCCESS)
{
//zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
ZwClose(hFileHandle);
ExFreePool(pbData);
goto HOOKEND;
}
CheckSum(CheckSumImage,pbData,nFileLen-ReadFileLen*(nFileLen/ReadFileLen));
}

// Success path: handle and buffer are released here, but the pFileObject
// reference is not, and no status is set for the caller -- both presumably
// belong to the elided part of the routine.
ZwClose(hFileHandle);
ExFreePool(pbData);

}

Can anyone tell me where I am wrong? Thank you!

Generally speaking, you can use WinDbg to find the offending line of code so
there is no need to guess. If you are hooking, you need to make sure you
have a legitimate purpose for it and you are not missing a proper solution
for the problem you are trying to solve. Writing hooks is very tricky, you
really need to know what you are doing and you are not giving this
impression.

Although there appear to be some problems with the code you have posted, it
is not clear if you are checking the validity of all parameters passed to
the hooked function by probing before accessing them. Sysinternals used to
offer a utility called NtCrash2 which calls system functions from usermode
with random parameters. Originally intended to find bugs in the operating
system, it was a great tool to test if system call hooks are doing parameter
checking properly. Unfortunately since they got acquired by MS, this tool is
no longer available.

Also note this group is for file system related stuff, your message is
better off in ntdev or any of the public groups.

/Daniel

wrote in message news:xxxxx@ntfsd…
> Hi all,
> I have a BSOD problem of KERNEL_STACK_INPAGE_ERROR, which may be
> trigered by the following codes:
>
> NTSTATUS
> NTAPI
> HookCreateSection(OUT PHANDLE SectionHandle,
> IN ACCESS_MASK DesiredAccess,
> IN POBJECT_ATTRIBUTES ObjectAttributes,
> IN PLARGE_INTEGER MaximumSize,
> IN ULONG SectionPageProtection,
> IN ULONG AllocationAttributes,
> IN HANDLE FileHandle)
> {
> …
> ntstatus = ObReferenceObjectByHandle(FileHandle,
> SYNCHRONIZE|FILE_READ_DATA, 0,
> KernelMode,
> &pFileObject,
> NULL);
> if(!NT_SUCCESS(ntstatus))
> {
> goto HOOKEND;
> }
> ntStatus = ObOpenObjectByPointer(pFileObject,
> 0,
> NULL,
> SYNCHRONIZE|FILE_READ_DATA,
> NULL,KernelMode,
> &hFileHandle);
> if(!NT_SUCCESS(ntStatus))
> {
> goto HOOKEND;
> }
> ntStatus = ZwQueryInformationFile(hFileHandle,
> &IoStatus,
> &StandardFileInfo,
> sizeof(FILE_STANDARD_INFORMATION),
> FileStandardInformation);
>
> if(ntStatus != STATUS_SUCCESS)
> {
> ZwClose(hFileHandle);
> goto HOOKEND;
> }
> nFileLen=StandardFileInfo.EndOfFile.LowPart;
> if ((nFileLen==0)||(nFileLen==0xFFFFFFFF))
> {
> ZwClose(hFileHandle);
> goto HOOKEND;
> }
> if(nFileLen <= ReadFileLen)
> {
> pbData=(PCHAR)ExAllocatePool(NonPagedPool, nFileLen+1);
> ntemLen=nFileLen+1;
> }
> else
> {
> pbData=(PCHAR)ExAllocatePool(NonPagedPool, ReadFileLen+1);
> ntemLen=ReadFileLen+1;
> }
> if (pbData==NULL)
> {
> //zz KdPrint((“ProcessCheckSum: ExAllocatePool failed!\n”));
> ZwClose(hFileHandle);
> goto HOOKEND;
> }
> RtlZeroMemory(pbData,ntemLen);
>
> if(nFileLen <= ReadFileLen)
> {
> ntStatus=ZwReadFile(hFileHandle,
> NULL,
> NULL,
> NULL,
> &IoStatus,
> (PVOID)pbData,
> nFileLen,
> NULL,
> NULL);
> if(ntStatus != STATUS_SUCCESS)
> {
> //zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
> ZwClose(hFileHandle);
> ExFreePool(pbData);
> return FALSE;
> }
> // calculate the crc valure
> CheckSum(CheckSumImage,pbData,nFileLen);
> }
> else
> {
> for(i = 0;i> {
> ntStatus=ZwReadFile(hFileHandle,
> NULL,
> NULL,
> NULL,
> &IoStatus,
> (PVOID)pbData,
> ReadFileLen,
> NULL,
> NULL);
> if(ntStatus != STATUS_SUCCESS)
> {
> //zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
> ZwClose(hFileHandle);
> ExFreePool(pbData);
> return FALSE;
> }
> CheckSum(CheckSumImage,pbData,ReadFileLen);
> RtlZeroMemory(pbData,ReadFileLen);
> }
> ntStatus=ZwReadFile(hFileHandle,
> NULL,
> NULL,
> NULL,
> &IoStatus,
> (PVOID)pbData,
> nFileLen-ReadFileLen*(nFileLen/ReadFileLen),
> NULL,
> NULL);
> if(ntStatus != STATUS_SUCCESS)
> {
> //zz KdPrint((“ProcessCheckSum: ZwReadFile %s Failed\n”, pFile));
> ZwClose(hFileHandle);
> ExFreePool(pbData);
> goto HOOKEND;
> }
>
> CheckSum(CheckSumImage,pbData,nFileLen-ReadFileLen*(nFileLen/ReadFileLen));
> }
>
> ZwClose(hFileHandle);
> ExFreePool(pbData);
> …
> }
>
> Can anyone tell me where i am wrong, thank you!
>

Thanks for your reply. The dump file is very simple and I cannot see any useful information in it, so I am
here for some advice. In addition, I have been stuck with this problem for several days, so any help is appreciated.

If you got Windbg set up and have symbols loaded for your module and a bug
check occurs, Windbg will display the offending line of code. What is the
purpose of hooking ZwCreateSection, what are you doing this for and what are
you building with it ?

/Daniel

wrote in message news:xxxxx@ntfsd…
> Thanks for your reply, the dump file is very simple, i can not see any
> information useful, so i am
> here for some advices,in addition, i have been in such trouble for several
> days, so any help are appreciated.
>

The main idea of my program is to check whether the executable image of a process is corrupted
before the process is created; if it is, I will fail the creation of the process. So in my program, I get
the file handle of the executable image of the process from the ZwCreateSection parameter, then get its
corresponding file object, then open the file with this file object, then read the file, so that I can
verify the CRC of the file. I am not sure whether the way I read the file is correct, so please help me.

In this case my advice is to trash this code and refrain from hooking, you
can do these things much easier and safer with the
PsSetLoadImageNotifyRoutine.

/Daniel

wrote in message news:xxxxx@ntfsd…
> the main idea of my program is to check whether the executive image of a
> process is corrupted
> before the process is created, if it is, i will faile the creation of the
> process. so in my program, i get
> hte file handle of the executive image of the process from the
> zwcreation’s parameter, then get it’s
> correspointed file object, then open the file with this file object, then
> read the file, so that i can
> verify the crc of the file, i am not sure whether the way reading the file
> is correct, so please help me.
>

If I try to achieve the goal with PsSetLoadImageNotifyRoutine, I think it is a little difficult to fail the process's
creation, while if I hook NtCreateSection, I can just return STATUS_UNSUCCESSFUL, which is a little easier.

There have been lots of discussions about this, for example check out the
suggestions from this thread:
http://www.tutorials-blog.com/nt/Bypassing-executables/ .

/Daniel

wrote in message news:xxxxx@ntfsd…
> if achieve the goal with PsSetLoadImageNotifyRoutine, i think it’s a
> little difficult to fail the process’s
> creation, while if i hook ntcreatesection, i can just return
> status_unsuccessful, it’s a little easy.
>