bad pool header

i have been over the code over and over again and when i get
irp read the system will crash with bad_pool_header.

i thik it has somthing to do with the event, could i please
have help.

(MOdified filespy code)

thank you

NTSTATUS
SpyReadCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID *Context
)
//COMPLETION ROUTINE FOR IRP_MJ_READ

{
PFILESPY_DEVICE_EXTENSION devExt = NULL;
PDEVICE_OBJECT PtrAssociatedDeviceObject = NULL;

devExt = (PFILESPY_DEVICE_EXTENSION)(Context);
ASSERT( devExt );

PtrAssociatedDeviceObject = DeviceObject;

//
// Propagate the IRP pending flag.
//

if (Irp->PendingReturned) {

IoMarkIrpPending( Irp );
}

if( devExt->IoAccessMode == IO_MODE_DIRECT ) {

PREAD_WORK_ITEM ReadDecryptWorkItem;
KEVENT waitReadDecrypt;

KeInitializeEvent( &waitReadDecrypt,
NotificationEvent, FALSE );

IoMarkIrpPending( Irp );

ReadDecryptWorkItem = ExAllocatePoolWithTag(
NonPagedPool, sizeof(PREAD_WORK_ITEM), READ_POOL_HEADER );

if (ReadDecryptWorkItem == NULL)
return STATUS_INSUFFICIENT_RESOURCES;

ReadDecryptWorkItem->Irp = Irp;
ReadDecryptWorkItem->waitReadDecrypt =
&waitReadDecrypt;

//
// Init the work item embedded in the private
structure
//

ReadDecryptWorkItem->WorkItem =
IoAllocateWorkItem( DeviceObject );

if ( ReadDecryptWorkItem->WorkItem == NULL ) {
ExFreePool(ReadDecryptWorkItem);
return STATUS_INSUFFICIENT_RESOURCES;
}

//
// Queue it for execution
//

IoQueueWorkItem( ReadDecryptWorkItem-

WorkItem, ReadWorkRoutine, DelayedWorkQueue,
ReadDecryptWorkItem );

DbgPrint( “waiting for event” );
KeWaitForSingleObject( &waitReadDecrypt,
Executive, KernelMode, FALSE, NULL );
DbgPrint( “finished waiting for event” );
DbgPrint( "Prof is " );
//DbgPrint( ReadDecryptWorkItem->Param3 );

//BECOUSE STATUS_MORE_PROCESS_NEEDED not
returned we don’t have to
//worrie about passing IRP back to I/O manager
//THIS IS BECOUSE we have a event that waits
for thread to exit
//before continuing, slower method , change
later

}

DbgPrint( "Completed IRP READ for device " );

return STATUS_SUCCESS;
}

VOID ReadWorkRoutine(IN PDEVICE_OBJECT DeviceObject, IN PVOID
Parameter )
{
PREAD_WORK_ITEM ReadDecryptWorkItem =
(PREAD_WORK_ITEM)Parameter;
ULONG tmp = DeviceObject->Flags;

ReadWork( ReadDecryptWorkItem->waitReadDecrypt,
ReadDecryptWorkItem->Param3 );

DbgPrint( “ReadWorkRoutine()” );

IoFreeWorkItem( ReadDecryptWorkItem->WorkItem );
ExFreePoolWithTag( ReadDecryptWorkItem,
READ_POOL_HEADER );
}

VOID ReadWork(PKEVENT waitReadDecrypt, PCHAR parameter3 )
{
DbgPrint( “ReadWork()” );

parameter3 = “1”;

if (waitReadDecrypt != NULL)
KeSetEvent( waitReadDecrypt, IO_NO_INCREMENT,
FALSE );
}

Why do you have the event on the stack?

wrote in message news:xxxxx@ntfsd…
>i have been over the code over and over again and when i get
> irp read the system will crash with bad_pool_header.
>
> i thik it has somthing to do with the event, could i please
> have help.
>
> (MOdified filespy code)
>
> thank you
>
> NTSTATUS
> SpyReadCompletion (
> IN PDEVICE_OBJECT DeviceObject,
> IN PIRP Irp,
> IN PVOID *Context
> )
> //COMPLETION ROUTINE FOR IRP_MJ_READ
>
> {
> PFILESPY_DEVICE_EXTENSION devExt = NULL;
> PDEVICE_OBJECT PtrAssociatedDeviceObject = NULL;
>
> devExt = (PFILESPY_DEVICE_EXTENSION)(Context);
> ASSERT( devExt );
>
> PtrAssociatedDeviceObject = DeviceObject;
>
> //
> // Propagate the IRP pending flag.
> //
>
> if (Irp->PendingReturned) {
>
> IoMarkIrpPending( Irp );
> }
>
> if( devExt->IoAccessMode == IO_MODE_DIRECT ) {
>
> PREAD_WORK_ITEM ReadDecryptWorkItem;
> KEVENT waitReadDecrypt;
>
> KeInitializeEvent( &waitReadDecrypt,
> NotificationEvent, FALSE );
>
> IoMarkIrpPending( Irp );
>
> ReadDecryptWorkItem = ExAllocatePoolWithTag(
> NonPagedPool, sizeof(PREAD_WORK_ITEM), READ_POOL_HEADER );
>
> if (ReadDecryptWorkItem == NULL)
> return STATUS_INSUFFICIENT_RESOURCES;
>
> ReadDecryptWorkItem->Irp = Irp;
> ReadDecryptWorkItem->waitReadDecrypt =
> &waitReadDecrypt;
>
> //
> // Init the work item embedded in the private
> structure
> //
>
> ReadDecryptWorkItem->WorkItem =
> IoAllocateWorkItem( DeviceObject );
>
> if ( ReadDecryptWorkItem->WorkItem == NULL ) {
> ExFreePool(ReadDecryptWorkItem);
> return STATUS_INSUFFICIENT_RESOURCES;
> }
>
>
> //
> // Queue it for execution
> //
>
> IoQueueWorkItem( ReadDecryptWorkItem-
>>WorkItem, ReadWorkRoutine, DelayedWorkQueue,
> ReadDecryptWorkItem );
>
> DbgPrint( “waiting for event” );
> KeWaitForSingleObject( &waitReadDecrypt,
> Executive, KernelMode, FALSE, NULL );
> DbgPrint( “finished waiting for event” );
> DbgPrint( "Prof is " );
> //DbgPrint( ReadDecryptWorkItem->Param3 );
>
> //BECOUSE STATUS_MORE_PROCESS_NEEDED not
> returned we don’t have to
> //worrie about passing IRP back to I/O manager
> //THIS IS BECOUSE we have a event that waits
> for thread to exit
> //before continuing, slower method , change
> later
>
> }
>
> DbgPrint( "Completed IRP READ for device " );
>
> return STATUS_SUCCESS;
> }
>
> VOID ReadWorkRoutine(IN PDEVICE_OBJECT DeviceObject, IN PVOID
> Parameter )
> {
> PREAD_WORK_ITEM ReadDecryptWorkItem =
> (PREAD_WORK_ITEM)Parameter;
> ULONG tmp = DeviceObject->Flags;
>
> ReadWork( ReadDecryptWorkItem->waitReadDecrypt,
> ReadDecryptWorkItem->Param3 );
>
> DbgPrint( “ReadWorkRoutine()” );
>
> IoFreeWorkItem( ReadDecryptWorkItem->WorkItem );
> ExFreePoolWithTag( ReadDecryptWorkItem,
> READ_POOL_HEADER );
> }
>
> VOID ReadWork(PKEVENT waitReadDecrypt, PCHAR parameter3 )
> {
> DbgPrint( “ReadWork()” );
>
> parameter3 = “1”;
>
> if (waitReadDecrypt != NULL)
> KeSetEvent( waitReadDecrypt, IO_NO_INCREMENT,
> FALSE );
> }
>

Even worse why are you waiting on an event from a READ completion routine/

“David J. Craig” wrote:

Why do you have the event on the stack?

wrote in message news:xxxxx@ntfsd…
> >i have been over the code over and over again and when i get
> > irp read the system will crash with bad_pool_header.
> >
> > i thik it has somthing to do with the event, could i please
> > have help.
> >
> > (MOdified filespy code)
> >
> > thank you
> >
> > NTSTATUS
> > SpyReadCompletion (
> > IN PDEVICE_OBJECT DeviceObject,
> > IN PIRP Irp,
> > IN PVOID *Context
> > )
> > //COMPLETION ROUTINE FOR IRP_MJ_READ
> >
> > {
> > PFILESPY_DEVICE_EXTENSION devExt = NULL;
> > PDEVICE_OBJECT PtrAssociatedDeviceObject = NULL;
> >
> > devExt = (PFILESPY_DEVICE_EXTENSION)(Context);
> > ASSERT( devExt );
> >
> > PtrAssociatedDeviceObject = DeviceObject;
> >
> > //
> > // Propagate the IRP pending flag.
> > //
> >
> > if (Irp->PendingReturned) {
> >
> > IoMarkIrpPending( Irp );
> > }
> >
> > if( devExt->IoAccessMode == IO_MODE_DIRECT ) {
> >
> > PREAD_WORK_ITEM ReadDecryptWorkItem;
> > KEVENT waitReadDecrypt;
> >
> > KeInitializeEvent( &waitReadDecrypt,
> > NotificationEvent, FALSE );
> >
> > IoMarkIrpPending( Irp );
> >
> > ReadDecryptWorkItem = ExAllocatePoolWithTag(
> > NonPagedPool, sizeof(PREAD_WORK_ITEM), READ_POOL_HEADER );
> >
> > if (ReadDecryptWorkItem == NULL)
> > return STATUS_INSUFFICIENT_RESOURCES;
> >
> > ReadDecryptWorkItem->Irp = Irp;
> > ReadDecryptWorkItem->waitReadDecrypt =
> > &waitReadDecrypt;
> >
> > //
> > // Init the work item embedded in the private
> > structure
> > //
> >
> > ReadDecryptWorkItem->WorkItem =
> > IoAllocateWorkItem( DeviceObject );
> >
> > if ( ReadDecryptWorkItem->WorkItem == NULL ) {
> > ExFreePool(ReadDecryptWorkItem);
> > return STATUS_INSUFFICIENT_RESOURCES;
> > }
> >
> >
> > //
> > // Queue it for execution
> > //
> >
> > IoQueueWorkItem( ReadDecryptWorkItem-
> >>WorkItem, ReadWorkRoutine, DelayedWorkQueue,
> > ReadDecryptWorkItem );
> >
> > DbgPrint( “waiting for event” );
> > KeWaitForSingleObject( &waitReadDecrypt,
> > Executive, KernelMode, FALSE, NULL );
> > DbgPrint( “finished waiting for event” );
> > DbgPrint( "Prof is " );
> > //DbgPrint( ReadDecryptWorkItem->Param3 );
> >
> > //BECOUSE STATUS_MORE_PROCESS_NEEDED not
> > returned we don’t have to
> > //worrie about passing IRP back to I/O manager
> > //THIS IS BECOUSE we have a event that waits
> > for thread to exit
> > //before continuing, slower method , change
> > later
> >
> > }
> >
> > DbgPrint( "Completed IRP READ for device " );
> >
> > return STATUS_SUCCESS;
> > }
> >
> > VOID ReadWorkRoutine(IN PDEVICE_OBJECT DeviceObject, IN PVOID
> > Parameter )
> > {
> > PREAD_WORK_ITEM ReadDecryptWorkItem =
> > (PREAD_WORK_ITEM)Parameter;
> > ULONG tmp = DeviceObject->Flags;
> >
> > ReadWork( ReadDecryptWorkItem->waitReadDecrypt,
> > ReadDecryptWorkItem->Param3 );
> >
> > DbgPrint( “ReadWorkRoutine()” );
> >
> > IoFreeWorkItem( ReadDecryptWorkItem->WorkItem );
> > ExFreePoolWithTag( ReadDecryptWorkItem,
> > READ_POOL_HEADER );
> > }
> >
> > VOID ReadWork(PKEVENT waitReadDecrypt, PCHAR parameter3 )
> > {
> > DbgPrint( “ReadWork()” );
> >
> > parameter3 = “1”;
> >
> > if (waitReadDecrypt != NULL)
> > KeSetEvent( waitReadDecrypt, IO_NO_INCREMENT,
> > FALSE );
> > }
> >
>
> —
> Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

How about debugging the crash dump with WinDbg and checking what item is freed
twice? A stack trace will also reveal where it was freed.

xxxxx@uow.edu.au wrote:

i have been over the code over and over again and when i get
irp read the system will crash with bad_pool_header.

i thik it has somthing to do with the event, could i please
have help.

(MOdified filespy code)

thank you

NTSTATUS
SpyReadCompletion (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID *Context
)
//COMPLETION ROUTINE FOR IRP_MJ_READ

{
PFILESPY_DEVICE_EXTENSION devExt = NULL;
PDEVICE_OBJECT PtrAssociatedDeviceObject = NULL;

devExt = (PFILESPY_DEVICE_EXTENSION)(Context);
ASSERT( devExt );

PtrAssociatedDeviceObject = DeviceObject;

//
// Propagate the IRP pending flag.
//

if (Irp->PendingReturned) {

IoMarkIrpPending( Irp );
}

if( devExt->IoAccessMode == IO_MODE_DIRECT ) {

PREAD_WORK_ITEM ReadDecryptWorkItem;
KEVENT waitReadDecrypt;

KeInitializeEvent( &waitReadDecrypt,
NotificationEvent, FALSE );

IoMarkIrpPending( Irp );

ReadDecryptWorkItem = ExAllocatePoolWithTag(
NonPagedPool, sizeof(PREAD_WORK_ITEM), READ_POOL_HEADER );

if (ReadDecryptWorkItem == NULL)
return STATUS_INSUFFICIENT_RESOURCES;

ReadDecryptWorkItem->Irp = Irp;
ReadDecryptWorkItem->waitReadDecrypt =
&waitReadDecrypt;

//
// Init the work item embedded in the private
structure
//

ReadDecryptWorkItem->WorkItem =
IoAllocateWorkItem( DeviceObject );

if ( ReadDecryptWorkItem->WorkItem == NULL ) {
ExFreePool(ReadDecryptWorkItem);
return STATUS_INSUFFICIENT_RESOURCES;
}

//
// Queue it for execution
//

IoQueueWorkItem( ReadDecryptWorkItem-
>WorkItem, ReadWorkRoutine, DelayedWorkQueue,
ReadDecryptWorkItem );

DbgPrint( “waiting for event” );
KeWaitForSingleObject( &waitReadDecrypt,
Executive, KernelMode, FALSE, NULL );
DbgPrint( “finished waiting for event” );
DbgPrint( "Prof is " );
//DbgPrint( ReadDecryptWorkItem->Param3 );

//BECOUSE STATUS_MORE_PROCESS_NEEDED not
returned we don’t have to
//worrie about passing IRP back to I/O manager
//THIS IS BECOUSE we have a event that waits
for thread to exit
//before continuing, slower method , change
later

}

DbgPrint( "Completed IRP READ for device " );

return STATUS_SUCCESS;
}

VOID ReadWorkRoutine(IN PDEVICE_OBJECT DeviceObject, IN PVOID
Parameter )
{
PREAD_WORK_ITEM ReadDecryptWorkItem =
(PREAD_WORK_ITEM)Parameter;
ULONG tmp = DeviceObject->Flags;

ReadWork( ReadDecryptWorkItem->waitReadDecrypt,
ReadDecryptWorkItem->Param3 );

DbgPrint( “ReadWorkRoutine()” );

IoFreeWorkItem( ReadDecryptWorkItem->WorkItem );
ExFreePoolWithTag( ReadDecryptWorkItem,
READ_POOL_HEADER );
}

VOID ReadWork(PKEVENT waitReadDecrypt, PCHAR parameter3 )
{
DbgPrint( “ReadWork()” );

parameter3 = “1”;

if (waitReadDecrypt != NULL)
KeSetEvent( waitReadDecrypt, IO_NO_INCREMENT,
FALSE );
}


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

is this a bad idea? what is a better way ?, i am trying to
have a read=20
routine that will decrypt data that has been read from file.

The bad idea is that waiting on a non-zero interval on a high IRQL (which is
generally very likely during a read completion) will cause a bug check. This is not
the problem you are observing here, but it is another problem in your code.

xxxxx@uow.edu.au wrote:

is this a bad idea? what is a better way ?, i am trying to
have a read=20
routine that will decrypt data that has been read from file.


Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

what would be a better structure ?