Hi,
A few senior persons might have guessed it yesterday, while helping me on my last post. So my code to send a rename IRP to NTFS started working and I got my first BSOD too. From the call stack it seems that it fails at nt!Kei386EoiHelper (I know, my code is the culprit).
In another post, Anton Bassov said that “this is invoked upon returning from interrupt”. So does it mean that I forgot to set something which is required by this function while returning from an interrupt? If yes, then kindly suggest what it could possibly be.
Following is the output from WinDbg:
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00190292
Arg2: f81f2704
Arg3: f81f2400
Arg4: 804e8ec8
Debugging Details:
EXCEPTION_RECORD: f81f2704 - (.exr fffffffff81f2704)
ExceptionAddress: 804e8ec8 (nt!IoIsOperationSynchronous+0x0000000e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 656e6f7a
Attempt to read from address 656e6f7a
CONTEXT: f81f2400 - (.cxr fffffffff81f2400)
eax=81c76a00 ebx=81c76a00 ecx=656e6f4e edx=81c76a00 esi=f81f27e8 edi=00000000
eip=804e8ec8 esp=f81f27cc ebp=f81f27cc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!IoIsOperationSynchronous+0xe:
804e8ec8 f6412c02 test byte ptr [ecx+2Ch],2 ds:0023:656e6f7a=??
Resetting default scope
PROCESS_NAME: CallingApp.exe (This process sends a IOCTL to driver)
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 656e6f7a
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
LAST_CONTROL_TRANSFER: from f83a9a9e to 804e8ec8
STACK_TEXT:
f81f27cc f83a9a9e 81c76a00 f81f2818 81ce6bc8 nt!IoIsOperationSynchronous+0xe
f81f2834 804e3d77 823e4770 81c76a00 822aa7e8 Ntfs!NtfsFsdSetInformation+0x47
f81f2844 f5b22cab 0dac366f 81ce6bc8 822aa7e8 nt!IopfCallDriver+0x31
f81f28fc f5b213b5 00000000 8203bd10 00000000 MyDriver!MyZwRenameFile+0x38b [d:\vss\stealthviewer\stealthdrv\stealth.c @ 1698]
f81f2c24 f5b21d71 821d8638 c00000ef f81f2c58 MyDriver!DeviceDispatcher+0x545 [d:\vss\stealthviewer\stealthdrv\stealth.c @ 704]
f81f2c34 804e3d77 81d34b60 821d8638 806ee2d0 MyDriver!DriverDispatcher+0x21 [d:\vss\stealthviewer\stealthdrv\stealth.c @ 1062]
f81f2c44 8056a9ab 821d86a8 81fa5288 821d8638 nt!IopfCallDriver+0x31
f81f2c58 8057d9f7 81d34b60 821d8638 81fa5288 nt!IopSynchronousServiceTail+0x60
f81f2d00 8057fbfa 000000f0 00000000 00000000 nt!IopXxxControlFile+0x611
f81f2d34 804df06b 000000f0 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f81f2d34 7c90eb94 000000f0 00000000 00000000 nt!KiFastCallEntry+0xf8
00f7fe68 7c90d8ef 7c801671 000000f0 00000000 ntdll!KiFastSystemCallRet
00f7fe6c 7c801671 000000f0 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
00f7fecc 1000f36b 000000f0 0022e090 00f7ff58 kernel32!DeviceIoControl+0xdd
00f7ff90 10033114 00000000 10058b3c 00f7ffec
FOLLOWUP_IP:
Ntfs!NtfsFsdSetInformation+47
f83a9a9e 50 push eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: Ntfs!NtfsFsdSetInformation+47
kd> kb
ChildEBP RetAddr Args to Child
f81f1da8 805328e7 00000003 f81f2104 00000000 nt!RtlpBreakWithStatusInstruction
f81f1df4 805333be 00000003 c0000005 00000000 nt!KiBugCheckDebugBreak+0x19
f81f21d4 805339ae 00000024 00190292 f81f2704 nt!KeBugCheck2+0x574
f81f21f4 f83b4051 00000024 00190292 f81f2704 nt!KeBugCheckEx+0x1b
f81f2224 f83ad2a2 00000000 f81f2250 804e2b52 Ntfs!NtfsExceptionFilter+0x1cd
f81f2230 804e2b52 f81f2258 00000000 f81f2258 Ntfs!NtfsFsdSetInformation+0xc1
f81f2258 804db9fd f81f2704 f81f2824 f81f2400 nt!_except_handler3+0x61
f81f227c 804db9ca f81f2704 f81f2824 f81f2400 nt!ExecuteHandler2+0x26
f81f232c 8050c72e f81f2704 f81f2400 656e6f7a nt!ExecuteHandler+0x24
f81f26e8 804dfada f81f2704 00000000 f81f2758 nt!KiDispatchException+0x13e
f81f2750 804dfa86 f81f27cc 804e8ec8 badb0d00 nt!CommonDispatchException+0x4d
f81f2774 f8a509aa f8a50d20 f81f27af 00000000 nt!Kei386EoiHelper+0x18a
f81f27cc f83a9a9e 81c76a00 f81f2818 81ce6bc8 kdcom!KdCompPollByte+0x10
f81f27cc f83a9a9e 81c76a00 f81f2818 81ce6bc8 Ntfs!NtfsFsdSetInformation+0x47
f81f2834 804e3d77 823e4770 81c76a00 822aa7e8 Ntfs!NtfsFsdSetInformation+0x47
f81f2844 f5b22cab 0dac366f 81ce6bc8 822aa7e8 nt!IopfCallDriver+0x31
f81f28fc f5b213b5 00000000 8203bd10 00000000 MyDriver!MyZwRenameFile+0x38b [d:\vss\stealthviewer\stealthdrv\stealth.c @ 1698]
f81f2c24 f5b21d71 821d8638 c00000ef f81f2c58 MyDriver!DeviceDispatcher+0x545 [d:\vss\stealthviewer\stealthdrv\stealth.c @ 704]
f81f2c34 804e3d77 81d34b60 821d8638 806ee2d0 MyDriver!DriverDispatcher+0x21 [d:\vss\stealthviewer\stealthdrv\stealth.c @ 1062]
f81f2c44 8056a9ab 821d86a8 81fa5288 821d8638 nt!IopfCallDriver+0x31
In case it's not that straightforward, please provide some pointers to investigate.
Thanks
Aditya
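An added triage helper (my code, not from the post or from WinDbg) that checks the two things the !analyze output above already hints at: that the faulting read address equals ecx+0x2C from the faulting instruction, and that both ecx and the fault address decode as printable ASCII, which is what the STRING_DEREFERENCE bucket is flagging. My reading is that IoIsOperationSynchronous is testing FileObject->Flags for FO_SYNCHRONOUS_IO (0x2), so the IRP stack location's FileObject pointer holds the bytes "None" rather than a FILE_OBJECT; the excerpt parsed below is constructed from the lines quoted in the post.

```python
import re
import string

# Constructed excerpt of the !analyze -v output quoted in the post.
DUMP = """\
ExceptionAddress: 804e8ec8 (nt!IoIsOperationSynchronous+0x0000000e)
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 00000000
Parameter[1]: 656e6f7a
eax=81c76a00 ebx=81c76a00 ecx=656e6f4e edx=81c76a00 esi=f81f27e8 edi=00000000
eip=804e8ec8 esp=f81f27cc ebp=f81f27cc iopl=0 nv up ei pl zr na pe nc
804e8ec8 f6412c02 test byte ptr [ecx+2Ch],2 ds:0023:656e6f7a=??
"""

def parse_registers(text):
    """Collect the x86 general registers and eip from the CONTEXT lines."""
    pat = r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})"
    return {m.group(1): int(m.group(2), 16) for m in re.finditer(pat, text)}

def parse_fault(text):
    """Parameter[0] == 0 means a read fault; Parameter[1] is the address touched."""
    p0 = int(re.search(r"Parameter\[0\]:\s*([0-9a-fA-F]+)", text).group(1), 16)
    p1 = int(re.search(r"Parameter\[1\]:\s*([0-9a-fA-F]+)", text).group(1), 16)
    return ("read" if p0 == 0 else "write"), p1

def parse_memory_operand(text):
    """Faulting instruction operand such as '[ecx+2Ch]' -> ('ecx', 0x2c)."""
    m = re.search(r"\[(e[a-z]{2})\+([0-9a-fA-F]+)h\]", text)
    return m.group(1), int(m.group(2), 16)

def as_ascii(value):
    """Little-endian bytes of a 32-bit value as text, or None if not all printable."""
    text = value.to_bytes(4, "little").decode("ascii", errors="replace")
    ok = all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in text)
    return text if ok else None

def triage(text):
    """Cross-check the fault address against the operand and flag string-as-pointer."""
    regs = parse_registers(text)
    access, fault_addr = parse_fault(text)
    base_reg, disp = parse_memory_operand(text)
    base = regs[base_reg]
    return {
        "access": access,
        "fault_addr": fault_addr,
        "base_reg": base_reg,
        "base": base,
        "displacement": disp,
        # True when the register+displacement really produced the faulting address.
        "operand_matches_fault": (base + disp) & 0xFFFFFFFF == fault_addr,
        "base_as_ascii": as_ascii(base),        # "None" for this dump
        "fault_as_ascii": as_ascii(fault_addr), # "zone" for this dump
        "string_dereference": as_ascii(base) is not None,
    }
```

A base register that decodes cleanly as text, with a genuine kernel pointer such as eax=81c76a00 failing the same check, tells you the structure pointer itself was overwritten by character data before NTFS ever saw the IRP.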