BSOD in my filter driver

Hello all,
I am a beginner. Recently, I am trying to write a filter driver, but there is a BSOD issue in my dispatch routine that processes the IRP_MJ_READ IRP. I don't know how to deal with it. The following is my simple sample code. Could you help me? Thanks in advance! Sorry for my poor English!!!

NTSTATUS SfRead(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION pIrpSp;
    PFILE_OBJECT pFileObject;
    PSFILTER_DEVICE_EXTENSION devExt;

    pIrpSp = IoGetCurrentIrpStackLocation(Irp);
    pFileObject = pIrpSp->FileObject;
    devExt = DeviceObject->DeviceExtension;

    ////////////////////////////////////////////////////////////////////////
    // Is my control device object
    if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject))
    {
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    ////////////////////////////////////////////////////////////////////////
    // Is storage stack device object
    if (NULL == devExt->StorageStackDeviceObject)
    {
        return SfPassThrough(DeviceObject, Irp);
    }

    ////////////////////////////////////////////////////////////////////////
    // Is my filter device object
    {
        UNICODE_STRING fullName;
        UNICODE_STRING extName;
        WCHAR fullNameBuffer[512];
        WCHAR extNameBuffer[256];
        USHORT i;

        //////////////////////////////////////////////////////////////////////
        // Get file name from file object
        fullName.Length = pFileObject->FileName.Length;
        fullName.MaximumLength = pFileObject->FileName.MaximumLength;
        RtlInitEmptyUnicodeString(&fullName, fullNameBuffer, 512*sizeof(WCHAR));
        RtlCopyUnicodeString(&fullName, &(pFileObject->FileName));

        ////////////////////////////////////////////////////////////////////////
        // Get extension name
        RtlInitEmptyUnicodeString(&extName, extNameBuffer, 256*sizeof(WCHAR));
        for (i = 0; i < fullName.Length; i++)
        {
            if (L'.' == fullName.Buffer[i])
            {
                USHORT nIndex = 0;
                USHORT j;
                extName.Length = fullName.Length - i - 1;
                for (j = i+1; j < fullName.Length; j++, nIndex++)
                {
                    //extName.Buffer[nIndex] = fullName.Buffer[j]; // If add, BSOD
                    ; // not BSOD
                }
                break;
            }
        }
        return SfPassThrough(DeviceObject, Irp);
    }

}

In general if you are going to report a BSOD to this group have the
!analyze -v output for the crash. On any of the driver development groups
you will be asked for it.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


  • FileObject->FileName is only valid in IRP_MJ_CREATE, don't use/get
    the filename in IRP_MJ_READ (you probably get the BSOD because this buffer is
    already freed)
  • IRP_MJ_READ can be called at DISPATCH_LEVEL => it's not safe to call some
    Rtl-* functions which work with unicode strings
  • FileObject->FileName can be bigger than 512 chars
  • you don't look for the '.' character from the end of the name
  • don't use filename arrays on the stack (you have only 12Kb or 24Kb, and
    you're not the only driver on the stack)
  • don't copy unicode strings to your buffer, search directly in
    FileObject->FileName.Buffer

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
wanmingliangdan@163.com
Sent: November 7, 2008 15:53
To: Windows File Systems Devs Interest List
Subject: [ntfsd] BSOD in my filter driver

Hello all,
I am a beginner. Recently, I am trying to write a filter driver, but
there is a BSOD issue in my dispatch routine that processes the IRP_MJ_READ IRP. I
don't know how to deal with it. The following is my simple sample code. Could
you help me? Thanks in advance! Sorry for my poor English!!!



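The points in the reply above (names longer than any fixed buffer, searching for the dot from the end, no stack copies, searching the counted buffer directly) can be shown in a user-mode model. This is an added example, not code from the thread: `USTR`, `find_extension` and `demo_ext_chars` are hypothetical names, `USTR` stands in for `UNICODE_STRING`, and it assumes the name being scanned is still valid, which per the reply means at IRP_MJ_CREATE.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the kernel UNICODE_STRING (assumption, so this builds in user
 * mode). As in the real structure, Length counts BYTES, not characters, and
 * Buffer is not guaranteed to be NUL-terminated. */
typedef struct {
    uint16_t  Length, MaximumLength;
    uint16_t *Buffer;                 /* 16-bit code units, like WCHAR */
} USTR;

/* Scan backward for the extension of the last path component. Nothing is
 * copied: on success *ext is a view into name->Buffer (dot excluded).
 * Returns 0 for an empty name, no dot, or a name ending in '.'. */
int find_extension(const USTR *name, USTR *ext)
{
    size_t chars, i;

    ext->Length = ext->MaximumLength = 0;
    ext->Buffer = NULL;
    if (name == NULL || name->Buffer == NULL)
        return 0;
    chars = name->Length / sizeof(uint16_t);      /* bytes -> characters */
    for (i = chars; i > 0; i--) {
        uint16_t c = name->Buffer[i - 1];
        if (c == '\\')                 /* reached the directory part */
            return 0;
        if (c == '.') {
            if (i == chars)            /* name ends in '.' */
                return 0;
            ext->Buffer = name->Buffer + i;
            ext->Length = ext->MaximumLength =
                (uint16_t)((chars - i) * sizeof(uint16_t));
            return 1;
        }
    }
    return 0;
}

/* Constructed sample input: widen an ASCII path into a counted string with
 * no terminator, then report the extension length in characters (0 = none). */
size_t demo_ext_chars(const char *ascii)
{
    static uint16_t buf[1024];
    USTR name, ext;
    size_t n = 0;
    while (ascii[n] != '\0' && n < 1024) { buf[n] = (uint8_t)ascii[n]; n++; }
    name.Buffer = buf;
    name.Length = name.MaximumLength = (uint16_t)(n * sizeof(uint16_t));
    return find_extension(&name, &ext) ? ext.Length / sizeof(uint16_t) : 0;
}
```

Dividing `Length` by the character size before indexing matters here: the loop in the original post uses the byte count as a character index, so it walks past the end of both buffers.
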
Hello Petr Kurtin,
As you said, FileObject->Filename is only valid in IRP_MJ_CREATE, don't use/get filename in IRP_MJ_READ (you probably get BSOD because this buffer is already freed). I originally planned to decrypt the file in the SfRead function and encrypt the file in the SfWrite function, which processes the IRP_MJ_WRITE IRP, according to the file extension name (i.e. doc). Maybe I am doing something wrong. Could you tell me how to encrypt and decrypt a file in a filter driver? Thanks in advance.

Encryption minifilters are among the most difficult to write. If you are a
beginner, you are in store for a long ramp up or a trip to a consultant. I'm
not trying to discourage you but rather to let you know up front that this
will not be an easy task.

–Andrew Thomson
–Microsoft

On 11/8/08 9:12 PM, in article xxxxx@ntfsd, "wanmingliangdan@163.com" wrote:

> Hello Petr Kurtin,
> As you said, FileObject->Filename is only valid in IRP_MJ_CREATE, don't
> use/get filename in IRP_MJ_READ (you probably get BSOD because this buffer is
> already freed). I originally planned to decrypt the file in the SfRead function and
> encrypt the file in the SfWrite function, which processes the IRP_MJ_WRITE IRP, according to
> the file extension name (i.e. doc). Maybe I am doing something wrong. Could you
> tell me how to encrypt and decrypt a file in a filter driver? Thanks in
> advance.
>