BSOD PAGE_FAULT_IN_NONPAGED_AREA

Mamoon_Ahmed · February 26, 2016, 9:48am

please somebody help me. please i need my filter driver to work. I working on it for over a month. I have read every msdn article and seen other samples but i cant understand. My English is weak. The code below is giving me BSOD page fault. Please help me. And also i will be very thankful if you define or provide a simple and easy definitions.

#include “MyDriver.h”
PDEVICE_OBJECT gDeviceObject;
PDRIVER_OBJECT gDriverObject;
FAST_IO_DISPATCH g_fastIoDispatch =
{
sizeof(FAST_IO_DISPATCH),
FsFilterFastIoCheckIfPossible,
FsFilterFastIoRead,
FsFilterFastIoWrite,
FsFilterFastIoQueryBasicInfo,
FsFilterFastIoQueryStandardInfo,
FsFilterFastIoLock,
FsFilterFastIoUnlockSingle,
FsFilterFastIoUnlockAll,
FsFilterFastIoUnlockAllByKey,
FsFilterFastIoDeviceControl,
FsFilterFastIoDetachDevice,
FsFilterFastIoQueryNetworkOpenInfo,
FsFilterFastIoMdlRead,
FsFilterFastIoMdlReadComplete,
FsFilterFastIoPrepareMdlWrite,
FsFilterFastIoMdlWriteComplete,
FsFilterFastIoReadCompressed,
FsFilterFastIoWriteCompressed,
FsFilterFastIoMdlReadCompleteCompressed,
FsFilterFastIoMdlWriteCompleteCompressed,
FsFilterFastIoQueryOpen
};

VOID Change(PDEVICE_OBJECT DeviceObject, BOOLEAN Active)
{
if (Active)
{
PDEVICE_EXTENSION dev;

PDEVICE_OBJECT newDevice;
NTSTATUS status;
status = IoCreateDevice(gDriverObject,
sizeof(DEVICE_EXTENSION),
NULL,
DeviceObject->DeviceType,
0,
FALSE,
&newDevice);
if (!NT_SUCCESS(status))
return status;
dev = ((PDEVICE_EXTENSION)newDevice->DeviceExtension);
if (FlagOn(DeviceObject->Flags, DO_BUFFERED_IO))
SetFlag(newDevice->Flags, DO_BUFFERED_IO);
if (FlagOn(DeviceObject->Flags, DO_DIRECT_IO))
SetFlag(newDevice->Flags, DO_DIRECT_IO);
if (FlagOn(DeviceObject->Flags, FILE_DEVICE_SECURE_OPEN))
SetFlag(DeviceObject->Flags, FILE_DEVICE_SECURE_OPEN);
status = IoAttachDeviceToDeviceStackSafe(newDevice,
DeviceObject,
dev->AttachedToDeviceObject
);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(newDevice);
return status;
}
ClearFlag(newDevice->Flags, DO_DEVICE_INITIALIZING);
}

}
NTSTATUS DriverUnload( PDRIVER_OBJECT DriverObject)
{
IoDeleteDevice(gDeviceObject);
return STATUS_SUCCESS;
}
NTSTATUS MajorFunction( PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
DbgPrint(“Major Function”);
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(DeviceObject, Irp);
}

//NTSTATUS FsPreAcquireForSectionSynchronization(__in PFS_FILTER_CALLBACK_DATA Data, __out PVOID CompletionContext)
//{
// PFSRTL_ADVANCED_FCB_HEADER header = Data->FileObject->FsContext;
// DbgPrint(“AcquireForSectionSynchronization”);
//
// if (Data->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection && Data->FileObject->ReadAccess)
// {
// ExAcquireResourceExclusiveLite()
// }
//}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
/*UNICODE_STRING DeviceName, DosDeviceName;
RtlInitUnicodeString(&DeviceName,L"\Device\Mydriver");
RtlInitUnicodeString(&DosDeviceName, L"\DosDevices\Mydriver");*/
DbgPrint(“Creating device Object”);
//KeDelayExecutionThread(KernelMode, FALSE, -1000000 * 3);
DriverObject->DriverUnload = DriverUnload;
NTSTATUS status;
status = IoCreateDevice(
DriverObject,
0,
NULL,
FILE_DEVICE_DISK_FILE_SYSTEM,
0,
FALSE,
&gDeviceObject
);
if (!NT_SUCCESS(status))
return status;
DbgPrint(“Creating Major Functions %wZ”, status);
// KeDelayExecutionThread(KernelMode, FALSE, -1000000 * 3);
//status = IoCreateSymbolicLink()
ULONG i = 0;
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
DriverObject->MajorFunction[i] = MajorFunction;
DbgPrint(“Registering FastIo”);
//KeDelayExecutionThread(KernelMode, FALSE, -1000000 * 3);

DriverObject->FastIoDispatch = &g_fastIoDispatch;
DbgPrint(“registering callbacks”);
FS_FILTER_CALLBACKS fsFilterCallbacks;
fsFilterCallbacks.SizeOfFsFilterCallbacks = sizeof(FS_FILTER_CALLBACKS);
fsFilterCallbacks.PreAcquireForSectionSynchronization = NULL;
fsFilterCallbacks.PostAcquireForSectionSynchronization = NULL;
fsFilterCallbacks.PreReleaseForSectionSynchronization = NULL;
fsFilterCallbacks.PostReleaseForSectionSynchronization = NULL;
fsFilterCallbacks.PreAcquireForCcFlush = NULL;
fsFilterCallbacks.PostAcquireForCcFlush = NULL;
fsFilterCallbacks.PreReleaseForCcFlush = NULL;
fsFilterCallbacks.PostReleaseForCcFlush = NULL;
fsFilterCallbacks.PreAcquireForModifiedPageWriter = NULL;
fsFilterCallbacks.PostAcquireForModifiedPageWriter = NULL;
fsFilterCallbacks.PreReleaseForModifiedPageWriter = NULL;
fsFilterCallbacks.PostReleaseForModifiedPageWriter = NULL;
status = FsRtlRegisterFileSystemFilterCallbacks(DriverObject, &fsFilterCallbacks);
if (!NT_SUCCESS(status))
return status;
status = IoRegisterFsRegistrationChange(DriverObject, Change);
if (!NT_SUCCESS(status))
return status;
DbgPrint(“Callback routines”);
// KeDelayExecutionThread(KernelMode, FALSE, -1000000 * 3);

gDriverObject = DriverObject;
return STATUS_SUCCESS;

}

Mamoon_Ahmed · February 26, 2016, 10:22am

please guys you are my last hope …

NtDev_Geek · February 26, 2016, 1:45pm

Send !analyze -v with proper symbols.

./Nt

Peter_Viscarola_OSR · February 26, 2016, 3:08pm

Did you *seriously* post that follow-up less than 40 minutes after posting your initial question?

And you didn’t even take the time to provide us a crash dump?

C’mon… I don’t even respond to queries like that from paying customers that fast!

This.

Peter
OSR
@OSRDrivers

Tim_Roberts · February 26, 2016, 4:58pm

xxxxx@gmail.com wrote:

please somebody help me. please i need my filter driver to work. I working on it for over a month. I have read every msdn article and seen other samples but i cant understand. My English is weak. The code below is giving me BSOD page fault. Please help me. And also i will be very thankful if you define or provide a simple and easy definitions.

You didn’t think to tell us WHERE you were getting the page fault?

The documentation for IoRegisterFsRegistrationChange says that your
callback function will be called IMMEDIATELY for any existing file
systems, before the routine returns. Your “Change” function uses
gDriverObject, but you do not set gDriverObject until after
IoRegisterFsRegistrationChange returns.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Scott_Noone_OSR · February 26, 2016, 11:06pm

In addition to the previous repsonses: throw this code away and write a Filter Manager minifilter. There is no point in trying to write a file system filter without Filter Manager.

-scott
OSR
@OSRDrivers

Mamoon_Ahmed · February 27, 2016, 2:21am

I seriously thank you guys for your precious time and comments. I was running this driver on my virtual machine. But (Ahhh my luck) it got corrupted and not starting now. So i took few steps.

As Tim Roberts said, I assigned gDriverObject = DriverObject at the beginning of DriverEntry Routine.
I intalled and run this driver on my computer. now its giving me BSOD 07e Exception not handled.
It is also not generating a crash dump file. I dont know. but in minidump folder there is no creash file.

Mamoon_Ahmed · February 27, 2016, 2:27am

i got crash dump …

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, 807d5750, 0, 0}

*** WARNING: Unable to verify timestamp for MyDriver3.sys
*** ERROR: Module load completed but symbols could not be loaded for MyDriver3.sys
Probably caused by : ntkrpamp.exe ( nt!IofCallDriver+63 )

Followup: MachineOwner

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it’s a trap of a kind
that the kernel isn’t allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 807d5750
Arg3: 00000000
Arg4: 00000000

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 760

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A16

BIOS_DATE: 08/06/2013

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0R230R

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: 8

BUGCHECK_P2: ffffffff807d5750

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BUGCHECK_STR: 0x7f_8

STACK_OVERFLOW: Stack Limit: bbc6d000. Use (kF) and (!stackusage) to investigate stack usage.

STACKUSAGE_FUNCTION: The function at address 0xFFFFFFFF82838C1E was blamed for the stack overflow. It is using 2596 bytes of stack total in 109 instances (likely recursion).

FOLLOWUP_IP:
nt!IofCallDriver+63
82838c1e 5e pop esi

CPU_COUNT: 4

CPU_MHZ: a64

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B’00000000 (cache) A0B’00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MAMOONAHMED-PC

ANALYSIS_SESSION_TIME: 02-27-2016 12:26:30.0164

ANALYSIS_VERSION: 10.0.10586.567 x86fre

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: d54a5ecd18d3a7ce1dc99a389c4054dd65a1d0c4

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4c129a9453599a254bcdb71c5cee7825a88a4e31

THREAD_SHA1_HASH_MOD: da5f48f83d965a6244d035e3268dd9712a9f3c3c

FAULT_INSTR_CODE: c35d595e

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!IofCallDriver+63

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6

IMAGE_VERSION: 6.1.7601.18247

FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63

BUCKET_ID: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63

PRIMARY_PROBLEM_CLASS: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63

TARGET_TIME: 2016-02-27T07:13:16.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2013-08-29 05:58:30

BUILDDATESTAMP_STR: 130828-1532

BUILDLAB_STR: win7sp1_gdr

BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 971

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_stack_usage_recursion_nt!iofcalldriver+63

FAILURE_ID_HASH: {190b6674-6ce6-c699-27ba-b7506aa1d33b}

Followup: MachineOwner

Jan_Bottorff · February 27, 2016, 3:30am

Double faults I believe can be caused by a stack overflow. The line in you dump that says "km:0x7f_8_stack_usage_recursion_nt!iofcalldriver+63” is kind of a smoking gun. Are opening yourself and sending an irp, perhaps indirectly.

Jan

On 2/26/16, 11:27 PM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com” wrote:

>i got crash dump …
>
>Use !analyze -v to get detailed debugging information.
>
>BugCheck 1000007F, {8, 807d5750, 0, 0}
>
> WARNING: Unable to verify timestamp for MyDriver3.sys
> ERROR: Module load completed but symbols could not be loaded for MyDriver3.sys
>Probably caused by : ntkrpamp.exe ( nt!IofCallDriver+63 )
>
>Followup: MachineOwner
>---------
>
>1: kd> !analyze -v
>
>
> Bugcheck Analysis
>
>
>
>UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
>This means a trap occurred in kernel mode, and it’s a trap of a kind
>that the kernel isn’t allowed to have/catch (bound trap) or that
>is always instant death (double fault). The first number in the
>bugcheck params is the number of the trap (8 = double fault, etc)
>Consult an Intel x86 family manual to learn more about what these
>traps are. Here is a portion of those codes:
>If kv shows a taskGate
> use .tss on the part before the colon, then kv.
>Else if kv shows a trapframe
> use .trap on that value
>Else
> .trap on the appropriate frame will show where the trap was taken
> (on x86, this will be the ebp that goes with the procedure KiTrap)
>Endif
>kb will then show the corrected stack.
>Arguments:
>Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
>Arg2: 807d5750
>Arg3: 00000000
>Arg4: 00000000
>
>Debugging Details:
>------------------
>
>
>DUMP_CLASS: 1
>
>DUMP_QUALIFIER: 400
>
>BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532
>
>SYSTEM_MANUFACTURER: Dell Inc.
>
>SYSTEM_PRODUCT_NAME: OptiPlex 760
>
>BIOS_VENDOR: Dell Inc.
>
>BIOS_VERSION: A16
>
>BIOS_DATE: 08/06/2013
>
>BASEBOARD_MANUFACTURER: Dell Inc.
>
>BASEBOARD_PRODUCT: 0R230R
>
>BASEBOARD_VERSION: A00
>
>DUMP_TYPE: 2
>
>BUGCHECK_P1: 8
>
>BUGCHECK_P2: ffffffff807d5750
>
>BUGCHECK_P3: 0
>
>BUGCHECK_P4: 0
>
>BUGCHECK_STR: 0x7f_8
>
>STACK_OVERFLOW: Stack Limit: bbc6d000. Use (kF) and (!stackusage) to investigate stack usage.
>
>STACKUSAGE_FUNCTION: The function at address 0xFFFFFFFF82838C1E was blamed for the stack overflow. It is using 2596 bytes of stack total in 109 instances (likely recursion).
>
>FOLLOWUP_IP:
>nt!IofCallDriver+63
>82838c1e 5e pop esi
>
>CPU_COUNT: 4
>
>CPU_MHZ: a64
>
>CPU_VENDOR: GenuineIntel
>
>CPU_FAMILY: 6
>
>CPU_MODEL: 17
>
>CPU_STEPPING: a
>
>CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B’00000000 (cache) A0B’00000000 (init)
>
>CUSTOMER_CRASH_COUNT: 1
>
>DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
>
>PROCESS_NAME: explorer.exe
>
>CURRENT_IRQL: 0
>
>ANALYSIS_SESSION_HOST: MAMOONAHMED-PC
>
>ANALYSIS_SESSION_TIME: 02-27-2016 12:26:30.0164
>
>ANALYSIS_VERSION: 10.0.10586.567 x86fre
>
>STACK_COMMAND: kb
>
>THREAD_SHA1_HASH_MOD_FUNC: d54a5ecd18d3a7ce1dc99a389c4054dd65a1d0c4
>
>THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4c129a9453599a254bcdb71c5cee7825a88a4e31
>
>THREAD_SHA1_HASH_MOD: da5f48f83d965a6244d035e3268dd9712a9f3c3c
>
>FAULT_INSTR_CODE: c35d595e
>
>SYMBOL_STACK_INDEX: 3
>
>SYMBOL_NAME: nt!IofCallDriver+63
>
>FOLLOWUP_NAME: MachineOwner
>
>MODULE_NAME: nt
>
>IMAGE_NAME: ntkrpamp.exe
>
>DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6
>
>IMAGE_VERSION: 6.1.7601.18247
>
>FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63
>
>BUCKET_ID: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63
>
>PRIMARY_PROBLEM_CLASS: 0x7f_8_STACK_USAGE_RECURSION_nt!IofCallDriver+63
>
>TARGET_TIME: 2016-02-27T07:13:16.000Z
>
>OSBUILD: 7601
>
>OSSERVICEPACK: 1000
>
>SERVICEPACK_NUMBER: 0
>
>OS_REVISION: 0
>
>SUITE_MASK: 272
>
>PRODUCT_TYPE: 1
>
>OSPLATFORM_TYPE: x86
>
>OSNAME: Windows 7
>
>OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
>
>OS_LOCALE:
>
>USER_LCID: 0
>
>OSBUILD_TIMESTAMP: 2013-08-29 05:58:30
>
>BUILDDATESTAMP_STR: 130828-1532
>
>BUILDLAB_STR: win7sp1_gdr
>
>BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532
>
>ANALYSIS_SESSION_ELAPSED_TIME: 971
>
>ANALYSIS_SOURCE: KM
>
>FAILURE_ID_HASH_STRING: km:0x7f_8_stack_usage_recursion_nt!iofcalldriver+63
>
>FAILURE_ID_HASH: {190b6674-6ce6-c699-27ba-b7506aa1d33b}
>
>Followup: MachineOwner
>---------
>
>
>
>—
>NTDEV is sponsored by OSR
>
>Visit the list online at: http:
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at http:</http:></http:></http:>

Mamoon_Ahmed · February 27, 2016, 5:36am

hi Jan Bottorff, As you suggested, i changed in my major function as following
PDEVICE_EXTENSION dev = DeviceObject->DeviceExtension;
IoSkipCurrentStackLocation(Irp);
IoCallDriver(dev->AttachedToDeviceObject,Irp);

The driver loaded fine. printed all the DbgPrint. After some time my PC crashed and i got BSOD IRQL_NOT_LESS_OR_EQUAL. here is the crash dump.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 828df47f, address which referenced memory

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 760

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A16

BIOS_DATE: 08/06/2013

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0R230R

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: 4

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: ffffffff828df47f

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 829b384c
Unable to get MmSystemRangeStart
00000004

CURRENT_IRQL: 2

FAULTING_IP:
nt!IopQueueThreadIrp+2d
828df47f 897904 mov dword ptr [ecx+4],edi

CPU_COUNT: 4

CPU_MHZ: a64

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B’00000000 (cache) A0B’00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: svchost.exe

ANALYSIS_SESSION_HOST: MAMOONAHMED-PC

ANALYSIS_SESSION_TIME: 02-27-2016 15:20:03.0930

ANALYSIS_VERSION: 10.0.10586.567 x86fre

TRAP_FRAME: 8fb77a0c – (.trap 0xffffffff8fb77a0c)
ErrCode = 00000002
eax=00000000 ebx=8fb77cf8 ecx=00000000 edx=00000002 esi=8fb77aac edi=856a0660
eip=828df47f esp=8fb77a80 ebp=8fb77b60 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!IopQueueThreadIrp+0x2d:
828df47f 897904 mov dword ptr [ecx+4],edi ds:0023:00000004=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 828df47f to 8288ab7f

STACK_TEXT:
8fb77a0c 828df47f badb0d00 00000002 00000000 nt!KiTrap0E+0x1b3
8fb77a88 82a904fc be50da3f 8fb77c30 00000000 nt!IopQueueThreadIrp+0x2d
8fb77b60 82a6fd1e 86180030 852f4518 85624d20 nt!IopParseDevice+0xedc
8fb77bdc 82a80147 00000000 8fb77c30 00000040 nt!ObpLookupObjectName+0x4fa
8fb77c38 82a76c25 0213f0a0 852f4518 8fb77c01 nt!ObOpenObjectByName+0x165
8fb77cb4 82a9a4a4 0213f3a0 00120089 0213f0a0 nt!IopCreateFile+0x673
8fb77d00 828878c6 0213f3a0 00120089 0213f0a0 nt!NtCreateFile+0x34
8fb77d00 76e270f4 0213f3a0 00120089 0213f0a0 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0213f104 00000000 00000000 00000000 00000000 0x76e270f4

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 67fbc2c3b994a80eb4a7217f3e8bb21d5c168442

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c79e2aaa1e05645f3e8822ebfbe2f9e516885f36

THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8

FOLLOWUP_IP:
nt!IopQueueThreadIrp+2d
828df47f 897904 mov dword ptr [ecx+4],edi

FAULT_INSTR_CODE: 8a047989

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!IopQueueThreadIrp+2d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6

IMAGE_VERSION: 6.1.7601.18247

FAILURE_BUCKET_ID: 0xA_nt!IopQueueThreadIrp+2d

BUCKET_ID: 0xA_nt!IopQueueThreadIrp+2d

PRIMARY_PROBLEM_CLASS: 0xA_nt!IopQueueThreadIrp+2d

TARGET_TIME: 2016-02-27T10:09:38.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2013-08-29 05:58:30

BUILDDATESTAMP_STR: 130828-1532

BUILDLAB_STR: win7sp1_gdr

BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 5c8

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xa_nt!iopqueuethreadirp+2d

FAILURE_ID_HASH: {8e8ccfb2-5a0f-30d2-677f-fa957bec2188}

Followup: MachineOwner

Gabriel_Bercea · February 27, 2016, 8:10am

Wow, this code looks awful.
Check this tutorial
http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial

But really write a mini-filter.
Better yet get a book and read about driver basics and filesystem basics.

Gabriel

On Sat, Feb 27, 2016 at 11:35 AM, wrote:

> hi Jan Bottorff, As you suggested, i changed in my major function as
> following
> PDEVICE_EXTENSION dev = DeviceObject->DeviceExtension;
> IoSkipCurrentStackLocation(Irp);
> IoCallDriver(dev->AttachedToDeviceObject,Irp);
>
> The driver loaded fine. printed all the DbgPrint. After some time my PC
> crashed and i got BSOD IRQL_NOT_LESS_OR_EQUAL. here is the crash dump.
>
>
> *****
>
>
> * Bugcheck Analysis
>
>
>
>
>
>
> IRQL_NOT_LESS_OR_EQUAL (a)
> An attempt was made to access a pageable (or completely invalid) address
> at an
> interrupt request level (IRQL) that is too high. This is usually
> caused by drivers using improper addresses.
> If a kernel debugger is available get the stack backtrace.
> Arguments:
> Arg1: 00000004, memory referenced
> Arg2: 00000002, IRQL
> Arg3: 00000001, bitfield :
> bit 0 : value 0 = read operation, 1 = write operation
> bit 3 : value 0 = not an execute operation, 1 = execute operation
> (only on chips which support this level of status)
> Arg4: 828df47f, address which referenced memory
>
> Debugging Details:
> ------------------
>
>
> DUMP_CLASS: 1
>
> DUMP_QUALIFIER: 400
>
> BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532
>
> SYSTEM_MANUFACTURER: Dell Inc.
>
> SYSTEM_PRODUCT_NAME: OptiPlex 760
>
> BIOS_VENDOR: Dell Inc.
>
> BIOS_VERSION: A16
>
> BIOS_DATE: 08/06/2013
>
> BASEBOARD_MANUFACTURER: Dell Inc.
>
> BASEBOARD_PRODUCT: 0R230R
>
> BASEBOARD_VERSION: A00
>
> DUMP_TYPE: 2
>
> BUGCHECK_P1: 4
>
> BUGCHECK_P2: 2
>
> BUGCHECK_P3: 1
>
> BUGCHECK_P4: ffffffff828df47f
>
> WRITE_ADDRESS: GetPointerFromAddress: unable to read from 829b384c
> Unable to get MmSystemRangeStart
> 00000004
>
> CURRENT_IRQL: 2
>
> FAULTING_IP:
> nt!IopQueueThreadIrp+2d
> 828df47f 897904 mov dword ptr [ecx+4],edi
>
> CPU_COUNT: 4
>
> CPU_MHZ: a64
>
> CPU_VENDOR: GenuineIntel
>
> CPU_FAMILY: 6
>
> CPU_MODEL: 17
>
> CPU_STEPPING: a
>
> CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B’00000000 (cache) A0B’00000000
> (init)
>
> CUSTOMER_CRASH_COUNT: 1
>
> DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
>
> BUGCHECK_STR: 0xA
>
> PROCESS_NAME: svchost.exe
>
> ANALYSIS_SESSION_HOST: MAMOONAHMED-PC
>
> ANALYSIS_SESSION_TIME: 02-27-2016 15:20:03.0930
>
> ANALYSIS_VERSION: 10.0.10586.567 x86fre
>
> TRAP_FRAME: 8fb77a0c – (.trap 0xffffffff8fb77a0c)
> ErrCode = 00000002
> eax=00000000 ebx=8fb77cf8 ecx=00000000 edx=00000002 esi=8fb77aac
> edi=856a0660
> eip=828df47f esp=8fb77a80 ebp=8fb77b60 iopl=0 nv up ei pl nz ac po
> nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
> efl=00010212
> nt!IopQueueThreadIrp+0x2d:
> 828df47f 897904 mov dword ptr [ecx+4],edi
> ds:0023:00000004=???
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from 828df47f to 8288ab7f
>
> STACK_TEXT:
> 8fb77a0c 828df47f badb0d00 00000002 00000000 nt!KiTrap0E+0x1b3
> 8fb77a88 82a904fc be50da3f 8fb77c30 00000000 nt!IopQueueThreadIrp+0x2d
> 8fb77b60 82a6fd1e 86180030 852f4518 85624d20 nt!IopParseDevice+0xedc
> 8fb77bdc 82a80147 00000000 8fb77c30 00000040 nt!ObpLookupObjectName+0x4fa
> 8fb77c38 82a76c25 0213f0a0 852f4518 8fb77c01 nt!ObOpenObjectByName+0x165
> 8fb77cb4 82a9a4a4 0213f3a0 00120089 0213f0a0 nt!IopCreateFile+0x673
> 8fb77d00 828878c6 0213f3a0 00120089 0213f0a0 nt!NtCreateFile+0x34
> 8fb77d00 76e270f4 0213f3a0 00120089 0213f0a0 nt!KiSystemServicePostCall
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 0213f104 00000000 00000000 00000000 00000000 0x76e270f4
>
>
> STACK_COMMAND: kb
>
> THREAD_SHA1_HASH_MOD_FUNC: 67fbc2c3b994a80eb4a7217f3e8bb21d5c168442
>
> THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c79e2aaa1e05645f3e8822ebfbe2f9e516885f36
>
> THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8
>
> FOLLOWUP_IP:
> nt!IopQueueThreadIrp+2d
> 828df47f 897904 mov dword ptr [ecx+4],edi
>
> FAULT_INSTR_CODE: 8a047989
>
> SYMBOL_STACK_INDEX: 1
>
> SYMBOL_NAME: nt!IopQueueThreadIrp+2d
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: nt
>
> IMAGE_NAME: ntkrpamp.exe
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6
>
> IMAGE_VERSION: 6.1.7601.18247
>
> FAILURE_BUCKET_ID: 0xA_nt!IopQueueThreadIrp+2d
>
> BUCKET_ID: 0xA_nt!IopQueueThreadIrp+2d
>
> PRIMARY_PROBLEM_CLASS: 0xA_nt!IopQueueThreadIrp+2d
>
> TARGET_TIME: 2016-02-27T10:09:38.000Z
>
> OSBUILD: 7601
>
> OSSERVICEPACK: 1000
>
> SERVICEPACK_NUMBER: 0
>
> OS_REVISION: 0
>
> SUITE_MASK: 272
>
> PRODUCT_TYPE: 1
>
> OSPLATFORM_TYPE: x86
>
> OSNAME: Windows 7
>
> OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
>
> OS_LOCALE:
>
> USER_LCID: 0
>
> OSBUILD_TIMESTAMP: 2013-08-29 05:58:30
>
> BUILDDATESTAMP_STR: 130828-1532
>
> BUILDLAB_STR: win7sp1_gdr
>
> BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532
>
> ANALYSIS_SESSION_ELAPSED_TIME: 5c8
>
> ANALYSIS_SOURCE: KM
>
> FAILURE_ID_HASH_STRING: km:0xa_nt!iopqueuethreadirp+2d
>
> FAILURE_ID_HASH: {8e8ccfb2-5a0f-30d2-677f-fa957bec2188}
>
> Followup: MachineOwner
> ---------
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>

–
Bercea. G.</http:>

Peter_Viscarola_OSR · February 27, 2016, 10:06am

OP: See what my colleague Scott Noone said above:

You are attempting to use the wrong model to solve your problem. Sort of like trying to drive nails with a screwdriver: You can do it, but you’re going about it all wrong.

Wow! Bad kernel-mode code on Code Project? Surely not…

On the Internet, nobody knows you’re a dog. Or that your code is a dog. For those devs who decline to study and understand the details of what they’re doing before diving in (something I myself do on occasion in disciplines where I’m not an expert and I’m writing something casually), the best advice I can give is “know who authored the example you’re starting from” before you attempt to use it. If you can’t determine their reputation and credentials in the area… don’t trust the example. A bad example is far worse than no example at all.

Peter
OSR
@OSRDrivers

Gabriel_Bercea · February 27, 2016, 10:16am

Yes I agree Peter, but that article is not as bad as you think, but as far
as file system filters go today I would always advice to go for a
minifilter ( as I did ).
and also as I said, better yet start reading about file system drivers and
windows internals in a book or start with MS samples etc…

Gabriel

On Sat, Feb 27, 2016 at 4:05 PM, wrote:

> OP: See what my colleague Scott Noone said above:
>
>

>
> You are attempting to use the wrong model to solve your problem. Sort of
> like trying to drive nails with a screwdriver: You can do it, but you’re
> going about it all wrong.
>
>

>
> Wow! Bad kernel-mode code on Code Project? Surely not…
>
> On the Internet, nobody knows you’re a dog. Or that your code is a dog.
> For those devs who decline to study and understand the details of what
> they’re doing before diving in (something I myself do on occasion in
> disciplines where I’m not an expert and I’m writing something casually),
> the best advice I can give is “know who authored the example you’re
> starting from” before you attempt to use it. If you can’t determine their
> reputation and credentials in the area… don’t trust the example. A bad
> example is far worse than no example at all.
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>

–
Bercea. G.</http:>

Mamoon_Ahmed · February 27, 2016, 11:53am

Gabriel, first of all thank you for your precious advice.
I tried the code you have given the link to, (the codeproject.com one) but its not working as well. giving me unexpected kernel mode trap BSOD.

Mamoon_Ahmed · February 27, 2016, 11:55am

Peter, I am working on a project and i dont have time. i have to submit this project on monday.
Secondly, I built minifilter in vs 2013. but minifilter is giving me BSOD too.

Peter_Viscarola_OSR · February 27, 2016, 12:54pm

Unacceptable answer. Really.

It takes MUCH less time to drive nails with a hammer than with a screwdriver. Even if you don’t know precisely how to swing that hammer.

…and…

Three different tries, all result in BSOD. Does this suggest anything to you?

What your insistence on using the wrong model for your problem, your repeated blue screens, and your inability to analyze your crash dump tell ME is that you probably don’t understand as much as you need to about what you’re doing. I don’t mean that as an insult in any way, but merely a statement of fact.

I *do* wish you good luck in whatever you need to do by Monday…

Peter
OSR
@OSRDrivers

Mamoon_Ahmed · February 27, 2016, 1:12pm

Peter, if you talk about statement of fact, its right. Its my fault in understanding. I have read MSDN article and so many other posts. Still m here. so its obviously my fault.
I somehow managed to analyze the crash dump and trace a bug in my code. But still i dont know why this bug is occuring.
The bug is in the Majorfunction.
if i write the code like.
PDEVICE_EXTENSION dev = DeviceObject->DeviceExtension;
IoSkipCurrentIrpStackLocation(Irp);
IoCallDriver(dev->AttachedToDeviceObject,Irp);

It gives BSOD KERNEL_MODE_EXCEPTION_NOT_HANDLED_M

when i convert this code to
if (DeviceObject->DriverObject == gDriverObject)
{
DbgPrint(“Call to me”);
}
else
{
PDEVICE_EXTENSION dev = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
DbgPrint(“Major Function”);
IoSkipCurrentIrpStackLocation(Irp);
return IoCallDriver(dev->AttachedToDeviceObject, Irp);
}
It only prints Call to me and no Prints Major Function. Of course every Irp’s Target Device is not my Device then why ?
here is the piece of crash dump

STACK_TEXT:
8fcdfa64 9dc013a1 859275e0 8fcdfa88 82a43c1e nt!IofCallDriver+0x57
WARNING: Stack unwind information not available. Following frames may be wrong.
8fcdfa70 82a43c1e 85927528 86264008 8549ca94 MyDriver3+0x13a1
8fcdfa88 82c53506 be3d42e7 8fcdfc30 00000000 nt!IofCallDriver+0x63
8fcdfb60 82c32d1e 86180f08 852f4518 87eb2968 nt!IopParseDevice+0xee6
8fcdfbdc 82c43147 00000000 8fcdfc30 00000040 nt!ObpLookupObjectName+0x4fa
8fcdfc38 82c39c25 00bdf504 852f4518 8fcdfc01 nt!ObOpenObjectByName+0x165
8fcdfcb4 82c5d4a4 00bdf804 00120089 00bdf504 nt!IopCreateFile+0x673
8fcdfd00 82a4a8c6 00bdf804 00120089 00bdf504 nt!NtCreateFile+0x34
8fcdfd00 76df70f4 00bdf804 00120089 00bdf504 nt!KiSystemServicePostCall
00bdf568 00000000 00000000 00000000 00000000 0x76df70f4

Peter_Viscarola_OSR · February 27, 2016, 5:05pm

Well, if you’re DeviceOject from a dispatch entry point, it always WILL be your device object… Right? It can’t be anything else.

I’d like to help you, Mr Ahmed, I really would. But I’d need to see the whole of what you’re doing and sit down and study what’s happening and exactly what the crash dump says. That would take a considerable amount of time. Its not the kind of thing I can do in a forum, answering posts on a Saturday afternoon while lying on my couch.

I’m sorry…

Peter
OSR
@OSRDrivers

Sergey_Pisarev · February 27, 2016, 5:17pm

If this is your actual code you call iocreatedevice with extension size
null and dereference device extension(null) in dispatch routine

On Sunday, 28 February 2016, wrote:

> Well, if you’re DeviceOject from a dispatch entry point, it always WILL be
> your device object… Right? It can’t be anything else.
>
> I’d like to help you, Mr Ahmed, I really would. But I’d need to see the
> whole of what you’re doing and sit down and study what’s happening and
> exactly what the crash dump says. That would take a considerable amount of
> time. Its not the kind of thing I can do in a forum, answering posts on a
> Saturday afternoon while lying on my couch.
>
> I’m sorry…
>
> Peter
> OSR
> @OSRDrivers
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
>

–
Sent from Gmail Mobile</http:>

Sergey_Pisarev · February 27, 2016, 5:37pm

disregard my previous message

On Sun, Feb 28, 2016 at 1:16 AM, Sergey Pisarev
wrote:

> If this is your actual code you call iocreatedevice with extension size
> null and dereference device extension(null) in dispatch routine
>
>
> On Sunday, 28 February 2016, wrote:
>
>> Well, if you’re DeviceOject from a dispatch entry point, it always WILL
>> be your device object… Right? It can’t be anything else.
>>
>> I’d like to help you, Mr Ahmed, I really would. But I’d need to see the
>> whole of what you’re doing and sit down and study what’s happening and
>> exactly what the crash dump says. That would take a considerable amount of
>> time. Its not the kind of thing I can do in a forum, answering posts on a
>> Saturday afternoon while lying on my couch.
>>
>> I’m sorry…
>>
>> Peter
>> OSR
>> @OSRDrivers
>>
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list online at: <
>> http://www.osronline.com/showlists.cfm?list=ntdev>
>>
>> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>> software drivers!
>> Details at http:
>>
>> To unsubscribe, visit the List Server section of OSR Online at <
>> http://www.osronline.com/page.cfm?name=ListServer>
>>
>
>
> –
> Sent from Gmail Mobile
></http:>