Bug Check 0x24 : File Filter Driver

Hi Guys

I have a legacy file filter driver. It does a simple thing: it just logs the file name and passes the IRP to the lower driver, but I am getting an exception.

My target OS is running on VMware: Windows XP Professional (SP3).

Here is the output. TraceOrgFileMonitorDriverPassThrough is my function:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: f8a8d9a8
Arg3: f8a8d6a4
Arg4: f83a61f3

Debugging Details:

EXCEPTION_RECORD: f8a8d9a8 -- (.exr 0xfffffffff8a8d9a8)
ExceptionAddress: f83a61f3 (Ntfs!NtfsFcbTableCompare+0x0000000b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00740073
Attempt to read from address 00740073

CONTEXT: f8a8d6a4 -- (.cxr 0xfffffffff8a8d6a4)
eax=00740073 ebx=00000000 ecx=00740073 edx=0000ffff esi=00740063 edi=829803c8
eip=f83a61f3 esp=f8a8da70 ebp=f8a8da80 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
Ntfs!NtfsFcbTableCompare+0xb:
f83a61f3 8b11 mov edx,dword ptr [ecx] ds:0023:00740073=???
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00740073

READ_ADDRESS: 00740073

FOLLOWUP_IP:
Ntfs!NtfsFcbTableCompare+b
f83a61f3 8b11 mov edx,dword ptr [ecx]

FAULTING_IP:
Ntfs!NtfsFcbTableCompare+b
f83a61f3 8b11 mov edx,dword ptr [ecx]

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

LAST_CONTROL_TRANSFER: from 8052dd48 to f83a61f3

STACK_TEXT:
f8a8da80 8052dd48 829803c8 f8a8dae4 00740073 Ntfs!NtfsFcbTableCompare+0xb
f8a8da9c 8052de21 829803c8 f8a8dae4 f8a8db10 nt!FindNodeOrParent+0x22
f8a8dab4 f83a6b70 829803c8 f8a8dae4 f8a8db10 nt!RtlLookupElementGenericTableFullAvl+0x15
f8a8db48 f83b12f2 82cb73c0 82980100 00000f49 Ntfs!NtfsCreateFcb+0x53
f8a8dc2c f83b16f5 82cb73c0 828c4a20 828c4bb0 Ntfs!NtfsOpenFile+0xf3
f8a8de84 f83a1f2d 82cb73c0 828c4a20 f8a8dedc Ntfs!NtfsCommonCreate+0x134a
f8a8df68 804ef18f 82980020 828c4a20 82cb7f90 Ntfs!NtfsFsdCreate+0x1dc
f8a8df78 f8425876 828c4a30 82ca0968 82cb7f90 nt!IopfCallDriver+0x31
f8a8dfc4 804ef18f 82afc598 00000001 82ca0758 sr!SrCreate+0x150
f8a8dfd4 f888043e 00000900 00000002 0000dff0 nt!IopfCallDriver+0x31
f8a8e808 804ef18f 82afc730 828c4a20 828c4a20 TraceOrgFileMonitor!TraceOrgFileMonitorDriverPassThrough+0x22e [d:\work\traceorgfilemonitordriver\traceorgfilemonitordriver\traceorgfilemonitordriverdispatch.c @ 1550]
f8a8e818 805831fa 82afd698 8297f32c f8a8e9b0 nt!IopfCallDriver+0x31
f8a8e8f8 805bf444 82afd6b0 00000000 8297f288 nt!IopParseDevice+0xa12
f8a8e970 805bb9d0 00000000 f8a8e9b0 00000240 nt!ObpLookupObjectName+0x53c
f8a8e9c4 80576033 00000000 00000000 00000000 nt!ObOpenObjectByName+0xea
f8a8ea40 805769aa f8a8ebe4 00100001 f8a8ebbc nt!IopCreateFile+0x407
f8a8ea9c 805790b4 f8a8ebe4 00100001 f8a8ebbc nt!IoCreateFile+0x8e
f8a8eadc 8054161c f8a8ebe4 00100001 f8a8ebbc nt!NtCreateFile+0x30
f8a8eadc 80500021 f8a8ebe4 00100001 f8a8ebbc nt!KiFastCallEntry+0xfc
f8a8eb80 8061df0e f8a8ebe4 00100001 f8a8ebbc nt!ZwCreateFile+0x11
f8a8ebf0 8061fbce e189ac4c 00000044 00000000 nt!CcPfPrefetchDirectoryContents+0x58
f8a8ec18 8061d40a 0000000d 00000000 00000000 nt!CcPfPrefetchMetadata+0x76
f8a8edac 805cff64 82ddc458 00000000 00000000 nt!CcPfBootWorker+0x296
f8a8eddc 805460de 8061d174 82ddc458 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsFcbTableCompare+b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5

STACK_COMMAND: .cxr 0xfffffffff8a8d6a4 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsFcbTableCompare+b

BUCKET_ID: 0x24_Ntfs!NtfsFcbTableCompare+b

Followup: MachineOwner

I do not know what to do. Does VMware create this problem?

Can you please provide some more of the implementation of the way you query the file name?
There is some sort of sample in minispy; it is a lib that takes care of the name query with calls like NlAllocateNameControl, etc.
Check that out or consider writing a minifilter for that.
Anyway, can you provide some more info on your code?

I used Microsoft's code to get the file name as you said, but I do not know why it crashes.

Obviously there is something else wrong in your driver besides that; an access violation, that is, or an attempt to read from invalid memory.
Please provide your code.

It looks like a memory corruption, note the faulting address:

Ntfs!NtfsFcbTableCompare+0xb:
f83a61f3 8b11 mov edx,dword ptr [ecx]
ds:0023:00740073=???

“00740073” is L"st", so you possibly have a buffer overflow in your string
handling someplace. Try enabling Driver Verifier’s special pool option and
see if you get a more meaningful crash.

-scott

Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
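The pattern Scott describes, as an added example that is not code from the thread or from the poster's driver: a wide string copied into a fixed buffer with no length check runs over the field that follows it, so the pointer NTFS later dereferences ends up holding two UTF-16 characters (0x00740073 is 's', 't' in little-endian order). The FILE_RECORD layout, the field names and the sample name L"abcdst" are constructed for illustration; the only values taken from the dump are the faulting address and edi (829803c8), the latter used only as a placeholder for a plausible kernel pointer. It is plain user-mode C so it compiles anywhere; the driver-side equivalent of unchecked_copy is a wcscpy or RtlCopyMemory into a WCHAR array without comparing the source length to the buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* UTF-16 code unit, i.e. the Windows WCHAR on the poster's x86 target. A
 * fixed 16-bit type keeps the layout identical on hosts where wchar_t is
 * 32 bits wide. */
typedef uint16_t WCHAR16;

/* Constructed, hypothetical record: a short inline name buffer directly
 * followed by a 32-bit pointer slot, standing in for whatever sat next to the
 * string buffer in the poster's driver (the real layout is not in the thread). */
typedef struct {
    WCHAR16  Name[4];        /* room for 4 code units, terminator included */
    uint32_t NextPointer;    /* 32-bit pointer slot, as on the x86 target */
} FILE_RECORD;

/* Placeholder for a valid kernel pointer; the value is the dump's edi. */
#define VALID_POINTER 0x829803c8u

/* Decode a 32-bit word as two little-endian UTF-16 code units. This is the
 * check Scott did by eye: 0x00740073 -> 0x0073 's', 0x0074 't' -> L"st".
 * Returns 1 and fills out[] when both units are printable ASCII, else 0;
 * a genuine kernel-mode pointer almost never passes this test. */
static int decode_word_as_utf16(uint32_t word, char out[3])
{
    WCHAR16 first  = (WCHAR16)(word & 0xFFFFu);   /* low half = first char */
    WCHAR16 second = (WCHAR16)(word >> 16);       /* high half = second char */
    out[0] = out[1] = out[2] = '\0';
    if (first < 0x20 || first > 0x7E || second < 0x20 || second > 0x7E)
        return 0;
    out[0] = (char)first;
    out[1] = (char)second;
    return 1;
}

/* Code units before the terminator in a NUL-terminated UTF-16 string. */
static size_t utf16_len(const WCHAR16 *s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* The bug class: wcscpy-style copy into a fixed buffer with no length check.
 * The copy goes through a byte pointer to the whole record so the overrun
 * lands, deterministically and without undefined behaviour, in the field that
 * follows Name, exactly where an adjacent pointer would be.
 * Returns the pointer slot's value after the copy. */
static uint32_t unchecked_copy(const WCHAR16 *src)
{
    FILE_RECORD rec;
    size_t bytes = (utf16_len(src) + 1) * sizeof(WCHAR16); /* includes NUL */

    rec.NextPointer = VALID_POINTER;
    memset(rec.Name, 0, sizeof rec.Name);
    /* In the real driver nothing stops the copy; here it is capped at the
     * record so the demonstration stays inside the object it corrupts. */
    if (bytes > sizeof rec)
        bytes = sizeof rec;
    memcpy((unsigned char *)&rec, src, bytes);
    return rec.NextPointer;
}

/* The fix: compare the source length in bytes (as with UNICODE_STRING.Length)
 * against the destination capacity before copying, and refuse otherwise.
 * Returns 0 on success, -1 when the name does not fit; *pointer_out receives
 * the pointer slot's value so the caller can verify it was left intact. */
static int checked_copy(const WCHAR16 *src, uint32_t *pointer_out)
{
    FILE_RECORD rec;
    size_t bytes = (utf16_len(src) + 1) * sizeof(WCHAR16);

    rec.NextPointer = VALID_POINTER;
    memset(rec.Name, 0, sizeof rec.Name);
    *pointer_out = rec.NextPointer;
    if (bytes > sizeof rec.Name)
        return -1;                 /* a driver would return STATUS_BUFFER_OVERFLOW */
    memcpy(rec.Name, src, bytes);
    *pointer_out = rec.NextPointer;
    return 0;
}

int main(void)
{
    /* Constructed sample name L"abcdst": six code units, two too many for Name[4]. */
    static const WCHAR16 name[] = { 'a', 'b', 'c', 'd', 's', 't', 0 };
    char text[3];
    uint32_t slot = unchecked_copy(name);

    printf("pointer slot after unchecked copy: 0x%08x\n", slot);
    if (decode_word_as_utf16(slot, text))
        printf("  reads as L\"%s\": a string overran the buffer next to it\n", text);
    if (checked_copy(name, &slot) != 0)
        printf("checked copy rejected the name; slot still 0x%08x\n", slot);
    return 0;
}
```

Run it on any little-endian host and the first line prints 0x00740073, the same value NtfsFcbTableCompare tried to read in the dump. The decode check is worth applying to any suspicious pointer in a crash before reading further: when the address spells out two or four printable characters, look for string handling near the object rather than at the faulting module. On the target itself, Scott's suggestion maps to `verifier /flags 0x1 /driver TraceOrgFileMonitor.sys` followed by a reboot (flag 0x1 is Special Pool; the .sys name is assumed from the module name in the stack), which places each pool allocation at the end of its own page so the overrun faults at the offending instruction in the filter instead of later inside NTFS.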