Ok. Then boot with the original file, and patch it in memory with the “e
fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC” command in windbg.
Replacing of the original time requires time.
> Replacing of the original time requires time.
original file
I used the command to patch fltmgr in memory and started my copy operation.
My driver has not crashed so far; more testing is underway.
Please let me know what exactly the patched filter manager does.
Thanks.
> Please let me know what exactly the patched filter manager does.
We suspect a stack corruption is taking place for you. I know from the dump
you gave that the crash occurs while the FltGetStreamContext routine is being
executed. I reversed it and I think the stack gets corrupted while the
GetContextFromStreamList routine is being executed, which is called by
FltGetStreamContext.
Therefore the command patches the GetContextFromStreamList routine. This patch
adds a check for a zero return address. And if the address is zero it’ll
break execution. So now you have to wait and see whether you get a BSOD or the
breakpoint I added.
There was a bug check raised, however the breakpoint in the patched fltmgr.sys was not triggered.
STACK_TEXT:
ffffd000`22430b30 ffff2801`ab1d5111
ffffd000`22430b38 ffffe001`564b8900
ffffd000`22430b40 ffffe001`564b8900
ffffd000`22430b48 fffff801`895d0691 HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+0x101 [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 3917]
ffffd000`22430b50 ffffe001`5652d760
ffffd000`22430b58 ffffe001`56e3a040
ffffd000`22430b60 ffffe001`5ba09070
ffffd000`22430b68 00000000`00000202
ffffd000`22430b70 00000000`22430b01
ffffd000`22430b78 ffffe001`5ba3fe20
ffffd000`22430b80 ffffe001`56f907c0
ffffd000`22430b88 00000000`89000000
ffffd000`22430b90 00000000`00000000
ffffd000`22430b98 00000000`00000000
ffffd000`22430ba0 00000001`00000000
ffffd000`22430ba8 ffffe001`56f13d58
FAULTING_SOURCE_LINE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c
FAULTING_SOURCE_FILE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c
FAULTING_SOURCE_LINE_NUMBER: 3917
FAULTING_SOURCE_CODE:
3913: //try
3914: //{
3915:
3916: status = FltGetStreamContext(Instance, Data->Iopb->TargetFileObject,
3917: &pHpArcHsmContext);
3918: //}
3919: //except(BackgroundExceptionFilter1(GetExceptionCode(), GetExceptionInformation()))
3920: //{
3921: // Data->IoStatus.Status = STATUS_DISK_OPERATION_FAILED;//STATUS_ACCESS_DENIED;
3922: // Data->IoStatus.Information = 0;
SYMBOL_NAME: HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+101
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HPEDpHsmX64
IMAGE_NAME: HPEDpHsmX64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5837c4d1
BUCKET_ID_FUNC_OFFSET: 101
FAILURE_BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:access_violation_null_ip_hpedphsmx64!hparchsmdeferredreadwritecompletion
FAILURE_ID_HASH: {e1f42df5-5598-3f4c-2aad-37cd6a1e57b6}
Followup: MachineOwner
Can you send this dump to me?
I will send this dump, but let me try again once.
How can I confirm that the fltmgrdbg.sys was patched correctly?
> How can I confirm that the fltmgrdbg.sys was patched correctly?
Do the “u fltmgr+0x4F4E” command after patching. You should see an “int 3”
instruction disassembled. For this reason I asked you to send me the dump. I
want to be sure.
> I will send this dump, but let me try again once.
Ok.
I have uploaded the dumps at https://drive.google.com/file/d/0B59FSVYGDOVCZUhHcmYwc2lVVVk/view
Ok. How is it going?
Even after patching, FltGetStreamContext still shows an access violation. It seems that the patched fltmgr int 3 is not being executed.
STACK_COMMAND: dps ffffd000caeddb50-0x20 ; kb
STACK_TEXT:
ffffd000`caeddb30 ffff2801`05d9c22b
ffffd000`caeddb38 ffffe000`2c822900
ffffd000`caeddb40 ffffe000`2c822900
ffffd000`caeddb48 fffff801`cf33b691 HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+0x101 [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 3917]
ffffd000`caeddb50 ffffe000`31cb7470
ffffd000`caeddb58 ffffe000`2d38d880
ffffd000`caeddb60 ffffe000`2ca14070
ffffd000`caeddb68 00000000`00000202
ffffd000`caeddb70 00000000`2d38d801
ffffd000`caeddb78 ffffe000`2d6a4b00
ffffd000`caeddb80 ffffe000`2d3ad7e0
ffffd000`caeddb88 00000000`cf000000
ffffd000`caeddb90 00000000`00000000
ffffd000`caeddb98 00000000`00000000
ffffd000`caeddba0 00000001`00000000
ffffd000`caeddba8 ffffe000`32115ac8
FAULTING_SOURCE_LINE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c
FAULTING_SOURCE_FILE: f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c
FAULTING_SOURCE_LINE_NUMBER: 3917
FAULTING_SOURCE_CODE:
3913: //try
3914: //{
3915:
3916: status = FltGetStreamContext(Instance, Data->Iopb->TargetFileObject,
3917: &pHpArcHsmContext);
3918: //}
3919: //except(BackgroundExceptionFilter1(GetExceptionCode(), GetExceptionInformation()))
3920: //{
3921: // Data->IoStatus.Status = STATUS_DISK_OPERATION_FAILED;//STATUS_ACCESS_DENIED;
3922: // Data->IoStatus.Information = 0;
SYMBOL_NAME: HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion+101
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HPEDpHsmX64
IMAGE_NAME: HPEDpHsmX64.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5837c4d1
BUCKET_ID_FUNC_OFFSET: 101
FAILURE_BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
BUCKET_ID: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
PRIMARY_PROBLEM_CLASS: ACCESS_VIOLATION_NULL_IP_HPEDpHsmX64!HpArcHsmDeferredReadWriteCompletion
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:access_violation_null_ip_hpedphsmx64!hparchsmdeferredreadwritecompletion
FAILURE_ID_HASH: {e1f42df5-5598-3f4c-2aad-37cd6a1e57b6}
Followup: MachineOwner
It’s ok. When I get my PC I’ll make the next patch.
ok thanks. I will check it after I am back online.
Try these commands:
e fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC;
e fltmgr+0x1640 48 83 7C 24 28 00 75 19 CC CC CC CC 48 8D 8B 08 05 00 00 FF
15 EF 6A 01 00 FF 15 31 6B 01 00 EB DB 48 83 C4 40 41 5F 41 5E 5F 5E 5B C3
CC 90 90;
e fltmgr+0x14180 48 83 C4 68 48 83 3C 24 00 75 01 CC C3 CC;
e fltmgr+0x14119 E9 62 00 00 00;
e fltmgr+0x62C0 E9 0C 00 00 00 CC FF 43 20 48 8B CF FF 53 38 EB EA 48 83 C4
20 5F 48 83 3C 24 00 75 01 CC C3 CC;
e fltmgr+0xF4B4 90 90 90 90 90 90;
After patching I am hitting int 3 continuously
in xxxxx@FltpGetStreamListCtrl
and it is triggered from my driver’s PreClose.
I will post the windbg output.
Do you mean breakpoint occurs right away after patching?
yes
5: kd> g
Break instruction exception - code 80000003 (first chance)
fltmgr!FltpGetStreamListCtrl+0x38b:
fffff800`2835c64b cc int 3
5: kd> kb
RetAddr : Args to Child : Call Site
00 fffff800`283638e1 : ffffe001`fb270010 ffffe001`ff90e010 00000000`00000000 ffffe001`ff90e018 : fltmgr!FltpGetStreamListCtrl+0x38b
01 fffff800`286cdb8c : ffffe001`ff90e010 ffffe001`ffdc93f0 00000000`10000004 00000000`00000000 : fltmgr!FltGetStreamContext+0x21
02 fffff800`2835d28a : ffffe001`fff13cd8 ffffd000`2275b6f0 ffffd000`2275b6d8 ffffe001`ff90e018 : HPEDpHsmX64!HpArcHsmPreClose+0x3c [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 1740]
03 fffff800`2835e7bc : ffffd000`2275b880 00000000`00000000 00000000`00000000 ffffe001`ffdc9302 : fltmgr!FltpPerformPreCallbacks+0x31a
04 fffff800`2835c92e : ffffe001`fff13c00 00000000`00680727 ffffd000`2275b6f0 00000000`00000002 : fltmgr!FltpPassThroughInternal+0x8c
05 fffff800`2835c09e : ffffe001`fb26fd70 ffffe001`ff8989d0 ffffe001`ff8989d0 ffffe001`fab32f20 : fltmgr!FltpPassThrough+0x2be
06 fffff801`c89f48bc : ffffe001`ffdc93f0 ffffe001`faa56030 ffffe001`ff8989d0 00000000`00000001 : fltmgr!FltpDispatch+0x9e
07 fffff801`c8a16004 : 00000000`00000000 ffffe001`ffdc93f0 ffffe001`fab32f20 ffffe001`ffdc93c0 : nt!IopDeleteFile+0x128
08 fffff801`c8668b8f : 00000000`00000000 ffffd000`2275ba99 ffffe001`ffdc93f0 ffffe001`fab32f20 : nt!ObpRemoveObjectRoutine+0x64
09 fffff801`c89f3c24 : ffffe001`ffdc93c0 00000000`ffff8001 ffffd000`2275ba99 00000000`00007fff : nt!ObfDereferenceObjectWithTag+0x8f
0a fffff801`c87617b3 : ffffe001`ffe37880 00000000`0109f1b0 00000000`011f1d50 00000000`00000000 : nt!NtClose+0x204
0b 00007ffb`d832ac7a : 00007ffb`d582500b 00000000`c000000f 00000000`00000000 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
0c 00007ffb`d582500b : 00000000`c000000f 00000000`00000000 00000000`00000001 00000032`00000026 : ntdll!NtClose+0xa
0d 00000000`c000000f : 00000000`00000000 00000000`00000001 00000032`00000026 00000000`0109ee38 : 0x00007ffb`d582500b
0e 00000000`00000000 : 00000000`00000001 00000032`00000026 00000000`0109ee38 00000000`0109ee50 : 0xc000000f
Ok. Try these ones:
e fltmgr+0x4F47 49 83 7B 18 00 75 14 CC CC 83 F8 10 0F 85 0F A6 00 00 48 8D
79 58 E9 A7 FE FF FF 49 8B E3 41 5F 41 5E 5F C3 CC;
e fltmgr+0x1640 48 83 7C 24 68 00 75 19 CC CC CC CC 48 8D 8B 08 05 00 00 FF
15 EF 6A 01 00 FF 15 31 6B 01 00 EB DB 48 83 C4 40 41 5F 41 5E 5F 5E 5B C3
CC 90 90;
e fltmgr+0x14180 48 83 C4 68 48 83 3C 24 00 75 01 CC C3 CC;
e fltmgr+0x14119 E9 62 00 00 00;
e fltmgr+0x62C0 E9 0C 00 00 00 CC FF 43 20 48 8B CF FF 53 38 EB EA 48 83 C4
20 5F 48 83 3C 24 00 75 01 CC C3 CC;
e fltmgr+0xF4B4 90 90 90 90 90 90;
Now a break point was triggered correctly after the operation was started.
Break instruction exception - code 80000003 (first chance)
0: kd> kb
RetAddr : Args to Child : Call Site
00 00000000`00000000 : ffffe001`976647f0 ffffe001`9ba6e180 00000000`00000000 ffffe001`9ba6e188 : fltmgr!FltpGetStreamListCtrl+0x388
Please note that there is nothing on the stack except FltpGetStreamListCtrl.
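The whole exchange hinges on one observation: once the patched check fires, the return address sitting on the stack is zero and the stack walk ends at FltpGetStreamListCtrl, which is exactly what the earlier ACCESS_VIOLATION_NULL_IP buckets describe. As an added example that is not part of the thread (it is not the poster's or the helper's code), here is a small Python triage helper that parses WinDbg `kb` output of the form shown above into structured frames, flags frames whose return address is zero, and lists the frames that belong to modules other than the OS ones. The two sample listings are constructed from the `kb` lines quoted in the thread; the trusted-module list is an assumption of this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed samples: frames copied from the `kb` listings in the thread,
# in WinDbg's backtick-separated 64-bit notation.
SAMPLE_KB = r"""
RetAddr : Args to Child : Call Site
00 fffff800`283638e1 : ffffe001`fb270010 ffffe001`ff90e010 00000000`00000000 ffffe001`ff90e018 : fltmgr!FltpGetStreamListCtrl+0x38b
01 fffff800`286cdb8c : ffffe001`ff90e010 ffffe001`ffdc93f0 00000000`10000004 00000000`00000000 : fltmgr!FltGetStreamContext+0x21
02 fffff800`2835d28a : ffffe001`fff13cd8 ffffd000`2275b6f0 ffffd000`2275b6d8 ffffe001`ff90e018 : HPEDpHsmX64!HpArcHsmPreClose+0x3c [f:\svn\storage_optimizer\storage_optimizer\trunk\filterdriver\src\hparchsm.c @ 1740]
"""

# The final listing from the thread: a single frame with a zero return address.
SAMPLE_KB_NULL_RET = r"""
RetAddr : Args to Child : Call Site
00 00000000`00000000 : ffffe001`976647f0 ffffe001`9ba6e180 00000000`00000000 ffffe001`9ba6e188 : fltmgr!FltpGetStreamListCtrl+0x388
"""

# One `kb` frame: index, return address, four "Args to Child", call site.
FRAME_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{2})\s+"
    r"(?P<ret>[0-9a-f]{8}`?[0-9a-f]{8})\s*:\s*"
    r"(?P<args>(?:[0-9a-f]{8}`?[0-9a-f]{8}\s*){4})\s*:\s*"
    r"(?P<site>\S.*)$"
)


class Frame(NamedTuple):
    index: int
    ret_addr: int
    args: Tuple[int, ...]
    site: str
    module: Optional[str]   # "fltmgr" for "fltmgr!Foo+0x10", None for a bare address


def _hexval(text: str) -> int:
    """Turn a WinDbg value such as fffff800`283638e1 into an int."""
    return int(text.replace("`", ""), 16)


def parse_kb(text: str) -> List[Frame]:
    """Parse `kb` output; header lines and anything that is not a frame are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        site = m.group("site").strip()
        module = site.split("!", 1)[0] if "!" in site else None
        frames.append(Frame(
            index=int(m.group("idx"), 16),
            ret_addr=_hexval(m.group("ret")),
            args=tuple(_hexval(a) for a in m.group("args").split()),
            site=site,
            module=module,
        ))
    return frames


def null_return_frames(frames: List[Frame]) -> List[Frame]:
    """Frames whose return address is zero: the condition the in-memory patch
    in the thread traps on, and the signature behind ACCESS_VIOLATION_NULL_IP."""
    return [f for f in frames if f.ret_addr == 0]


# Assumed list of OS modules; anything else is third-party code on the stack.
TRUSTED_MODULES = ("fltmgr", "nt", "ntdll")


def third_party_frames(frames: List[Frame], trusted=TRUSTED_MODULES) -> List[Frame]:
    """Frames owned by non-OS modules: the first place to look when the stack
    below an OS routine has been corrupted."""
    return [f for f in frames if f.module and f.module not in trusted]


if __name__ == "__main__":
    for label, text in (("normal", SAMPLE_KB), ("null return", SAMPLE_KB_NULL_RET)):
        frames = parse_kb(text)
        print(f"[{label}] {len(frames)} frame(s)")
        for f in null_return_frames(frames):
            print(f"  zero return address at frame {f.index:02x}: {f.site}")
        for f in third_party_frames(frames):
            print(f"  third-party frame {f.index:02x}: {f.site}")
```

Run on a real dump, the interesting cases are the ones the thread shows: a walk that stops at an OS routine with a zero return address points at whoever last wrote below that frame, and the third-party frames (here the minifilter's PreClose) are where the review of the caller's stack usage starts.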