Crash with Norton AntiVirus 2003, memory dump included

Hello all,

I am developing a filesystem filter driver. I am doing directory buffer
traversal, handling IRP_MJ_DIRECTORY_CONTROL. My PC crashes during
Norton AntiVirus 2003 setup. I got the following memory dump from
WinDbg.
I do not understand what the problem is or how to solve it. Please help me.
My driver name is fileock.sys. I used FileSpy from the IFS. It crashes only
on Win 2000. It works properly on Win XP.

*** Fatal System Error: 0x0000007f
(0x00000008,0x00000000,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Loading symbols for 80400000 ntoskrnl.exe -> ntoskrnl.exe
ModLoad: 80400000 805a2140 ntoskrnl.exe
Loading Kernel Symbols
.ModLoad: 80062000 80072520 halacpi.dll
.ModLoad: f0810000 f0812a20 \WINNT\System32\BOOTVID.DLL
.ModLoad: fc992000 fc9b9c40 ACPI.sys
.ModLoad: f09c8000 f09c8f80 \WINNT\System32\DRIVERS\WMILIB.SYS
.ModLoad: f0400000 f040e640 pci.sys
.ModLoad: f0410000 f041b680 isapnp.sys
.ModLoad: f0900000 f0901040 intelide.sys
.ModLoad: f0680000 f0685500 \WINNT\System32\DRIVERS\PCIIDEX.SYS
.ModLoad: f0688000 f068f180 MountMgr.sys
.ModLoad: fc975000 fc9911a0 ftdisk.sys
.ModLoad: f0902000 f0903d20 Diskperf.sys
.ModLoad: f0904000 f0905b80 dmload.sys
.ModLoad: fc953000 fc9749c0 dmio.sys
.ModLoad: f0814000 f0816d00 PartMgr.sys
.ModLoad: fc93d000 fc9521a0 atapi.sys
.ModLoad: f0690000 f06973c0 disk.sys
.ModLoad: f0420000 f0428560 \WINNT\System32\DRIVERS\CLASSPNP.SYS
.ModLoad: fc92b000 fc93c500 FiLeOCK.sys
.ModLoad: fc908000 fc92a3c0 Fastfat.sys
.ModLoad: fc8f6000 fc907460 KSecDD.sys
.ModLoad: fc8cd000 fc8f5ca0 NDIS.sys
.ModLoad: fc8b7000 fc8cc2e0 Mup.sys
.ModLoad: f0450000 f045c4c0 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
.ModLoad: fc886000 fc8969e0 \SystemRoot\System32\DRIVERS\i81xnt5.sys
.ModLoad: f06b0000 f06b4800 \SystemRoot\System32\DRIVERS\RTL8029.SYS
WARNING: Process directory table base 060B2000 doesn't match CR3 00030000
WARNING: Process directory table base 060B2000 doesn't match CR3 00030000
.ModLoad: f06c0000 f06c6540 \SystemRoot\System32\DRIVERS\fdc.sys
.ModLoad: f0460000 f046f320 \SystemRoot\System32\DRIVERS\serial.sys
.ModLoad: f0878000 f087b560 \SystemRoot\System32\DRIVERS\serenum.sys
.ModLoad: f06d8000 f06de100 \SystemRoot\System32\DRIVERS\parport.sys
.ModLoad: f0470000 f047b6a0 \SystemRoot\System32\DRIVERS\i8042prt.sys
.ModLoad: f06e8000 f06ed380 \SystemRoot\System32\DRIVERS\mouclass.sys
.ModLoad: f06f8000 f06fde40 \SystemRoot\System32\DRIVERS\kbdclass.sys
.ModLoad: f0884000 f0886440 \SystemRoot\System32\DRIVERS\gameenum.sys
.ModLoad: f0718000 f071cf80 \SystemRoot\System32\DRIVERS\USBD.SYS
.ModLoad: f0708000 f070fe20 \SystemRoot\System32\DRIVERS\uhcd.sys
.ModLoad: fc845000 fc860b00 \SystemRoot\system32\drivers\KS.SYS
.ModLoad: fc861000 fc885200 \SystemRoot\system32\drivers\portcls.sys
.ModLoad: f0728000 f072fe40 \SystemRoot\system32\drivers\ichaud.sys
.ModLoad: f0a33000 f0a33a40 \SystemRoot\System32\DRIVERS\audstub.sys
.ModLoad: f0480000 f048ca80 \SystemRoot\System32\DRIVERS\rasl2tp.sys
.ModLoad: f0894000 f08962c0 \SystemRoot\System32\DRIVERS\ndistapi.sys
.ModLoad: fc82e000 fc844aa0 \SystemRoot\System32\DRIVERS\ndiswan.sys
.ModLoad: f08a4000 f08a7e60 \SystemRoot\System32\DRIVERS\TDI.SYS
.ModLoad: f0490000 f049ba00 \SystemRoot\System32\DRIVERS\raspptp.sys
.ModLoad: f0750000 f0754400 \SystemRoot\System32\DRIVERS\ptilink.sys
.ModLoad: f0760000 f07640e0 \SystemRoot\System32\DRIVERS\raspti.sys
.ModLoad: f04a0000 f04aea20 \SystemRoot\System32\DRIVERS\parallel.sys
.ModLoad: f0a36000 f0a36d80 \SystemRoot\System32\DRIVERS\swenum.sys
.ModLoad: fc7e3000 fc8052a0 \SystemRoot\System32\DRIVERS\update.sys
.ModLoad: f0778000 f077ca60 \SystemRoot\System32\DRIVERS\flpydisk.sys
.ModLoad: f04d0000 f04d9ba0 \SystemRoot\System32\DRIVERS\usbhub.sys
.ModLoad: f04e0000 f04e9ce0 \SystemRoot\System32\Drivers\NDProxy.SYS
.ModLoad: f090c000 f090dca0 \SystemRoot\System32\Drivers\Fs_Rec.SYS
.ModLoad: f0a3f000 f0a3f9e0 \SystemRoot\System32\Drivers\Null.SYS
.ModLoad: f0a42000 f0a42ee0 \SystemRoot\System32\Drivers\Beep.SYS
.ModLoad: f08c4000 f08c7580 \SystemRoot\System32\drivers\vga.sys
.ModLoad: f0a43000 f0a43f80 \SystemRoot\System32\Drivers\mnmdd.SYS
.ModLoad: f07a8000 f07ad240 \SystemRoot\System32\Drivers\Msfs.SYS
.ModLoad: f04f0000 f04f8fa0 \SystemRoot\System32\Drivers\Npfs.SYS
.ModLoad: f0914000 f0915e40 \SystemRoot\System32\DRIVERS\rasacd.sys
.ModLoad: f86f2000 f87425e0 \SystemRoot\System32\DRIVERS\tcpip.sys
.ModLoad: f0500000 f05086c0 \SystemRoot\System32\DRIVERS\msgpc.sys
.ModLoad: f07c0000 f07c7d00 \SystemRoot\System32\DRIVERS\wanarp.sys
.ModLoad: f86cd000 f86f1500 \SystemRoot\System32\DRIVERS\netbt.sys
.ModLoad: f0510000 f05181a0 \SystemRoot\System32\DRIVERS\netbios.sys
.ModLoad: f86ab000 f86cc920 \SystemRoot\System32\DRIVERS\rdbss.sys
.ModLoad: f863b000 f86988a0 \SystemRoot\System32\DRIVERS\mrxsmb.sys
.ModLoad: f0a6f000 f0a6ff80 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
.ModLoad: f85fd000 f86121a0 \SystemRoot\System32\Drivers\dump_atapi.sys
.ModLoad: a0000000 a01a6580 ??\C:\WINNT\system32\win32k.sys
.ModLoad: f8585000 f85fc7a0 \SystemRoot\System32\i81xdnt5.dll
.ModLoad: f8442000 f846cdc0 ??\C:\WINNT\System32\Drivers\SYMTDI.SYS
.ModLoad: f8424000 f8441d40 \SystemRoot\System32\drivers\afd.sys
.ModLoad: f0934000 f0935860 \SystemRoot\System32\Drivers\ParVdm.SYS
.ModLoad: f8259000 f826b060 \SystemRoot\system32\drivers\wdmaud.sys
.ModLoad: f0620000 f062ba80 \SystemRoot\system32\drivers\sysaudio.sys
.ModLoad: f839c000 f83a4240 \SystemRoot\System32\Drivers\Fips.SYS
.ModLoad: f8108000 f8143560 \SystemRoot\System32\DRIVERS\srv.sys
.ModLoad: f80f7000 f8108000 ??\C:\WINNT\System32\Drivers\SAVRTPEL.SYS
.ModLoad: f7fa6000 f7fb6780 ??\C:\Program Files\Symantec\SYMEVENT.SYS
.ModLoad: f81c1000 f81d09c0 \SystemRoot\System32\DRIVERS\ipsec.sys
.ModLoad: f7ec4000 f7f04000 ??\C:\WINNT\System32\Drivers\SAVRT.SYS
.ModLoad: f8348000 f834a640 ??\C:\WINNT\System32\Drivers\SYMREDRV.SYS
.ModLoad: f7b2f000 f7b53220 \SystemRoot\system32\drivers\kmixer.sys
.ModLoad: f7a46000 f7ad6460 ??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020819.002\NAVEX15.SYS
.ModLoad: f7a35000 f7a45500 ??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20020819.002\NAVENG.SYS

Loading unloaded module list
...........
Loading User Symbols
.ModLoad: 00400000 0041b000 Unknown_Module_00400000
.ModLoad: 77f80000 77ffb000 C:\WINNT\System32\ntdll.dll
.ModLoad: 780c0000 78121000 C:\WINNT\system32\MSVCP60.dll
.ModLoad: 78000000 78046000 C:\WINNT\system32\MSVCRT.dll
.ModLoad: 77e80000 77f36000 C:\WINNT\system32\KERNEL32.dll
.ModLoad: 77e10000 77e75000 C:\WINNT\system32\USER32.dll
.ModLoad: 77f40000 77f7c000 C:\WINNT\system32\GDI32.DLL
.ModLoad: 77db0000 77e0d000 C:\WINNT\system32\ADVAPI32.dll
.ModLoad: 77d30000 77da1000 C:\WINNT\system32\RPCRT4.DLL
.ModLoad: 77a50000 77b45000 C:\WINNT\system32\ole32.dll
.ModLoad: 779b0000 77a4b000 C:\WINNT\system32\OLEAUT32.dll
.ModLoad: 10000000 10030000 C:\Program Files\Norton AntiVirus\SavRT32.dll
.ModLoad: 775a0000 77625000 C:\WINNT\system32\CLBCATQ.DLL
.ModLoad: 770f0000 772ed000 C:\WINNT\system32\msi.dll

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 0, 0, 0}

Loading symbols for 77f80000 ntdll.dll -> ntdll.dll
Loading symbols for fc92b000 FiLeOCK.sys -> FiLeOCK.sys
Loading symbols for fc908000 Fastfat.sys -> Fastfat.sys
Loading symbols for f7fa6000 SYMEVENT.SYS -> SYMEVENT.SYS
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for SYMEVENT.SYS -
Loading symbols for f7ec4000 SAVRT.SYS -> SAVRT.SYS
*** ERROR: Module load completed but symbols could not be loaded for
SAVRT.SYS
Loading symbols for f7a35000 NAVENG.SYS -> NAVENG.SYS
*** ERROR: Module load completed but symbols could not be loaded for
NAVENG.SYS
Loading symbols for f7a46000 NAVEX15.SYS -> NAVEX15.SYS
*** ERROR: Module load completed but symbols could not be loaded for
NAVEX15.SYS
Probably caused by : FiLeOCK.sys ( FiLeOCK!SpyLogIrpCompletion+23 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80455d74 cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 28)
.tss 28
eax=f8341e08 ebx=00000000 ecx=ff20f868 edx=ff214008 esi=ff214008 edi=ff214153
eip=fc92e6f3 esp=f8340db8 ebp=f834160c iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
FiLeOCK!SpyLogIrpCompletion+0x23:
fc92e6f3 53 push ebx
.trap
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from fc92c254 to fc92e6f3

STACK_TEXT:
f834160c fc92c254 ff214008 ff20f868 ff20f868 FiLeOCK!SpyLogIrpCompletion+0x23 [d:\development\fileock\source\backend\driver\fileock\fspyhash.c @ 341]
f8341620 8041f953 fcd84d60 ff214008 ff20f868 FiLeOCK!SpyPassThroughCompletion+0x84 [d:\development\fileock\source\backend\driver\fileock\filespy.c @ 1476]
f834164c fc90e511 e1299e28 fc9106a4 ff3753e8 nt!IopfCompleteRequest+0xab
f8341654 fc9106a4 ff3753e8 ff214008 c0000034 Fastfat!FatCompleteRequest_Real+0x47
f8341e18 fc90c0d7 ff3753e8 ff214008 fcd849c0 Fastfat!FatCommonCreate+0x1116
f8341e5c 8041f79f fcd849c0 ff214008 ff21416c Fastfat!FatFsdCreate+0x79
f8341e70 fc92bfb1 fcd84d60 ff214008 ff544868 nt!IopfCallDriver+0x35
f8342324 fc92c4ae fcd84d60 ff214008 00000000 FiLeOCK!SpyPassThrough+0x8a1 [d:\development\fileock\source\backend\driver\fileock\filespy.c @ 1348]
f834233c 8041f79f fcd84d60 ff214008 00000000 FiLeOCK!SpyCreate+0xde [d:\development\fileock\source\backend\driver\fileock\filespy.c @ 1699]
f8342350 f7fac2b3 f83423a0 f8042300 00000000 nt!IopfCallDriver+0x35
WARNING: Stack unwind information not available. Following frames may be wrong.
f8342558 8045110c fcd88750 00000000 f8342608 SYMEVENT+0x62b3
f83425c8 804a412d 00000000 fcda0000 00000040 nt!ObpLookupObjectName+0x4db
f83426d8 804960c1 00000000 00000000 f8342700 nt!ObOpenObjectByName+0xc5
f83427ac 80497dcd f83428d8 80100180 f834291c nt!IoCreateFile+0x3ec
f83427ec 80465091 f83428d8 80100180 f834291c nt!NtCreateFile+0x2e
f83427ec 80400a11 f83428d8 80100180 f834291c nt!KiSystemService+0xc4
f8342890 f7ef3731 f83428d8 80100180 f834291c nt!ZwCreateFile+0xb
f83428dc f7ef5059 f8342940 80100080 f834291c SAVRT+0x2f731
f8342958 f7a35b13 e1d4863a 00000000 00000000 SAVRT+0x31059
f8343034 f7a35cd1 f7efda80 00000001 00000000 NAVENG+0xb13
f8343260 f7a570bb f7efda80 00000001 00000000 NAVENG+0xcd1
f83436a4 f7ed634e f7efda80 00000000 f7a44288 NAVEX15+0x110bb
8042d8a4 565314ec 24a16457 8b000001 567e80f0 SAVRT+0x1234e
83ec8b55 00000000 00000000 00000000 00000000 0x565314ec

FOLLOWUP_IP:
FiLeOCK!SpyLogIrpCompletion+23
[d:\development\fileock\source\backend\driver\fileock\fspyhash.c @ 341]
fc92e6f3 53 push ebx

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: FiLeOCK!SpyLogIrpCompletion+23

MODULE_NAME: FiLeOCK

IMAGE_NAME: FiLeOCK.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4142a879

STACK_COMMAND: .tss 28 ; kb

BUCKET_ID: 0x7f_8_FiLeOCK!SpyLogIrpCompletion+23

Followup: MachineOwner

kd> .tss 28
eax=f8341e08 ebx=00000000 ecx=ff20f868 edx=ff214008 esi=ff214008 edi=ff214153
eip=fc92e6f3 esp=f8340db8 ebp=f834160c iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
FiLeOCK!SpyLogIrpCompletion+0x23:
fc92e6f3 53 push ebx
kd> !thread
THREAD ff5a8540 Cid 25c.288 Teb: 7ffdb000 Win32Thread: 00000000 RUNNING
IRP List:
ff214008: (0006,01b4) Flags: 00000884 Mdl: 00000000
ff5d4c48: (0006,0094) Flags: 00000000 Mdl: 00000000
Not impersonating
Owning Process ff5b4940
Wait Start TickCount 13240 Elapsed Ticks: 4
Context Switch Count 160
UserTime 0:00:00.0010
KernelTime 0:00:00.0470
Loading symbols for 77e80000 KERNEL32.dll -> KERNEL32.dll
*** WARNING: Unable to verify timestamp for KERNEL32.dll
*** ERROR: Module load completed but symbols could not be loaded for
KERNEL32.dll
Start Address KERNEL32 (0x77e88785)
Loading symbols for 78000000 MSVCRT.dll -> MSVCRT.dll
*** WARNING: Unable to verify timestamp for MSVCRT.dll
*** ERROR: Module load completed but symbols could not be loaded for
MSVCRT.dll
Win32 Start Address MSVCRT (0x7800c994)
Stack Init f8344000 Current f83428e4 Base f8344000 Limit f8341000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr Args to Child
804706e4 8042c0c3 00000003 8047072c 00000008 nt!RtlpBreakWithStatusInstruction
80470714 8042c487 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x31
80470aa0 804670ae 0000007f 00000008 00000000 nt!KeBugCheckEx+0x390
80470aa0 fc92e6f3 0000007f 00000008 00000000 nt!KiTrap08+0x3e
f834160c fc92c254 ff214008 ff20f868 ff20f868 FiLeOCK!SpyLogIrpCompletion+0x23
f8341620 8041f953 fcd84d60 ff214008 ff20f868 FiLeOCK!SpyPassThroughCompletion+0x84
f834164c fc90e511 e1299e28 fc9106a4 ff3753e8 nt!IopfCompleteRequest+0xab
f8341654 fc9106a4 ff3753e8 ff214008 c0000034 Fastfat!FatCompleteRequest_Real+0x47
f8341e18 fc90c0d7 ff3753e8 ff214008 fcd849c0 Fastfat!FatCommonCreate+0x1116
f8341e5c 8041f79f fcd849c0 ff214008 ff21416c Fastfat!FatFsdCreate+0x79
f8341e70 fc92bfb1 fcd84d60 ff214008 ff544868 nt!IopfCallDriver+0x35
f8342324 fc92c4ae fcd84d60 ff214008 00000000 FiLeOCK!SpyPassThrough+0x8a1
f834233c 8041f79f fcd84d60 ff214008 00000000 FiLeOCK!SpyCreate+0xde
f8342350 f7fac2b3 f83423a0 f8042300 00000000 nt!IopfCallDriver+0x35
f8342558 8045110c fcd88750 00000000 f8342608 SYMEVENT+0x62b3
f83425c8 804a412d 00000000 fcda0000 00000040 nt!ObpLookupObjectName+0x4db
f83426d8 804960c1 00000000 00000000 f8342700 nt!ObOpenObjectByName+0xc5
f83427ac 80497dcd f83428d8 80100180 f834291c nt!IoCreateFile+0x3ec
f83427ec 80465091 f83428d8 80100180 f834291c nt!NtCreateFile+0x2e
f83427ec 80400a11 f83428d8 80100180 f834291c nt!KiSystemService+0xc4
f8342890 f7ef3731 f83428d8 80100180 f834291c nt!ZwCreateFile+0xb
f83428dc f7ef5059 f8342940 80100080 f834291c SAVRT+0x2f731
f8342958 f7a35b13 e1d4863a 00000000 00000000 SAVRT+0x31059
f8343034 f7a35cd1 f7efda80 00000001 00000000 NAVENG+0xb13
f8343260 f7a570bb f7efda80 00000001 00000000 NAVENG+0xcd1
f83436a4 f7ed634e f7efda80 00000000 f7a44288 NAVEX15+0x110bb
8042d8a4 565314ec 24a16457 8b000001 567e80f0 SAVRT+0x1234e
83ec8b55 00000000 00000000 00000000 00000000 +0x565314ec

kd> !pcr
PCR Processor 0 @ffdff000
NtTib.ExceptionList: 8047022c
NtTib.StackBase: f8343df0
NtTib.StackLimit: f8341000
NtTib.SubSystemTib: 00000000
NtTib.Version: 00000000
NtTib.UserPointer: 00000000
NtTib.SelfTib: 7ffdb000

SelfPcr: ffdff000
Prcb: ffdff120
Irql: 00000000
IRR: 00000000
IDR: ffff24f0
InterruptMode: 00000000
IDT: 80036400
GDT: 80036000
TSS: 80473ac0

CurrentThread: ff5a8540
NextThread: 00000000
IdleThread: 8046f870

DpcQueue:
kd> .formats esp ^ ebp
Evaluate expression:
Hex: 00001bb4
Decimal: 7092
Octal: 00000015664
Binary: 00000000 00000000 00011011 10110100
Chars: ....
Time: Thu Jan 01 07:28:12 1970
Float: low 9.93801e-042 high 0
Double: 3.50391e-320
kd> !cpuinfo
CP F/M/S Manufacturer MHz Update Signature Features
0 6,8,6 GenuineIntel 634 0000000800000000 00002fff
kd> !cpuinfo
CP F/M/S Manufacturer MHz Update Signature Features
0 6,8,6 GenuineIntel 634 0000000800000000 00002fff
kd> !pcitree
Loading symbols for f0400000 pci.sys -> pci.sys
Bus 0x0 (FDO Ext fcd7e998)
0600 71208086 (d=0, f=0) devext fcd7d868 Bridge/HOST to PCI
0300 71218086 (d=1, f=0) devext fcd7c0e8 Display Controller/VGA
0604 24188086 (d=1e, f=0) devext fcd7cee8 Bridge/PCI to PCI
Bus 0x1 (FDO Ext fcd94358)
0200 802910ec (d=5, f=0) devext fcd91ee8 Network Controller/Ethernet
0601 24108086 (d=1f, f=0) devext fcd7cce8 Bridge/PCI to ISA
0101 24118086 (d=1f, f=1) devext fcd7cae8 Mass Storage Controller/IDE
0c03 24128086 (d=1f, f=2) devext fcd7c788 Serial Bus Controller/USB
0401 24158086 (d=1f, f=5) devext fcd7c428 Multimedia Device/Audio
Total PCI Root busses processed = 1

Regards,
Naren.

narendra.bhongale wrote:

[snip]

> eip=fc92e6f3 esp=f8340db8 ebp=f834160c iopl=0 nv up ei ng nz ac po cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297

[snip]

> NtTib.StackLimit: f8341000

[snip]

Looks like stack overflow, doesn’t it?

Regards,
Filip
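
The check behind this diagnosis can be done mechanically: compare esp with the thread's stack limit, then take the gaps between successive ChildEBP values to see which frames consumed the stack. The C program below is an added example, not code from the thread; its function names are hypothetical, its input is a constructed excerpt of the dump lines above, and charging each gap to the frame above it is an approximation (the gap also holds that frame's outgoing arguments and return address).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed excerpt: register, !thread and stack lines copied from the dump
   in this thread, wrapped frame lines rejoined, some middle frames omitted. */
static const char DUMP[] =
    "eip=fc92e6f3 esp=f8340db8 ebp=f834160c iopl=0 nv up ei ng nz ac po cy\n"
    "Stack Init f8344000 Current f83428e4 Base f8344000 Limit f8341000 Call 0\n"
    "f834160c fc92c254 ff214008 ff20f868 ff20f868 FiLeOCK!SpyLogIrpCompletion+0x23\n"
    "f8341620 8041f953 fcd84d60 ff214008 ff20f868 FiLeOCK!SpyPassThroughCompletion+0x84\n"
    "f834164c fc90e511 e1299e28 fc9106a4 ff3753e8 nt!IopfCompleteRequest+0xab\n"
    "f8341654 fc9106a4 ff3753e8 ff214008 c0000034 Fastfat!FatCompleteRequest_Real+0x47\n"
    "f8341e18 fc90c0d7 ff3753e8 ff214008 fcd849c0 Fastfat!FatCommonCreate+0x1116\n"
    "f8341e5c 8041f79f fcd849c0 ff214008 ff21416c Fastfat!FatFsdCreate+0x79\n"
    "f8341e70 fc92bfb1 fcd84d60 ff214008 ff544868 nt!IopfCallDriver+0x35\n"
    "f8342324 fc92c4ae fcd84d60 ff214008 00000000 FiLeOCK!SpyPassThrough+0x8a1\n"
    "f834233c 8041f79f fcd84d60 ff214008 00000000 FiLeOCK!SpyCreate+0xde\n"
    "f8342350 f7fac2b3 f83423a0 f8042300 00000000 nt!IopfCallDriver+0x35\n"
    "f8342558 8045110c fcd88750 00000000 f8342608 SYMEVENT+0x62b3\n"
    "8042d8a4 565314ec 24a16457 8b000001 567e80f0 SAVRT+0x1234e\n";

/* Return the hex value that follows `key`, or 0 if the key is absent. */
static unsigned long long hex_after(const char *text, const char *key)
{
    const char *p = strstr(text, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : 0;
}

/* Bytes between esp and the stack limit at the time of the trap.
   A negative result means esp is already below the limit (overflow). */
long long stack_headroom(const char *dump)
{
    return (long long)hex_after(dump, "esp=")
         - (long long)hex_after(dump, "Limit ");
}

/* Sum the stack bytes charged to frames whose symbol starts with `prefix`
   ("" matches every frame). Frame 0 is charged ebp - esp; every other frame
   is charged the gap down to the ChildEBP of the frame it called. Parsing
   stops when ChildEBP stops increasing, which marks a broken unwind.
   If `worst` is not NULL it receives the largest single matching frame. */
long long frame_bytes(const char *dump, const char *prefix, long long *worst)
{
    unsigned long long below = hex_after(dump, "esp=");
    long long total = 0, max = 0;
    const char *line = dump;

    while (line && *line) {
        unsigned long long ebp;
        char sym[96];
        /* Frame line: ChildEBP RetAddr arg1 arg2 arg3 symbol */
        if (sscanf(line, "%8llx %*x %*x %*x %*x %95s", &ebp, sym) == 2) {
            if (ebp <= below)
                break;                      /* unwind no longer trustworthy */
            long long used = (long long)(ebp - below);
            if (strncmp(sym, prefix, strlen(prefix)) == 0) {
                total += used;
                if (used > max)
                    max = used;
            }
            below = ebp;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    if (worst)
        *worst = max;
    return total;
}

int main(void)
{
    long long worst;
    long long mine = frame_bytes(DUMP, "FiLeOCK!", &worst);
    printf("headroom at fault: %lld bytes\n", stack_headroom(DUMP));
    printf("FiLeOCK frames: %lld bytes, largest frame %lld\n", mine, worst);
    printf("all unwound frames: %lld bytes\n", frame_bytes(DUMP, "", NULL));
    return 0;
}
```
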

Hi Filip,
thanks for the reply.

I also think so. So I made a change to my code. I moved my code to a new function
and called this function from the previous point. It's working for me now.
Is it the right way? Will it cause any problem with my code in future?

Regards,
Naren.



Remember, the stack in kernel mode is very limited and many of these virus
scanners consume a large amount of stack, especially when re-entering the IRP
stack to do the actual scanning from their associated services.

It is a good idea to move structure definitions and buffers off of the stack
and put them in static or allocated memory. Zones and look-aside lists are
good for this if these are common structures of a common size (i.e. per IRP
allocations and such).

Jamey


Kernel stack overflows are a large issue on W2K.

Issue #1 is that NTFS uses too much stack. We have greatly improved
this in XP and later. I have been pushing to get some of these stack
usage reduction fixes backported but have had no luck so far from the
NTFS devs.

Issue #2 is that filters use too much stack themselves. Rearranging
your code (as Jamey suggested) to call subroutines to do your “real”
work so that the routines which call IoCallDriver consume little or no
stack is the best thing you can do today.

Issue #3 is filters that do recursive IO. For most operations this is
easily solved by generating your own IRP. For filters that need to open
a file this is harder so they typically call ZwCreateFile.

Almost every stack overflow issue I have looked at has to do with a
filter calling ZwCreateFile while processing a create IRP. In XP and
later this is addressed by using IoCreateFileSpecifyDeviceObjectHint
(don’t you love that name :), hereafter I am going to use
“CreateWithHint”). Unfortunately this API does not generally exist in
W2K. We are making it available but it will take time to get out there.
If possible I would recommend that you attempt to dynamically import
“CreateWithHint” and if it exists use it; if it does not then use
ZwCreateFile. As “CreateWithHint” becomes more widely available on W2K
you will start seeing fewer issues.

Shameless Filter Manager plug:
As the filter manager becomes generally available over the next year (it
is already released with XP SP2, will be released with Srv03 SP1, and a
redistributable update will be available for W2K SP4) and more filters
start using it I believe these issues will significantly decrease. The
filter manager addresses the stack overflow issues by:

  • Using a call-back model instead of a call-through model for processing
    IOs
  • Supports doing non-recursive IO from your filter

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights


Hi,
Thanks for the reply.

I had a #2 issue:

> Issue #2 is that filters use too much stack themselves. Rearranging
> your code (as Jamey suggested) to call subroutines to do your “real”
> work so that the routines which call IoCallDriver consume little or no
> stack is the best thing you can do today.

I was using larger static memory in SpyLogIrpCompletion and in IRP_MJ_CREATE
too. I made that memory global, and reduced its size.

How can a developer handle these stack overflows (at runtime) if they occur? At
runtime, small memory may also cause a problem, because of others.

Regards,
Naren.

> I was using larger static memory in SpyLogIrpCompletion and in
> IRP_MJ_CREATE too. I made that memory global, and reduced its size.

Just to be sure - didn’t you make *request-specific* data global?

L.

There is no way to handle stack overflows at runtime. When they occur
the system will bug check. You must code defensively to prevent them.

Since this was a local on the stack, by making it global you must be
using some sort of synchronization to serialize its use; if not you
probably have a bug.

If you need to remove locals from the stack a better way than making
them global is to create a lookaside list and then allocate and free the
memory as you need it. This will eliminate the serialization issues you
will encounter by sharing one buffer.

Over time the system will dynamically tune your lookaside cache so most
of the time you can immediately get the memory you need without
internally calling ExAllocatePool. The one drawback to this approach
is that you have to handle the allocation failure.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights
