Since there is a 3rd party driver installed I could not get the call stack properly, and so I manually constructed the call stack. Still, the call stack is not 100% clear. What I could construct is:
ChildEBP RetAddr Args to Child
ba92481c 804e5a30 8050db68 ffffffff ba92489c nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
ba924910 f7898e38 00000007 00000000 00000000 nt!_except_handler3 (FPO: [Uses EBP] [3,0,7])
862f1398 8639f420 0001010d 86493048 86324020 Mydrv!MountVolume
ba924948 ba9bcc6c 8639f420 862f11c8 862f1398 MyDrv!FsControl
WARNING: Stack unwind information not available. Following frames may be wrong.
ba924984 804f04f3 8639f420 862f11c8 862f13bc BsUDF+0xfc6c
ba924994 f74ef1d8 862f11c8 8655f5a8 8639f420 nt!IofCallDriver+0x3f (FPO: [0,0,0])
ba9249bc 804f04f3 86345bf0 862f11c8 863053c0 Dfs!DfsFilterFsControl+0x80 (FPO: [Non-Fpo])
ba9249cc 805b8d23 8639f420 80748020 807480a0 nt!IofCallDriver+0x3f (FPO: [0,0,0])
ba924a24 80517d60 86345bf0 862da901 00000000 nt!IopMountVolume+0x1d3 (FPO: [Non-Fpo])
ba924a50 8058f04e 862da950 8639f400 ba924b9c nt!IopCheckVpbMounted+0x5a (FPO: [Non-Fpo])
ba924b58 8058e1a2 8639f420 00000000 8630bdc8 nt!IopParseDevice+0x3f0 (FPO: [Non-Fpo])
ba924bd4 8058d9a9 00000000 ba924c14 00000040 nt!ObpLookupObjectName+0x545 (FPO: [Non-Fpo])
ba924c28 8058f549 00000000 00000000 00000101 nt!ObOpenObjectByName+0xe8 (FPO: [Non-Fpo])
ba924ca4 8058f61d 0054fc20 80100080 0054fbbc nt!IopCreateFile+0x413 (FPO: [Non-Fpo])
ba924cf0 8058dfae 0054fc20 80100080 0054fbbc nt!IoCreateFile+0x3d (FPO: [Non-Fpo])
ba924d30 804dfd24 0054fc20 80100080 0054fbbc nt!NtCreateFile+0x2e (FPO: [Non-Fpo])
ba924d30 7ffe0304 0054fc20 80100080 0054fbbc nt!KiSystemService+0xd0 (FPO: [0,0] TrapFrame @ ba924d64)
0054fb78 77f42473 77e49810 0054fc20 80100080 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0054fb7c 77e49810 0054fc20 80100080 0054fbbc ntdll!NtCreateFile+0xc (FPO: [11,0,0])
0054fc18 76b4b70f 00000000 80000000 00000003 kernel32!CreateFileW+0x364 (FPO: [Non-Fpo])
0054fc38 76b4e530 000aba58 80000000 00269fa0 shsvcs!_GetDeviceHandle+0x17 (FPO: [2,0,0])
0054fc80 76b4feb2 0054fca0 00000001 00000000 shsvcs!CVolume::_GetDeviceHandleSafe+0x2c (FPO: [Non-Fpo])
0054fcb8 76b50300 0054fd0c 00267e60 00267e60 shsvcs!CVolume::_InitHelper+0xa3 (FPO: [Non-Fpo])
0054fcd0 76b576c4 0054fd0c 00000000 0054fd0c shsvcs!CVolume::Init+0x59 (FPO: [Non-Fpo])
0054fce8 76b57cc4 0054fd0c 00000000 00267d28 shsvcs!CNamedElemList::_Add+0x20 (FPO: [Non-Fpo])
0054ff24 77e42da7 76b5d458 00000000 76b5d458 shsvcs!CNamedElemList::ReEnum+0xcb (FPO: [Uses EBP] [0,133,0])
0054ff34 76b4b49a 76b5d458 00000000 c4f2a77e kernel32!InitializeCriticalSectionAndSpinCount+0x12 (FPO: [2,0,0])
0054ff58 76b4b3c7 00267d2c 0009ce44 0009ce44 shsvcs!CCritSect::Init+0xc (FPO: [0,0,0])
0054ff78 010011a0 00000001 0009ce40 00000000 shsvcs!CGenericServiceManager::_ServiceMain+0xca (FPO: [Non-Fpo])
0054ffa8 77db571b 00000001 0009ce40 00000000 svchost!ServiceStarter+0x8a (FPO: [Non-Fpo])
0054ffb8 77e4a990 0009ce38 00000000 00000000 ADVAPI32!ScSvcctrlThreadA+0xe (FPO: [1,0,0])
0054ffec 00000000 77db570d 0009ce38 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo])
Can I rely on the above call stack, because it still says "WARNING: Stack unwind information not available. Following frames may be wrong."?
More, I examined the IRP and it gives the following:
Irp is active with 11 stacks 9 is current (= 0x862f1358)
No Mdl: No System Buffer: Thread 863053c0: Irp stack trace.
cmd flg cl Device File Completion-Context
[0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
::::::::::
Args: 00000000 00000000 00000000 00000000
[d, 1] 1 e0 00000003 00000000 f78974a6-ba924924 Success Error Cancel
00000003: Could not read device object or _DEVICE_OBJECT not found
Mydrv!MountVolumeCompletion
Args: 86493048 86324020 00000000 00000000
[d, 1] 1 e0 86341658 00000000 f74e95ca-8639f420 Success Error Cancel
\Driver\Mydrv Dfs!DfsCompleteMountRequest
Args: 86493048 86324020 00000000 00000000
[d, 1] 1 0 86345bf0 00000000 00000000-00000000
\FileSystem\DfsDriver
Args: 86493048 86324020 00000000 00000000
I examined the attached chain and it says DFS->Mydrv->BsUDF.
So I think the DFS driver passes the IRP to me and the BsUDF thing should not be there.
Is there any known issue with the DFS filter? It passes a corrupt device object to my MountVolume routine and that gives BugCheck 8E. Running on 2k3 SP1.
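The question of which frames can be trusted comes up often with a hand-built `kb` listing like the one above. As an added example (not part of the original post or of any of the drivers named in it), the script below parses WinDbg `kb`-style output, marks every frame after the "Stack unwind information not available" warning as unreliable, and applies two sanity checks a reviewer would do by eye: on x86 the `ChildEBP` column must increase from callee to caller within one privilege mode (the stack grows down), and the kernel-to-user transition must occur exactly once, at the system service frame. The sample input is a shortened, constructed subset of the stack in the post; the 2 GB kernel/user split and the monotonic-EBP rule are assumptions of the script, not facts taken from the post.

```python
"""Triage helper for WinDbg ``kb`` output (added example, not from the original post)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One ``kb`` frame: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol [FPO info...]
FRAME_RE = re.compile(
    r"^(?P<child_ebp>[0-9a-f]{8})\s+(?P<ret_addr>[0-9a-f]{8})\s+"
    r"(?P<a1>[0-9a-f]{8})\s+(?P<a2>[0-9a-f]{8})\s+(?P<a3>[0-9a-f]{8})\s+"
    r"(?P<symbol>\S+)"
)
WARNING_MARK = "Stack unwind information not available"
# Assumption: default x86 layout, user addresses below 0x80000000 (no /3GB).
KERNEL_BASE = 0x80000000

# Constructed sample: a subset of the frames quoted in the post, with the
# wrapped lines rejoined so each frame is on one line.
SAMPLE_KB = """\
ChildEBP RetAddr Args to Child
ba92481c 804e5a30 8050db68 ffffffff ba92489c nt!KeBugCheckEx+0x19 (FPO: [Non-Fpo])
ba924910 f7898e38 00000007 00000000 00000000 nt!_except_handler3 (FPO: [Uses EBP] [3,0,7])
862f1398 8639f420 0001010d 86493048 86324020 Mydrv!MountVolume
ba924948 ba9bcc6c 8639f420 862f11c8 862f1398 MyDrv!FsControl
WARNING: Stack unwind information not available. Following frames may be wrong.
ba924984 804f04f3 8639f420 862f11c8 862f13bc BsUDF+0xfc6c
ba924994 f74ef1d8 862f11c8 8655f5a8 8639f420 nt!IofCallDriver+0x3f (FPO: [0,0,0])
ba924d30 804dfd24 0054fc20 80100080 0054fbbc nt!NtCreateFile+0x2e (FPO: [Non-Fpo])
ba924d30 7ffe0304 0054fc20 80100080 0054fbbc nt!KiSystemService+0xd0 (FPO: [0,0] TrapFrame @ ba924d64)
0054fb78 77f42473 77e49810 0054fc20 80100080 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
0054fb7c 77e49810 0054fc20 80100080 0054fbbc ntdll!NtCreateFile+0xc (FPO: [11,0,0])
0054fc18 76b4b70f 00000000 80000000 00000003 kernel32!CreateFileW+0x364 (FPO: [Non-Fpo])
"""


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: Tuple[int, int, int]
    symbol: str
    after_warning: bool   # listed after the unwind warning -> may be wrong
    user_mode: bool       # ChildEBP below KERNEL_BASE


def parse_kb(text: str) -> List[Frame]:
    """Parse ``kb`` text into Frame records; non-frame lines are skipped."""
    frames: List[Frame] = []
    seen_warning = False
    for raw in text.splitlines():
        line = raw.strip()
        if WARNING_MARK in line:
            seen_warning = True
            continue
        m = FRAME_RE.match(line)
        if not m:  # column header, blank lines, stray FPO continuations
            continue
        child = int(m["child_ebp"], 16)
        frames.append(Frame(
            child_ebp=child,
            ret_addr=int(m["ret_addr"], 16),
            args=(int(m["a1"], 16), int(m["a2"], 16), int(m["a3"], 16)),
            symbol=m["symbol"],
            after_warning=seen_warning,
            user_mode=child < KERNEL_BASE,
        ))
    return frames


def chain_anomalies(frames: List[Frame]) -> List[int]:
    """Indexes of frames whose ChildEBP is *below* the callee's within one mode.

    A caller's frame must sit at a higher stack address than its callee's, so a
    drop means the frame was not produced by walking the EBP chain (for example
    a hand-inserted frame whose 'ChildEBP' is really a pool address)."""
    bad = []
    for i in range(1, len(frames)):
        prev, cur = frames[i - 1], frames[i]
        if cur.user_mode == prev.user_mode and cur.child_ebp < prev.child_ebp:
            bad.append(i)
    return bad


def mode_transitions(frames: List[Frame]) -> List[int]:
    """Indexes where the stack crosses between kernel and user mode.

    Exactly one crossing is expected, at the system service stub."""
    return [i for i in range(1, len(frames))
            if frames[i].user_mode != frames[i - 1].user_mode]


if __name__ == "__main__":
    fr = parse_kb(SAMPLE_KB)
    for i, f in enumerate(fr):
        flag = "?" if f.after_warning else " "
        print(f"{flag} {i:2d} {f.child_ebp:08x} {f.symbol}")
    print("EBP chain anomalies at:", chain_anomalies(fr))
    print("kernel/user transitions at:", mode_transitions(fr))
```

On the sample, the only chain anomaly is the `Mydrv!MountVolume` frame, whose `ChildEBP` (`862f1398`) is not on the `ba924xxx` thread stack at all, which is the kind of detail to re-check before trusting a manually reconstructed frame. The single mode transition lands at `SharedUserData!SystemCallStub`, as expected.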