Thank you for that hint.
I used IoGetDeviceObjectPointer("\Fat") to get Fat's device object.
Then IoBuildDeviceIoControlRequest/IoCallDriver to send that IOCTL, passing a handle to \device\device126 (replacing the ZwFsControlFile(FSCTL_DISMOUNT_VOLUME) call I had before).
And the volume does get immediately unmounted, and my driver unloads.
However, repeating the mount results in a crash. (I: is a symlink to the device the 2nd time.)
Although the invalidation worked, my guess is that it invalidated more than I intended it to.
PROCESS_NAME: explorer.exe
FAULTING_IP:
nt!IopMountVolume+143
817ec9d7 8b4010 mov eax,dword ptr [eax+10h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 817ec9d7 (nt!IopMountVolume+0x00000143)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000006c
Attempt to read from address 0000006c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000006c
READ_ADDRESS: 0000006c
FOLLOWUP_IP:
nt!IopMountVolume+143
817ec9d7 8b4010 mov eax,dword ptr [eax+10h]
BUGCHECK_STR: ACCESS_VIOLATION
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8168da3e to 817ec9d7
STACK_TEXT:
8ef819ac 8168da3e 8fbd4030 8ef81c00 00000000 nt!IopMountVolume+0x143
8ef819dc 81869498 8ef81c14 8ef81b00 8ef81a98 nt!IopCheckVpbMounted+0x60
8ef81ab8 8188f2ff 8fbd4030 00000000 91053ac8 nt!IopParseDevice+0x7fe
8ef81b48 81866fea 00000000 8ef81ba0 00000040 nt!ObpLookupObjectName+0x5a8
8ef81ba8 8185562a 02d9f6d8 00000000 84615001 nt!ObOpenObjectByName+0x13c
8ef81d54 816a0a7a 02d9f6d8 02d9f6b0 02d9f6f8 nt!NtQueryAttributesFile+0x125
8ef81d54 77889a94 02d9f6d8 02d9f6b0 02d9f6f8 nt!KiFastCallEntry+0x12a
WARNING: Stack unwind information not available. Following frames may be wrong.
02d9f6f8 76a28844 02d9f714 0042b910 00000000 ntdll!KiFastSystemCallRet
02d9f920 76a2816f 02e763f8 02ed17a8 02ed17a8 SHELL32!CMtPtLocal::IsAutorunPresent+0x9d
STACK_COMMAND: kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!IopMountVolume+143
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12
FAILURE_BUCKET_ID: ACCESS_VIOLATION_VRF_nt!IopMountVolume+143
BUCKET_ID: ACCESS_VIOLATION_VRF_nt!IopMountVolume+143
Followup: MachineOwner
kd> dt _object_attributes 02d9f6d8
nt!_OBJECT_ATTRIBUTES
+0x000 Length : 0x18
+0x004 RootDirectory : (null)
+0x008 ObjectName : 0x02d9f6f0 _UNICODE_STRING "\??\I:\autorun.inf"
+0x00c Attributes : 0x40
+0x010 SecurityDescriptor : (null)
+0x014 SecurityQualityOfService : (null)
kd> !devobj 8fbd4030
Device object (8fbd4030) is for:
\Driver\test126 DriverObject 881983d0
Current Irp 00000000 RefCount 1 Type 00000007 Flags 00000050
Vpb 8e52f1d8 Dacl 916b7bac DevExt 8fbd40e8 DevObjExt 8fbd4138 Dope 9105c008
ExtensionFlags (0xc0000800) DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO
Unknown flags 0x00000800
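As an added example (not part of the post above or of the poster's driver), the following Python script performs the first triage step I would do on a dump like this one: it parses the !analyze -v output quoted above, recovers the value the base register held when the faulting instruction executed (fault address minus the operand displacement), and classifies that value as NULL, near-NULL or a real pointer. The sample input is the dump text from the post, embedded verbatim; the function and variable names are my own.

```python
import re

# Constructed sample: the relevant lines of the !analyze -v output quoted in the post.
ANALYZE_OUTPUT = """\
FAULTING_IP:
nt!IopMountVolume+143
817ec9d7 8b4010 mov eax,dword ptr [eax+10h]
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: 0000006c
STACK_TEXT:
8ef819ac 8168da3e 8fbd4030 8ef81c00 00000000 nt!IopMountVolume+0x143
8ef819dc 81869498 8ef81c14 8ef81b00 8ef81a98 nt!IopCheckVpbMounted+0x60
8ef81ab8 8188f2ff 8fbd4030 00000000 91053ac8 nt!IopParseDevice+0x7fe
8ef81b48 81866fea 00000000 8ef81ba0 00000040 nt!ObpLookupObjectName+0x5a8
8ef81ba8 8185562a 02d9f6d8 00000000 84615001 nt!ObOpenObjectByName+0x13c
8ef81d54 816a0a7a 02d9f6d8 02d9f6b0 02d9f6f8 nt!NtQueryAttributesFile+0x125
8ef81d54 77889a94 02d9f6d8 02d9f6b0 02d9f6f8 nt!KiFastCallEntry+0x12a
STACK_COMMAND: kb
"""

# x86 memory operand such as [eax+10h] or [esi-4]: base register plus optional displacement.
MEM_OPERAND = re.compile(r"\[(?P<base>[a-z]{2,3})(?:(?P<sign>[+-])(?P<disp>[0-9a-f]+)h?)?\]")
# One 32-bit "kb" frame: ChildEBP RetAddr Args(3) Symbol
STACK_FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (?P<sym>\S+)$")


def parse_analyze(text):
    """Extract the faulting instruction, the faulting address and the kb frames from !analyze -v text."""
    lines = [l.strip() for l in text.splitlines()]
    info = {"instruction": None, "read_address": None, "frames": []}
    in_stack = False
    for i, line in enumerate(lines):
        if line == "FAULTING_IP:":
            # Header, then "module!symbol+off", then "addr bytes mnemonic operands".
            info["instruction"] = lines[i + 2].split(None, 2)[2]
        elif line.startswith("READ_ADDRESS:"):
            info["read_address"] = int(line.split(":", 1)[1], 16)
        elif line == "STACK_TEXT:":
            in_stack = True
        elif line.startswith("STACK_COMMAND:"):
            in_stack = False
        elif in_stack:
            m = STACK_FRAME.match(line)
            if m:
                info["frames"].append(m.group("sym"))
    return info


def solve_base_register(instruction, fault_address):
    """Return (register, value) for the base register of the faulting memory operand.

    The CPU computed fault_address = register + displacement, so the register held
    fault_address - displacement at the moment of the access."""
    m = MEM_OPERAND.search(instruction)
    if not m:
        raise ValueError("no memory operand in %r" % instruction)
    disp = int(m.group("disp") or "0", 16)
    if m.group("sign") == "-":
        disp = -disp
    return m.group("base"), (fault_address - disp) & 0xFFFFFFFF


def classify_pointer(value, page_size=0x1000):
    """The first page is never mapped in user or kernel space, so anything below it is
    a NULL base with field offsets added, not a pointer that was ever valid."""
    if value == 0:
        return "NULL"
    if value < page_size:
        return "near-NULL (small offset from a NULL base, not a real pointer)"
    return "non-NULL (possible use-after-free or corrupted pointer)"


def triage(text):
    """Full triage of one dump: which register, what it held, and the faulting call chain."""
    info = parse_analyze(text)
    reg, value = solve_base_register(info["instruction"], info["read_address"])
    return {
        "register": reg,
        "register_value": value,
        "classification": classify_pointer(value),
        "faulting_frame": info["frames"][0] if info["frames"] else None,
        "frames": info["frames"],
    }


if __name__ == "__main__":
    for key, val in triage(ANALYZE_OUTPUT).items():
        print(key, ":", hex(val) if isinstance(val, int) else val)
```

On the dump above the script reports that eax held 0x5c, not 0, when `mov eax,dword ptr [eax+10h]` executed: the NULL_CLASS_PTR_DEREFERENCE bucket is the debugger's heuristic for a near-NULL base, so the pointer that IopMountVolume loaded was itself already a small offset from NULL rather than a pointer into the VPB or device object. That is the value to chase back from the frame's arguments (8fbd4030 is the driver's device object, per the !devobj output) when deciding what the dismount IOCTL tore down.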