error while "Try to run program from Start->Run" in Post callback of Directory_Contro

i m facing here a strange prblem …i m trying to change directroy content by changing the buffer asociated…in mini-filter… but i did’t have changed the buffer yet…just fetching some ualues…like long-filename and short-filename…ect in PFILE_BOTH_DIR_INFORMATION …

this code work well normally…!!! and explorer open directories normally…but some strange happen when i use start->run to rum any command even a wrong command…this code just crashes…and the error appears…!!!

i m new to this field plz …keep this in consideration while answering…!!!

thanks in advance…!!!

analysis of bugcheck and stack trave are included… m using vmware as a test bed…

FLT_POSTOP_CALLBACK_STATUS
PtPostOperationDirectoryCtrl (
IN OUT PFLT_CALLBACK_DATA Data,
IN PCFLT_RELATED_OBJECTS FltObjects,
IN PVOID CompletionContext,
IN FLT_POST_OPERATION_FLAGS Flags
)

{

NTSTATUS Status;
WCHAR ShortFileName[13];
PWCHAR FullFileName = NULL ;
PVOID Bufff;
ULONG Counter;
PFILE_BOTH_DIR_INFORMATION Buffer;

// FltCompareUnicodeString()

Status = FltLockUserBuffer( Data );

if(NT_SUCCESS(Status))
{

Bufff = MmGetSystemAddressForMdlSafe(
Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress,
NormalPagePriority
);

if (Bufff != NULL)
{
Buffer = (PFILE_BOTH_DIR_INFORMATION)
ExAllocatePoolWithTag(
NonPagedPool,
sizeof(FILE_BOTH_DIR_INFORMATION),
‘BUFF’
);

if (Buffer == NULL)
{
return FLT_PREOP_SUCCESS_WITH_CALLBACK;

}

Counter = 0;

RtlZeroMemory(Buffer, sizeof(FILE_BOTH_DIR_INFORMATION));
do
{

Counter = Counter + Buffer->NextEntryOffset;

*Buffer = *(PFILE_BOTH_DIR_INFORMATION )(PVOID)((PCHAR)Bufff + Counter);

FullFileName = (PWCHAR)ExAllocatePoolWithTag(
NonPagedPool,
Buffer->FileNameLength,
‘FUNA’
);

if (FullFileName == NULL)
{

ExFreePoolWithTag(Buffer, ‘BUFF’);

return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

RtlZeroMemory(ShortFileName, 24);

// RtlCopyMemory(ShortFileName, Buffer->ShortName, 24);

// RtlCopyMemory(
// FullFileName ,
// Buffer->FileName,
// 2*Buffer->FileNameLength);

ExFreePoolWithTag(FullFileName, ‘FUNA’);

}while(Buffer->NextEntryOffset != 0);

}

DbgPrint(“\n directory control callred”);

ExFreePoolWithTag(Buffer, ‘BUFF’);
}

return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fca0c9a4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: fb0f76ba, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT ***
*** ***
*************************************************************************

READ_ADDRESS: fca0c9a4 Nonpaged pool expansion

FAULTING_IP:
PassThrough!PtPostOperationDirectoryCtrl+ca [c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

IMAGE_NAME: PassThrough.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e1f8470

MODULE_NAME: PassThrough

FAULTING_MODULE: fb0f7000 PassThrough

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

PROCESS_NAME: Explorer.EXE

TRAP_FRAME: f8dfe984 – (.trap fffffffff8dfe984)
ErrCode = 00000000
eax=00000000 ebx=ffaa33cc ecx=00000018 edx=0184df18 esi=fca0c9a4 edi=812aa5e8
eip=fb0f76ba esp=f8dfe9f8 ebp=f8dfea38 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
PassThrough!PtPostOperationDirectoryCtrl+0xca:
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi] es:0023:812aa5e8=0184df18 ds:0023:fca0c9a4=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 805328e7 to 804e3b25

STACK_TEXT:
f8dfe4d4 805328e7 00000003 fca0c9a4 00000000 nt!RtlpBreakWithStatusInstruction
f8dfe520 805333be 00000003 806ee298 c03f2830 nt!KiBugCheckDebugBreak+0x19
f8dfe900 805339ae 00000050 fca0c9a4 00000000 nt!KeBugCheck2+0x574
f8dfe920 805246fb 00000050 fca0c9a4 00000000 nt!KeBugCheckEx+0x1b
f8dfe96c 804e1ff1 00000000 fca0c9a4 00000000 nt!MmAccessFault+0x6f5
f8dfe96c fb0f76ba 00000000 fca0c9a4 00000000 nt!KiTrap0E+0xcc
f8dfea38 faa67fa1 ffaa33cc f8dfea5c 00000000 PassThrough!PtPostOperationDirectoryCtrl+0xca [c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
f8dfeaa0 faa6a3ea 00aa3370 812479fb ffaa3370 fltMgr!FltpPerformPostCallbacks+0x1c5
f8dfeab4 faa6a817 ffaa3370 812478b0 f8dfeaf4 fltMgr!FltpProcessIoCompletion+0x10
f8dfeac4 804e42cc 81283bd8 812478b0 ffaa3370 fltMgr!FltpPassThroughCompletion+0x89
f8dfeaf4 faa47bb1 f8dfec28 faa4bb0b 81245590 nt!IopfCompleteRequest+0xa2
f8dfeafc faa4bb0b 81245590 812478b0 c000000f Fastfat!FatCompleteRequest_Real+0x49
f8dfeb0c faa4ba9f 00000000 812478b0 ffaa3370 Fastfat!FatQueryDirectory+0xce2
f8dfec28 faa4c63d 81245590 812478b0 f8dfec7c Fastfat!FatQueryDirectory+0xc7b
f8dfec38 faa4bb75 81245590 812478b0 00000000 Fastfat!FatCommonDirectoryControl+0x3e
f8dfec7c 804e3d77 812aca68 812478b0 812478b0 Fastfat!FatFsdDirectoryControl+0x3e
f8dfec8c faa6ae67 ffa7cc18 812478b0 00000000 nt!IopfCallDriver+0x31
f8dfecb0 faa6b00c f8dfecd0 81283bd8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
f8dfece8 804e3d77 81283bd8 812478b0 806ee2d0 fltMgr!FltpDispatch+0x104
f8dfecf8 8056a9ab f8dfed64 0184da20 80574dad nt!IopfCallDriver+0x31
f8dfed0c 80574e0a 81283bd8 812478b0 8118f788 nt!IopSynchronousServiceTail+0x60
f8dfed30 804df06b 00000644 00000000 00000000 nt!NtQueryDirectoryFile+0x5d
f8dfed30 7c90eb94 00000644 00000000 00000000 nt!KiFastCallEntry+0xf8
0184d9e8 7c90df6a 7c80eec2 00000644 00000000 ntdll!KiFastSystemCallRet
0184d9ec 7c80eec2 00000644 00000000 00000000 ntdll!ZwQueryDirectoryFile+0xc
0184dcf8 7c80f0f7 0184e56c 00000000 0184e0c0 kernel32!FindFirstFileExW+0x3a0
0184dd18 77f7924f 0184e56c 0184e0c0 0184e56c kernel32!FindFirstFileW+0x16
0184e088 77fb185b 0184e56c 0184e0c0 00000000 SHLWAPI!FindFirstFileWrapW+0x72
0184e314 77f920af 0000003f 00000000 0171200c SHLWAPI!PathMakeSystemFolderW+0x1bb
0184e32c 77f81ba8 0184e56c 0000003f 00000000 SHLWAPI!PathFileExistsDefExtAndAttributesW+0x3b
0184e340 77f920e6 0184e56c 0000003f 0171200c SHLWAPI!PathFileExistsDefExtW+0x2d
0184e778 7ca3fc76 0171200c 0184e7d0 0000003f SHLWAPI!PathFindOnPathExW+0x73
0184e78c 7ca33cd0 0171200c 0184e7d0 00000001 SHELL32!LookForExtensions+0x29
0184e7b4 7cac55b7 0171200c 0184e7d0 00000017 SHELL32!PathResolve+0xb4
0184e7dc 7ca49c51 0184e804 0184e84c 01712008 SHELL32!CShellExecute::_Resolve+0x4a
0184e7f8 7ca0d760 0184e84c 00000000 00000009 SHELL32!CShellExecute::_TryExecPidl+0x55
0184e810 7ca0d6c9 00000000 00000009 0184e84c SHELL32!CShellExecute::ExecuteNormal+0x74
0184e824 7ca0d665 0184e84c 00000000 00000009 SHELL32!ShellExecuteNormal+0x30
0184e840 7ca37a49 0184e84c 0000003c 04000b00 SHELL32!ShellExecuteExW+0x8d
0184eca0 7ca37749 001100e2 0184ecd4 0184f834 SHELL32!ShellExecCmdLine+0x143
0184f16c 7ca375ff 0184f1e4 7ca36f01 0184f1a8 SHELL32!CRunDlg::OKPushed+0x179
0184f17c 77d48709 00070132 00000111 00000001 SHELL32!RunDlgProc+0x121
0184f1a8 77d54ca6 7ca36f01 00070132 00000111 USER32!InternalCallWinProc+0x28
0184f214 77d54af2 00094848 7ca36f01 00070132 USER32!UserCallDlgProcCheckWow+0x146
0184f25c 77d6bf51 00000000 00000111 00000001 USER32!DefDlgProcWorker+0xa8
0184f28c 77d4b7ab 0054db28 005338e8 00000001 USER32!SendMessageWorker+0x384
0184f2ac 77d56c26 00070132 00000111 00000001 USER32!SendMessageW+0x7f
0184f2dc 77d6e956 00070132 0054d9d8 001100e2 USER32!IsDialogMessageW+0x41f
0184f318 77d5688a 00070132 001100e2 00000001 USER32!DialogBox2+0x144
0184f340 77d568cc 7c9c0000 7cc23d30 001100e2 USER32!InternalDialogBox+0xd0
0184f360 77d56741 7c9c0000 7cc23d30 001100e2 USER32!DialogBoxIndirectParamAorW+0x37
0184f384 7ca371fc 7c9c0000 000003eb 001100e2 USER32!DialogBoxParamW+0x3f
0184f3cc 7ca37139 7c9c0000 000003eb 001100e2 SHELL32!SHFusionDialogBoxParam+0x3b
0184f400 0101f867 001100e2 00000000 0184f834 SHELL32!RunFileDlg+0xc4
0184fa40 0101f6bf 001100e2 00000000 000d2710 Explorer!_RunFileDlg+0x12f
0184fee0 77f68ea5 000005f0 0010a260 77f68e88 Explorer!CTray::_RunDlgThreadProc+0x29a
0184fef8 7c927545 0010a260 7c97c3a0 0018b5d0 SHLWAPI!ExecuteWorkItem+0x1d
0184ff40 7c927583 77f68e88 0010a260 0009f778 ntdll!RtlpWorkerCallout+0x70
0184ff60 7c927645 00000000 0010a260 0018b5d0 ntdll!RtlpExecuteWorkerRequest+0x1a
0184ff74 7c92761c 7c927569 00000000 0010a260 ntdll!RtlpApcCallout+0x11
0184ffb4 7c80b50b 00000000 00eaec60 00eaec60 ntdll!RtlpWorkerThread+0x87
0184ffec 00000000 7c910760 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
PassThrough!PtPostOperationDirectoryCtrl+ca [c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_SOURCE_CODE:
785: {
786:
787: Counter = Counter + Buffer->NextEntryOffset;
788:

789: *Buffer = *(PFILE_BOTH_DIR_INFORMATION )(PVOID)((PCHAR)Bufff + Counter);
790:
791: FullFileName = (PWCHAR)ExAllocatePoolWithTag(
792: NonPagedPool,
793: Buffer->FileNameLength,
794: ‘FUNA’

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: PassThrough!PtPostOperationDirectoryCtrl+ca

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_PassThrough!PtPostOperationDirectoryCtrl+ca

BUCKET_ID: 0x50_PassThrough!PtPostOperationDirectoryCtrl+ca

Followup: MachineOwner

kd> kd
f8dfe4d4 00000246
f8dfe4d8 805328e7 nt!KiBugCheckDebugBreak+0x19
f8dfe4dc 00000003
f8dfe4e0 fca0c9a4
f8dfe4e4 00000000
f8dfe4e8 00000000
f8dfe4ec ffffffff
f8dfe4f0 f8dfec18
f8dfe4f4 804e2af1 nt!_except_handler3
f8dfe4f8 805058a0 nt!ObWatchHandles+0x8dc
f8dfe4fc ffffffff
f8dfe500 8050589d nt!vDbgPrintExWithPrefix+0x11e
f8dfe504 805058cb nt!DbgPrint+0x1a
f8dfe508 f8dfe4e0
f8dfe50c ffffffff
f8dfe510 f8dfec18
f8dfe514 804e2af1 nt!_except_handler3
f8dfe518 80532978 nt!RamdiskBootDiskGuid+0xcc
f8dfe51c 00000000
f8dfe520 f8dfe900
kd> kv
ChildEBP RetAddr Args to Child
f8dfe4d4 805328e7 00000003 fca0c9a4 00000000 nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
f8dfe520 805333be 00000003 806ee298 c03f2830 nt!KiBugCheckDebugBreak+0x19 (FPO: [Non-Fpo])
f8dfe900 805339ae 00000050 fca0c9a4 00000000 nt!KeBugCheck2+0x574 (FPO: [Non-Fpo])
f8dfe920 805246fb 00000050 fca0c9a4 00000000 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f8dfe96c 804e1ff1 00000000 fca0c9a4 00000000 nt!MmAccessFault+0x6f5 (FPO: [Non-Fpo])
f8dfe96c fb0f76ba 00000000 fca0c9a4 00000000 nt!KiTrap0E+0xcc (FPO: [0,0] TrapFrame @ f8dfe984)
f8dfea38 faa67fa1 ffaa33cc f8dfea5c 00000000 PassThrough!PtPostOperationDirectoryCtrl+0xca (FPO: [Non-Fpo]) (CONV: stdcall) [c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
f8dfeaa0 faa6a3ea 00aa3370 812479fb ffaa3370 fltMgr!FltpPerformPostCallbacks+0x1c5 (FPO: [Non-Fpo])
f8dfeab4 faa6a817 ffaa3370 812478b0 f8dfeaf4 fltMgr!FltpProcessIoCompletion+0x10 (FPO: [Non-Fpo])
f8dfeac4 804e42cc 81283bd8 812478b0 ffaa3370 fltMgr!FltpPassThroughCompletion+0x89 (FPO: [Non-Fpo])
f8dfeaf4 faa47bb1 f8dfec28 faa4bb0b 81245590 nt!IopfCompleteRequest+0xa2 (FPO: [Non-Fpo])
f8dfeafc faa4bb0b 81245590 812478b0 c000000f Fastfat!FatCompleteRequest_Real+0x49 (FPO: [Non-Fpo])
f8dfeb0c faa4ba9f 00000000 812478b0 ffaa3370 Fastfat!FatQueryDirectory+0xce2 (FPO: [Non-Fpo])
f8dfec28 faa4c63d 81245590 812478b0 f8dfec7c Fastfat!FatQueryDirectory+0xc7b (FPO: [Non-Fpo])
f8dfec38 faa4bb75 81245590 812478b0 00000000 Fastfat!FatCommonDirectoryControl+0x3e (FPO: [Non-Fpo])
f8dfec7c 804e3d77 812aca68 812478b0 812478b0 Fastfat!FatFsdDirectoryControl+0x3e (FPO: [Non-Fpo])
f8dfec8c faa6ae67 ffa7cc18 812478b0 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f8dfecb0 faa6b00c f8dfecd0 81283bd8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO: [Non-Fpo])
f8dfece8 804e3d77 81283bd8 812478b0 806ee2d0 fltMgr!FltpDispatch+0x104 (FPO: [Non-Fpo])
f8dfecf8 8056a9ab f8dfed64 0184da20 80574dad nt!IopfCallDriver+0x31 (FPO: [0,0,0])

hey help me…!!!

i know that this was because im accessing invalid memory…!!! but as the documentation says that the memory which i m acessing is resides in NoN-pagable area and a locked fully…!!!

then also i m getting this error…!!!

i thing i should check by probing but where i have done wrong…???

help me to clear my concepts…!!!

You know, no one is obligated to help you,
and especially if you will write such screaming mails.

L.

----- Original Message -----
From:
To: “Windows File Systems Devs Interest List”
Sent: Monday, November 13, 2006 12:01 PM
Subject: RE:[ntfsd] error while “Try to run program from Start->Run” in Post
callback of Directory_Contro

> hey help me…!!!
>
> i know that this was because im accessing invalid memory…!!! but as
> the documentation says that the memory which i m acessing is resides in
> NoN-pagable area and a locked fully…!!!
>
> then also i m getting this error…!!!
>
> i thing i should check by probing but where i have done wrong…???
>
> help me to clear my concepts…!!!
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@volny.cz
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

three and half hours and posting another query without substantially more
information requesting help isnt the way to go

most of those who read would probably be irritated by the insistence

and also consider the fact its around 4 ’ o clock early morning on a busy
monday

most of the knowledgeable people havent yet had a remote chance to read your
query yet

go google debug step thorugh and wait till some one either answers your
query
or it hasnt been answered for about lets say 10 days time before asking for
help

or post new information that would help in pinpointing stuff without having
to break heads perusing through your code crash dump and all

On 11/13/06, xxxxx@yahoo.com wrote:
>
> hey help me…!!!
>
> i know that this was because im accessing invalid memory…!!! but as
> the documentation says that the memory which i m acessing is resides in
> NoN-pagable area and a locked fully…!!!
>
> then also i m getting this error…!!!
>
> i thing i should check by probing but where i have done wrong…???
>
> help me to clear my concepts…!!!
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

sorry if i did somthing wrong…!!!

i read in previous postings that while posting query one should provide as much as information he can give like analysis and stack trace…etc… i think i gave that all…!!!

what else i can do…???

even i m not able to pinpoint the problem, that is why i m here asking u experts…!!!

if i had pinpointed the problem…then definity i must have asked that perticular problem…!!!

i have already requested that i m new to this era…!!!

even then insted of, just asking a a word that "just precise ur question " or any thing,
u r giving such a taunting answer…!!!

i m amazed…!!!

welll i have just asked a question …!!!

no body is bound here to answer anyone…!!!
i believe if i would at ur place my answer must be somthing else…!!! not like this…!!!

thank u all …!!

Try something like this:

PFILE_BOTH_DIR_INFORMATION currentEntry = NULL;
UNICODE_STRING filename = {0, 0, NULL};

currentEntry = (PFILE_BOTH_DIR_INFORMATION)Buffer;

while(currentEntry != NULL)
{
filename.Length = (USHORT)currentEntry->FileNameLength;
filename.Buffer = currentEntry->FileName;

if (currentEntry->NextEntryOffset == 0)
{
//End
currentEntry = NULL;
}
else
{
currentEntry = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)currentEntry

• currentEntry->
  NextEntryOffset);
  }
  }

Also relax a bit on the exclamation marks!

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: 13 November 2006 07:35
To: Windows File Systems Devs Interest List
Subject: [ntfsd] error while “Try to run program from Start->Run” in
Post callback of Directory_Contro

*** WARNING ***

This mail has originated outside your organization, either from an
external partner or the Global Internet.
Keep this in mind if you answer this message.

i m facing here a strange prblem …i m trying to change directroy
content by changing the buffer asociated…in mini-filter… but i
did’t have changed the buffer yet…just fetching some
ualues…like long-filename and short-filename…ect in
PFILE_BOTH_DIR_INFORMATION …

this code work well normally…!!! and explorer open directories
normally…but some strange happen when i use start->run to rum any
command even a wrong command…this code just crashes…and the
error appears…!!!

i m new to this field plz …keep this in consideration while
answering…!!!

thanks in advance…!!!

analysis of bugcheck and stack trave are included… m using vmware as a
test bed…

FLT_POSTOP_CALLBACK_STATUS
PtPostOperationDirectoryCtrl (
IN OUT PFLT_CALLBACK_DATA Data,
IN PCFLT_RELATED_OBJECTS FltObjects,
IN PVOID CompletionContext,
IN FLT_POST_OPERATION_FLAGS Flags
)

{

NTSTATUS Status;
WCHAR ShortFileName[13];
PWCHAR FullFileName = NULL ;
PVOID Bufff;
ULONG Counter;
PFILE_BOTH_DIR_INFORMATION Buffer;

// FltCompareUnicodeString()

Status = FltLockUserBuffer( Data );

if(NT_SUCCESS(Status))
{

Bufff = MmGetSystemAddressForMdlSafe(

Data->Iopb->Parameters.DirectoryControl.QueryDirectory.MdlAddress,
NormalPagePriority
);

if (Bufff != NULL)
{
Buffer = (PFILE_BOTH_DIR_INFORMATION)
ExAllocatePoolWithTag(
NonPagedPool,

sizeof(FILE_BOTH_DIR_INFORMATION),
‘BUFF’
);

if (Buffer == NULL)
{
return
FLT_PREOP_SUCCESS_WITH_CALLBACK;

}

Counter = 0;

RtlZeroMemory(Buffer,
sizeof(FILE_BOTH_DIR_INFORMATION));
do
{

Counter = Counter +
Buffer->NextEntryOffset;

*Buffer = *(PFILE_BOTH_DIR_INFORMATION
)(PVOID)((PCHAR)Bufff + Counter);

FullFileName =
(PWCHAR)ExAllocatePoolWithTag(

NonPagedPool,

Buffer->FileNameLength,

‘FUNA’

);

if (FullFileName == NULL)
{

ExFreePoolWithTag(Buffer,
‘BUFF’);

return
FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

RtlZeroMemory(ShortFileName, 24);

// RtlCopyMemory(ShortFileName,
Buffer->ShortName, 24);

// RtlCopyMemory(
// FullFileName ,
// Buffer->FileName,
//
2*Buffer->FileNameLength);

ExFreePoolWithTag(FullFileName, ‘FUNA’);

}while(Buffer->NextEntryOffset != 0);

}

DbgPrint(“\n directory control callred”);

ExFreePoolWithTag(Buffer, ‘BUFF’);
}

return FLT_PREOP_SUCCESS_WITH_CALLBACK; }

kd> !analyze -v
************************************************************************
*******
*
*
* Bugcheck Analysis
*
*
*
************************************************************************
*******

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except, it must be protected by a Probe. Typically the address is
just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fca0c9a4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: fb0f76ba, If non-zero, the instruction address which referenced
the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

************************************************************************
*
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT
***
***
***
************************************************************************
*
************************************************************************
*
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT
***
***
***
************************************************************************
*
************************************************************************
*
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT
***
***
***
************************************************************************
*
************************************************************************
*
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: mssmbios!_SMBIOS_DATA_OBJECT
***
***
***
************************************************************************
*

READ_ADDRESS: fca0c9a4 Nonpaged pool expansion

FAULTING_IP:
PassThrough!PtPostOperationDirectoryCtrl+ca
[c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

IMAGE_NAME: PassThrough.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e1f8470

MODULE_NAME: PassThrough

FAULTING_MODULE: fb0f7000 PassThrough

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0x50

PROCESS_NAME: Explorer.EXE

TRAP_FRAME: f8dfe984 – (.trap fffffffff8dfe984) ErrCode = 00000000
eax=00000000 ebx=ffaa33cc ecx=00000018 edx=0184df18 esi=fca0c9a4
edi=812aa5e8
eip=fb0f76ba esp=f8dfe9f8 ebp=f8dfea38 iopl=0 nv up ei ng nz ac
po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292
PassThrough!PtPostOperationDirectoryCtrl+0xca:
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
es:0023:812aa5e8=0184df18 ds:0023:fca0c9a4=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 805328e7 to 804e3b25

STACK_TEXT:
f8dfe4d4 805328e7 00000003 fca0c9a4 00000000
nt!RtlpBreakWithStatusInstruction f8dfe520 805333be 00000003 806ee298
c03f2830 nt!KiBugCheckDebugBreak+0x19 f8dfe900 805339ae 00000050
fca0c9a4 00000000 nt!KeBugCheck2+0x574 f8dfe920 805246fb 00000050
fca0c9a4 00000000 nt!KeBugCheckEx+0x1b f8dfe96c 804e1ff1 00000000
fca0c9a4 00000000 nt!MmAccessFault+0x6f5 f8dfe96c fb0f76ba 00000000
fca0c9a4 00000000 nt!KiTrap0E+0xcc
f8dfea38 faa67fa1 ffaa33cc f8dfea5c 00000000
PassThrough!PtPostOperationDirectoryCtrl+0xca
[c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
f8dfeaa0 faa6a3ea 00aa3370 812479fb ffaa3370
fltMgr!FltpPerformPostCallbacks+0x1c5
f8dfeab4 faa6a817 ffaa3370 812478b0 f8dfeaf4
fltMgr!FltpProcessIoCompletion+0x10
f8dfeac4 804e42cc 81283bd8 812478b0 ffaa3370
fltMgr!FltpPassThroughCompletion+0x89
f8dfeaf4 faa47bb1 f8dfec28 faa4bb0b 81245590 nt!IopfCompleteRequest+0xa2
f8dfeafc faa4bb0b 81245590 812478b0 c000000f
Fastfat!FatCompleteRequest_Real+0x49
f8dfeb0c faa4ba9f 00000000 812478b0 ffaa3370
Fastfat!FatQueryDirectory+0xce2
f8dfec28 faa4c63d 81245590 812478b0 f8dfec7c
Fastfat!FatQueryDirectory+0xc7b
f8dfec38 faa4bb75 81245590 812478b0 00000000
Fastfat!FatCommonDirectoryControl+0x3e
f8dfec7c 804e3d77 812aca68 812478b0 812478b0
Fastfat!FatFsdDirectoryControl+0x3e
f8dfec8c faa6ae67 ffa7cc18 812478b0 00000000 nt!IopfCallDriver+0x31
f8dfecb0 faa6b00c f8dfecd0 81283bd8 00000000
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
f8dfece8 804e3d77 81283bd8 812478b0 806ee2d0 fltMgr!FltpDispatch+0x104
f8dfecf8 8056a9ab f8dfed64 0184da20 80574dad nt!IopfCallDriver+0x31
f8dfed0c 80574e0a 81283bd8 812478b0 8118f788
nt!IopSynchronousServiceTail+0x60 f8dfed30 804df06b 00000644 00000000
00000000 nt!NtQueryDirectoryFile+0x5d f8dfed30 7c90eb94 00000644
00000000 00000000 nt!KiFastCallEntry+0xf8
0184d9e8 7c90df6a 7c80eec2 00000644 00000000 ntdll!KiFastSystemCallRet
0184d9ec 7c80eec2 00000644 00000000 00000000
ntdll!ZwQueryDirectoryFile+0xc
0184dcf8 7c80f0f7 0184e56c 00000000 0184e0c0
kernel32!FindFirstFileExW+0x3a0
0184dd18 77f7924f 0184e56c 0184e0c0 0184e56c
kernel32!FindFirstFileW+0x16
0184e088 77fb185b 0184e56c 0184e0c0 00000000
SHLWAPI!FindFirstFileWrapW+0x72
0184e314 77f920af 0000003f 00000000 0171200c
SHLWAPI!PathMakeSystemFolderW+0x1bb
0184e32c 77f81ba8 0184e56c 0000003f 00000000
SHLWAPI!PathFileExistsDefExtAndAttributesW+0x3b
0184e340 77f920e6 0184e56c 0000003f 0171200c
SHLWAPI!PathFileExistsDefExtW+0x2d
0184e778 7ca3fc76 0171200c 0184e7d0 0000003f
SHLWAPI!PathFindOnPathExW+0x73 0184e78c 7ca33cd0 0171200c 0184e7d0
00000001 SHELL32!LookForExtensions+0x29
0184e7b4 7cac55b7 0171200c 0184e7d0 00000017 SHELL32!PathResolve+0xb4
0184e7dc 7ca49c51 0184e804 0184e84c 01712008
SHELL32!CShellExecute::_Resolve+0x4a
0184e7f8 7ca0d760 0184e84c 00000000 00000009
SHELL32!CShellExecute::_TryExecPidl+0x55
0184e810 7ca0d6c9 00000000 00000009 0184e84c
SHELL32!CShellExecute::ExecuteNormal+0x74
0184e824 7ca0d665 0184e84c 00000000 00000009
SHELL32!ShellExecuteNormal+0x30 0184e840 7ca37a49 0184e84c 0000003c
04000b00 SHELL32!ShellExecuteExW+0x8d 0184eca0 7ca37749 001100e2
0184ecd4 0184f834 SHELL32!ShellExecCmdLine+0x143 0184f16c 7ca375ff
0184f1e4 7ca36f01 0184f1a8 SHELL32!CRunDlg::OKPushed+0x179 0184f17c
77d48709 00070132 00000111 00000001 SHELL32!RunDlgProc+0x121
0184f1a8 77d54ca6 7ca36f01 00070132 00000111
USER32!InternalCallWinProc+0x28
0184f214 77d54af2 00094848 7ca36f01 00070132
USER32!UserCallDlgProcCheckWow+0x146
0184f25c 77d6bf51 00000000 00000111 00000001
USER32!DefDlgProcWorker+0xa8 0184f28c 77d4b7ab 0054db28 005338e8
00000001 USER32!SendMessageWorker+0x384 0184f2ac 77d56c26 00070132
00000111 00000001 USER32!SendMessageW+0x7f 0184f2dc 77d6e956 00070132
0054d9d8 001100e2 USER32!IsDialogMessageW+0x41f
0184f318 77d5688a 00070132 001100e2 00000001 USER32!DialogBox2+0x144
0184f340 77d568cc 7c9c0000 7cc23d30 001100e2
USER32!InternalDialogBox+0xd0 0184f360 77d56741 7c9c0000 7cc23d30
001100e2 USER32!DialogBoxIndirectParamAorW+0x37
0184f384 7ca371fc 7c9c0000 000003eb 001100e2 USER32!DialogBoxParamW+0x3f
0184f3cc 7ca37139 7c9c0000 000003eb 001100e2
SHELL32!SHFusionDialogBoxParam+0x3b
0184f400 0101f867 001100e2 00000000 0184f834 SHELL32!RunFileDlg+0xc4
0184fa40 0101f6bf 001100e2 00000000 000d2710 Explorer!_RunFileDlg+0x12f
0184fee0 77f68ea5 000005f0 0010a260 77f68e88
Explorer!CTray::_RunDlgThreadProc+0x29a
0184fef8 7c927545 0010a260 7c97c3a0 0018b5d0
SHLWAPI!ExecuteWorkItem+0x1d 0184ff40 7c927583 77f68e88 0010a260
0009f778 ntdll!RtlpWorkerCallout+0x70 0184ff60 7c927645 00000000
0010a260 0018b5d0 ntdll!RtlpExecuteWorkerRequest+0x1a
0184ff74 7c92761c 7c927569 00000000 0010a260 ntdll!RtlpApcCallout+0x11
0184ffb4 7c80b50b 00000000 00eaec60 00eaec60 ntdll!RtlpWorkerThread+0x87
0184ffec 00000000 7c910760 00000000 00000000
kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
PassThrough!PtPostOperationDirectoryCtrl+ca
[c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @ 789]
fb0f76ba f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

FAULTING_SOURCE_CODE:
785: {
786:
787: Counter = Counter +
Buffer->NextEntryOffset;
788:

789: *Buffer =
*(PFILE_BOTH_DIR_INFORMATION )(PVOID)((PCHAR)Bufff + Counter);
790:
791: FullFileName =
(PWCHAR)ExAllocatePoolWithTag(
792:
NonPagedPool,
793:
Buffer->FileNameLength,
794:
‘FUNA’

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: PassThrough!PtPostOperationDirectoryCtrl+ca

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_PassThrough!PtPostOperationDirectoryCtrl+ca

BUCKET_ID: 0x50_PassThrough!PtPostOperationDirectoryCtrl+ca

Followup: MachineOwner

kd> kd
f8dfe4d4 00000246
f8dfe4d8 805328e7 nt!KiBugCheckDebugBreak+0x19 f8dfe4dc 00000003
f8dfe4e0 fca0c9a4
f8dfe4e4 00000000
f8dfe4e8 00000000
f8dfe4ec ffffffff
f8dfe4f0 f8dfec18
f8dfe4f4 804e2af1 nt!_except_handler3
f8dfe4f8 805058a0 nt!ObWatchHandles+0x8dc f8dfe4fc ffffffff f8dfe500
8050589d nt!vDbgPrintExWithPrefix+0x11e
f8dfe504 805058cb nt!DbgPrint+0x1a
f8dfe508 f8dfe4e0
f8dfe50c ffffffff
f8dfe510 f8dfec18
f8dfe514 804e2af1 nt!_except_handler3
f8dfe518 80532978 nt!RamdiskBootDiskGuid+0xcc f8dfe51c 00000000
f8dfe520 f8dfe900
kd> kv
ChildEBP RetAddr Args to Child
f8dfe4d4 805328e7 00000003 fca0c9a4 00000000
nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0]) f8dfe520 805333be
00000003 806ee298 c03f2830 nt!KiBugCheckDebugBreak+0x19 (FPO: [Non-Fpo])
f8dfe900 805339ae 00000050 fca0c9a4 00000000 nt!KeBugCheck2+0x574 (FPO:
[Non-Fpo]) f8dfe920 805246fb 00000050 fca0c9a4 00000000
nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo]) f8dfe96c 804e1ff1 00000000
fca0c9a4 00000000 nt!MmAccessFault+0x6f5 (FPO: [Non-Fpo]) f8dfe96c
fb0f76ba 00000000 fca0c9a4 00000000 nt!KiTrap0E+0xcc (FPO: [0,0]
TrapFrame @ f8dfe984)
f8dfea38 faa67fa1 ffaa33cc f8dfea5c 00000000
PassThrough!PtPostOperationDirectoryCtrl+0xca (FPO: [Non-Fpo]) (CONV:
stdcall) [c:\winddk\src\filesys\minifilter\passthrough\passthrough.c @
789] f8dfeaa0 faa6a3ea 00aa3370 812479fb ffaa3370
fltMgr!FltpPerformPostCallbacks+0x1c5 (FPO: [Non-Fpo])
f8dfeab4 faa6a817 ffaa3370 812478b0 f8dfeaf4
fltMgr!FltpProcessIoCompletion+0x10 (FPO: [Non-Fpo])
f8dfeac4 804e42cc 81283bd8 812478b0 ffaa3370
fltMgr!FltpPassThroughCompletion+0x89 (FPO: [Non-Fpo])
f8dfeaf4 faa47bb1 f8dfec28 faa4bb0b 81245590 nt!IopfCompleteRequest+0xa2
(FPO: [Non-Fpo]) f8dfeafc faa4bb0b 81245590 812478b0 c000000f
Fastfat!FatCompleteRequest_Real+0x49 (FPO: [Non-Fpo]) f8dfeb0c faa4ba9f
00000000 812478b0 ffaa3370 Fastfat!FatQueryDirectory+0xce2 (FPO:
[Non-Fpo])
f8dfec28 faa4c63d 81245590 812478b0 f8dfec7c
Fastfat!FatQueryDirectory+0xc7b (FPO: [Non-Fpo])
f8dfec38 faa4bb75 81245590 812478b0 00000000
Fastfat!FatCommonDirectoryControl+0x3e (FPO: [Non-Fpo]) f8dfec7c
804e3d77 812aca68 812478b0 812478b0 Fastfat!FatFsdDirectoryControl+0x3e
(FPO: [Non-Fpo]) f8dfec8c faa6ae67 ffa7cc18 812478b0 00000000
nt!IopfCallDriver+0x31 (FPO: [0,0,0]) f8dfecb0 faa6b00c f8dfecd0
81283bd8 00000000
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO:
[Non-Fpo])
f8dfece8 804e3d77 81283bd8 812478b0 806ee2d0 fltMgr!FltpDispatch+0x104
(FPO: [Non-Fpo])
f8dfecf8 8056a9ab f8dfed64 0184da20 80574dad nt!IopfCallDriver+0x31
(FPO: [0,0,0])

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@baesystems.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

thank u …

thank u a lot mr. oliver…!!!

i know that my post was very lengthy… as some experts noticed.
thanks for showing such a greate patience … to read my post…

i m happy now…

There are many people on this list in many different time zones. Only a
few of us keep strings tied to our toes to pull and wake us up when
someone posts to NTFSD (and last night was my night off. :-p)

The address isn’t present. Try “!pte” on the address in ESI. Figure
out where the ESI register came from because that address is the invalid
one. Since it is in non-paged pool you get the appropriate bug check
(0x50) for that type of invalid memory access.

It seems very likely that you’re overrunning the end of the buffer, but
it is difficult to tell based upon the information provided. If this is
reproducible, why not walk through it (step by step) with the debugger?
This takes time, but usually this shows up the issue fairly quickly.

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com