exception on FsRtlNotifyFullChangeDirectory

Hi All,

I am receiving an exception on FsRtlNotifyFullChangeDirectory. I don’t understand why the exception is coming.

What could be the possible reasons?

My best guess is that you are passing in an invalid parameter and thus the most likely reason is a bug in your driver.

Perhaps if you could provide more detail - like “!analyze -v” output from the debugger, we could provide you with more detailed suggestions.

Tony
OSR

Here is the output of !analyze -v when it hit the hard breakpoint in ExceptionFilter.

MODULE_NAME: mydriver

FAULTING_MODULE: 82805000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 503dd8ef

FAULTING_IP:
mydriver!mydriverExceptionFilter+1f [c:\users\user\documents\mydriver\except.c @ 21]
8f9cd2af cc int 3

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 8f9cd2af (mydriver!mydriverExceptionFilter+0x0000001f)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000000
Parameter[1]: 911dc6d0
Parameter[2]: 9a474a1c

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 911dc6d0

EXCEPTION_PARAMETER3: 9a474a1c

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x0

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8f9d3ee1 to 8f9cd2af

STACK_TEXT:
9a4744cc 8f9d3ee1 9b448fd8 9a474500 8f9d9d08 mydriver!mydriverExceptionFilter+0x1f [c:\users\user\documents\mydriver\except.c @ 21]
9a4744d8 8f9d9d08 00000001 9a474c3c 8f9e45d8 mydriver!IRPDispatcher+0x151 [c:\users\user\documents\mydriver\irp.c @ 1280]
9a4744ec 8f9d9b1e 00000000 00000000 00000000 mydriver!_EH4_CallFilterFunc+0x12 [d:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm @ 421]
9a474514 8285ad92 00000000 9a474c2c 9a474600 mydriver!_except_handler4+0x8e [d:\5359\minkernel\crts\crtw32\misc\i386\chandler4.c @ 356]
WARNING: Stack unwind information not available. Following frames may be wrong.
9a474538 8285ad64 9a474a1c 9a474c2c 9a474600 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0x1c6
9a4745f0 828ad431 9a474a1c 9a474600 0001003f nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0x198
9a474a00 8283b446 9a474a1c 00000000 9a474a70 nt!KeInitializeDpc+0xba1
9a474a7c 8291d8a2 00000000 00000000 9114050e nt!Kei386EoiHelper+0x1de
9a474b10 82aadd2d 91185218 9114050e 9b43cfd8 nt!ExAllocatePoolWithTag+0x89d
9a474b44 8f9cc200 91185218 9114050e 9b43cfd8 nt!FsRtlNotifyFullChangeDirectory+0x2a
9a474bc8 8f9cd24c 9b448fd8 00000002 c0000010 mydriver!mydriverNotifyChangeDirectory+0x240 [c:\users\user\documents\mydriver\dirctl.c @ 343]
9a474bdc 8f9d3a56 9b448fd8 0000000c 91140030 mydriver!mydriverDirectoryControl+0x3c [c:\users\user\documents\mydriver\dirctl.c @ 955]
9a474bf8 8f9d3ec8 9b448fd8 15d91b84 913cf620 mydriver!mydriverDispatchRequest+0xe6 [c:\users\user\documents\mydriver\irp.c @ 1123]
9a474c3c 82b2a6c3 91140030 9b526e00 913c3b10 mydriver!IRPDispatcher+0x138 [c:\users\user\documents\mydriver\irp.c @ 1277]
9a474c60 82833fc9 00000000 9b526e00 91140030 nt!PoSetHiberRange+0x902f
9a474c74 82a09a5d 913c3b10 9b526e00 9b526fd8 nt!IofCallDriver+0x1b
9a474c94 82a4d63d 91140030 913c3b10 00000000 nt!NtQueryInformationThread+0x5cd8
9a474d08 8283a85a 91140030 00000c00 00000000 nt!NtNotifyChangeDirectoryFile+0x274
9a474d34 771e70a6 badb0d00 029ff720 00000000 nt!ZwYieldExecution+0xb62
9a474d38 badb0d00 029ff720 00000000 00000000 ntdll!KiIntSystemCall+0x6
9a474d3c 029ff720 00000000 00000000 00000000 0xbadb0d00
9a474d40 00000000 00000000 00000000 00000000 0x29ff720

STACK_COMMAND: kb

FOLLOWUP_IP:
mydriver!mydriverExceptionFilter+1f [c:\users\user\documents\mydriver\except.c @ 21]
8f9cd2af cc int 3

FAULTING_SOURCE_CODE:
17: NTSTATUS nStatus = EXCEPTION_EXECUTE_HANDLER;
18: PEXCEPTION_RECORD pExceptRecord = pExceptionPointer->ExceptionRecord;
19: NTSTATUS nExceptionCode = pExceptRecord->ExceptionCode;
20:
21: DbgBreakPoint();
22:

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: mydriver!mydriverExceptionFilter+1f

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: mydriver.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

One more thing: I get the exception only when I'm using verifier.exe to check my driver.
Otherwise I don't get any exception.

I don’t think your symbols are right - the stack shows call paths that don’t make much sense, which usually indicates there’s some sort of symbol mismatch.

For example, I've never seen a copy of ExAllocatePoolWithTag that called KeInitializeDpc. I've also never seen a copy of IofCallDriver that invoked PoSetHiberRange.

With that said, the exception indicates a breakpoint (STATUS_BREAKPOINT, 0x80000003). What I'd want to do in your situation is locate the context record and then feed that into .cxr (".cxr ").

This is on an x86 box, so worst case, you can find the context record on the stack and then feed that value into the .cxr command. That will show you the state of the machine at the time the exception was raised. That's generally more useful than looking at the stack unwind logic that is on the stack subsequent to the original exception being trapped.

Since this only happens with Verifier, odds are it's a bug in your driver that it is detecting. If you can get a meaningful stack trace from the dump I suspect you will be able to figure out the breakpoint.

Tony
OSR

A few questions which MSDN doesn't answer:

VOID FsRtlNotifyFullChangeDirectory(
  _In_ PNOTIFY_SYNC NotifySync,
  _In_ PLIST_ENTRY NotifyList,
  _In_ PVOID FsContext,
  _In_ PSTRING FullDirectoryName,
  _In_ BOOLEAN WatchTree,
  _In_ BOOLEAN IgnoreBuffer,
  _In_ ULONG CompletionFilter,
  _In_opt_ PIRP NotifyIrp,
  _In_opt_ PCHECK_FOR_TRAVERSE_ACCESS TraverseCallback,
  _In_opt_ PSECURITY_SUBJECT_CONTEXT SubjectContext
);

Is FullDirectoryName NULL terminated?
What if I don’t provide FsContext? Or if I provide FsContext2 instead?

I don’t have the TraverseCallback, which is usually the case in examples available.
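Taking the questions above in turn (counted string, FsContext, WatchTree), here is an added user-mode model of how a file system assembles the arguments for FsRtlNotifyFullChangeDirectory; it is neither the poster's driver nor Microsoft code. The struct definitions mirror the DDK layouts so it compiles outside the kernel, and the FCB, build_notify_args and check_notify_args are assumptions made for the illustration; the point it shows is that FullDirectoryName is a counted string (Length in bytes, no NUL terminator needed) and that FsContext is the per-file context the kernel later matches in FsRtlNotifyCleanup.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Local mirrors of the DDK layouts so the model compiles in user mode. */
typedef uint16_t WCHAR;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define SL_WATCH_TREE 0x01  /* IrpSp->Flags bit that requests a recursive watch */

/* Hypothetical FCB: the directory's full path lives here as a counted string.
 * Fastfat-style file systems pass (PSTRING)&Fcb->FullFileName; STRING and
 * UNICODE_STRING share the same header layout. */
typedef struct { UNICODE_STRING FullFileName; WCHAR Storage[64]; } FCB;

typedef struct {
    void *NotifySync; LIST_ENTRY *NotifyList; void *FsContext;
    UNICODE_STRING *FullDirectoryName; int WatchTree; uint32_t CompletionFilter;
} NotifyArgs;

/* Fill the FCB path from an ASCII string, widening each char to WCHAR.
 * Length is in BYTES and no terminator is stored: the kernel uses Length, not NUL. */
void fcb_set_path(FCB *fcb, const char *path) {
    size_t n = strlen(path);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) fcb->Storage[i] = (WCHAR)path[i];
    fcb->FullFileName.Buffer = fcb->Storage;
    fcb->FullFileName.Length = (uint16_t)(n * sizeof(WCHAR));
    fcb->FullFileName.MaximumLength = (uint16_t)sizeof fcb->Storage;
}

/* Derive the call's arguments from the IRP stack location the way a file
 * system's IRP_MN_NOTIFY_CHANGE_DIRECTORY handler would (assumed shape). */
NotifyArgs build_notify_args(void *sync, LIST_ENTRY *list, FCB *fcb,
                             uint8_t irpsp_flags, uint32_t completion_filter) {
    NotifyArgs a = { sync, list, fcb, &fcb->FullFileName,
                     (irpsp_flags & SL_WATCH_TREE) != 0, completion_filter };
    return a;
}

/* Pre-call sanity check; returns 0 when sane, else a code for the first problem found. */
int check_notify_args(const NotifyArgs *a) {
    if (a->NotifySync == NULL) return 1;   /* FsRtlNotifyInitializeSync was never called */
    if (a->NotifyList == NULL || a->NotifyList->Flink == NULL) return 2;  /* no InitializeListHead */
    if (a->FsContext == NULL) return 3;    /* must be the same pointer later given to FsRtlNotifyCleanup */
    if (a->FullDirectoryName == NULL || a->FullDirectoryName->Buffer == NULL) return 4;
    if (a->FullDirectoryName->Length > a->FullDirectoryName->MaximumLength) return 5;
    return 0;
}
```

Running such a check before the call, under Driver Verifier, turns a breakpoint deep inside nt into a return code that names the bad argument.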