Does anyone see a problem with the mini-filter code below? (Other
than the obvious "check for error return", and that the file name might be
tunneled in post-create.)
On one VM, sent by a customer, this code bluescreens with Kaspersky
IS if the mini-filter loads at boot: bugcheck 0x7F, DOUBLE_FAULT (very
likely a stack overflow), after the GetFileID call.
Oddly, if I remove the FltGetFileNameInformation call, the issue
does not occur. Note that the BSOD occurs while GetFileID is being
processed, in NTFS. WinDBG output is attached at the end.
I should also note that KIS is not the latest version (I could not
repro this on any of our VMs).
The number of issues I've seen lately with an API as simple as
FltGetFileNameInformation makes me wonder whether writing a
mini-filter was a good idea at all.
#include <winerror.h>
#include <fltkernel.h>
#include “scanner.h”
/* Filter handle filled in by FltRegisterFilter in DriverEntry; it is the
 * handle passed to FltStartFiltering there and to FltUnregisterFilter in
 * ScannerUnload. */
PFLT_FILTER gFilter;
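/* Operation callbacks handed to filter manager through FilterRegistration.
 * Only IRP_MJ_CREATE is filtered, with both a pre- and a post-operation
 * routine; the list is terminated by IRP_MJ_OPERATION_END.
 *
 * Declared as an array: the listing as pasted declared a single
 * FLT_OPERATION_REGISTRATION while initialising two entries, which cannot
 * express the terminated list the registration field expects. */
const FLT_OPERATION_REGISTRATION Callbacks[] = {
    { IRP_MJ_CREATE, 0, ScannerPreCreate, ScannerPostCreate },
    { IRP_MJ_OPERATION_END }
};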
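/* Context registration: this filter allocates no contexts, so the list
 * holds only the FLT_CONTEXT_END terminator.
 *
 * Declared as an array: the listing as pasted declared a single
 * FLT_CONTEXT_REGISTRATION, which is not what the registration field
 * points at. */
const FLT_CONTEXT_REGISTRATION ContextRegistration[] = {
    { FLT_CONTEXT_END }
};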
/* Registration record passed to FltRegisterFilter in DriverEntry.
 * Positional initializer: the slot order is fixed by FLT_REGISTRATION in
 * fltkernel.h, so any new field must be added in header order. No
 * instance-teardown or name-provider callbacks are supplied.
 * NOTE(review): the three trailing labels are the author's; in fltkernel.h
 * the slots after InstanceTeardownComplete are the GenerateFileName,
 * NormalizeNameComponent and NormalizeContextCleanup callbacks — confirm
 * against the header (all three are NULL here, so nothing changes). */
const FLT_REGISTRATION FilterRegistration = {
    sizeof( FLT_REGISTRATION ),   // Size
    FLT_REGISTRATION_VERSION,     // Version
    0,                            // Flags
    ContextRegistration,          // Context Registration.
    Callbacks,                    // Operation callbacks
    ScannerUnload,                // FilterUnload
    ScannerInstanceSetup,         // InstanceSetup
    ScannerQueryTeardown,         // InstanceQueryTeardown
    NULL,                         // InstanceTeardownStart
    NULL,                         // InstanceTeardownComplete
    NULL,                         // GenerateFileName
    NULL,                         // GenerateDestinationFileName (see note above)
    NULL                          // NormalizeNameComponent
};
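/*
 * DriverEntry - driver entry point.
 *
 * Registers the filter described by FilterRegistration and starts
 * filtering. RegistryPath is not used.
 *
 * Returns the status of the first call that fails, otherwise
 * STATUS_SUCCESS. The original listing ignored both return values and
 * called FltStartFiltering on gFilter even when registration had failed
 * (leaving gFilter unset); a failed FltStartFiltering now rolls the
 * registration back so a failed load does not leave a half-registered
 * filter behind.
 */
NTSTATUS
DriverEntry (
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;

    status = FltRegisterFilter( DriverObject,
                                &FilterRegistration,
                                &gFilter );
    if (!NT_SUCCESS( status )) {
        /* Nothing was registered; make sure no stale handle is kept. */
        gFilter = NULL;
        return status;
    }

    status = FltStartFiltering( gFilter );
    if (!NT_SUCCESS( status )) {
        /* Undo the registration, otherwise the handle leaks and the
         * I/O manager unloads a driver that still holds it. */
        FltUnregisterFilter( gFilter );
        gFilter = NULL;
    }

    return status;
}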
/*
 * ScannerUnload - filter unload callback.
 *
 * Unregisters the filter handle obtained in DriverEntry. Flags is not
 * examined, so an unload request is never refused.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
ScannerUnload (
    FLT_FILTER_UNLOAD_FLAGS Flags
    )
{
    PFLT_FILTER filter = gFilter;

    FltUnregisterFilter( filter );
    return STATUS_SUCCESS;
}
/*
 * ScannerInstanceSetup - instance setup callback.
 *
 * Accepts every attach request: none of FltObjects, Flags,
 * VolumeDeviceType or VolumeFilesystemType is inspected, so the filter
 * attaches to every volume it is offered, whatever its type.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS ScannerInstanceSetup(IN PCFLT_RELATED_OBJECTS FltObjects,
                              IN FLT_INSTANCE_SETUP_FLAGS Flags,
                              IN DEVICE_TYPE VolumeDeviceType,
                              IN FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    return STATUS_SUCCESS;
}
/*
 * ScannerQueryTeardown - instance query-teardown callback.
 *
 * Always grants the detach: FltObjects and Flags are ignored, so an
 * instance can be torn down at any time, including while a
 * post-operation callback for it is still pending.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS ScannerQueryTeardown(IN PCFLT_RELATED_OBJECTS FltObjects,
                              IN FLT_INSTANCE_QUERY_TEARDOWN_FLAGS Flags)
{
    return STATUS_SUCCESS;
}
/*
 * ScannerPreCreate - pre-operation callback for IRP_MJ_CREATE.
 *
 * Queries the normalized name for the create (cache lookup allowed),
 * releases it straight away without using it, and always requests the
 * post-operation callback. FltObjects and CompletionContext are not
 * touched.
 *
 * NOTE(review): the attached trace shows nested IRP_MJ_CREATE processing
 * through other filters (klif, fslx) above this instance before the
 * double fault; whether the name query issued here adds to that depth
 * cannot be told from this listing — confirm with the full trace.
 *
 * Returns FLT_PREOP_SUCCESS_WITH_CALLBACK unconditionally.
 */
FLT_PREOP_CALLBACK_STATUS
ScannerPreCreate (
    IN OUT PFLT_CALLBACK_DATA Data,
    IN PCFLT_RELATED_OBJECTS FltObjects,
    OUT PVOID *CompletionContext
    )
{
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status = FltGetFileNameInformation(
                          Data,
                          FLT_FILE_NAME_NORMALIZED |
                          FLT_FILE_NAME_QUERY_ALWAYS_ALLOW_CACHE_LOOKUP,
                          &nameInfo );

    /* Only a successful query hands out a reference that must be given back. */
    if (NT_SUCCESS( status )) {
        FltReleaseFileNameInformation( nameInfo );
    }

    return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}
/*
 * GetFileID - return the file's index number with the top 16 bits cleared.
 *
 * Queries FileInternalInformation for FltObjects->FileObject through
 * FltObjects->Instance. Data is accepted for symmetry with the callbacks
 * but is not used.
 *
 * Returns the masked IndexNumber, or 0 when the query fails. A genuine
 * zero index is therefore indistinguishable from a failure to the caller.
 * NOTE(review): the mask drops the high 16 bits of the 64-bit value —
 * presumably a sequence-number field on NTFS; confirm against the file
 * system before relying on the low 48 bits as a stable identifier.
 */
__int64 GetFileID(PFLT_CALLBACK_DATA Data,
                  PCFLT_RELATED_OBJECTS FltObjects)
{
    /* Keep only the low 48 bits of the index number. */
    const __int64 indexMask = 0x0000FFFFFFFFFFFF;
    FILE_INTERNAL_INFORMATION info = { 0 };
    NTSTATUS status = FltQueryInformationFile( FltObjects->Instance,
                                               FltObjects->FileObject,
                                               &info,
                                               sizeof( info ),
                                               FileInternalInformation,
                                               NULL );

    return NT_SUCCESS( status ) ? (info.IndexNumber.QuadPart & indexMask) : 0;
}
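/*
 * ScannerPostCreate - post-operation callback for IRP_MJ_CREATE.
 *
 * Skips failed and reparsed creates, otherwise looks up the file's index
 * number via GetFileID. The identifier is not consumed in this listing.
 * CompletionContext is unused.
 *
 * Added over the original: when the instance is draining (being torn
 * down, FLTFL_POST_OPERATION_DRAINING set in Flags) the callback must only
 * clean up and must not query the file object, so it now returns before
 * touching Data or FltObjects. Without this the query in GetFileID could
 * run against an instance that ScannerQueryTeardown has already let go.
 *
 * NOTE(review): the attached stack shows scanner+0x57d calling nt!DbgPrint
 * under fltMgr!FltpPerformPostCallbacks, and the double fault fires there;
 * this listing contains no DbgPrint, so the crashing binary is not exactly
 * this code — compare against the build that was shipped.
 *
 * Returns FLT_POSTOP_FINISHED_PROCESSING in every case.
 */
FLT_POSTOP_CALLBACK_STATUS
ScannerPostCreate (
    IN OUT PFLT_CALLBACK_DATA Data,
    IN PCFLT_RELATED_OBJECTS FltObjects,
    IN PVOID CompletionContext,
    IN FLT_POST_OPERATION_FLAGS Flags
    )
{
    /* Instance going away: no per-file work, and no file-object queries. */
    if (Flags & FLTFL_POST_OPERATION_DRAINING) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    /* Nothing to identify if the create failed or was redirected. */
    if (!NT_SUCCESS( Data->IoStatus.Status ) ||
        (STATUS_REPARSE == Data->IoStatus.Status)) {
        return FLT_POSTOP_FINISHED_PROCESSING;
    }

    /* Result deliberately discarded in this cut-down listing. */
    (void) GetFileID( Data, FltObjects );

    return FLT_POSTOP_FINISHED_PROCESSING;
}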
BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 28)
eax=00000390 ebx=f7e6c2ac ecx=f7e6c298 edx=00000001 esi=f7e6c3c8
edi=0000000f
eip=8053831a esp=f7e6bedc ebp=f7e6c27c iopl=0 nv up di ng nz na
pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010082
nt!_SEH_prolog+0x1a:
8053831a 53 push ebx
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 8053e471 to 8053831a
STACK_TEXT:
f7e6c27c 8053e471 f7e6c298 00000000 f7e6c2ec nt!_SEH_prolog+0x1a
f7e6c2e4 8053eb81 f7e6c374 8052e883 badb0d00
nt!CommonDispatchException+0x4d
f7e6c2e4 8052e884 f7e6c374 8052e883 badb0d00 nt!KiTrap03+0xad
f7e6c374 8052e8ce 00000001 f7e6c3c8 0000000f nt!DebugService+0x1c
f7e6c390 805280d3 f7e6c3b0 ffffffff 00000000 nt!DebugPrint+0x1c
f7e6c5e4 80528268 80528248 ffffffff 00000000
nt!vDbgPrintExWithPrefix+0x101
f7e6c600 f9d9b57d f9d9b5da 0000354d 00000000 nt!DbgPrint+0x1a
WARNING: Stack unwind information not available. Following frames may be
wrong.
f7e6c614 bae2bef3 812a649c f7e6c638 00000000 scanner+0x57d
f7e6c67c bae2e338 002a6440 00000000 812a6440
fltMgr!FltpPerformPostCallbacks+0x1c5
f7e6c690 bae2e867 812a6440 81de8de0 f7e6c6d0
fltMgr!FltpProcessIoCompletion+0x10
f7e6c6a0 bae2eef9 8175a5c0 81de8de0 812a6440
fltMgr!FltpPassThroughCompletion+0x89
f7e6c6d0 bae3b448 f7e6c6f0 00000000 00000000
fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
f7e6c70c 804eefe3 8175a5c0 81de8de0 806d12e8 fltMgr!FltpCreate+0x26a
f7e6c71c 8064c8a8 81de8fb8 81de8fdc 81de8de0 nt!IopfCallDriver+0x31
f7e6c740 f81bd9a7 816af4a8 815eef38 00000000 nt!IovCallDriver+0xa0
f7e6c75c 804eefe3 816af4a8 81de8f94 806d12e8 fslx+0x49a7
f7e6c76c 8064c8a8 81de8fd4 81de8ff8 00000000 nt!IopfCallDriver+0x31
f7e6c790 f7b56908 812bc720 8139c548 8129dd00 nt!IovCallDriver+0xa0
f7e6c834 f7b58fc3 002bc720 81de8de0 804eefe3 klif+0x12908
f7e6c874 80578672 816af490 8159bb44 f7e6ca1c klif+0x14fc3
f7e6c954 805b490a 816af4a8 00000000 8159baa0 nt!IopParseDevice+0xa12
f7e6c9dc 805b0deb 00000000 f7e6ca1c 00000240
nt!ObpLookupObjectName+0x56a
f7e6ca30 8056b3b1 00000000 00000000 ffffff00 nt!ObOpenObjectByName+0xeb
f7e6caac 8056bd28 8137743c 00100000 f7e6cc2c nt!IopCreateFile+0x407
f7e6cb08 8056e3fa 8137743c 00100000 f7e6cc2c nt!IoCreateFile+0x8e
f7e6cb48 8053da28 8137743c 00100000 f7e6cc2c nt!NtCreateFile+0x30
f7e6cb48 804fe735 8137743c 00100000 f7e6cc2c nt!KiFastCallEntry+0xf8
f7e6cbec f81d6ee7 8137743c 00100000 f7e6cc2c nt!ZwCreateFile+0x11
f7e6cc50 f81c3ed3 8129d008 8137743c 00100000 fslx+0x1dee7
f7e6cc8c f81bdd59 8175a5c0 8129c038 00000043 fslx+0xaed3
f7e6ccd0 f81bd77e 8175a5c0 81828de0 0000067c fslx+0x4d59
f7e6cd00 f81bd9b0 8155a3d0 81828de0 8155a3d0 fslx+0x477e
f7e6cd24 804eefe3 8155a3d0 81828f94 806d12e8 fslx+0x49b0
f7e6cd34 8064c8a8 81828fd4 81828ff8 00000000 nt!IopfCallDriver+0x31
f7e6cd58 f7b56908 812bca68 8139c548 8129c000 nt!IovCallDriver+0xa0
f7e6cdfc f7b58fc3 002bca68 81828de0 804eefe3 klif+0x12908
f7e6ce3c 80578672 817aeb48 81299724 f7e6cfe4 klif+0x14fc3
f7e6cf1c 805b490a 817aeb60 00000000 81299680 nt!IopParseDevice+0xa12
f7e6cfa4 805b0deb 00000000 f7e6cfe4 00000040
nt!ObpLookupObjectName+0x56a
f7e6cff8 8056b3b1 00000000 00000000 e6d09400 nt!ObOpenObjectByName+0xeb
f7e6d074 8056bd28 f7e6d228 00000000 f7e6d20c nt!IopCreateFile+0x407
f7e6d0d0 8056e3fa f7e6d228 00000000 f7e6d20c nt!IoCreateFile+0x8e
f7e6d110 8053da28 f7e6d228 00000000 f7e6d20c nt!NtCreateFile+0x30
f7e6d110 804fe735 f7e6d228 00000000 f7e6d20c nt!KiFastCallEntry+0xf8
f7e6d1b4 f7b4bd0f f7e6d228 00000000 f7e6d20c nt!ZwCreateFile+0x11
f7e6d220 f7b55443 00000000 00000000 81becde0 klif+0x7d0f
00000000 00000000 00000000 00000000 00000000 klif+0x11443
FOLLOWUP_IP:
scanner+57d
f9d9b57d 83c40c add esp,0xc
SYMBOL_STACK_INDEX: 7
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: scanner+57d
MODULE_NAME: scanner
IMAGE_NAME: scanner.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 46c55585
STACK_COMMAND: .tss 28 ; kb
FAILURE_BUCKET_ID: 0x7f_8_scanner+57d
BUCKET_ID: 0x7f_8_scanner+57d
Followup: MachineOwner
---------
--
Kind regards, Dejan
http://www.alfasp.com
File system audit, security and encryption kits.