FltReadFile() crashes in precreate

hi,

I am trying to read a file with FltReadFile() from my pre-create callback, but it crashes the system. Any help would be appreciated.

NTStatus = FltGetVolumeFromInstance( Instance, &volume );

if (!NT_SUCCESS( NTStatus )) {

return NTStatus;
}

NTStatus = FltGetVolumeProperties( volume,
&volumeProps,
sizeof( volumeProps ),
&Length );
if (NT_ERROR( NTStatus )) {

return NTStatus;
}

Length = max( 40, volumeProps.SectorSize );

Buffer = FltAllocatePoolAlignedWithTag(
Instance,
NonPagedPool,
Length,
‘ncaS’
);

pwszPath = ExAllocateFromNPagedLookasideList(&g_DriverGlobals.FilepathLookaside);
if (NULL == pwszPath)
{
return NTStatus;
}

RtlZeroMemory(pwszPath, FNS_MAX_FILEPATH_LEN * sizeof(WCHAR));
NTStatus = RtlStringCchCatNW(
pwszPath,
FNS_MAX_FILEPATH_LEN,
FNS_OBJNAME_PREFIX_W,
FNS_OBJNAME_PREFIX_LEN
);
if (STATUS_SUCCESS != NTStatus)
{
return NTStatus;
}
stLenInChars = wcslen(pwszPath);
NTStatus = RtlStringCchCatNW(
pwszPath,
FNS_MAX_FILEPATH_LEN,
pwszFileName,
(FNS_MAX_FILEPATH_LEN - stLenInChars)
);
if (STATUS_SUCCESS != NTStatus)
{
ExFreeToNPagedLookasideList(
&g_DriverGlobals.FilepathLookaside,
pwszPath);
return NTStatus;
}

RtlInitUnicodeString(&usObjectName, pwszPath);

InitializeObjectAttributes(
&oa,
&usObjectName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
NULL
);

NTStatus = FltCreateFile(
g_DriverGlobals.pThisFilter,// Filter.
Instance, // Instance for the filter.
&hFile, // Handle to the file (on return).
FILE_GENERIC_READ, // Desired access.
&oa, // Object attributes.
&IoStatus, // IO status block.
NULL, // Allocation size.
FILE_ATTRIBUTE_NORMAL, // File attributes.
FILE_SHARE_READ |
FILE_SHARE_WRITE |
FILE_SHARE_DELETE, // Shared access.
FILE_OPEN, // Create disposition.
0, // Create options.
NULL, // EA buffer.
0, // EA length.
0 // Flags.
);
if (STATUS_SUCCESS != NTStatus)
{
return NTStatus;
}

NTStatus = FltReadFile(
Instance,
hFile,
&ByteOffset,
Length,
Buffer,
FLTFL_IO_OPERATION_NON_CACHED | FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&BytesRead,
NULL,
NULL);

if ((STATUS_SUCCESS != NTStatus)

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffff8000196c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800028d04e0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
PAGE_FAULT_IN_NONPAGED_AREA (50)

Thanks,
~Sachin

kd> kb
RetAddr : Args to Child : Call Site
fffff800029b86d2 : ffffffff80001840 fffffa8003c2e060 0000000000000065 fffff80002901314 : nt!DbgBreakPointWithStatus
fffff800029b94be : fffff88000000003 fffff88002bdcf20 fffff800028fdee0 0000000000000050 : nt!HeadlessDispatch+0x192
fffff800028c3004 : 0000000000000000 fffffa80034b70c0 0000000000120089 0000000000000000 : nt!KeEnterKernelDebugger+0x76e
fffff80002940b91 : 0000000000000050 ffffffff80001840 0000000000000000 fffff88002bdcf20 : nt!KeBugCheckEx+0x104
fffff800028c0fee : 0000000000000000 0000000000000000 0000000000000000 fffffa80034b7000 : nt!wcsncat_s+0x2d3a9
fffff800028d24e0 : fffff880010d5608 fffffa80044872f0 fffffa8004205090 fffffa80034b7000 : nt!KeSynchronizeExecution+0x28de
fffff880010d5608 : fffffa80044872f0 fffffa8004205090 fffffa80034b7000 0000000000000000 : nt!IoGetRelatedDeviceObject
fffff880010d8353 : fffffa800400f5d0 fffff88002bdd1f0 0000000000000200 fffff88000000080 : fltmgr!FltpvValidateReadWriteParameters+0xa8
fffff88004725f2b : 0000000000000016 0000000000000016 fffff88002bdd218 fffff800028ffec0 : fltmgr!FltvReadFile+0x43
fffff8800472512f : fffffa80034b70c0 fffffa8002400060 fffffa8002400060 fffffa8000000000 : myflt!ReadFileContents+0x51b [d:\workdir\cat\projects\rnsmware\fnsys\callback.c @ 2161]
fffff880010d6c3e : fffffa8003b540c0 fffff88002bdd558 fffff88002bdd530 fffff88002bdd530 : myflt!FnsysPreCreate+0x5cf [d:\workdir\cat\projects\rnsmware\fnsys\callback.c @ 573]
fffff88001098027 : fffffa8003b541e0 fffffa8002b898d0 fffffa8003262600 fffffa8003b541e0 : fltmgr!FltvPreOperation+0xbe
fffff8800109a8ca : fffffa8004196e00 fffffa8004196e00 fffffa8002a61500 fffffa8002a59000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880010b82a3 : fffff980047b4c60 fffff980047b4c60 fffff980047b4c60 fffffa8004196e80 : fltmgr!FltpPassThroughInternal+0x4a
fffff80002d68c16 : fffff980047b4c60 0000000000000002 0000000000000040 0000000000000000 : fltmgr!FltpCreate+0x293
fffff80002bc3477 : 0000000000000005 fffff80002bc2ed0 fffffa80032a6b10 fffffa8003c4b010 : nt!NtShutdownSystem+0x247e6
fffff80002bb9764 : fffffa80029dfcd0 0000000000000000 fffffa800406d610 fffff800028efe01 : nt!SeUnlockSubjectContext+0x647
fffff80002bbe876 : fffffa800406d610 fffff88002bdda30 0000000000000040 fffffa8000cf1080 : nt!SeQueryInformationToken+0x20b4
fffff80002bc5587 : 00000000000ae750 0000000000000001 0000000000000001 0000000000000000 : nt!ObOpenObjectByName+0x306
fffff80002bcf198 : 00000000000addb8 00000000c0100080 fffff8a001f0a110 00000000000addd0 : nt!SeUnlockSubjectContext+0x2757
fffff800028c2153 : 00000000752a2450 00000000000ae750 00000000000afd20 000000007532420c : nt!NtCreateFile+0x78
000000007767040a : 000000007532bfe3 000000000030f660 000000000030f678 00000000000ae670 : nt!KeSynchronizeExecution+0x3a43
000000007532bfe3 : 000000000030f660 000000000030f678 00000000000ae670 0000000000000000 : ntdll!NtCreateFile+0xa
000000007531cf87 : 000000000030f660 0000000000000000 0000000000000000 0000000000000060 : wow64!whNtCreateFile+0x10f
00000000752a276d : 000000007658cdc9 0000000075310023 0000000000000000 000000000031e9b0 : wow64!Wow64SystemServiceEx+0xd7
000000007531d07e : 0000000000000000 00000000752a1920 00000000000ae970 0000000077653ae1 : wow64cpu!ServiceNoTurbo+0x24
000000007531c549 : 0000000000000000 0000000000000000 0000000075314ac8 000000007ffe0030 : wow64!RunCpuSimulation+0xa
00000000776684c8 : 0000000000172de0 0000000000000000 0000000077753670 00000000777257a0 : wow64!Wow64LdrpInitialize+0x429
0000000077667623 : 0000000000000000 0000000077669181 0000000077620000 0000000000000000 : ntdll!LdrpInitializeProcess+0x17e2
000000007765308e : 00000000000af300 0000000000000000 000000007efdf000 0000000000000000 : ntdll! ?? ::FNODOBFM::string'+0x2bea0
0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

Sorry, got it — I was missing ObReferenceObjectByHandle: FltReadFile takes the FILE_OBJECT, not the handle that FltCreateFile returned.

That is really not the only thing wrong with the code you pasted.
Make sure you read the documentation of the functions you call and check the
returned values (for one, the buffer from FltAllocatePoolAlignedWithTag is never checked for NULL before it is handed to FltReadFile).

Good luck,
Gabriel
On Sep 30, 2015 17:04, wrote:

> Sorry, got it — I was missing ObReferenceObjectByHandle: FltReadFile takes the FILE_OBJECT, not the handle that FltCreateFile returned.
>