FW: MiniSpy issue

So far no response for this. Maybe more information is required. Here is
some of the information from Windbg on my filter. I am not understanding why
my user mode app is receiving the IRP on the callbacks on one machine but
others and my debug machine seem to only get _FAST_IO_DISPATCH.

0: kd> dt fffffa8002b3fc60 nt!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n336
+0x008 DeviceObject : (null)
+0x010 Flags : 0x12
+0x018 DriverStart : 0xfffff880`03dc9000 Void
+0x020 DriverSize : 0xc000
+0x028 DriverSection : 0xfffffa80`02d43700 Void
+0x030 DriverExtension : 0xfffffa80`02b3fdb0 _DRIVER_EXTENSION
+0x038 DriverName : _UNICODE_STRING "\FileSystem\Minispy"
+0x048 HardwareDatabase : 0xfffff800`02d4c558 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x050 FastIoDispatch : (null)
+0x058 DriverInit : 0xfffff880`03dd1484 long +fffff88003dd1484
+0x060 DriverStartIo : (null)
+0x068 DriverUnload : 0xfffff880`00e31fb0 void fltmgr!FltpMiniFilterDriverUnload+0
+0x070 MajorFunction : [28] 0xfffff800`02865b30 long nt!IopInvalidDeviceRequest+0

0: kd> dps fffffa8002b3fc60+0x070 L0n28
fffffa8002b3fcd0 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fcd8 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fce0 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fce8 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fcf0 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fcf8 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd00 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd08 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd10 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd18 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd20 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd28 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd30 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd38 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd40 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd48 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd50 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd58 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd60 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd68 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd70 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd78 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd80 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd88 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd90 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fd98 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fda0 fffff80002865b30 nt!IopInvalidDeviceRequest
fffffa8002b3fda8 fffff80002865b30 nt!IopInvalidDeviceRequest

0: kd> dt fffffa8002b3fc60 _FAST_IO_DISPATCH
nt!_FAST_IO_DISPATCH
+0x000 SizeOfFastIoDispatch : 0x1500004
+0x008 FastIoCheckIfPossible : (null)
+0x010 FastIoRead : 0x00000000`00000012 unsigned char +12
+0x018 FastIoWrite : 0xfffff880`03dc9000 unsigned char +fffff88003dc9000
+0x020 FastIoQueryBasicInfo : 0x00000000`0000c000 unsigned char +c000
+0x028 FastIoQueryStandardInfo : 0xfffffa80`02d43700 unsigned char +fffffa8002d43700
+0x030 FastIoLock : 0xfffffa80`02b3fdb0 unsigned char +fffffa8002b3fdb0
+0x038 FastIoUnlockSingle : 0x00000000`00260026 unsigned char +260026
+0x040 FastIoUnlockAll : 0xfffffa80`02e69170 unsigned char +fffffa8002e69170
+0x048 FastIoUnlockAllByKey : 0xfffff800`02d4c558 unsigned char nt!CmRegistryMachineHardwareDescriptionSystemName+0
+0x050 FastIoDeviceControl : (null)
+0x058 AcquireFileForNtCreateSection : 0xfffff880`03dd1484 void +fffff88003dd1484
+0x060 ReleaseFileForNtCreateSection : (null)
+0x068 FastIoDetachDevice : 0xfffff880`00e31fb0 void fltmgr!FltpMiniFilterDriverUnload+0
+0x070 FastIoQueryNetworkOpenInfo : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x078 AcquireForModWrite : 0xfffff800`02865b30 long nt!IopInvalidDeviceRequest+0
+0x080 MdlRead : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x088 MdlReadComplete : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x090 PrepareMdlWrite : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x098 MdlWriteComplete : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0a0 FastIoReadCompressed : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0a8 FastIoWriteCompressed : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0b0 MdlReadCompleteCompressed : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0b8 MdlWriteCompleteCompressed : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0c0 FastIoQueryOpen : 0xfffff800`02865b30 unsigned char nt!IopInvalidDeviceRequest+0
+0x0c8 ReleaseForModWrite : 0xfffff800`02865b30 long nt!IopInvalidDeviceRequest+0
+0x0d0 AcquireForCcFlush : 0xfffff800`02865b30 long nt!IopInvalidDeviceRequest+0
+0x0d8 ReleaseForCcFlush : 0xfffff800`02865b30 long nt!IopInvalidDeviceRequest+0

0: kd> dt 0xfffffa80`02b3fdb0 nt!_DRIVER_EXTENSION
+0x000 DriverObject : 0xfffffa80`02b3fc60 _DRIVER_OBJECT
+0x008 AddDevice : (null)
+0x010 Count : 0
+0x018 ServiceKeyName : _UNICODE_STRING "Minispy"
+0x028 ClientDriverExtension : (null)
+0x030 FsFilterCallbacks : (null)

0: kd> !fltkd.instance fffffa80023036b0 4
FLT_INSTANCE: fffffa80023036b0 "Minispy - Top Instance" "385100"
CallbackNodes : (fffffa8002303740)
** No callbacks **

I am obviously a newcomer to mini filters. I am looking to collect changes
to a transaction log for a Pervasive DB that is stored as binary data. I
want to collect the offset and length and/or buffer if possible. Either way,
I can pull the data from the log file into a structure for the particular
Btrieve file and send it to a real database like MSSQL. So here is my
multi-part issue. I compiled it, put it on a machine and it worked fine
(Windows 2008 R2 x64). It was on a VM and I could not seem to get the
debugger to work from a remote machine. Therefore I decided to put it on
some machines with real COM ports. I installed Windows 2008 R2 x64 on the
"server", installed my filter, ran it, and it just sat there staring at me
with no output to the user mode screen. OK, frustrated and confused, I
installed Win7 x64 on the machine and am still getting no output to the
user mode screen even though it still works on the VM. I have searched
extensively and have not found any reason for this.

Please advise,

Robert

[offtopic]

One learns new quirks of windbg even after using it for years together :)
I never knew that I could put the address before the command and windbg
would interpret it right.

dt 864e5b08 nt!_EPROCESS -y ima ; !process 864e5b08 0
+0x174 ImageFileName : [16] "explorer.exe"
PROCESS 864e5b08 SessionId: 0 Cid: 06d8 Peb: 7ffde000 ParentCid: 0698
DirBase: 10940220 ObjectTable: e3340f28 HandleCount: 385.
Image: explorer.exe

[/offtopic]

@robert

This is not an answer to your question, but some observations on the
output you posted.

You issued these two commands:
0: kd> dt fffffa8002b3fc60 nt!_DRIVER_OBJECT
0: kd> dt fffffa8002b3fc60 _FAST_IO_DISPATCH

Using the same address with different commands will yield correct
results for only one of them; the other commands will interpret the
address the way they are designed to and will spit out garbage.

The _FAST_IO_DISPATCH output in your post is the result of an incorrect
address being provided to the command:

+0x018 DriverStart : 0xfffff88003dc9000 Void
+0x018 FastIoWrite : 0xfffff88003dc9000 unsigned char +fffff88003dc9000

To find the IRP_XXXXX_ handlers you can try using the array option of dt
like this; there is no need to use dps:

lkd> dt nt!_DRIVER_OBJECT -ya maj 0x86b50880
+0x038 MajorFunction :
[00] 0xa987b450 long +ffffffffa987b450
[01] 0x804f355a long nt!IopInvalidDeviceRequest+0
[02] 0xa987b450 long +ffffffffa987b450
[03] 0x804f355a long nt!IopInvalidDeviceRequest+0
[04] 0x804f355a long nt!IopInvalidDeviceRequest+0
[05] 0x804f355a long nt!IopInvalidDeviceRequest+0
[06] 0x804f355a long nt!IopInvalidDeviceRequest+0
[07] 0x804f355a long nt!IopInvalidDeviceRequest+0
[08] 0x804f355a long nt!IopInvalidDeviceRequest+0
[09] 0x804f355a long nt!IopInvalidDeviceRequest+0
[10] 0x804f355a long nt!IopInvalidDeviceRequest+0
[11] 0x804f355a long nt!IopInvalidDeviceRequest+0
[12] 0x804f355a long nt!IopInvalidDeviceRequest+0
[13] 0x804f355a long nt!IopInvalidDeviceRequest+0
[14] 0xa987b450 long +ffffffffa987b450
[15] 0xa987b450 long +ffffffffa987b450
[16] 0x804f355a long nt!IopInvalidDeviceRequest+0
[17] 0x804f355a long nt!IopInvalidDeviceRequest+0
[18] 0x804f355a long nt!IopInvalidDeviceRequest+0
[19] 0x804f355a long nt!IopInvalidDeviceRequest+0
[20] 0x804f355a long nt!IopInvalidDeviceRequest+0
[21] 0x804f355a long nt!IopInvalidDeviceRequest+0
[22] 0xa987b450 long +ffffffffa987b450
[23] 0xa987b450 long +ffffffffa987b450
[24] 0x804f355a long nt!IopInvalidDeviceRequest+0
[25] 0x804f355a long nt!IopInvalidDeviceRequest+0
[26] 0x804f355a long nt!IopInvalidDeviceRequest+0
[27] 0xa987b450 long +ffffffffa987b450
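As an added illustration of both observations above (my own code, not anything posted in the thread; the dump excerpts are taken from the posts): the `_DRIVER_OBJECT` and `_FAST_IO_DISPATCH` dumps of one address agree offset for offset, which is how you can tell the second is the first structure's memory reinterpreted, and the `-ya maj` array indices translate to IRP_MJ codes through a table I supply in header order.

```python
import re
# Excerpts of the dumps posted in this thread: one address fed to both `dt ... nt!_DRIVER_OBJECT`
# and `dt ... _FAST_IO_DISPATCH`, plus the MajorFunction array from `dt nt!_DRIVER_OBJECT -ya maj`.
DRIVER_OBJECT_DUMP = """
+0x018 DriverStart : 0xfffff880`03dc9000 Void
+0x050 FastIoDispatch : (null)
+0x068 DriverUnload : 0xfffff880`00e31fb0 void fltmgr!FltpMiniFilterDriverUnload+0
"""
FAST_IO_DUMP = """
+0x018 FastIoWrite : 0xfffff880`03dc9000 unsigned char +fffff88003dc9000
+0x050 FastIoDeviceControl : (null)
+0x068 FastIoDetachDevice : 0xfffff880`00e31fb0 void fltmgr!FltpMiniFilterDriverUnload+0
"""
MAJOR_FUNCTION_DUMP = """
[00] 0xa987b450 long +ffffffffa987b450
[01] 0x804f355a long nt!IopInvalidDeviceRequest+0
[14] 0xa987b450 long +ffffffffa987b450
[27] 0xa987b450 long +ffffffffa987b450
"""
# IRP_MJ_* names in MajorFunction[] index order: 0 = IRP_MJ_CREATE ... 27 = IRP_MJ_PNP.
IRP_MJ = ("CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
          "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
          "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
          "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY "
          "POWER SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA PNP").split()
FIELD_RE = re.compile(r"^\+0x([0-9a-f]+)\s+(\w+)\s+:\s+(\(null\)|0x[0-9a-f`]+)")
ENTRY_RE = re.compile(r"^\[(\d+)\]\s+0x[0-9a-f`]+\s+long\s+(\S+)")

def parse_dt(dump):
    """Return {offset: (field name, pointer value)} for one `dt` structure dump."""
    fields = {}
    for m in (FIELD_RE.match(ln.strip()) for ln in dump.splitlines()):
        if m:
            raw = m.group(3).replace("`", "")
            fields[int(m.group(1), 16)] = (m.group(2), int(raw, 16) if raw != "(null)" else 0)
    return fields

def overlay_matches(dump_a, dump_b):
    """Offsets where both dumps hold the same raw value: one memory block viewed as two types."""
    a, b = parse_dt(dump_a), parse_dt(dump_b)
    return [(off, a[off][0], b[off][0])
            for off in sorted(a.keys() & b.keys()) if a[off][1] == b[off][1]]

def real_dispatch_entries(array_dump):
    """IRP_MJ name -> symbol for slots not left at the nt!IopInvalidDeviceRequest default."""
    out = {}
    for m in (ENTRY_RE.match(ln.strip()) for ln in array_dump.splitlines()):
        if m and not m.group(2).startswith("nt!IopInvalidDeviceRequest"):
            out["IRP_MJ_" + IRP_MJ[int(m.group(1))]] = m.group(2)
    return out
```

Run against the original post, every MajorFunction slot is nt!IopInvalidDeviceRequest, which is the normal state for a minifilter: fltmgr's own frame device objects receive the IRPs, so the filter's driver object dispatches nothing itself. The filter's handlers live in the !fltkd.instance callback list instead, and that dump reports none.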

On 11/4/13, Robert Maersch wrote:
> So far no response for this. Maybe more information is required. Here is
> some of the information from Windbg on my filter. I am not understanding
> why
> my user mode app is receiving the IRP on the callbacks on one machine but
> others and my debug machine seem to only get _FAST_IO_DISPATCH.
> —
> NTFSD is sponsored by OSR