Help me on "PAGE_FAULT_IN_NONPAGED_AREA"

I’m working on an FSFD. When I hook IRP_MJ_WRITE and then want to copy data to another FileObject, it always causes “Fatal System Error: PAGE_FAULT_IN_NONPAGED_AREA”.

Thanks for your help!


*** Fatal System Error: 0x00000050
(0xF7330000,0x00000000,0x80444836,0x00000000)


kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f7330000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80444836, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: f7330000 Nonpaged pool

FAULTING_IP:
nt!MmCopyToCachedPage+5c
80444836 8a00 mov al,byte ptr [eax]

MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50

TRAP_FRAME: bcd564e8 – (.trap 0xffffffffbcd564e8)
ErrCode = 00000000
eax=f7330000 ebx=8129a208 ecx=00000000 edx=00000000 esi=00001000 edi=00000000
eip=80444836 esp=bcd5655c ebp=bcd565ec iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
nt!MmCopyToCachedPage+0x5c:
80444836 8a00 mov al,byte ptr [eax] ds:0023:f7330000=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 8042bcb9 to 80452e70

STACK_TEXT:
bcd560d0 8042bcb9 00000003 bcd56118 f7330000 nt!RtlpBreakWithStatusInstruction
bcd56100 8042c068 00000003 c03dccc0 80062e90 nt!KiBugCheckDebugBreak+0x31
bcd56488 80446eaf 00000000 f7330000 00000000 nt!KeBugCheckEx+0x37b
bcd564d0 80464966 00000000 f7330000 00000000 nt!MmAccessFault+0x74e
bcd564d0 80444836 00000000 f7330000 00000000 nt!KiTrap0E+0xc3
bcd565ec 804118b3 c7880000 f7330000 00000000 nt!MmCopyToCachedPage+0x5c
bcd56690 8040e35b 8129a208 f7330000 bcd566f0 nt!CcMapAndCopy+0x13e
bcd56740 bfef391d 812ad288 bcd56a54 00004159 nt!CcCopyWrite+0x41f
bcd56ac0 bfef3dc2 812b92e8 81214008 00000000 Ntfs!NtfsCommonWrite+0x23f6
bcd56b2c 8041f54b 81370020 81214008 81214190 Ntfs!NtfsFsdWrite+0xf0
bcd56b40 f731995c 812196c0 81214008 00000000 nt!IopfCallDriver+0x35
bcd56b94 8041f54b 812ad288 81214008 81214008 filespy!FsDispatch+0xa0f [f:\wdm_dev\filemo~1.34\filespy\filespy.c @ 361]
bcd56c48 804ba5e8 81209318 00000000 81209188 nt!IopfCallDriver+0x35
bcd56c5c 804af6dd 812196c0 81209188 812a3148 nt!IopSynchronousServiceTail+0x60
bcd56d38 80461691 000003ec 00000000 00000000 nt!NtWriteFile+0x67a
bcd56d38 77f891bb 000003ec 00000000 00000000 nt!KiSystemService+0xc4
0179e904 77e94aab 000003ec 00000000 00000000 ntdll!ZwWriteFile+0xb
0179e970 77e98b70 000003ec 01820000 00004159 KERNEL32!WriteFile+0x111
0179ee78 77e85b77 000c3644 000003f0 80000000 KERNEL32!BaseCopyStream+0x140d
0179f494 77e89a18 000c3644 000c384c 7761b033 KERNEL32!BasepCopyFileExW+0x5a1
0179f4f0 7761b34b 000c3644 000c384c 7761b033 KERNEL32!CopyFileExW+0x52
0179f734 7761cbe1 000c3570 000c3644 000c384c SHELL32!FileCopy+0x14b
0179f964 7761d1fc 000c3570 000c3644 000c384c SHELL32!DoFile_Copy+0x31
0179fe74 775eb820 00000000 00000000 000c3aa0 SHELL32!MoveCopyDriver+0x37b
0179fec0 776292ce 00000374 00000000 000c3aa0 SHELL32!SHFileOperationW+0x1a7
0179ff3c 776295e5 00000001 00000000 000c3ad8 SHELL32!_HandleMoveOrCopy+0x1da
0179ff84 77c8afc3 000c3aa0 77f89a99 00000000 SHELL32!FileDropTargetThreadProc+0x14d
0179ffb4 77e92ca8 00000000 77f89a99 00000000 SHLWAPI!WrapperThreadProc+0x3e
0179ffec 00000000 77c8af93 0129e858 00000000 KERNEL32!BaseThreadStart+0x52

STACK_COMMAND: kb
FOLLOWUP_IP:
filespy!FsDispatch+a0f [f:\filespy\filespy.c @ 361]
f731995c 5f pop edi

FAULTING_SOURCE_CODE:
357: }
358:
359: //
360: IoCopyCurrentIrpStackLocationToNext(Irp);
> 361: return IoCallDriver(hookExt->FileSystem, Irp);
362: }
363: //////////////////////////////////////////////////////////////////////////
364:
365: //////////////////////////////////////////////////////////////////////////
366: PDUP FsCreate(IN PHOOK_EXTENSION pHookExt, IN PFILE_OBJECT pFileObject, IN LONG lDisposition)

SYMBOL_STACK_INDEX: b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: filespy
IMAGE_NAME: filespy.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 464420d8
SYMBOL_NAME: filespy!FsDispatch+a0f
FAILURE_BUCKET_ID: 0x50_filespy!FsDispatch+a0f
BUCKET_ID: 0x50_filespy!FsDispatch+a0f
Followup: MachineOwner


You either pass an invalid buffer or there is an error in Irp initializing.

P.S. your way is a way to a deadlock.


Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> I’m working on FSFD, when I hooked IRP_MJ_WRITE, then I wanna copy data to
> another FileObject, but always cause “Fatal System Error :
> PAGE_FAULT_IN_NONPAGED_AREA”
>
>
> Thanks for your help!
>
> -------------------------------------------------------------------------------
> Fatal System Error: 0x00000050
> (0xF7330000,0x00000000,0x80444836,0x00000000)
>
> -------------------------------------------------------------------------------
>
> kd> !analyze -v
>
> *******************************************************************************
> * *
> * Bugcheck Analysis *
> * *
> *******************************************************************************
>
> PAGE_FAULT_IN_NONPAGED_AREA (50)
> Invalid system memory was referenced. This cannot be protected by try-except,
> it must be protected by a Probe. Typically the address is just plain bad or it
> is pointing at freed memory.
> Arguments:
> Arg1: f7330000, memory referenced.
> Arg2: 00000000, value 0 = read operation, 1 = write operation.
> Arg3: 80444836, If non-zero, the instruction address which referenced the bad memory
> address.
> Arg4: 00000000, (reserved)
>
> Debugging Details:
> ------------------
>
> READ_ADDRESS: f7330000 Nonpaged pool
>
> FAULTING_IP:
> nt!MmCopyToCachedPage+5c
> 80444836 8a00 mov al,byte ptr [eax]
>
> MM_INTERNAL_CODE: 0
> DEFAULT_BUCKET_ID: DRIVER_FAULT
> BUGCHECK_STR: 0x50
>
> TRAP_FRAME: bcd564e8 – (.trap 0xffffffffbcd564e8)
> ErrCode = 00000000
> eax=f7330000 ebx=8129a208 ecx=00000000 edx=00000000 esi=00001000 edi=00000000
> eip=80444836 esp=bcd5655c ebp=bcd565ec iopl=0 nv up ei ng nz ac pe cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
> nt!MmCopyToCachedPage+0x5c:
> 80444836 8a00 mov al,byte ptr [eax] ds:0023:f7330000=??
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from 8042bcb9 to 80452e70
>
> STACK_TEXT:
> bcd560d0 8042bcb9 00000003 bcd56118 f7330000 nt!RtlpBreakWithStatusInstruction
> bcd56100 8042c068 00000003 c03dccc0 80062e90 nt!KiBugCheckDebugBreak+0x31
> bcd56488 80446eaf 00000000 f7330000 00000000 nt!KeBugCheckEx+0x37b
> bcd564d0 80464966 00000000 f7330000 00000000 nt!MmAccessFault+0x74e
> bcd564d0 80444836 00000000 f7330000 00000000 nt!KiTrap0E+0xc3
> bcd565ec 804118b3 c7880000 f7330000 00000000 nt!MmCopyToCachedPage+0x5c
> bcd56690 8040e35b 8129a208 f7330000 bcd566f0 nt!CcMapAndCopy+0x13e
> bcd56740 bfef391d 812ad288 bcd56a54 00004159 nt!CcCopyWrite+0x41f
> bcd56ac0 bfef3dc2 812b92e8 81214008 00000000 Ntfs!NtfsCommonWrite+0x23f6
> bcd56b2c 8041f54b 81370020 81214008 81214190 Ntfs!NtfsFsdWrite+0xf0
> bcd56b40 f731995c 812196c0 81214008 00000000 nt!IopfCallDriver+0x35
> bcd56b94 8041f54b 812ad288 81214008 81214008 filespy!FsDispatch+0xa0f [f:\wdm_dev\filemo~1.34\filespy\filespy.c @ 361]
> bcd56c48 804ba5e8 81209318 00000000 81209188 nt!IopfCallDriver+0x35
> bcd56c5c 804af6dd 812196c0 81209188 812a3148 nt!IopSynchronousServiceTail+0x60
> bcd56d38 80461691 000003ec 00000000 00000000 nt!NtWriteFile+0x67a
> bcd56d38 77f891bb 000003ec 00000000 00000000 nt!KiSystemService+0xc4
> 0179e904 77e94aab 000003ec 00000000 00000000 ntdll!ZwWriteFile+0xb
> 0179e970 77e98b70 000003ec 01820000 00004159 KERNEL32!WriteFile+0x111
> 0179ee78 77e85b77 000c3644 000003f0 80000000 KERNEL32!BaseCopyStream+0x140d
> 0179f494 77e89a18 000c3644 000c384c 7761b033 KERNEL32!BasepCopyFileExW+0x5a1
> 0179f4f0 7761b34b 000c3644 000c384c 7761b033 KERNEL32!CopyFileExW+0x52
> 0179f734 7761cbe1 000c3570 000c3644 000c384c SHELL32!FileCopy+0x14b
> 0179f964 7761d1fc 000c3570 000c3644 000c384c SHELL32!DoFile_Copy+0x31
> 0179fe74 775eb820 00000000 00000000 000c3aa0 SHELL32!MoveCopyDriver+0x37b
> 0179fec0 776292ce 00000374 00000000 000c3aa0 SHELL32!SHFileOperationW+0x1a7
> 0179ff3c 776295e5 00000001 00000000 000c3ad8 SHELL32!_HandleMoveOrCopy+0x1da
> 0179ff84 77c8afc3 000c3aa0 77f89a99 00000000 SHELL32!FileDropTargetThreadProc+0x14d
> 0179ffb4 77e92ca8 00000000 77f89a99 00000000 SHLWAPI!WrapperThreadProc+0x3e
> 0179ffec 00000000 77c8af93 0129e858 00000000 KERNEL32!BaseThreadStart+0x52
>
> STACK_COMMAND: kb
> FOLLOWUP_IP:
> filespy!FsDispatch+a0f [f:\filespy\filespy.c @ 361]
> f731995c 5f pop edi
>
> FAULTING_SOURCE_CODE:
> 357: }
> 358:
> 359: //
> 360: IoCopyCurrentIrpStackLocationToNext(Irp);
>> 361: return IoCallDriver(hookExt->FileSystem, Irp);
> 362: }
> 363: //////////////////////////////////////////////////////////////////////////
> 364:
> 365: //////////////////////////////////////////////////////////////////////////
> 366: PDUP FsCreate(IN PHOOK_EXTENSION pHookExt, IN PFILE_OBJECT pFileObject, IN LONG lDisposition)
>
> SYMBOL_STACK_INDEX: b
> FOLLOWUP_NAME: MachineOwner
> MODULE_NAME: filespy
> IMAGE_NAME: filespy.sys
> DEBUG_FLR_IMAGE_TIMESTAMP: 464420d8
> SYMBOL_NAME: filespy!FsDispatch+a0f
> FAILURE_BUCKET_ID: 0x50_filespy!FsDispatch+a0f
> BUCKET_ID: 0x50_filespy!FsDispatch+a0f
> Followup: MachineOwner
> ---------
> -------------------------------------------------------------------------------
>
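
An added example, not part of either post: a small Python triage helper run over lines trimmed from the dump above. It reports the access type, which frames carry the faulting address in their first three stack arguments, and the first kernel-mode frame outside the OS modules; the `OS_MODULES` set and the 2 GB user/kernel split are assumptions.

```python
import re

# Lines trimmed from the !analyze -v output quoted in the thread above.
DUMP = """\
Arg1: f7330000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
STACK_TEXT:
bcd564d0 80444836 00000000 f7330000 00000000 nt!KiTrap0E+0xc3
bcd565ec 804118b3 c7880000 f7330000 00000000 nt!MmCopyToCachedPage+0x5c
bcd56690 8040e35b 8129a208 f7330000 bcd566f0 nt!CcMapAndCopy+0x13e
bcd56740 bfef391d 812ad288 bcd56a54 00004159 nt!CcCopyWrite+0x41f
bcd56ac0 bfef3dc2 812b92e8 81214008 00000000 Ntfs!NtfsCommonWrite+0x23f6
bcd56b2c 8041f54b 81370020 81214008 81214190 Ntfs!NtfsFsdWrite+0xf0
bcd56b40 f731995c 812196c0 81214008 00000000 nt!IopfCallDriver+0x35
bcd56b94 8041f54b 812ad288 81214008 81214008 filespy!FsDispatch+0xa0f
bcd56d38 80461691 000003ec 00000000 00000000 nt!NtWriteFile+0x67a
0179e970 77e98b70 000003ec 01820000 00004159 KERNEL32!WriteFile+0x111
"""

# kb frame line: ChildEBP RetAddr Arg1 Arg2 Arg3 module!function+offset
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) "
                   r"([0-9a-f]{8}) (\w+)!(\w+)", re.M)
OS_MODULES = {"nt", "ntfs"}   # assumption: modules treated as OS-owned
USER_LIMIT = 0x80000000       # assumption: default 2 GB split, 32-bit Windows


def bugcheck_arg(text, n):
    """Return bugcheck argument n (1-based) from the 'ArgN:' lines."""
    return int(re.search(rf"Arg{n}: ([0-9a-f]{{8}})", text).group(1), 16)


def triage(text):
    fault = bugcheck_arg(text, 1)
    frames = [(int(m[1], 16), f"{m[6]}!{m[7]}",
               [int(a, 16) for a in m.group(3, 4, 5)])
              for m in FRAME.finditer(text)]
    # Frames whose visible stack arguments contain the bad address.
    carriers = [sym for _, sym, args in frames if fault in args]
    # First kernel-stack frame that belongs to a non-OS module.
    driver = next((sym for ebp, sym, _ in frames
                   if ebp >= USER_LIMIT
                   and sym.split("!")[0].lower() not in OS_MODULES), None)
    return {
        "address": fault,
        "access": "read" if bugcheck_arg(text, 2) == 0 else "write",
        "kernel_address": fault >= USER_LIMIT,
        "page_aligned": fault % 0x1000 == 0,
        "carriers": carriers,
        "driver_frame": driver,
    }
```

On this dump the bad pointer first shows up in the cache manager's copy path, below the filter's `IoCallDriver` call, which is where the buffer described by the IRP is actually read.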