Help with debugging code needed

Konrad_Malinowski · August 13, 2006, 6:03pm

Hello Eveyone,

I am a novice kernel mode programmer who hardly tries to get things done. I intend to write a mini-driver which should in thery provide on-the-fly encryption/decryption of files (streams only). Nothing new as I have noticed (a lot of posts regarding similiar issues ca be found in archives of this forum).

I started with rewieving IFS Kit samples and currently I wrote some really basic code that attaches itself to NTFS volumes only and displays in the debugger the names of files and folders accessed from these volumes. The operation which “gets” the file/folder name is implemented in PostCreate callback. Everything works fine but after couple of seconds since initiaiton filtering with my mini-driver I receive the following error in the debugger:

Access violation - code c0000005 (!!! second chance !!!)
fltmgr!FltpExReleaseRundownProtection+0x21:
f83153d7 f00fc102 lock xadd dword ptr [edx],eax

I’m not experienced in debugging but it looks as an error caused by the Filter Manager somewhere in the FltpExReleaseRundownProtection routine. Could someone please “decode” it for me? Is it a problem with my driver doing something wrong or there is an issue with FM itself?

I’ll be gratefull for any help with this.

Konrad

Some stuff from debugger:

kd> u fltmgr!FltpExReleaseRundownProtection
fltmgr!FltpExReleaseRundownProtection:
f83153b6 8b11 mov edx,dword ptr [ecx]
f83153b8 f6c201 test dl,1
f83153bb 56 push esi
f83153bc 7513 jne fltmgr!FltpExReleaseRundownProtection+0x1b (f83153d1)
f83153be 8d72fe lea esi,[edx-2]
f83153c1 8bc2 mov eax,edx
f83153c3 f00fb131 lock cmpxchg dword ptr [ecx],esi
f83153c7 3bc2 cmp eax,edx

kd> u fltmgr!FltpExReleaseRundownProtection+0x21
fltmgr!FltpExReleaseRundownProtection+0x21:
f83153d7 f00fc102 lock xadd dword ptr [edx],eax
f83153db 750e jne fltmgr!FltpExReleaseRundownProtection+0x35 (f83153eb)
f83153dd 6a00 push 0
f83153df 6a00 push 0
f83153e1 83c204 add edx,4
f83153e4 52 push edx
f83153e5 ff15746031f8 call dword ptr [fltmgr!_imp__KeSetEvent (f8316074)]
f83153eb 5e pop esi

kd> !analyze -v
Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
…
Loading User Symbols
…
Loading unloaded module list
…
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

PROCESS_NAME: csrss.exe

FAULTING_IP:
fltmgr!FltpExReleaseRundownProtection+21
f83153d7 f00fc102 lock xadd dword ptr [edx],eax

EXCEPTION_RECORD: ffffffff – (.exr ffffffffffffffff)
ExceptionAddress: f83153d7 (fltmgr!FltpExReleaseRundownProtection+0x00000021)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00371008
Attempt to write to address 00371008

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

WRITE_ADDRESS: 00371008

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from f8314f16 to f83153d7

STACK_TEXT:
f7fcf958 f8314f16 f7fcf970 f830e0cd 0073006c fltmgr!FltpExReleaseRundownProtection+0x21
f7fcf960 f830e0cd 0073006c 82369d1c f7fcf9cc fltmgr!FltObjectDereference+0x10
f7fcf970 f830eb96 82369c68 00000000 82369c68 fltmgr!FltpCompleteCompletionNode+0x27
f7fcf9cc f8310fe0 00369c68 00000000 82369c68 fltmgr!FltpPerformPostCallbacks+0x1d8
f7fcf9e0 f831150f 82369c68 821872c0 f7fcfa20 fltmgr!FltpProcessIoCompletion+0x10
f7fcf9f0 f8311ba1 81b4a020 821872c0 82369c68 fltmgr!FltpPassThroughCompletion+0x89
f7fcfa20 f831f5af f7fcfa40 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
f7fcfa5c 80828c95 81b4a020 821872c0 821872c0 fltmgr!FltpCreate+0x23b
f7fcfa70 80907bfa f7fcfc18 82376968 00000000 nt!IofCallDriver+0x45
f7fcfb58 80902fad 82376980 00000000 821d5530 nt!IopParseDevice+0xa35
f7fcfbd8 80906a15 00000000 f7fcfc18 00000040 nt!ObpLookupObjectName+0x5a9
f7fcfc2c 8090613b 00000000 00000000 fcfc4401 nt!ObOpenObjectByName+0xea
f7fcfca8 8092b2c2 0051f08c 00100001 0051f044 nt!IopCreateFile+0x447
f7fcfd04 8091bd30 0051f08c 00100001 0051f044 nt!IoCreateFile+0xa3
f7fcfd44 8082337b 0051f08c 00100001 0051f044 nt!NtOpenFile+0x27
f7fcfd44 7c82ed54 0051f08c 00100001 0051f044 nt!KiFastCallEntry+0xf8
0051f014 7c821734 77e6a9d1 0051f08c 00100001 ntdll!KiFastSystemCallRet
0051f018 77e6a9d1 0051f08c 00100001 0051f044 ntdll!NtOpenFile+0xc
0051f30c 77e6abbc 00191298 00000000 0051f44c KERNEL32!FindFirstFileExW+0x1c3
0051f32c 75db2ef1 00191298 0051f44c 00000000 KERNEL32!FindFirstFileW+0x16
0051f6ac 75dae061 00190760 0051f700 0051f731 sxs!CProbedAssemblyInformation::LookForSxsWin32Policy+0x27c
0051f7d8 75dc50fa 00000000 00190760 00000001 sxs!CProbedAssemblyInformation::ProbeAssembly+0x161
0051f998 75dc450d 00000000 0016c000 00190760 sxs!SxspResolvePartialReference+0x5ca
0051f9f4 75db28ae 00000000 0016c000 00190760 sxs!SxspResolvePartialReference+0x7d
0051fa80 75dc4b54 00190760 001775b0 0016c000 sxs!SxspProcessPendingAssemblies+0x12f
0051fac8 75db4598 00190760 00000000 0051fd64 sxs!SxspProcessPendingAssemblies+0x6e
0051fb14 75db5165 00190760 00000000 0051fdc8 sxs!SxspCloseManifestGraph+0xbe
0051fd04 75a6a538 0051fd64 0051fe20 0051ff78 sxs!SxsGenerateActivationContext+0x3ed
0051fda4 75a6a85b 00000063 000001b0 0151fdc8 basesrv!BaseSrvSxsCreateActivationContextFromStruct+0x1a0
0051fe68 75a6499d 000004cc 000001b0 0051fed8 basesrv!BaseSrvSxsCreateProcess+0x161
0051febc 75a54cb8 000001b0 0051ffd8 00000005 basesrv!BaseSrvCreateProcess+0x149
0051fff4 00000000 00000084 00000000 00000000 CSRSRV!CsrApiRequestThread+0x3e0

STACK_COMMAND: kb

FOLLOWUP_IP:
fltmgr!FltpExReleaseRundownProtection+21
f83153d7 f00fc102 lock xadd dword ptr [edx],eax

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fltmgr

IMAGE_NAME: fltmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 42435ba1

SYMBOL_NAME: fltmgr!FltpExReleaseRundownProtection+21

FAILURE_BUCKET_ID: ACCESS_VIOLATION_W_fltmgr!FltpExReleaseRundownProtection+21

BUCKET_ID: ACCESS_VIOLATION_W_fltmgr!FltpExReleaseRundownProtection+21

Followup: MachineOwner

kd> kb
ChildEBP RetAddr Args to Child
f7fcf958 f8314f16 f7fcf970 f830e0cd 0073006c fltmgr!FltpExReleaseRundownProtection+0x21
f7fcf960 f830e0cd 0073006c 82369d1c f7fcf9cc fltmgr!FltObjectDereference+0x10
f7fcf970 f830eb96 82369c68 00000000 82369c68 fltmgr!FltpCompleteCompletionNode+0x27
f7fcf9cc f8310fe0 00369c68 00000000 82369c68 fltmgr!FltpPerformPostCallbacks+0x1d8
f7fcf9e0 f831150f 82369c68 821872c0 f7fcfa20 fltmgr!FltpProcessIoCompletion+0x10
f7fcf9f0 f8311ba1 81b4a020 821872c0 82369c68 fltmgr!FltpPassThroughCompletion+0x89
f7fcfa20 f831f5af f7fcfa40 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
f7fcfa5c 80828c95 81b4a020 821872c0 821872c0 fltmgr!FltpCreate+0x23b
f7fcfa70 80907bfa f7fcfc18 82376968 00000000 nt!IofCallDriver+0x45
f7fcfb58 80902fad 82376980 00000000 821d5530 nt!IopParseDevice+0xa35
f7fcfbd8 80906a15 00000000 f7fcfc18 00000040 nt!ObpLookupObjectName+0x5a9
f7fcfc2c 8090613b 00000000 00000000 fcfc4401 nt!ObOpenObjectByName+0xea
f7fcfca8 8092b2c2 0051f08c 00100001 0051f044 nt!IopCreateFile+0x447
f7fcfd04 8091bd30 0051f08c 00100001 0051f044 nt!IoCreateFile+0xa3
f7fcfd44 8082337b 0051f08c 00100001 0051f044 nt!NtOpenFile+0x27
f7fcfd44 7c82ed54 0051f08c 00100001 0051f044 nt!KiFastCallEntry+0xf8
0051f014 7c821734 77e6a9d1 0051f08c 00100001 ntdll!KiFastSystemCallRet
0051f018 77e6a9d1 0051f08c 00100001 0051f044 ntdll!NtOpenFile+0xc
0051f30c 77e6abbc 00191298 00000000 0051f44c KERNEL32!FindFirstFileExW+0x1c3
0051f32c 75db2ef1 00191298 0051f44c 00000000 KERNEL32!FindFirstFileW+0x16

And here is the source code of my PostCreate callback procedure:

FLT_POSTOP_CALLBACK_STATUS KMSECPostCreate (
IN OUT PFLT_CALLBACK_DATA Data,
IN PCFLT_RELATED_OBJECTS FltObjects,
IN PVOID CompletionContext,
IN FLT_POST_OPERATION_FLAGS Flags
)
{
FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
PFLT_FILE_NAME_INFORMATION nameInfo;
NTSTATUS status;
UNICODE_STRING FileName;

DbgPrint(“KMSEC!KMSECPostCreate: Entered.\n”);
if (!NT_SUCCESS(Data->IoStatus.Status) || (STATUS_REPARSE == Data->IoStatus.Status))
{
DbgPrint(“KMSEC!KMSECPostCreate: Create operation unsuccessfull.\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: Create operation successfull.\n”);
if (FltObjects->FileObject != NULL)
{
DbgPrint(“KMSEC!KMSECPostCreate: FltObjects->FileObject != NULL\n”);

status = FltGetFileNameInformation(
Data,
FLT_FILE_NAME_NORMALIZED |FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );

if (!NT_SUCCESS(status))
{
DbgPrint(“KMSEC!KMSECPostCreate: FltGetFileNameInformation returned an error.\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
status = FltParseFileNameInformation(nameInfo);
if (!NT_SUCCESS(status))
{
DbgPrint(“KMSEC!KMSECPostCreate: FltParseFileNameInformation returned an error.\n”);
FltReleaseFileNameInformation(nameInfo);
return FLT_POSTOP_FINISHED_PROCESSING;
}
if ((nameInfo->FinalComponent.Length) != 0)
{
RtlCopyUnicodeString(&FileName,&nameInfo->FinalComponent);
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent.Length != 0\n”);
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent = %wZ\n”, &nameInfo->FinalComponent);
DbgPrint(“KMSEC!KMSECPostCreate: Collected filename is %wZ\n”, &FileName);
FltReleaseFileNameInformation(nameInfo);
returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent.Length == 0\n”);
FltReleaseFileNameInformation(nameInfo);
return FLT_POSTOP_FINISHED_PROCESSING;
}
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: FltObjects->FileObject == NULL\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
}
return returnStatus;
}

OSR_Community_User · August 14, 2006, 7:04am

Where are you initilizing FileName’s buffer?

I don’t think the NT_SUCCESS macro should be used like that either -
perhaps it’s fine, but
it does look a little screwy.

m.

FLT_POSTOP_CALLBACK_STATUS KMSECPostCreate (
IN OUT PFLT_CALLBACK_DATA Data,
IN PCFLT_RELATED_OBJECTS FltObjects,
IN PVOID CompletionContext,
IN FLT_POST_OPERATION_FLAGS Flags
)
{
FLT_POSTOP_CALLBACK_STATUS returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
PFLT_FILE_NAME_INFORMATION nameInfo;
NTSTATUS status;
UNICODE_STRING FileName;

DbgPrint(“KMSEC!KMSECPostCreate: Entered.\n”);
if (!NT_SUCCESS(Data->IoStatus.Status) || (STATUS_REPARSE == Data->IoStatus.Status))
{
DbgPrint(“KMSEC!KMSECPostCreate: Create operation unsuccessfull.\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: Create operation successfull.\n”);
if (FltObjects->FileObject != NULL)
{
DbgPrint(“KMSEC!KMSECPostCreate: FltObjects->FileObject != NULL\n”);

status = FltGetFileNameInformation(
Data,
FLT_FILE_NAME_NORMALIZED |FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );

if (!NT_SUCCESS(status))
{
DbgPrint(“KMSEC!KMSECPostCreate: FltGetFileNameInformation returned an error.\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
status = FltParseFileNameInformation(nameInfo);
if (!NT_SUCCESS(status))
{
DbgPrint(“KMSEC!KMSECPostCreate: FltParseFileNameInformation returned an error.\n”);
FltReleaseFileNameInformation(nameInfo);
return FLT_POSTOP_FINISHED_PROCESSING;
}
if ((nameInfo->FinalComponent.Length) != 0)
{
RtlCopyUnicodeString(&FileName,&nameInfo->FinalComponent);
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent.Length != 0\n”);
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent = %wZ\n”, &nameInfo->FinalComponent);
DbgPrint(“KMSEC!KMSECPostCreate: Collected filename is %wZ\n”, &FileName);
FltReleaseFileNameInformation(nameInfo);
returnStatus = FLT_POSTOP_FINISHED_PROCESSING;
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: FinalComponent.Length == 0\n”);
FltReleaseFileNameInformation(nameInfo);
return FLT_POSTOP_FINISHED_PROCESSING;
}
}
else
{
DbgPrint(“KMSEC!KMSECPostCreate: FltObjects->FileObject == NULL\n”);
return FLT_POSTOP_FINISHED_PROCESSING;
}
}
return returnStatus;
}

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

Konrad_Malinowski · August 14, 2006, 6:43pm

Dear M.

Thanks for pointing this out. You were right about the possible location of the problem. I have removed the following lines:

…
RtlCopyUnicodeString(&FileName,&nameInfo->FinalComponent);
…
DbgPrint(“KMSEC!KMSECPostCreate: Collected filename is %wZ\n”, &FileName);
…

an everything seems to be working fine. I have some questions if you don’t mind:

How should I initilialise the FileName’s buffer if it is meant to contain a filename taken from FLT_FILE_NAME_INFORMATION->FinalComponent? I assume that UNICODE strings in FLT_FILE_NAME_INFORMATION structure are not null-terminated and that I shouldn’t be initialising it through RtlInitUnicodeString which requires a null-terminate one. Therefore should I use:

#define MAX_STRING_LEN 255 // max length of a filename
FileName.Buffer = ExAllocatePoolWithTag(PagedPool,MAX_STRING_LEN, ‘FBNF’);
…
Use FileName
…
ExFreePoolWithTag(&FileName.Buffer, ‘01NF’);

How should I secure my code by other means than NT_SUCCESS which as you have mentioned I use in a ‘screwy’ way? Any sugestions?

Thanks in adv.

Konrad.

OSR_Community_User · August 15, 2006, 8:27am

Cool, you figured it out. I suppose you also got the length parameters
from the unicode string structure you were copying from.

About that nt_status macro… That’s funny, it looked screwy last night
(yesterday, whatever); in reviewing my own code, I see I use it the same
way :-)…
I guess I shouldn’t stay up past my bed time.

m.

xxxxx@post.pl wrote:

Dear M.

Thanks for pointing this out. You were right about the possible location of the problem. I have removed the following lines:

…
RtlCopyUnicodeString(&FileName,&nameInfo->FinalComponent);
…
DbgPrint(“KMSEC!KMSECPostCreate: Collected filename is %wZ\n”, &FileName);
…

an everything seems to be working fine. I have some questions if you don’t mind:

How should I initilialise the FileName’s buffer if it is meant to contain a filename taken from FLT_FILE_NAME_INFORMATION->FinalComponent? I assume that UNICODE strings in FLT_FILE_NAME_INFORMATION structure are not null-terminated and that I shouldn’t be initialising it through RtlInitUnicodeString which requires a null-terminate one. Therefore should I use:

#define MAX_STRING_LEN 255 // max length of a filename
FileName.Buffer = ExAllocatePoolWithTag(PagedPool,MAX_STRING_LEN, ‘FBNF’);
…
Use FileName
…
ExFreePoolWithTag(&FileName.Buffer, ‘01NF’);

How should I secure my code by other means than NT_SUCCESS which as you have mentioned I use in a ‘screwy’ way? Any sugestions?

Thanks in adv.

Konrad.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@comcast.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · August 16, 2006, 12:54pm

Konrad,

You wrote:

A couple of comments:

I am not sure why yu use a fixed-size length. Why not just juse the
.Length field? Also, as I recall, there is a #define for the maximum single
component filename length in ntifs.h.
You are using different tags for the allocate and free… You should use
a #define for the tag.

Danilo