How to get the drive letter in a filter driver

After googling, sadly, I didn’t get the correct solution, or I am not getting the point, which may be the cause of the BSOD. Here is the code in the IRP_MJ_READ dispatch routine with which I am trying to get the drive letter.

    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING volumeName;
    status = IoVolumeDeviceToDosName((PVOID)FileObject->DeviceObject, &volumeName);
    if (status == STATUS_SUCCESS)
        DbgPrint("Volume name %wZ", &volumeName);

Is there anything wrong with this approach? (Surely there is.) But at least I am sure the error is in this piece of code.

IRP_MJ_READ most likely will be called at a raised IRQL, so you probably
cannot call IoVolumeDeviceToDosName(). WDK documentation says this function
must be called at PASSIVE_LEVEL.

On Fri, Mar 4, 2016 at 2:30 PM wrote:

> After googling, sadly, I didn’t get the correct solution, or I am not
> getting the point, which may be the cause of the BSOD. Here is the code in
> the IRP_MJ_READ dispatch routine with which I am trying to get the drive
> letter.
>
>     NTSTATUS status = STATUS_SUCCESS;
>     UNICODE_STRING volumeName;
>     status = IoVolumeDeviceToDosName((PVOID)FileObject->DeviceObject,
>                                      &volumeName);
>     if (status == STATUS_SUCCESS)
>         DbgPrint("Volume name %wZ", &volumeName);
>
> Is there anything wrong with this approach? (Surely there is.) But at
> least I am sure the error is in this piece of code.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at:
> <http://www.osronline.com/showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> <http://www.osronline.com/page.cfm?name=ListServer>

The BSOD error was DRIVER_VERIFIER_IOMANAGER_VIOLATION
crash dump .....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 0000000c, Invalid IOSB in IRP at APC IopCompleteRequest (appears to be on
stack that was unwound)
Arg2: b87b3fd8, IOSB address
Arg3: cf61eed8, IRP address
Arg4: 00000000

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 760

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A16

BIOS_DATE: 08/06/2013

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0R230R

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: c

BUGCHECK_P2: ffffffffb87b3fd8

BUGCHECK_P3: ffffffffcf61eed8

BUGCHECK_P4: 0

BUGCHECK_STR: 0xc9_c

DRIVER_VERIFIER_IO_VIOLATION_TYPE: c

IOSB_ADDRESS: ffffffffb87b3fd8

IRP_ADDRESS: 0061eed8

DEVICE_OBJECT: 8b093508

CPU_COUNT: 4

CPU_MHZ: a64

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R) SIG: A0B'00000000 (cache) A0B'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 1

ANALYSIS_SESSION_HOST: MAMOONAHMED-PC

ANALYSIS_SESSION_TIME: 03-05-2016 03:21:59.0699

ANALYSIS_VERSION: 10.0.10586.567 x86fre

LAST_CONTROL_TRANSFER: from 82d869f1 to 82b33bfc

STACK_TEXT:
b87b4830 82d869f1 000000c9 0000000c b87b3fd8 nt!KeBugCheckEx+0x1e
b87b4850 82ad5504 8badfeb2 8a75d5e0 cf61ef18 nt!IovpCompleteRequest+0x3c
b87b4894 82b05a86 0061ef18 b87b48c0 b87b48cc nt!IopCompleteRequest+0x4a
b87b48e4 82a7cb48 00000000 00000000 00000000 nt!KiDeliverApc+0x111
b87b48f8 82a89fc8 b77c0000 00000000 b87b4934 nt!KiCheckForKernelApcDelivery+0x24
b87b4908 82b09a47 bac84ea0 b87b49f8 98e285f0 nt!MmWaitForCacheManagerPrefetch+0x54
b87b4934 82cbdeda 98e285f0 00000001 b87b49ac nt!CcFetchDataForRead+0xa4
b87b4970 82cb9407 98e285f0 00000000 00000000 nt!CcMapAndCopyFromCache+0x70
b87b49b4 8583fdf1 98e285f0 b87b49f8 00001000 nt!CcCopyRead+0x107
b87b49e0 85838779 8a75f788 98e285f0 bd3e2e00 Ntfs!NtfsCachedRead+0x13e
b87b4abc 85839cf7 8a75f788 bd3e2e00 3dfd01cb Ntfs!NtfsCommonRead+0x11a1
b87b4b2c 82d866c3 8b0c8020 bd3e2e00 00000000 Ntfs!NtfsFsdRead+0x279
b87b4b50 82a8bbd5 00000000 bd3e2e00 8b0c8020 nt!IovCallDriver+0x258
b87b4b64 855c920c 8b96c020 bd3e2e00 00000000 nt!IofCallDriver+0x1b
b87b4b88 855c93cb b87b4ba8 8b96c020 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
b87b4bc0 82d866c3 8b96c020 bd3e2e00 8b11a728 fltmgr!FltpDispatch+0xc5
b87b4be4 82a8bbd5 00000000 bd3e2e00 8b96c020 nt!IovCallDriver+0x258
b87b4bf8 bfa96b74 8ef7a2c0 b87b4c24 bfa96b48 nt!IofCallDriver+0x1b
WARNING: Stack unwind information not available. Following frames may be wrong.
b87b4c04 bfa96b48 8ef7a208 bd3e2e00 00060004 FsFilter+0x1b74
b87b4c24 82d866c3 8ef7a208 bd3e2e00 98e285f0 FsFilter+0x1b48
b87b4c48 82a8bbd5 00000000 bd3e2e00 8ef7a208 nt!IovCallDriver+0x258
b87b4c5c 82c7fbf9 bd3e2e00 bd3e2fd8 98e285f0 nt!IofCallDriver+0x1b
b87b4c7c 82cb8655 8ef7a208 98e285f0 00000001 nt!IopSynchronousServiceTail+0x1f8
b87b4d08 82a928c6 8ef7a208 bd3e2e00 00000000 nt!NtReadFile+0x644
b87b4d08 775470f4 8ef7a208 bd3e2e00 00000000 nt!KiSystemServicePostCall
0174e1b0 00000000 00000000 00000000 00000000 0x775470f4

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: d8b73541514d974bc982f63bf99d82c67aa148ac

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: cdfaf3e769a360b75e976d31fa34b6ed449f6f2e

THREAD_SHA1_HASH_MOD: 2e589bd1ecea5b0181364a8f066c846827f766e2

FOLLOWUP_IP:
FsFilter+1b74
bfa96b74 ?? ???

SYMBOL_STACK_INDEX: 12

SYMBOL_NAME: FsFilter+1b74

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: FsFilter

IMAGE_NAME: FsFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 56d9c911

FAILURE_BUCKET_ID: 0xc9_c_VRF_FsFilter+1b74

BUCKET_ID: 0xc9_c_VRF_FsFilter+1b74

PRIMARY_PROBLEM_CLASS: 0xc9_c_VRF_FsFilter+1b74

TARGET_TIME: 2016-03-04T17:42:51.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2013-08-29 05:58:30

BUILDDATESTAMP_STR: 130828-1532

BUILDLAB_STR: win7sp1_gdr

BUILDOSVER_STR: 6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 5d0

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc9_c_vrf_fsfilter+1b74

FAILURE_ID_HASH: {04210dbb-c089-a919-1488-eacb0bde9446}

Followup: MachineOwner

Please correct me if I am wrong. FileObject->DeviceObject is the device
\Device\HarddiskVolume(1 2 3 or whatever the number of the volume on which the
file is located)? Am I right? According to this article (
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx
).

If the above statement is correct, would it be right to get the devices of the
hard disk one by one in a loop until the status says no device found, and save
all those devices in a linked list? In the IRP_MJ_READ dispatch routine I should
check if File->DeviceObject == LinkedList->DeviceObject, then print its DOS name
like LinkedList->name?

I do something similar in a driver I wrote and I keep a list.

On Fri, Mar 4, 2016 at 6:11 PM wrote:

> Please correct me if I am wrong. FileObject->DeviceObject is the device
> \Device\HarddiskVolume(1 2 3 or whatever the number of the volume on which
> the file is located)? Am I right? According to this article (
>
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff545834(v=vs.85).aspx
> ).
>
> If the above statement is correct, would it be right to get the devices of
> the hard disk one by one in a loop until the status says no device found,
> and save all those devices in a linked list? In the IRP_MJ_READ dispatch
> routine I should check if File->DeviceObject == LinkedList->DeviceObject,
> then print its DOS name like LinkedList->name?
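
The list-based approach discussed in this thread, as an added example that is not code from any poster: a user-mode C model in which the DOS name is resolved once at PASSIVE_LEVEL and the read path only looks it up by device pointer. All names (`FakeVolume`, `resolve_dos_name`, `cache_volume`, `lookup_dos_name`, `g_irql`) are hypothetical stand-ins; `resolve_dos_name` only models the PASSIVE_LEVEL requirement cited above for IoVolumeDeviceToDosName.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode model. Every name below is hypothetical, not a WDK API. */
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1 };
static int g_irql = PASSIVE_LEVEL;            /* stand-in for the current IRQL */

typedef struct { char letter; } FakeVolume;   /* stand-in for a volume device object */
static const FakeVolume vol_c = {'C'}, vol_d = {'D'};   /* constructed sample volumes */

typedef struct VolumeEntry {
    const FakeVolume *device;                 /* key: device object pointer */
    char dos_name[4];                         /* cached name, e.g. "C:" */
    struct VolumeEntry *next;
} VolumeEntry;
static VolumeEntry *g_volumes;                /* a real driver guards this with a lock */

/* Stand-in for IoVolumeDeviceToDosName: refuses to run above PASSIVE_LEVEL. */
static int resolve_dos_name(const FakeVolume *dev, char *out, size_t len) {
    if (g_irql != PASSIVE_LEVEL || len < 3) return -1;
    out[0] = dev->letter; out[1] = ':'; out[2] = '\0';
    return 0;
}

/* Attach time: resolve once at PASSIVE_LEVEL and remember the result. */
static int cache_volume(const FakeVolume *dev) {
    VolumeEntry *e = calloc(1, sizeof *e);
    if (e == NULL) return -1;
    if (resolve_dos_name(dev, e->dos_name, sizeof e->dos_name) != 0) {
        free(e);
        return -1;
    }
    e->device = dev; e->next = g_volumes; g_volumes = e;
    return 0;
}

/* Read path: pointer comparison only, no allocation and no blocking call. */
static const char *lookup_dos_name(const FakeVolume *dev) {
    for (const VolumeEntry *e = g_volumes; e != NULL; e = e->next)
        if (e->device == dev) return e->dos_name;
    return NULL;                              /* volume was never cached */
}

int main(void) {
    cache_volume(&vol_c);                     /* attach at PASSIVE_LEVEL */
    g_irql = APC_LEVEL;                       /* now model the read path */
    printf("C: cached = %d\n", lookup_dos_name(&vol_c) != NULL);
    return cache_volume(&vol_d) == -1 ? 0 : 1; /* late resolve is rejected */
}
```

In a driver, the buffer that IoVolumeDeviceToDosName returns in the UNICODE_STRING is freed with ExFreePool once the cached entry is no longer needed.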