Hi,
We're developing anti-virus software that includes a file filter driver.
My filter driver works well on NT 4.0 but raises a problem on W2K Professional
sometimes (very rarely). The problem is a page fault from NTFS. The bluescreen message is
bugcheck = 0x24 (NTFS_FILE_SYSTEM) …
I'm debugging with the bugcheck code and its extra parameters.
A few days ago I found the point that brings down Windows 2000. The point is:
call IoGetTopLevelIrp
push dword ptr [eax+0x14] ; of course eax == 0, so die
The code fragments exist in Ntfs!NtfsCleanupIrpContext, Ntfs!NtfsCreateCompletionRoutine,
and so on.
The call stack is:
Ntfs!NtfsCleanupIrpContext+0xe0 <----- the point to be crash
Ntfs!NtfsCompleteRequest+0x32
Ntfs!NtfsCommonCleanup+0x24e2
Ntfs!NtfsFsdCleanup+0x113
ntoskrnl!IopfCallDriver+0x35
v3filw2k!V3filterHookRoutine+0x50 <----- my filter driver routine
ntoskrnl!ObpDecrementHandleCount+0x13c
ntoskrnl!NtClose+0x1f0
ntoskrnl!KiSystemService+0xc4
ntdll!NtClose+0xb
KERNEL32!DeleteFileW+0x24b
KERNEL32!DeleteFileA+0x15
What I want to know is as follows:
- I can't understand why IoGetTopLevelIrp returns 0.
We think the system never crashes during normal operation (without my filter driver),
because IoGetTopLevelIrp always returns non-zero under the same conditions (as in the above call stack).
But sometimes the system crashes while my filter driver is running.
Does my filter driver affect NTFS? Is that right?
Is TopLevelIrp NULL because of my filter driver???
- Why doesn't the procedure (NtfsCleanupIrpContext) do a NULL check?
All routines that use IoGetTopLevelIrp always checked whether the return value was zero
or not when I was debugging NT 4.0 NTFS. But W2K does not (as in the above code fragments).
Is that correct? If so, how does NTFS make sure TopLevelIrp is not NULL in the NtfsCleanupIrpContext
routine or NtfsCreateCompletionRoutine?
(IoGetTopLevelIrp can return NULL according to the W2K DDK documentation.)
Please help me with this mystery!!!
Best regards,
Kim SungHyun
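The top-level IRP contract the post cites from the DDK, as an added user-mode model (this is not the poster's driver, not NTFS code, and not a diagnosis of this crash): a global stands in for the per-thread slot, the FSD claims the slot only when it is empty and clears it only if it claimed it, and two hypothetical hooked filters either restore the previous value or clear the slot outright. The model shows that the clearing variant is harmless for a top-level request but, when reached from a nested request, leaves the outer file-system call reading NULL from IoGetTopLevelIrp.

```c
#include <stddef.h>
#include <stdbool.h>

/* User-mode model of the per-thread slot behind IoGetTopLevelIrp and
 * IoSetTopLevelIrp; a global stands in for the thread field (assumption). */
typedef struct _IRP { int Id; } IRP, *PIRP;   /* stub IRP */
static PIRP g_TopLevelIrp;
static PIRP IoGetTopLevelIrp(void) { return g_TopLevelIrp; }
static void IoSetTopLevelIrp(PIRP Irp) { g_TopLevelIrp = Irp; }
typedef int (*FILTER_HOOK)(PIRP Irp, int Depth);

/* FSD dispatch in the FastFat-sample style: claim the slot only when it
 * is empty, clear it on exit only if this call claimed it. While Depth > 0
 * it sends a nested request back through the hook. Returns -1 if the
 * completion path finds the slot NULL (the state in which
 * "push dword ptr [eax+0x14]" dereferences 0), else 0. */
static int FsdDispatch(PIRP Irp, int Depth, FILTER_HOOK Hook)
{
    bool claimed = false;
    if (IoGetTopLevelIrp() == NULL) { IoSetTopLevelIrp(Irp); claimed = true; }
    if (Depth > 0) { IRP nested = { Irp->Id + 1 }; Hook(&nested, Depth - 1); }
    int status = (IoGetTopLevelIrp() == NULL) ? -1 : 0;
    if (claimed) IoSetTopLevelIrp(NULL);
    return status;
}

/* Hypothetical hook that marks its own work in the slot and restores
 * whatever it found there before forwarding the request. */
static int FilterRestoring(PIRP Irp, int Depth)
{
    PIRP saved = IoGetTopLevelIrp();
    IoSetTopLevelIrp(Irp);
    /* the filter's own nested I/O would run here */
    IoSetTopLevelIrp(saved);            /* restore, never just clear */
    return FsdDispatch(Irp, Depth, FilterRestoring);
}

/* Same hook, but it clears the slot instead of restoring it: harmless at
 * top level, inside a nested request it erases the outer FSD's value. */
static int FilterClobbering(PIRP Irp, int Depth)
{
    IoSetTopLevelIrp(Irp);
    IoSetTopLevelIrp(NULL);             /* wrong when a caller owned the slot */
    return FsdDispatch(Irp, Depth, FilterClobbering);
}

/* Drive one request through Hook with Depth nested re-entries. */
static int RunRequest(FILTER_HOOK Hook, int Depth)
{ IRP irp = { 1 }; g_TopLevelIrp = NULL; return Hook(&irp, Depth); }
```

RunRequest(FilterClobbering, 0) returns 0 while RunRequest(FilterClobbering, 1) returns -1, which is why a slot-clearing bug only surfaces on the rare nested paths.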