Hi all,
When Norton Anti-virus is enabled, my minifilter always causes a system crash. From the bugcheck analysis, some problem occurs in SYMEVENT. My filter was trying to read the file object in the post creation. I tried to make the read buffer aligned with the sector size, but it doesn't help.
To be honest, I haven't got any idea how to debug and troubleshoot this kind of issue. Can you please kindly give some advice?
Thanks,
Wilson Wang
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: f9061548
Arg3: f9061244
Arg4: 804e4b58
Debugging Details:
OVERLAPPED_MODULE: Address regions for ‘docCrypto’ and ‘kmixer.sys’ overlap
EXCEPTION_RECORD: f9061548 – (.exr fffffffff9061548)
.exr fffffffff9061548
ExceptionAddress: 804e4b58 (nt!ExAcquireResourceExclusiveLite+0x00000036)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000000c
Attempt to read from address 0000000c
CONTEXT: f9061244 – (.cxr fffffffff9061244)
.cxr fffffffff9061244
eax=ffac9878 ebx=ffaac948 ecx=0000635f edx=07c70000 esi=00000000 edi=ffac9878
eip=804e4b58 esp=f9061610 ebp=f9061618 iopl=0 nv up di ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010086
nt!ExAcquireResourceExclusiveLite+0x36:
804e4b58 66837e0c00 cmp word ptr [esi+0Ch],0 ds:0023:0000000c=???
.cxr
Resetting default scope
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: svchost.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
READ_ADDRESS: 0000000c
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from fc331d6a to 804e4b58
MISALIGNED_IP:
nt!ExAcquireResourceExclusiveLite+36
804e4b58 66837e0c00 cmp word ptr [esi+0Ch],0
STACK_TEXT:
f9061618 fc331d6a 00000000 00000001 80d0a7f8 nt!ExAcquireResourceExclusiveLite+0x36
f90616e4 fc32cfbf ffaac948 80d0a7f8 00000001 Ntfs!NtfsCommonRead+0x39d
f9061784 804e4d77 80e46108 80d0a7f8 80ea7e20 Ntfs!NtfsFsdRead+0x22d
f9061794 fc3ce459 f90617ec 804e4d77 80e46ad0 nt!IopfCallDriver+0x31
f906179c 804e4d77 80e46ad0 80d0a7f8 80d0a7f8 sr!SrPassThrough+0x31
f90617ac f86aa1fb 00000000 80d9c300 804e4d77 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f90617ec fc3e4af5 f906180c 80defee8 00000000 SYMEVENT+0x61fb
f9061824 fc3e4d22 ffaceb50 ffa4c638 ffa4c6ec fltMgr!FltPerformSynchronousIo+0xb9
f9061850 f8507896 80de83dc 00061cc0 010618dc fltMgr!FltReadFile+0xf8
f906190c fc3e0fa1 ffa4c694 f9061930 00000000 docCrypto!CryptoPostCreate+0x386 [d:\infoprotection\cryptodrv\mf_create_post.c @ 249]
f9061974 fc3e33ea 00a4c638 00000000 ffa4c638 fltMgr!FltpPerformPostCallbacks+0x1c5
f9061988 fc3e3817 ffa4c638 80df32a8 f90619c8 fltMgr!FltpProcessIoCompletion+0x10
f9061998 fc3e3ec5 80defee8 80df32a8 ffa4c638 fltMgr!FltpPassThroughCompletion+0x89
f90619c8 fc3f0153 f90619e8 00000000 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
f9061a04 804e4d77 80defee8 80df3480 80df32a8 fltMgr!FltpCreate+0x1e3
f9061a14 80571f9c 80e3f898 ffbce9a4 f9061bbc nt!IopfCallDriver+0x31
f9061af4 8056486c 80e3f8b0 00000000 ffbce900 nt!IopParseDevice+0xa58
f9061b7c 80568c63 00000000 f9061bbc 00000040 nt!ObpLookupObjectName+0x56a
f9061bd0 80572fbc 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
f9061d54 804e006b 0138fb4c 0138fb88 0138fb6c nt!NtQueryAttributesFile+0xf1
f9061d54 7c92eb94 0138fb4c 0138fb88 0138fb6c nt!KiFastCallEntry+0xf8
0138fb38 7c92deec 76b44622 0138fb4c 0138fb88 ntdll!KiFastSystemCallRet
0138fb3c 76b44622 0138fb4c 0138fb88 00000018 ntdll!NtQueryAttributesFile+0xc
0138fb6c 76b48f8c 03369a30 0138fb88 00000000 schedsvc!PfSvGetFileBasicInformation+0x42
0138fbc0 76b49afc 00000000 00000001 00f50000 schedsvc!PfSvApplyPrefetchPolicy+0x1f1
0138ff18 76b4a6b1 00f50008 00000000 00000000 schedsvc!PfSvProcessTrace+0x15c
0138ffb4 7c80b50b 00000000 00000000 00000000 schedsvc!PfSvProcessTraceThread+0x11a
0138ffec 00000000 76b4a597 00000000 00000000 kernel32!BaseThreadStart+0x37
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
!chkimg -lo 50 -d !nt
804da10c - nt!KiXMMIZeroPage+73
[fb:90]
804da112-804da115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06)
[57 ff ff ff:6d 7f 6f 7f]
804da545-804da54a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433)
[fa 8b 75 08 33 db:e9 a3 7b 6f 7f cc]
804da564 - nt!ExAcquireResourceSharedLite+98 (+0x1f)
[fb:90]
804da569-804da570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05)
[c2 08 00 90 90 90 90 90:e9 45 0b 80 00 c2 08 00]
804dcb82 - nt!ExReleaseResourceLite+ba (+0x2619)
[99:3f]
804dcb94 - nt!ExReleaseResourceLite+c8 (+0x12)
[87:2d]
804dcba0 - nt!ExReleaseResourceLite+d0 (+0x0c)
[7e:24]
804dcbc5-804dcbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25)
[90 90 90 90 90 90 90 90:e9 bd e4 7f 00 5f 5e 5b]
804dcbd5-804dcbda 6 bytes - nt!ExReleaseResourceLite+5 (+0x10)
[64 a1 24 01 00 00:e9 f4 54 6f 7f cc]
804dcbe8 - nt!ExReleaseResourceLite+18 (+0x13)
[36:dc]
804dcbf9 - nt!ExReleaseResourceLite+29 (+0x11)
[25:cb]
804dcc16-804dcc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d)
[66 81 e2 7f ff:e9 a1 54 6f 7f]
804dfff2-804dfff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc)
[c7 45 08 00 0d db ba:e9 96 20 6f 7f cc cc]
804e007c-804e007f 4 bytes - nt!KiServiceExit (+0x8a)
[fa f7 45 70:e9 66 b0 7f]
804e016b-804e016d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef)
[5a 59 9d:c8 02 04]
804e08fb-804e08fe 4 bytes - nt!KiExceptionExit (+0x790)
[fa f7 45 70:e9 30 a8 7f]
804e2fc9-804e2fce 6 bytes - nt!KiTrap0E+a4 (+0x26ce)
[fb f7 45 70 00 02:90 e9 7e 81 7f 00]
804e44b4-804e44b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x14eb)
[fa 8b 01 89 02:e9 83 db 6e 7f]
804e44d1-804e44d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
[fa 8b 41 04 89 0a:e9 89 db 6e 7f cc]
804e44f2-804e44f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
[fa 8b 01 3b c1:e9 1d db 6e 7f]
804e4b4c-804e4b4f 4 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x65a)
[64 a1 24 01:e9 78 65 7f]
804e4b6d-804e4b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x21)
[89 46 1c 66 89:e9 f8 64 7f 00]
804ea175-804ea17a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5608)
[fa 8b 75 08 33 db:e9 64 7f 6e 7f cc]
804ea194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f)
[fb:90]
804ea199-804ea1a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05)
[c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00]
804ee809-804ee80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670)
[fa 8b 45 08 8b 48 48:e9 ee 38 6e 7f cc cc]
804f01dc-804f01e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3)
[fa 8b 45 08 83 78 48 00:e9 70 1f 6e 7f cc cc cc]
804f01ff-804f020c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23)
[8b 0a 89 48 48 89 58 50:e9 3d 1f 6e 7f e9 2c 1f]
138 errors : !nt (804da10c-804f020c)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
STACK_COMMAND: .cxr 0xfffffffff9061244 ; kb
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE