I am seeing a very strange failure: for some reason my instance setup callback is being called at DPC level (CURRENT_IRQL: 2 in the dump below). As far as I know it should always be called at PASSIVE_LEVEL; MSDN: http://msdn.microsoft.com/en-us/library/windows/hardware/ff551096(v=vs.85).aspx.
Here is the !analyze -v output:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff7ffba9cab56, memory referenced.
Arg2: 0000000000000008, value 0 = read operation, 1 = write operation.
Arg3: fffff7ffba9cab56, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
READ_ADDRESS: fffff7ffba9cab56
FAULTING_IP:
+af97a71fa108
fffff7ff`ba9cab56 ?? ???
MM_INTERNAL_CODE: 2
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
TRAP_FRAME: ffffd00023221230 -- (.trap 0xffffd00023221230)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000016 rbx=0000000000000000 rcx=ffffd000232214d0
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff7ffba9cab56 rsp=ffffd000232213c8 rbp=ffffd00023221600
r8=0000000000000014 r9=000000000000000d r10=ffffcf8000ed6ca0
r11=ffffe00002f52fc8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
fffff7ff`ba9cab56 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff802399f27c6 to fffff8023996fc90
FAILED_INSTRUCTION_ADDRESS:
+af97a71fa108
fffff7ff`ba9cab56 ?? ???
STACK_TEXT:
ffffd0002321fe48 fffff802
399f27c6 : fffff6fb7dbf0040 fffff6fb
7dbedf80 0000000000000000 fffff802
399f313a : nt!DbgBreakPointWithStatus
ffffd0002321fe50 fffff802
399f2499 : fffff80200000004 fffff802
39ae8180 000000000000000a 00000000
00000002 : nt!KiBugCheckDebugBreak+0x12
ffffd0002321feb0 fffff802
399691a4 : 0000070000000000 00000000
00000000 ffffcf8000fe0000 fffff802
398e5f1f : nt!KeBugCheck2+0xc6d
ffffd000232205c0 fffff802
39974be9 : 000000000000000a fffff6fb
7dffeea0 0000000000000002 00000000
00000000 : nt!KeBugCheckEx+0x104
ffffd00023220600 fffff802
3997343a : 0000000000000000 00000700
00000000 0000000000000000 ffffd000
23220740 : nt!KiBugCheckDispatch+0x69
ffffd00023220740 fffff802
398cbae4 : 0000000000000060 00000000
00000008 ffffd00023221230 00000000
00000000 : nt!KiPageFault+0x23a
ffffd000232208d0 fffff802
399f1d04 : 0000070000000000 ffffd000
23220a00 fffff7ffba9cab56 0000007f
ffffffff : nt!MmIsSpecialPoolAddress+0x54
ffffd00023220900 fffff802
399691a4 : 0000000000000000 fffff802
39b0a180 00000000000c3500 fffff802
399f4e60 : nt!KeBugCheck2+0x4d8
ffffd00023221010 fffff802
39982615 : 0000000000000050 fffff7ff
ba9cab56 0000000000000008 ffffd000
23221230 : nt!KeBugCheckEx+0x104
ffffd00023221050 fffff802
39881ffd : 0000000000000008 ffffe000
02f52880 ffffd00023221230 ffff3067
967c4ed8 : nt! ?? ::FNODOBFM::string'+0x9085 ffffd000
232210f0 fffff8023997332f : 00000000
00000008 000000000000000d fffff802
39b08300 ffffd00023221230 : nt!MmAccessFault+0x7ed ffffd000
23221230 fffff7ffba9cab56 : fffff800
02448712 ffffd0002321c000 fffff802
39a432a8 ffffcf8000ed6cf8 : nt!KiPageFault+0x12f ffffd000
232213c8 fffff80002448712 : ffffd000
2321c000 fffff80239a432a8 ffffcf80
00ed6cf8 fffff802398e5f1f : 0xfffff7ff
ba9cab56
ffffd000232213d0 fffff800
009afa83 : ffffd000232214d0 fffff800
00000001 ffffd00000000014 ffffd000
0000000d : MyFilter!MyFilterInstanceSetup+0x22 [l:\gitrepos2\drivers - copy\MyFilter\MyFilter\MyFilter.c @ 262]
ffffd00023221450 fffff800
00995a27 : 0000000000000001 ffffd000
23221631 0000000000000000 ffffcf80
00cd6cf0 : fltmgr!FltvInstanceSetup+0x4f
ffffd000232214b0 fffff800
00997f4f : ffffcf8000cd6cf0 ffffcf80
000d4800 ffffcf80000d4802 ffffd000
232215e0 : fltmgr!FltpDoInstanceSetupNotification+0x87
ffffd00023221510 fffff800
00996af5 : 0000000000000000 ffffd000
232216d8 ffffd00000000001 00000000
00000004 : fltmgr!FltpInitInstance+0x2db
ffffd000232215a0 fffff800
009982e5 : 0000000000000000 ffffcf80
000d4800 0000000000000050 fffff800
0000001a : fltmgr!FltpCreateInstanceFromName+0x1ad
ffffd00023221680 fffff800
0099b9f1 : ffffcf8000060948 ffffe000
03957000 ffffcf8000ed6c02 ffffd000
00000028 : fltmgr!FltpEnumerateRegistryInstances+0x145
ffffd00023221720 fffff800
0099b90c : ffffcf8000060880 00000000
00000000 ffffe00003957000 ffffffff
80000e88 : fltmgr!FltpDoVolumeNotificationForNewFilter+0xb9
ffffd00023221780 fffff800
0244c3d6 : ffffcf8000ed6ca0 ffffe000
028cad00 ffffe00003957000 ffffe000
03957000 : fltmgr!FltStartFiltering+0x2c
ffffd000232217b0 fffff802
39c5901e : ffffe000028cad00 ffffe000
03957000 ffffe00003957000 ffffffff
000001c8 : MyFilter!DriverEntry+0x256 [l:\gitrepos2\drivers - copy\MyFilter\MyFilter\MyFilter.c @ 150]
ffffd00023221850 fffff802
39cd6292 : 0000000000000000 00000000
00000000 fffff80239abb1c0 ffffe000
02f52880 : nt!IopLoadDriver+0x5e2
ffffd00023221b10 fffff802
398553cd : fffff80200000000 ffffffff
80000e88 fffff80239cd6244 fffff802
39aef9a0 : nt!IopLoadUnloadDriver+0x4e
ffffd00023221b50 fffff802
39900664 : 00001ffffdd58fd8 ffffe000
02f52880 ffffe00002f52880 ffffe000
000d8580 : nt!ExpWorkerThread+0x2b5
ffffd00023221c00 fffff802
3996f6c6 : fffff80239b0a180 ffffe000
02f52880 ffffe000001a9580 ffcb8b48
01000003 : nt!PspSystemThreadStartup+0x58
ffffd00023221c60 00000000
00000000 : ffffd00023222000 ffffd000
2321c000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
MyFilter!MyFilterInstanceSetup+22 [l:\gitrepos2\drivers - copy\MyFilter\MyFilter\MyFilter.c @ 262]
fffff800`02448712 1800 sbb byte ptr [rax],al
FAULTING_SOURCE_LINE: l:\gitrepos2\drivers - copy\MyFilter\MyFilter\MyFilter.c
FAULTING_SOURCE_FILE: l:\gitrepos2\drivers - copy\MyFilter\MyFilter\MyFilter.c
FAULTING_SOURCE_LINE_NUMBER: 262
FAULTING_SOURCE_CODE:
258:
259: --*/
260: {
261: PFLT_VOLUME SystemVolume;
262: const UNICODE_STRING SystemRoot = RTL_CONSTANT_STRING(L"\SystemRoot");
263: NTSTATUS status = STATUS_FLT_DO_NOT_ATTACH;
264: PDEVICE_OBJECT diskDeviceObject = NULL;
265: BOOLEAN IsWriteable = FALSE;
266:
SYMBOL_STACK_INDEX: d
SYMBOL_NAME: MyFilter!MyFilterInstanceSetup+22
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MyFilter
IMAGE_NAME: MyFilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 546e0bcc
IMAGE_VERSION: 6.3.9600.17038
BUCKET_ID_FUNC_OFFSET: 22
FAILURE_BUCKET_ID: AV_VRF_BAD_IP_MyFilter!MyFilterInstanceSetup
BUCKET_ID: AV_VRF_BAD_IP_MyFilter!MyFilterInstanceSetup
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_vrf_bad_ip_MyFilter!MyFilterinstancesetup
FAILURE_ID_HASH: {c4458935-a4b4-30d4-095a-349491d5209e}
Followup: MachineOwner.
Could this be caused by a Driver Verifier bug? I enabled Verifier for both my minifilter and fltmgr.