Minifilter runs fine on 7/8 x64 but not x86 XP/7

Adam-3 · October 12, 2014, 9:14am

I’m tyring to run the Passthrough example from MS (amungst others but I’ll focus on that for the moment).

It compiles and runs 100% fine on x64 Win7 & Win8 in test mode w/VS2013.

When I compile the exact same code w/ddk7600 on XP and Win7 x86, I immediately get a BSOD (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M). I can post !analyze -v output but since the code comes from MS I don’t think it’s a problem in code, and probably a dumb error I am making.

Do you have any ideas? Thanks for reading.

Adam-3 · October 12, 2014, 9:24am

For example (in addition to the passthrough example) - this code runs 100% fine on win7/win8 x64 test mode VS2013, but BSOD’s on XP/7 x86 DDK 7600. The pre/post IRP_MJ_CREATE functions do nothing and only return FLT_PREOP_SUCCESS_W/CALLBACK

NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString; //for communication port name

UNREFERENCED_PARAMETER(RegistryPath);

DbgPrint(“NPminifilter!DriverEntry: Entered\n”);

//
// Register with FltMgr to tell it our callback routines
//

status = FltRegisterFilter(DriverObject,
&FilterRegistration,
&gFilterHandle);

ASSERT(NT_SUCCESS(status));

if (NT_SUCCESS(status)) {

//
// Start filtering i/o
//

status = FltStartFiltering(gFilterHandle);

if (!NT_SUCCESS(status)) {

FltUnregisterFilter(gFilterHandle);
}
}

status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);

if (!NT_SUCCESS(status)) {
goto final;
}

RtlInitUnicodeString(&uniString, MINISPY_PORT_NAME);

InitializeObjectAttributes(&oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd);

status = FltCreateCommunicationPort(gFilterHandle,
&gServerPort,
&oa,
NULL,
NPMiniConnect,
NPMiniDisconnect,
NPMiniMessage,
1);

FltFreeSecurityDescriptor(sd);

if (!NT_SUCCESS(status)) {
goto final;
}

final :

if (!NT_SUCCESS(status)) {

if (NULL != gServerPort) {
FltCloseCommunicationPort(gServerPort);
}

if (NULL != gFilterHandle) {
FltUnregisterFilter(gFilterHandle);
}
}
return status;
}

Petr_Kurtin · October 13, 2014, 1:42am

You should post “!analyze -v” output here (with loaded symbols).
It’s also better to create a communication port before FltStartFiltering
(because your create callbacks may start using ports immediately), also
you’re missing “goto final” after the first FltUnregisterFilter call.