MmGetSystemRoutineAddress produces 0xC0000005 exception.

Hi,

Introduction:
********************
I am writing a profiling driver that filters registry access. This driver should work on Win2K (prior to SP4) and above. On XP I hook into the registry using CmRegisterCallback and friends; on Win2K I hook through the service table.

The problem:
********************
The same driver image should be compatible with XP & Win2K, which requires me to know at runtime when to use CmRegisterCallback (on XP) and when to hook the service table (Win2K). To be able to do that I was trying to ‘load the address’ of CmRegisterCallback using MmGetSystemRoutineAddress.
On WinXP this method works well, BUT on Win2K MmGetSystemRoutineAddress produces an access violation (0xC0000005) exception. Even stranger: I use MmGetSystemRoutineAddress to get the addresses of many other methods such as ‘IoVolumeDeviceToDosName’ & ‘RtlVolumeDeviceToDosName’ successfully; only using it in combination with ‘CmRegisterCallback’ produces the access violation, and this happens only on Win2K…

To avoid this problem I could simply wrap the call in a __try & __except section, BUT this would be a work-around and I would rather solve the problem directly…

What may cause this 0xC0000005 exception?

Any help, comment or remark would be appreciated.

Naddav



Do you have the crash dump ?

L.

Hi Ladislav, thanks for your immediate response. Following is the output of ‘!analyze -v’ resulting from the dump (I don’t really know what to figure out of it), and below it are the lines of code that produce the problem:

UNICODE_STRING functionName;
RtlInitUnicodeString( &functionName, L"CmRegisterCallback" );
gSfDynamicFunctions.CmRegisterCallback = (PREG_CM_REGISTER_CALLBACK)MmGetSystemRoutineAddress( &functionName );

Note that this code is executed from DriverEntry (PASSIVE_LEVEL).

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804effa3, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00071140, Parameter 1 of the exception
Debugging Details:

GetContextState failed, 0x80004005
Unable to read selector for PCR for processor 0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -
FAULTING_IP:
nt!MmGetSystemRoutineAddress+133
804effa3 8b348a mov esi,[edx+ecx*4]
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00071140
READ_ADDRESS: 00071140
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x1E
STACK_TEXT:

STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!MmGetSystemRoutineAddress+133
804effa3 8b348a mov esi,[edx+ecx*4]
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!MmGetSystemRoutineAddress+133
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x1E_nt!MmGetSystemRoutineAddress+133
BUCKET_ID: 0x1E_nt!MmGetSystemRoutineAddress+133
Followup: MachineOwner
---------


I have looked at the code of MmGetSystemRoutineAddress,
but I can’t find the instruction at which the code crashed.
Could you paste me the complete assembly
of MmGetSystemRoutineAddress?

Send it to me off-list (zezula_at_volny_dot_cz).

L.

I have looked at it, and the crash is really there.
I tried with my test driver.

MmGetSystemRoutineAddress searches for the function
in NTOSKRNL and HAL only. When it searches Hal.dll,
the MiFindExportedRoutineByName (used internally)
fails because of some pointer acrobatics when searching
the image export directory.

Maybe it is caused by using strcmp on the ANSI function name
inside the MiFindExportedRoutineByName:

strcmp(AnsiFunctionName->Buffer, (char *)BaseAddressOfDll + NameTableBase[Index])

Welcome to the “I have found a bug in the operating system” club :)

L.
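As an added illustration of the export-directory lookup Ladislav describes (this is example code written for this thread, not Windows' MiFindExportedRoutineByName and not anyone's driver), here is a user-mode walk over a PE export directory in which every RVA is range-checked against the mapped image before it is dereferenced. A name the image does not export, or a table RVA that points outside the image, yields 0 instead of a read fault, which is the behaviour Nadav's CmRegisterCallback probe needs when the search reaches an image that does not export the name. The field layout follows IMAGE_EXPORT_DIRECTORY; the sample image, its export names (ExampleRoutineA/B/C), their RVAs and the corrupted table RVA are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a PE export directory (same order and sizes as IMAGE_EXPORT_DIRECTORY). */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions] */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames], sorted by name */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames] */
} export_directory_t;

/* Bounds-checked read of n bytes at a 64-bit offset, so RVA + index arithmetic cannot wrap. */
static int read_at(const uint8_t *img, size_t size, uint64_t off, void *out, size_t n)
{
    if (off > size || size - off < n) return 0;
    memcpy(out, img + off, n);
    return 1;
}

/* A name string is usable only if its terminating NUL lies inside the image. */
static const char *rva_to_str(const uint8_t *img, size_t size, uint32_t rva)
{
    if (rva >= size || memchr(img + rva, 0, size - rva) == NULL) return NULL;
    return (const char *)(img + rva);
}

/* Binary search of the export name table. Returns the routine's RVA, or 0 when the
 * name is not exported or any table reference would leave the image. */
uint32_t find_exported_routine_rva(const uint8_t *img, size_t size,
                                   uint32_t export_dir_rva, const char *name)
{
    export_directory_t dir;
    if (!read_at(img, size, export_dir_rva, &dir, sizeof dir)) return 0;

    size_t lo = 0, hi = dir.NumberOfNames;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        uint32_t name_rva, func_rva; uint16_t ordinal;
        if (!read_at(img, size, (uint64_t)dir.AddressOfNames + mid * 4u, &name_rva, 4)) return 0;
        const char *candidate = rva_to_str(img, size, name_rva);
        if (candidate == NULL) return 0;
        int cmp = strcmp(name, candidate);
        if (cmp == 0) {
            if (!read_at(img, size, (uint64_t)dir.AddressOfNameOrdinals + mid * 2u, &ordinal, 2)) return 0;
            if (ordinal >= dir.NumberOfFunctions) return 0;
            if (!read_at(img, size, (uint64_t)dir.AddressOfFunctions + ordinal * 4u, &func_rva, 4)) return 0;
            return func_rva;
        }
        if (cmp < 0) hi = mid; else lo = mid + 1;
    }
    return 0;
}

/* Constructed sample image (not a real HAL): three exports with pre-sorted names. */
enum { IMAGE_SIZE = 0x1000, EXPORT_DIR = 0x100, FUNC_TABLE = 0x200,
       NAME_TABLE = 0x300, ORD_TABLE = 0x400, STRINGS = 0x500 };
static union { uint8_t bytes[IMAGE_SIZE]; uint64_t align; } g_img;

static void build_sample_image(void)
{
    static const char *const names[] = { "ExampleRoutineA", "ExampleRoutineB", "ExampleRoutineC" };
    static const uint32_t code_rvas[] = { 0x800, 0x840, 0x880 };
    export_directory_t dir = { 0 };
    uint32_t str_rva = STRINGS;
    memset(&g_img, 0, sizeof g_img);
    dir.NumberOfFunctions = dir.NumberOfNames = 3;
    dir.AddressOfFunctions = FUNC_TABLE;
    dir.AddressOfNames = NAME_TABLE;
    dir.AddressOfNameOrdinals = ORD_TABLE;
    memcpy(g_img.bytes + EXPORT_DIR, &dir, sizeof dir);
    for (uint16_t i = 0; i < 3; i++) {
        memcpy(g_img.bytes + FUNC_TABLE + i * 4, &code_rvas[i], 4);
        memcpy(g_img.bytes + NAME_TABLE + i * 4, &str_rva, 4);
        memcpy(g_img.bytes + ORD_TABLE + i * 2, &i, 2);
        strcpy((char *)g_img.bytes + str_rva, names[i]);
        str_rva += (uint32_t)strlen(names[i]) + 1;
    }
}

/* Look a name up in the sample image; 0 means "not exported", with no fault. */
uint32_t lookup_sample(const char *name)
{
    build_sample_image();
    return find_exported_routine_rva(g_img.bytes, IMAGE_SIZE, EXPORT_DIR, name);
}

/* Same image, but with the name-table RVA corrupted to point far outside it. */
uint32_t lookup_corrupted(const char *name)
{
    uint32_t bad_rva = 0x71140; /* constructed: well beyond the 4 KiB image */
    build_sample_image();
    memcpy(g_img.bytes + EXPORT_DIR + offsetof(export_directory_t, AddressOfNames), &bad_rva, 4);
    return find_exported_routine_rva(g_img.bytes, IMAGE_SIZE, EXPORT_DIR, name);
}

int main(void)
{
    printf("ExampleRoutineB    -> 0x%x\n", lookup_sample("ExampleRoutineB"));    /* 0x840 */
    printf("CmRegisterCallback -> 0x%x\n", lookup_sample("CmRegisterCallback")); /* 0 */
    printf("corrupted table    -> 0x%x\n", lookup_corrupted("ExampleRoutineB")); /* 0 */
    return 0;
}
```

Both the lookup of CmRegisterCallback and the lookup against the corrupted table return 0: the first because the name is simply absent from the sorted name table, the second because the table RVA fails the range check before anything at that address is read. A search that treated every RVA this way could only report "not found" for a name the searched image does not export, rather than faulting inside the lookup.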

I reported this very issue a while back in NTDEV but
someone from MSFT said it’s never been seen.

Calvin


Did you try to reproduce the access violation too?
And did you succeed?

All I needed to try was just the code that Nadav reported:

UNICODE_STRING ProcName;
RtlInitUnicodeString( &ProcName, L"CmRegisterCallback" );
MmGetSystemRoutineAddress( &ProcName );

If I placed this into DriverEntry (the driver has been started using
CreateService and StartService), that was it.

L.