My driver crashed on Win10 Pro, in NtfsFilterCallbackAcquireForCreateSection

My driver crashed on Win10 Pro, and I don't know how to solve it.

Notepad.exe loads a txt file, and Windows 10 crashes.

fffff800`142d6728 41f7470400000002 test dword ptr [r15+4],2000000h

the object is null.

windbg info

!analyze -v

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800142d6728, Address of the instruction which caused the bugcheck
Arg3: ffffd001d4bf6980, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

DUMP_CLASS: 1
DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 10586.1176.amd64fre.th2_release_sec.170913-1848

DUMP_TYPE: 0

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff800142d6728

BUGCHECK_P3: ffffd001d4bf6980

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

FAULTING_IP:
NTFS!NtfsFilterCallbackAcquireForCreateSection+a8
fffff800142d6728 41f7470400000002 test dword ptr [r15+4],2000000h

CONTEXT: ffffd001d4bf6980 -- (.cxr 0xffffd001d4bf6980)
rax=0000000000000000 rbx=ffffcf80d3556d70 rcx=0000000100000001
rdx=0000000000000000 rsi=ffffd001d4bf7518 rdi=0000000000000000
rip=fffff800142d6728 rsp=ffffd001d4bf73a0 rbp=ffffd001d4bf73e0
 r8=fffff800142d6680  r9=0000000000000000 r10=000000000000ffff
r11=ffffe001512a1500 r12=0000000000000000 r13=ffffe00151a03280
r14=ffffd001d4bf7500 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
NTFS!NtfsFilterCallbackAcquireForCreateSection+0xa8:
fffff800142d6728 41f7470400000002 test dword ptr [r15+4],2000000h ds:002b:0000000000000004=????????
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: bb8

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: 9

CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 48'00000000 (cache) 0'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: ENMING-DESKTOP

ANALYSIS_SESSION_TIME: 10-28-2017 16:14:41.0527

ANALYSIS_VERSION: 10.0.16299.15 x86fre

LAST_CONTROL_TRANSFER: from fffff800f3d621a8 to fffff800142d6728

STACK_TEXT:
ffffd001d4bf73a0 fffff800f3d621a8 : ffffd001d4bf7518 ffffe00152986030 ffffd001d4bf7518 0000000000000000 : NTFS!NtfsFilterCallbackAcquireForCreateSection+0xa8
ffffd001d4bf7480 fffff800f412de02 : 0000000000000001 ffffe00154e0fcc0 ffffe00152320bf0 0000000000000001 : nt!FsFilterPerformCallbacks+0x138
ffffd001d4bf74d0 fffff800f412daae : 0000000000000001 ffffd001d4bf7920 0000000000000000 fffff800f41170c5 : nt!FsRtlAcquireFileExclusiveCommon+0xf2
ffffd001d4bf77b0 fffff800f412e7ed : 0000000000000000 0000000000000000 0000000000000000 00000000ffffffff : nt!FsRtlAcquireToCreateMappedSection+0x56
ffffd001d4bf7820 fffff800f412e059 : ffffd001d4bf7a60 0000000000000000 0000000000000000 ffffd001d4bf7a58 : nt!MiCreateSection+0x56d
ffffd001d4bf79f0 fffff800f3dc91a3 : ffffe001512a1500 000000d74b8deae8 ffffd001d4bf7aa8 0000000000000000 : nt!NtCreateSection+0x1c9
ffffd001d4bf7a90 00007fff8dd75a14 : 00007fff8a4bb08d 0000000000000002 0000010400000010 000000d74b8deb51 : nt!KiSystemServiceCopyEnd+0x13
000000d74b8deac8 00007fff8a4bb08d : 0000000000000002 0000010400000010 000000d74b8deb51 0000000000000000 : ntdll!NtCreateSection+0x14
000000d74b8dead0 00007fff8a4b9c70 : 0000000000000003 0000000000000000 0000000000000000 0000000000000000 : KERNELBASE!CreateFileMappingNumaW+0xed
000000d74b8deba0 00007ff724545dd6 : 0000000000000001 000002630000002a 0000000000000058 0000000000000000 : KERNELBASE!CreateFileMappingW+0x20
000000d74b8debf0 00007ff724542ed1 : 00000263a91c0088 00000263a91c0088 00007ff724563520 00007fff8a5125a1 : NOTEPAD!LoadFile+0x336
000000d74b8df590 00007ff7245437cc : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : NOTEPAD!doDrop+0xb1
000000d74b8df5e0 00007fff8b4f1169 : 0000000000000000 000000d74b8df829 0000000000000001 0000000000000000 : NOTEPAD!NPWndProc+0x42c
000000d74b8df620 00007fff8b4f0c97 : 00000263a7db96b0 00007ff7245433a0 000000000003046e 000000d74bbe8800 : USER32!UserCallWinProcCheckWow+0x1f9
000000d74b8df710 00007ff724543ba1 : 0000026300000004 00000000001103b1 00007ff724540000 00000263a7741b6c : USER32!DispatchMessageWorker+0x1a7
000000d74b8df790 00007ff7245590b5 : 00000263a7742a30 00000263a7742a32 0000000000000000 00007ff724559490 : NOTEPAD!WinMain+0x269
000000d74b8df890 00007fff8b188102 : 00007ff724558ef0 000000d74bbe7000 000000d74bbe7000 0000000000000000 : NOTEPAD!WinMainCRTStartup+0x1c5
000000d74b8df950 00007fff8dd2c5b4 : 00007fff8b1880e0 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x22
000000d74b8df980 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x34

THREAD_SHA1_HASH_MOD_FUNC: 0f20ec7de272744588b5d567f97d2aeb92d9f156

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8ff565dbf7fd4db3618f74a30c508963fea52612

THREAD_SHA1_HASH_MOD: 3801d63ce91bc0758d78b5f4d8cc03818909bab3

FOLLOWUP_IP:
NTFS!NtfsFilterCallbackAcquireForCreateSection+a8
fffff800142d6728 41f7470400000002 test dword ptr [r15+4],2000000h

FAULT_INSTR_CODE: 447f741

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: NTFS!NtfsFilterCallbackAcquireForCreateSection+a8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NTFS

IMAGE_NAME: NTFS.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 59ba144e

IMAGE_VERSION: 10.0.10586.1176

STACK_COMMAND: .cxr 0xffffd001d4bf6980 ; kb

BUCKET_ID_FUNC_OFFSET: a8

FAILURE_BUCKET_ID: 0x3B_VRF_NTFS!NtfsFilterCallbackAcquireForCreateSection

BUCKET_ID: 0x3B_VRF_NTFS!NtfsFilterCallbackAcquireForCreateSection

PRIMARY_PROBLEM_CLASS: 0x3B_VRF_NTFS!NtfsFilterCallbackAcquireForCreateSection

TARGET_TIME: 2017-10-28T08:05:01.000Z

OSBUILD: 10586

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-09-14 13:39:31

BUILDDATESTAMP_STR: 170913-1848

BUILDLAB_STR: th2_release_sec

BUILDOSVER_STR: 10.0.10586.1176.amd64fre.th2_release_sec.170913-1848

ANALYSIS_SESSION_ELAPSED_TIME: 2703

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x3b_vrf_ntfs!ntfsfiltercallbackacquireforcreatesection

FAILURE_ID_HASH: {4617c119-a987-07fb-1f13-a1c651814fd4}

Followup: MachineOwner

There is no information about NtfsFilterCallbackAcquireForCreateSection in MSDN. This driver runs normally on Windows 7.

What does your filter do?

This is NTFS’ equivalent of the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
callback. Do you register for this callback in your filter and do anything?

-scott
OSR
@OSRDrivers

hi Scott Noone

My filter driver handles file encryption.

My driver does not register the associated callback function with IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.

Does registration of this call back function have to be done?

Why is it working well on Windows 7?

hi Scott Noone

I disassembled part of the NtfsFilterCallbackAcquireForCreateSection function:

lkd> uf NTFS!NtfsFilterCallbackAcquireForCreateSection
NTFS!NtfsFilterCallbackAcquireForCreateSection:
fffff800af676680 48894c2408       mov     qword ptr [rsp+8],rcx
fffff800af676685 55               push    rbp
fffff800af676686 4154             push    r12
fffff800af676688 4155             push    r13
fffff800af67668a 4156             push    r14
fffff800af67668c 4157             push    r15
fffff800af67668e 4881ecb0000000   sub     rsp,0B0h
fffff800af676695 488d6c2440       lea     rbp,[rsp+40h]
fffff800af67669a 48899da8000000   mov     qword ptr [rbp+0A8h],rbx
fffff800af6766a1 4889b5b0000000   mov     qword ptr [rbp+0B0h],rsi
fffff800af6766a8 4889bdb8000000   mov     qword ptr [rbp+0B8h],rdi
fffff800af6766af 488b053acbfcff   mov     rax,qword ptr [NTFS!_security_cookie (fffff800af6431f0)]
fffff800af6766b6 4833c5           xor     rax,rbp
fffff800af6766b9 48894560         mov     qword ptr [rbp+60h],rax
fffff800af6766bd 488bf1           mov     rsi,rcx
fffff800af6766c0 c7450c26010000   mov     dword ptr [rbp+0Ch],126h
fffff800af6766c7 4532e4           xor     r12b,r12b
fffff800af6766ca 44886501         mov     byte ptr [rbp+1],r12b
fffff800af6766ce 44886504         mov     byte ptr [rbp+4],r12b
fffff800af6766d2 44886500         mov     byte ptr [rbp],r12b
fffff800af6766d6 44886503         mov     byte ptr [rbp+3],r12b
fffff800af6766da 44886502         mov     byte ptr [rbp+2],r12b
fffff800af6766de 4c8b6910         mov     r13,qword ptr [rcx+10h]        ; _FILE_OBJECT
fffff800af6766e2 4c896d38         mov     qword ptr [rbp+38h],r13
fffff800af6766e6 498b5d18         mov     rbx,qword ptr [r13+18h]        ; +0x018 FsContext : 0xffffc001f546a980 Void
fffff800af6766ea 48895d28         mov     qword ptr [rbp+28h],rbx
fffff800af6766ee 498b4520         mov     rax,qword ptr [r13+20h]        ; +0x028 SectionObjectPointer
fffff800af6766f2 488b8ba8000000   mov     rcx,qword ptr [rbx+0A8h]
fffff800af6766f9 48894d10         mov     qword ptr [rbp+10h],rcx
fffff800af6766fd 48894d40         mov     qword ptr [rbp+40h],rcx
fffff800af676701 4c8bbbb0000000   mov     r15,qword ptr [rbx+0B0h]
fffff800af676708 4c897d20         mov     qword ptr [rbp+20h],r15
fffff800af67670c 4c897d30         mov     qword ptr [rbp+30h],r15
fffff800af676710 4885c0           test    rax,rax
fffff800af676713 740d             je      NTFS!NtfsFilterCallbackAcquireForCreateSection+0xa2 (fffff800af676722)  Branch

NTFS!NtfsFilterCallbackAcquireForCreateSection+0x95:
fffff800af676715 8b4004           mov     eax,dword ptr [rax+4]
fffff800af676718 0fbae00d         bt      eax,0Dh
fffff800af67671c 0f8296be0b00     jb      NTFS!NtfsFilterCallbackAcquireForCreateSection+0xbbf38 (fffff800af7325b8)  Branch

NTFS!NtfsFilterCallbackAcquireForCreateSection+0xa2:
fffff800af676722 837e1801         cmp     dword ptr [rsi+18h],1
fffff800af676726 750e             jne     NTFS!NtfsFilterCallbackAcquireForCreateSection+0xb6 (fffff800af676736)  Branch

NTFS!NtfsFilterCallbackAcquireForCreateSection+0xa8:
fffff800af676728 41f7470400000002 test    dword ptr [r15+4],2000000h
fffff800af676730 0f85d4060000     jne     NTFS!NtfsFilterCallbackAcquireForCreateSection+0x78a (fffff800af676e0a)  Branch

What is stored there, and what data is in r15?

NTFS!NtfsFilterCallbackAcquireForCreateSection+0xb6:

mov rbx,qword ptr [r13+18h] +0x018 FsContext :
0xffffc001`f546a980 Void

mov r15,qword ptr [rbx+0B0h]

That would indicate that it’s some private field of NTFS’ Stream Context.

Does your encryption filter do the Isolation approach where you have both
upper and lower file objects? Could be a case of your upper file object
leaking down into NTFS. What does !pool 0xffffc001`f546a980 say?

-scott
OSR
@OSRDrivers

My driver doesn’t have any logic associated with Isolation approach

I don't know what the Isolation approach is. My FILE_OBJECT has a custom FCB; I set it in the IRP_MJ_CREATE function.

Does that mean that I need to swap the custom FCB and the system FCB between my driver and ntfs.sys?

Can you provide relevant information?

fffff801`492a66e6 498b5d18 mov rbx,qword ptr [r13+18h]

kd> !pool ffffc00162806150
Unable to get size of nt!_MMPTE - probably bad symbols

You can’t EVER let the lower file system see your FCB. They don’t know how
to interpret it, so you’ll always crash eventually. I’m not sure how this
would have worked on Windows 7, you must have just been (un)lucky.

Need to fix your symbols

.symfix
.reload

-scott
OSR
@OSRDrivers

My problem has been solved.
I registered a callback function for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
I handle the custom FCB case in that function and return COMPLETE, and ntfs.sys runs properly.

That works. Of course, NTFS now doesn’t have the file locked for the duration of the section create. Whether or not this matters ultimately depends on your design.

-scott
OSR
@OSRDrivers
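The decision the thread ends on (identify the filter's own FCB on the file object, complete IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION so NTFS never dereferences a structure it did not allocate, and, as Scott notes, take responsibility for the locking NTFS would otherwise have done) is shown below as an added user-mode model. It is not code from the original posters or from OSR. The WDK types (FSRTL_COMMON_FCB_HEADER, FILE_OBJECT, FLT_PREOP_CALLBACK_STATUS) are replaced by stand-in structs so it builds with a plain C compiler; the node type code, the NTFS-like FCB layout and the sample objects are constructed assumptions. The matching release callback is included because a filter that completes the acquire must also complete the release, or NTFS sees the foreign FCB on the way out instead.

```c
/* User-mode model of a minifilter's IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION
 * pre-operation decision.  Stand-in types, not the WDK definitions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for FSRTL_COMMON_FCB_HEADER: every FCB starts with a node type code
 * and size, which is how a driver tells its own structures from foreign ones. */
typedef struct _FCB_HEADER {
    uint16_t NodeTypeCode;
    uint16_t NodeByteSize;
} FCB_HEADER;

/* Hypothetical node type code for the filter's private FCB (assumption). */
#define MYFILTER_NODE_TYPE_FCB 0x4D46u
/* Constructed stand-in for an NTFS FCB code; NTFS's real codes are private. */
#define NTFS_LIKE_NODE_TYPE    0x0702u

typedef struct _MYFILTER_FCB {
    FCB_HEADER Header;      /* must be first, like FSRTL_COMMON_FCB_HEADER */
    int        LockHeld;    /* stand-in for an ERESOURCE the filter owns */
    uint64_t   PlainSize;   /* decrypted size the filter exposes to callers */
} MYFILTER_FCB;

typedef struct _NTFS_FCB_STANDIN {
    FCB_HEADER Header;
    uint8_t    Opaque[0xB8]; /* NTFS private fields; +0xB0 is what the crash read */
} NTFS_FCB_STANDIN;

/* Stand-in for the one FILE_OBJECT field this path uses (FsContext, +0x18). */
typedef struct _FILE_OBJECT_STANDIN {
    void *FsContext;
} FILE_OBJECT_STANDIN;

/* Stand-in for FLT_PREOP_CALLBACK_STATUS. */
typedef enum {
    PREOP_SUCCESS_NO_CALLBACK = 0,  /* pass the request down to NTFS */
    PREOP_COMPLETE            = 1,  /* filter completes it; NTFS never sees it */
} PREOP_STATUS;

/* Check both the type code and the size so a stray pointer with a colliding
 * code is still rejected. */
static bool is_my_fcb(const void *fs_context) {
    const FCB_HEADER *hdr = (const FCB_HEADER *)fs_context;
    return hdr != NULL
        && hdr->NodeTypeCode == MYFILTER_NODE_TYPE_FCB
        && hdr->NodeByteSize == sizeof(MYFILTER_FCB);
}

/* Pre-op for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.  If the file object
 * carries the filter's own FCB, NTFS must not get the request; the filter
 * takes its own lock and completes.  Foreign FCBs pass straight through. */
PREOP_STATUS pre_acquire_for_section_sync(FILE_OBJECT_STANDIN *fo) {
    if (!is_my_fcb(fo->FsContext))
        return PREOP_SUCCESS_NO_CALLBACK;
    MYFILTER_FCB *fcb = (MYFILTER_FCB *)fo->FsContext;
    fcb->LockHeld = 1;  /* real code: ExAcquireResourceExclusiveLite(&fcb->Resource, TRUE) */
    return PREOP_COMPLETE;
}

/* Pre-op for IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION: same test, undo the lock. */
PREOP_STATUS pre_release_for_section_sync(FILE_OBJECT_STANDIN *fo) {
    if (!is_my_fcb(fo->FsContext))
        return PREOP_SUCCESS_NO_CALLBACK;
    MYFILTER_FCB *fcb = (MYFILTER_FCB *)fo->FsContext;
    fcb->LockHeld = 0;  /* real code: ExReleaseResourceLite(&fcb->Resource) */
    return PREOP_COMPLETE;
}

int my_fcb_lock_held(const FILE_OBJECT_STANDIN *fo) {
    return is_my_fcb(fo->FsContext) ? ((const MYFILTER_FCB *)fo->FsContext)->LockHeld : -1;
}

/* Constructed sample objects, not taken from any real system. */
static MYFILTER_FCB     g_my_fcb   = { { MYFILTER_NODE_TYPE_FCB, sizeof(MYFILTER_FCB) }, 0, 4096 };
static NTFS_FCB_STANDIN g_ntfs_fcb = { { NTFS_LIKE_NODE_TYPE, sizeof(NTFS_FCB_STANDIN) }, { 0 } };
FILE_OBJECT_STANDIN g_fo_mine = { &g_my_fcb };
FILE_OBJECT_STANDIN g_fo_ntfs = { &g_ntfs_fcb };
FILE_OBJECT_STANDIN g_fo_none = { NULL };

int main(void) {
    printf("filter FCB : acquire=%d lock=%d\n",
           pre_acquire_for_section_sync(&g_fo_mine), my_fcb_lock_held(&g_fo_mine));
    printf("filter FCB : release=%d lock=%d\n",
           pre_release_for_section_sync(&g_fo_mine), my_fcb_lock_held(&g_fo_mine));
    printf("NTFS FCB   : acquire=%d (passed down)\n", pre_acquire_for_section_sync(&g_fo_ntfs));
    printf("no FCB     : acquire=%d (passed down)\n", pre_acquire_for_section_sync(&g_fo_none));
    return 0;
}
```

In a real minifilter the two functions above are the PreOperation entries in the FLT_OPERATION_REGISTRATION array for IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, and the file object's FsContext is reached through the callback data's FltObjects. The point Scott raises still stands: once the filter completes the acquire, nothing in NTFS serializes the section create against paging I/O on the underlying file, so the filter's own resource has to provide whatever ordering its design needs.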