Hi,
I use FltReadFile in an IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-operation callback.
For all files it works well, but for some files I get NTFS_FILE_SYSTEM.
After searching for a solution I found the advice to check PagingIoResource, but it doesn't work and I get a BSOD for another file, like:
accesspath is \Device\HarddiskVolume2\Windows\System32\LogFiles\Scm\9b75c702-ea13-406a-badb-6c588ee4375b
// FCB header of the file being acquired for section synchronization
fcbHeader = (FSRTL_COMMON_FCB_HEADER *)FltObjects->FileObject->FsContext;
if (fcbHeader->PagingIoResource == NULL)
{
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (!GetFilePath(Data, &FilePath))
{
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
if (FilePath.Buffer != NULL)
{
    DbgPrintEx(DPFLTR_IHVVIDEO_ID, DPFLTR_ERROR_LEVEL, "accesspath %wZ\r\n", &FilePath);
    ExFreePoolWithTag(FilePath.Buffer, 'NA');
}
//else return
pFileBuffer = (char *)ExAllocatePoolWithTag(NonPagedPool, 4096, 'sha1');
if (pFileBuffer == NULL)
{
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
// Read the first 4096 bytes of the file through the filter manager (this is the call that faults below)
status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset, 4096, pFileBuffer, 0, &bytesRead, NULL, NULL);
…
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, 8a4306c4, 8a4302a0, 8944ea94}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonRead+6f4 )
Followup: MachineOwner
nt!RtlpBreakWithStatusInstruction:
816bc394 cc int 3
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904fb
Arg2: 8a4306c4
Arg3: 8a4302a0
Arg4: 8944ea94
Debugging Details:
EXCEPTION_RECORD: 8a4306c4 -- (.exr 0xffffffff8a4306c4)
ExceptionAddress: 8944ea94 (Ntfs!NtfsCommonRead+0x000006f4)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
CONTEXT: 8a4302a0 -- (.cxr 0xffffffff8a4302a0)
eax=a646c0f8 ebx=00000001 ecx=00000000 edx=a646c228 esi=855a8c00 edi=00000000
eip=8944ea94 esp=8a43078c ebp=8a43083c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
Ntfs!NtfsCommonRead+0x6f4:
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h ds:0023:00000004=???
Resetting default scope
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: System
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
Ntfs!NtfsCommonRead+6f4
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h
FAULTING_IP:
Ntfs!NtfsCommonRead+6f4
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 89452bae to 8944ea94
STACK_TEXT:
8a43083c 89452bae 855a8c00 8490b8f8 03048219 Ntfs!NtfsCommonRead+0x6f4
8a4308ac 8168d4bc 848b9020 8490b8f8 8490b8f8 Ntfs!NtfsFsdRead+0x279
8a4308c4 891ad20c 00000000 8490c400 00000000 nt!IofCallDriver+0x63
8a4308e8 891ae0bf 8a430908 84873e78 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
8a430920 891ae4e7 84b51648 8a430a6c 00000000 fltmgr!FltPerformSynchronousIo+0xb9
8a430990 8980b701 84b51648 84abe4f0 8a4309d0 fltmgr!FltReadFile+0x2ed
8a430a4c 891a9aeb 8490ce40 8a430a6c 8a430a98 Mydrv!PreSync+0xb9
8a430ab8 891acc77 8a430ad0 8a430b64 8a430b30 fltmgr!FltpPerformPreCallbacks+0x34d
8a430ae8 816e2464 8a430b30 8a430b6c 8424b818 fltmgr!FltpPreFsFilterOperation+0xab
8a430b0c 818b1de5 00000000 00000000 8a430c63 nt!FsFilterPerformCallbacks+0xa4
8a430c68 818b20d6 84abe4f0 00000000 84abe4f0 nt!FsRtlAcquireFileExclusiveCommon+0x10a
8a430c7c 816e9cfe 84abe4f0 855f57a8 00000000 nt!FsRtlAcquireFileExclusive+0x12
8a430ca8 816f1ed6 8a430cc4 b29e6a99 83974138 nt!CcWriteBehind+0x570
8a430d00 816bef2b 83974138 00000000 8396fd48 nt!CcWorkerThread+0x164
8a430d50 8185f66d 00000000 b29e6a09 00000000 nt!ExpWorkerThread+0x10d
8a430d90 817110d9 816bee1e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonRead+6f4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf45
STACK_COMMAND: .cxr 0xffffffff8a4302a0 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonRead+6f4
BUCKET_ID: 0x24_Ntfs!NtfsCommonRead+6f4
Followup: MachineOwner
0: kd> !fileobj 8980b701
8980b701 is not a file object
0: kd> !fileobj 84abe4f0
Device Object: 0x84786e20 \Driver\volmgr
Vpb: 0x84783878
Access: Read Write SharedRead SharedWrite SharedDelete
Flags: 0x40100
Stream File
Handle Created
FsContext: 0xa646c0f8 FsContext2: 0x00000000
CurrentByteOffset: 0
Cache Data:
Section Object Pointers: 8564aca0
Shared Cache Map: 848ef808 File Offset: 0 in VACB number 0
Vacb: 839443b0
Your data is at: a8ac0000
0: kd> dt nt!_FILE_OBJECT 84abe4f0
+0x000 Type : 5
+0x002 Size : 128
+0x004 DeviceObject : 0x84786e20 _DEVICE_OBJECT
+0x008 Vpb : 0x84783878 _VPB
+0x00c FsContext : 0xa646c0f8
+0x010 FsContext2 : (null)
+0x014 SectionObjectPointer : 0x8564aca0 _SECTION_OBJECT_POINTERS
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0x1 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0x1 ''
+0x02b SharedDelete : 0x1 ''
+0x02c Flags : 0x40100
+0x030 FileName : _UNICODE_STRING “”
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
+0x070 IrpListLock : 0
+0x074 IrpList : _LIST_ENTRY [0x84abe564 - 0x84abe564]
+0x07c FileObjectExtension : (null)
0: kd> dt nt!_FSRTL_ADVANCED_FCB_HEADER 0xa646c0f8
+0x000 NodeTypeCode : 1797
+0x002 NodeByteSize : 344
+0x004 Flags : 0x40 '@'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x3 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0001
+0x008 Resource : 0x8564ac5c _ERESOURCE
+0x00c PagingIoResource : 0x8564acbc _ERESOURCE
+0x010 AllocationSize : _LARGE_INTEGER 0x10
+0x018 FileSize : _LARGE_INTEGER 0xc
+0x020 ValidDataLength : _LARGE_INTEGER 0xc
+0x028 FastMutex : 0x8564ac3c _FAST_MUTEX
+0x02c FilterContexts : _LIST_ENTRY [0x8564e2bc - 0x8564e2bc]
+0x034 PushLock : _EX_PUSH_LOCK
+0x038 FileContextSupportPointer : 0xa646c0f4 -> (null)
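An added example (not the poster's driver and not Microsoft's code) that models the gate the dump argues for: !fileobj shows FO_STREAM_FILE set and FsContext2 NULL on the object reaching the pre-op from nt!CcWriteBehind, while the poster's PagingIoResource test passes (0x8564acbc), so the check has to look at the file object and not only at the FCB header. It assumes the flag values !fileobj decoded (FO_STREAM_FILE = 0x100, FO_HANDLE_CREATED = 0x40000) and replaces the kernel structures with minimal user-mode stand-ins so it compiles without the WDK.

```c
/* Added example, not the poster's driver: a user-mode model of the gate a
 * pre-op should apply before FltReadFile. Kernel headers are unavailable
 * here, so FILE_OBJECT / FSRTL_COMMON_FCB_HEADER are reduced to the fields
 * the check reads; the flag values are the ones !fileobj decoded above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FO_STREAM_FILE    0x00000100u   /* decoded as "Stream File"    */
#define FO_HANDLE_CREATED 0x00040000u   /* decoded as "Handle Created" */

typedef struct { void *Resource; void *PagingIoResource; } model_fcb_header;
typedef struct {
    uint32_t          Flags;
    model_fcb_header *FsContext;   /* FCB header                       */
    void             *FsContext2;  /* CCB; NULL on stream file objects */
} model_file_object;

typedef enum { READ_OK, SKIP_STREAM_FILE, SKIP_NO_CCB, SKIP_NO_PAGING_RESOURCE } read_decision;

/* Keeps the poster's PagingIoResource test but checks the file object first:
 * a stream file object created by the cache manager has no CCB behind it
 * and must not be read from this callback. */
read_decision decide_read(const model_file_object *fo)
{
    if (fo->Flags & FO_STREAM_FILE) return SKIP_STREAM_FILE;
    if (fo->FsContext2 == NULL)     return SKIP_NO_CCB;
    if (fo->FsContext == NULL || fo->FsContext->PagingIoResource == NULL)
        return SKIP_NO_PAGING_RESOURCE;
    return READ_OK;
}

/* Renders Flags the way !fileobj does, for the driver's debug print line. */
int describe_flags(uint32_t flags, char *out, size_t cap)
{
    return snprintf(out, cap, "0x%x%s%s", flags,
                    (flags & FO_STREAM_FILE)    ? " Stream File"    : "",
                    (flags & FO_HANDLE_CREATED) ? " Handle Created" : "");
}

/* The object from the dump (constructed from the !fileobj / dt output):
 * Flags 0x40100, FsContext2 NULL, PagingIoResource 0x8564acbc. */
static model_fcb_header dump_fcb = { (void *)(uintptr_t)0x8564ac5cu, (void *)(uintptr_t)0x8564acbcu };
static const model_file_object dump_fo = { 0x40100u, &dump_fcb, NULL };

int main(void)
{
    char buf[64];
    describe_flags(dump_fo.Flags, buf, sizeof buf);
    printf("flags: %s -> decision %d\n", buf, (int)decide_read(&dump_fo));
    return 0;
}
```

With the dump's object the PagingIoResource test alone returns READ_OK, which is exactly the path that ended in Ntfs!NtfsCommonRead; the stream-file check skips it instead.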