Page Fault(0Eh) error in Callback routine of minifilter driver

Hi everyone,
I’m a newbie in File system driver development. Now, I’m developing a mini filter driver. In my driver, I have only one callback routine for IRP_MJ_CREATE operation, but unfortunately I always get “Break due to Page Fault(0Eh). Fault=0003” error when starting it (I used SoftIce to debug driver and got this message). Here is my callback routine:

FLT_PREOP_CALLBACK_STATUS
FpPreCreate (
    __inout PFLT_CALLBACK_DATA Data,
    __in PCFLT_RELATED_OBJECTS FltObjects,
    __deref_out_opt PVOID *CompletionContext
    )
{
    FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;
    CHAR szTmp[260];
    ANSI_STRING ansiName;

    szTmp[0] = ANSI_NULL;
    if (FltObjects->FileObject != NULL) {
        status = FltGetFileNameInformation(Data,
                     FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                     &nameInfo);
        if (!NT_SUCCESS(status)) {
            RtlCopyMemory(szTmp, NO_NAME, sizeof(NO_NAME));
        } else {
            status = FltParseFileNameInformation(nameInfo);
            if (!NT_SUCCESS(status)) {
                RtlCopyMemory(szTmp, NO_NAME, sizeof(NO_NAME));
            } else {
                RtlUnicodeStringToAnsiString(&ansiName, &nameInfo->Name, FALSE);
                if (ansiName.Length < 260 - 1) {
                    RtlCopyMemory(szTmp, ansiName.Buffer, ansiName.Length);
                    szTmp[ansiName.Length] = ANSI_NULL;
                } else {
                    RtlCopyMemory(szTmp, INSUFFICIENCE_BUFFER, sizeof(INSUFFICIENCE_BUFFER));
                }
            }
        }
    }

    if (NULL != nameInfo) {
        FltReleaseFileNameInformation(nameInfo);
    }

    DbgPrint("FpPreCreate::Filename=%s", szTmp);

    return returnStatus;
}

Please help me find the errors in my function and how to correct them.
Many thanks.

trung



First forget SoftIce, it is obsolete and worthless, use WinDBG and post the
results of !analyze if the results do not explain the problem to you.
Second, think about what you are doing here, not only are you converting
the string to ANSI which can cause problems in many environments since
Windows was designed for UNICODE, you are also converting to a NULL
terminated string.

Old style C strings are slow, inefficient and prone to buffer overflow
attacks. Microsoft does have the safe string library, but this is harder
to use IMHO than using the native counted strings.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Taking a quick look, it looks like ansiName.Buffer has not been set. You
chose not to allocate the destination buffer with
RtlUnicodeStringToAnsiString so it does set ansiName.Buffer. You should call
RtlInitAnsiString or set ansiName.Buffer yourself and set it to szTmp, then
it can go directly into your buffer and no need to copy (you must still
check lengths though). If you want to avoid the lengths checking, the
other option is to allocate the destination buffer.

/Daniel
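
The contract Daniel describes, as a user-mode model added here (not code from the thread): with the allocate flag FALSE, the callee writes through whatever Buffer and MaximumLength the caller supplied. ANSI_STR, UNI_STR, convert_no_alloc, the ST_* codes and the sample name are stand-ins invented for this example, not the kernel's types or RtlUnicodeStringToAnsiString itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* User-mode stand-ins for the kernel counted-string descriptors (simplified). */
typedef struct { uint16_t Length, MaximumLength; char *Buffer; } ANSI_STR;
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } UNI_STR;
enum { ST_OK, ST_INVALID_PARAMETER, ST_BUFFER_OVERFLOW };  /* model-only codes */

/* Model of a no-allocate conversion: the callee trusts dst as supplied. */
static int convert_no_alloc(ANSI_STR *dst, const UNI_STR *src)
{
    size_t i, chars = src->Length / sizeof(uint16_t);
    if (dst->Buffer == NULL || dst->MaximumLength == 0)
        return ST_INVALID_PARAMETER;  /* the model refuses; the driver faulted */
    if (chars + 1 > dst->MaximumLength)
        return ST_BUFFER_OVERFLOW;    /* name plus terminator does not fit */
    for (i = 0; i < chars; i++)       /* non-ASCII code units become '?' */
        dst->Buffer[i] = src->Buffer[i] < 0x80 ? (char)src->Buffer[i] : '?';
    dst->Buffer[chars] = '\0';
    dst->Length = (uint16_t)chars;
    return ST_OK;
}

/* Corrected caller: describe the local buffer before the call, keep the status. */
static int name_to_cstr(const UNI_STR *name, char *out, size_t out_size)
{
    ANSI_STR ansi = { 0, 0, NULL };
    if (out_size == 0 || out_size > UINT16_MAX) return ST_INVALID_PARAMETER;
    out[0] = '\0';
    ansi.MaximumLength = (uint16_t)out_size;
    ansi.Buffer = out;                /* the step missing from the posted routine */
    return convert_no_alloc(&ansi, name);
}
/* Posted pattern: descriptor never set up (zeroed here to stand in for garbage). */
static int name_to_cstr_posted(const UNI_STR *name)
{
    ANSI_STR ansi = { 0, 0, NULL };
    return convert_no_alloc(&ansi, name);
}

/* Constructed sample name in UTF-16 code units, not taken from the thread. */
static const uint16_t SAMPLE[] = {'\\','D','e','v','\\','a','.','t','x','t'};
static const UNI_STR SAMPLE_NAME = { sizeof SAMPLE, sizeof SAMPLE, SAMPLE };

int main(void)
{
    char szTmp[260];
    return name_to_cstr(&SAMPLE_NAME, szTmp, sizeof szTmp) == ST_OK &&
           name_to_cstr_posted(&SAMPLE_NAME) == ST_INVALID_PARAMETER ? 0 : 1;
}
```

In the driver the same fix is to set ansiName.Buffer = szTmp and ansiName.MaximumLength = sizeof(szTmp) before calling RtlUnicodeStringToAnsiString with FALSE, and to check the NTSTATUS it returns.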


What's the IRQL? Messing with UNICODE at elevated IRQL will do this.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, July 05, 2007 12:56
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] Page Fault(0Eh) error in Callback routine of
minifilter driver

First forget SoftIce, it is obsolete and worthless, use WinDBG and post the
results of !analyze if the results do not explain the problem to you.
Second, think about what you are doing here, not only are you converting
the string to ANSI which can cause problems in many environments since
Windows was designed for UNICODE, you are also converting to a NULL
terminated string.

Old style C strings are slow, inefficient and prone to buffer overflow
attacks. Microsoft does have the safe string library, but this is harder
to use IMHO than using the native counted strings.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
