Hello Guys,
I have written an encryption/decryption filter driver based on the diskperf
sample provided in the DDK. I have tried encrypting nearly 75% of the hard
disk, and the system still boots fine. This has been achieved by having a
dedicated driver in 16-bit mode for that. The system boots fine. But
sometimes after the system boots I get a crash with
PAGE_FAULT_IN_NONPAGED_AREA. It is totally random and does not occur
very frequently. Sometimes it occurs and crashes the system, but the system
boots fine after that.
An exception to that is when the disk is, say, 20% encrypted or part of the
operating system core is being encrypted. If the crash occurs at that time,
the system is unbootable the next time. It fails with BugCheck ED. So I assume
it is a problem with paged I/O not being handled properly…
Has anyone had a similar problem, or does anyone know how to avoid this?
Thanks
Shal
My ReadWrite Handler is
// Write path of the read/write dispatch handler, as posted: the enclosing
// function, the End label and everything after IoSetCompletionRoutine are not shown.
// Visible steps: allocate and zero a non-paged scratch buffer, get a kernel
// address for the IRP's MDL, call Encrypt() on it, register MyIoCompletion.
// NOTE(review): the crash dump posted with this code faults in the registry
// flush path (nt!CmpLazyFlushWorker -> nt!HvpFlushMappedData -> nt!RtlClearBits),
// not inside this driver, which fits data being changed underneath its owner;
// the Encrypt() call on the requester's buffer below is the first thing to rule out.
if (currentIrpStack->MajorFunction == IRP_MJ_WRITE)
{
// NOTE(review): Irp->MdlAddress is dereferenced here, while the only NULL test
// for it comes later; a request without an MDL would fault on this line.
// ByteCount describes this one MDL; Parameters.Write.Length is the request's
// transfer length - confirm the two always agree for the IRPs seen here.
WriteLength = Irp->MdlAddress->ByteCount;
WriteByteOffset = currentIrpStack->Parameters.Write.ByteOffset.QuadPart;
llTempWriteOffSet=WriteByteOffset;
if((WriteLength > 0))
{
// Scratch buffer of CryptBufferSize bytes from non-paged pool.
// NOTE(review): "deviceExtension-" / "CryptBufferSize" looks like
// deviceExtension->CryptBufferSize with the '>' lost in line wrapping.
// NOTE(review): nothing visible compares WriteLength with CryptBufferSize, and
// no ExFreePool is visible - confirm every path, including End, frees this buffer.
OutputBuffer = (unsigned char *)ExAllocatePool(NonPagedPool,deviceExtension-
CryptBufferSize);
// NOTE(review): ExAllocatePool reports failure by returning NULL, so the test
// wanted here is OutputBuffer == NULL; MmIsAddressValid is not an allocation check.
if(!MmIsAddressValid(OutputBuffer))
goto End;
RtlZeroMemory(OutputBuffer,deviceExtension->CryptBufferSize);
}
else
goto End;
// Taken when the MDL is neither already mapped into system space nor built
// from non-paged pool: a new kernel mapping is created for its pages.
// NOTE(review): with BugCheckOnFailure FALSE this call can return NULL, and the
// result is not checked before Encrypt(). No MmUnmapLockedPages is visible for
// the mapping. MmNonCached on pages that are presumably mapped cached elsewhere
// should be checked against the WDK guidance; MmGetSystemAddressForMdlSafe
// (used in the other branch) would avoid a separate mapping altogether.
if(!( ( Irp->MdlAddress )-> MdlFlags & ( MDL_MAPPED_TO_SYSTEM_VA |
MDL_SOURCE_IS_NONPAGED_POOL )))
{
InputBuffer = (unsigned char *)MmMapLockedPagesSpecifyCache(
Irp->MdlAddress,
KernelMode,MmNonCached,NULL,FALSE,HighPagePriority );
bPageableFlag=TRUE;
}else
{
bPageableFlag = FALSE;
// NOTE(review): this NULL test comes after MdlFlags was already read through
// the same pointer, so it cannot protect against a missing MDL. Irp->UserBuffer
// is a requester-supplied address and is not safe to use as a kernel pointer
// without probing and locking.
if(Irp->MdlAddress != NULL)
InputBuffer = (unsigned char*)KernHelpGetSysAddrForMdl(Irp->MdlAddress);
// Author's note: the helper wraps MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority),
// which can return NULL under resource pressure; the result is not checked here.
else
InputBuffer = (unsigned char*)Irp->UserBuffer;
}
// NOTE(review): Encrypt receives only the address of the requester's pages; the
// scratch OutputBuffer is not passed in this fragment. If Encrypt transforms
// InputBuffer in place (the completion routine's Decrypt(InputBuffer) on writes
// suggests it does), the owner of those pages - cache manager, registry, paging
// I/O - sees ciphertext until the IRP completes. The safer design encrypts into
// the private buffer and sends that down, leaving the original pages untouched.
Encrypt(InputBuffer);
// MyIoCompletion is invoked on success, error and cancel, with DeviceObject as context.
IoSetCompletionRoutine(Irp,MyIoCompletion,DeviceObject,TRUE,TRUE,TRUE);
My IOCompletion Handler is
// Completion-routine fragment, as posted: the enclosing function, the End
// label, the closing braces and any read-side Decrypt call are not shown.
// Visible steps: for READ and WRITE IRPs, allocate and zero a scratch buffer,
// map the MDL under certain flag conditions, and call Decrypt() on writes.
// NOTE(review): Irp->IoStatus is not consulted in the visible lines; confirm a
// failed or cancelled request is not processed as if the transfer had happened.
if (irpStack->MajorFunction == IRP_MJ_READ ||
irpStack->MajorFunction==IRP_MJ_WRITE){
// NOTE(review): Irp->MdlAddress is dereferenced without a NULL test.
ReadLength = Irp->MdlAddress->ByteCount;
// Parameters.Read is read for both major functions in this fragment.
ReadByteOffset = irpStack->Parameters.Read.ByteOffset.QuadPart;
llTempReadByteOffSet=ReadByteOffset ;
if(ReadLength >0)
{
// NOTE(review): "deviceExtension-" / "CryptBufferSize" looks like
// deviceExtension->CryptBufferSize with the '>' lost in line wrapping.
// NOTE(review): a completion routine can presumably run at DISPATCH_LEVEL and
// allocates on every completed IRP here; no ExFreePool is visible, and nothing
// visible compares ReadLength with CryptBufferSize.
OutputBuffer = (unsigned char *)ExAllocatePool(NonPagedPool,deviceExtension-
CryptBufferSize);
// NOTE(review): allocation failure is signalled by NULL; test OutputBuffer == NULL
// rather than MmIsAddressValid.
if(!MmIsAddressValid(OutputBuffer))
goto End;
RtlZeroMemory(OutputBuffer,deviceExtension->CryptBufferSize);
}
else
goto End;
if(irpStack->MajorFunction == IRP_MJ_READ)
{
// Maps the pages only when the MDL is flagged MDL_PAGES_LOCKED.
// NOTE(review): the mapping result may be NULL (BugCheckOnFailure is FALSE) and
// is not checked; in the else branch InputBuffer is not assigned by any visible line.
if (( ( Irp->MdlAddress )->MdlFlags & ( MDL_PAGES_LOCKED ) ) )
{
InputBuffer = (unsigned char *)MmMapLockedPagesSpecifyCache(Irp->MdlAddress,
KernelMode,MmNonCached,NULL,FALSE,HighPagePriority);
bPageableFlag = TRUE;
}
else
bPageableFlag = FALSE;
}
else if(irpStack->MajorFunction == IRP_MJ_WRITE)
{
// NOTE(review): this flag test is the inverse of the one in the dispatch
// handler's write path: a new mapping is created when the MDL is already
// mapped or comes from non-paged pool, and nothing is mapped otherwise. No
// MmUnmapLockedPages is visible for either mapping.
if (( ( Irp->MdlAddress ) -> MdlFlags & ( MDL_MAPPED_TO_SYSTEM_VA |
MDL_SOURCE_IS_NONPAGED_POOL ) ) )
{
InputBuffer = (unsigned char *)MmMapLockedPagesSpecifyCache(
Irp->MdlAddress,
KernelMode,MmNonCached,NULL,FALSE,HighPagePriority );
bPageableFlag = TRUE;
}
else
bPageableFlag = FALSE;
// NOTE(review): Decrypt runs on both branches, but the else branch leaves
// InputBuffer unassigned in the visible code, so this may act on a stale or
// uninitialised pointer. Decrypting after a write looks like an attempt to
// restore plaintext in the requester's pages; between dispatch and completion
// those pages would hold ciphertext that other threads can read - TODO confirm.
Decrypt( InputBuffer);
}
The entire crash dump is
*** Fatal System Error: 0x00000050
(0xE180F000,0x00000001,0x804F079B,0x00000001)
Break instruction exception - code 80000003 (first
chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have
not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target,
ptr64 FALSE
Loading Kernel Symbols
…
…
.
Loading unloaded module list
…
Loading User Symbols
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***
Use !analyze -v to get detailed debugging information.
BugCheck 50, {e180f000, 1, 804f079b, 1}
Probably caused by : ntoskrnl.exe ( nt!RtlClearBits+5c
)
Followup: MachineOwner
nt!RtlpBreakWithStatusInstruction:
8050d064 cc int 3
kd> !analyze -v
****************************************************************************
***
*
*
* Bugcheck Analysis
*
*
*
****************************************************************************
***
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be
protected by try-except,
it must be protected by a Probe. Typically the
address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e180f000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write
operation.
Arg3: 804f079b, If non-zero, the instruction address
which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
WRITE_ADDRESS: e180f000 Paged pool
FAULTING_IP:
nt!RtlClearBits+5c
804f079b f3ab rep stosd
MM_INTERNAL_CODE: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
LAST_CONTROL_TRANSFER: from 80561688 to 804f079b
TRAP_FRAME: f78d6bf8 – (.trap fffffffff78d6bf8)
ErrCode = 00000002
eax=00000000 ebx=0006efcd ecx=00016f0f edx=e17fbc6f esi=00377e6b
edi=e180efff
eip=804f079b esp=f78d6c6c ebp=f78d6c78 iopl=0
nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
nt!RtlClearBits+0x5c:
804f079b f3ab rep stosd
Resetting default scope
STACK_TEXT:
f78d6c78 80561688 f78d6cd8 007c8f75 0006efcd nt!RtlClearBits+0x5c
f78d6ca0 80561087 e194a8b0 f78d6cd8 e194aad0 nt!HvpFlushMappedData+0xc6
f78d6d28 80560e1c e194a8b0 00000000 e194a8b0 nt!HvpDoWriteHive+0x1d2
f78d6d40 80562773 e194a801 80548abc 80542ba0 nt!HvSyncHive+0x86
f78d6d5c 8056285c 00000000 847f18b8 00000000 nt!CmpDoFlushAll+0x6c
f78d6d74 804ebd08 00000000 00000000 847f18b8 nt!CmpLazyFlushWorker+0x4f
f78d6dac 80559026 00000000 00000000 00000000 nt!ExpWorkerThread+0xfe
f78d6ddc 8050f513 804ebc35 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!RtlClearBits+5c
804f079b f3ab rep stosd
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!RtlClearBits+5c
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7de38f
STACK_COMMAND: .trap fffffffff78d6bf8 ; kb
BUCKET_ID: 0x50_W_nt!RtlClearBits+5c
Followup: MachineOwner