Page Fault while Debugging an application in VC6

Hi, all.
I built a file system filter driver based on FILEMON. In the IRP_MJ_CREATE dispatch, I want to
get the full path name of the process and the full path name of the file that the process is
opening. The code looks like this:

////////////////////////////////////////////////////////////////////////////////////
PIO_STACK_LOCATION currentIrpStack = IoGetCurrentIrpStackLocation(Irp);
PIO_STACK_LOCATION nextIrpStack    = IoGetNextIrpStackLocation(Irp);
hookExt = HookDevice->DeviceExtension;
// ...
case IRP_MJ_CREATE:
    fileObject   = currentIrpStack->FileObject;
    fullPathName = ExAllocatePool(NonPagedPool, MAXPATHLEN);
    if (fullPathName)
    {
        FilemonGetFullPath(fileObject, hookExt, fullPathName);
    }
    // ...
    CurrentProcessName = GetCurrentProcessFileName();
    if (CurrentProcessName != NULL)
    {
        // ...
        RtlInitUnicodeString(&ProcessUnicodeName, CurrentProcessName); // Errors happened here!
    }
////////////////////////////////////////////////////////////////////////////////////
PCWSTR GetCurrentProcessFileName()
{
    // Walks EPROCESS -> PEB -> ProcessParameters using hard-coded offsets.
    // The PEB and the process parameters live in the user-mode address space of
    // the current process; the pointers are dereferenced here without any check
    // that the pages are present and initialized.
    DWORD dwAddress = (DWORD)PsGetCurrentProcess();      // PEPROCESS
    if ((dwAddress == 0) || (dwAddress == 0xFFFFFFFF))
        return NULL;

    dwAddress += 0x1B0;                                  // PEPROCESS->Peb
    if ((dwAddress = *(DWORD*)dwAddress) == 0)
        return NULL;

    dwAddress += 0x10;                                   // Peb->ProcessParameters
    if ((dwAddress = *(DWORD*)dwAddress) == 0)
        return NULL;

    dwAddress += 0x3C;                                   // Peb->ProcessParameters.ImageFile (buffer pointer)
    dwAddress = *((DWORD*)dwAddress);
    return (PCWSTR)dwAddress;
}
//////////////////////////////////////////////////////////////////////////////////////////////
Everything works fine except under some conditions. For example, we want to debug an application in VC6 (or BCB) and
set a breakpoint at the first line of WinMain. When we press F5 to start debugging, before it stops at the
breakpoint we set, a page fault occurs
at the “RtlInitUnicodeString(&ProcessUnicodeName, CurrentProcessName)”. At this point, we get
the full path name:
fullpathname = “c:\dev\debug\test.exe” // the application we are debugging.
CurrentProcessName != NULL, for example 0x8e8.
: dd 0x8e8
0x8e8 ??? ??? ??? ???
It means NULL! That means at this time EPROCESS->PEB->PROCESSPARAMETERS->IMAGEFILENAME has still not been
initialized with a proper value. And examining the process list of the system using the SoftICE proc command,
I see process “test.exe” is in the RUNNING state with both USERTIME and KERNELTIME equal to zero. Also,
I can get the IRP_MJ_CREATE dispatch’s process id using PsGetCurrentProcessId(). Comparing this pid
with the process list we get from the SoftICE proc command, I find the IRP_MJ_CREATE dispatch is running in
the context of process “test.exe”! It means process “test.exe” wants to open “c:\dev\debug\test.exe”.
The IRQL is equal to PASSIVE_LEVEL.
It is strange!

Please give me some advice.

best regards
yours
brucie
xxxxx@sina.com
2002-09-01

Want an advice? Forget about undocumented structures! Find another way to
solve your problem. That’s my advice.

-htfv

----- Original Message -----
From: “brucie”
To: “File Systems Developers”
Sent: Sunday, September 01, 2002 1:59 PM
Subject: [ntfsd] Page Fault while Debugging an application in VC6


Hi, Alexey Logachyov,
What are the undocumented structures? All the structures used here can be found
in the book Inside Win2k, 3rd edition. I just want to discuss the phenomenon that happens
in the kernel when we debug an application.

best regards
yours
brucie
xxxxx@sina.com
2002-09-02

Hi there.

The GetFullpath() code was posted by me on this mailing list.
It's wrong code. It works fine under normal conditions, but sometimes BSODs.
I'm really sorry for posting wrong code.
Please don't use it in a commercial product.

I'll give you a piece of advice.
As far as I know, it's the best solution for getting the full path.

Search for these functions and maintain a PID-to-fullpath data structure in
your driver code, and whenever you want to get the full path, query by PID.

PsSetCreateProcessNotifyRoutine()
PsSetLoadImageNotifyRoutine()

Hope this helps.

Terra.
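The PID-to-full-path cache Terra describes, as an added example (not Terra's, FILEMON's or the poster's code): portable C that models the two notify callbacks as plain functions fed with constructed events, so it builds with any C compiler; in a real driver the same functions would be called from the routines registered with PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, under a lock. The assumption that the first image-load notification seen for a newly registered PID is the process's main executable is mine, not the page's, as are the PIDs and the ntdll path in the demo.

```c
#include <string.h>
#include <stdint.h>

/* PID -> image path cache. A fixed array stands in for a driver's pool table; in a
 * driver every access below sits under a spin lock (callbacks and dispatch race). */
#define TABLE_SLOTS    64
#define MAX_PATH_CHARS 260

typedef struct {
    uint32_t pid;
    int      in_use, has_path;       /* has_path stays 0 until the image-load callback */
    char     path[MAX_PATH_CHARS];
} ProcessRecord;
static ProcessRecord table[TABLE_SLOTS];

static ProcessRecord *find_record(uint32_t pid)
{
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (table[i].in_use && table[i].pid == pid) return &table[i];
    return NULL;
}

/* Mirrors PCREATE_PROCESS_NOTIFY_ROUTINE(ParentId, ProcessId, Create):
 * Create != 0 registers the PID; Create == 0 (exit) drops it, so a reused
 * PID never inherits a stale path. Returns 1 when the table was updated. */
int on_process_notify(uint32_t parent_pid, uint32_t pid, int create)
{
    (void)parent_pid;                /* the PID alone is the lookup key */
    ProcessRecord *rec = find_record(pid);
    if (!create) { if (rec) memset(rec, 0, sizeof *rec); return rec != NULL; }
    if (rec) return 1;               /* duplicate notification: nothing to do */
    for (int i = 0; i < TABLE_SLOTS; i++) {
        if (table[i].in_use) continue;
        memset(&table[i], 0, sizeof table[i]);
        table[i].in_use = 1;
        table[i].pid = pid;
        return 1;
    }
    return 0;                        /* table full: caller logs and moves on */
}

/* Mirrors PLOAD_IMAGE_NOTIFY_ROUTINE(FullImageName, ProcessId, ImageInfo).
 * Assumption (mine, not the page's): the first image mapped into a newly
 * registered process is its main executable, so only that one is kept. */
int on_image_notify(const char *full_image_name, uint32_t pid)
{
    ProcessRecord *rec = find_record(pid);
    if (!rec || rec->has_path) return 0;   /* unknown PID, or a later DLL load */
    strncpy(rec->path, full_image_name, MAX_PATH_CHARS - 1);
    rec->path[MAX_PATH_CHARS - 1] = '\0';
    rec->has_path = 1;
    return 1;
}

/* What IRP_MJ_CREATE calls instead of walking the PEB. NULL means "unknown or
 * image not mapped yet": the very window in which the original code faulted. */
const char *lookup_process_path(uint32_t pid)
{
    ProcessRecord *rec = find_record(pid);
    return (rec && rec->has_path) ? rec->path : NULL;
}

/* Constructed event sequence for a debugger launching test.exe; PIDs and the
 * ntdll path are made up. Returns 1 if the cache behaved as intended. */
int demo(void)
{
    memset(table, 0, sizeof table);
    on_process_notify(1000, 1234, 1);                        /* debugger spawns test.exe */
    const char *early = lookup_process_path(1234);            /* image not mapped yet */
    on_image_notify("c:\\dev\\debug\\test.exe", 1234);        /* main executable */
    on_image_notify("c:\\winnt\\system32\\ntdll.dll", 1234);  /* ignored: path already set */
    const char *late = lookup_process_path(1234);
    int ok = early == NULL && late != NULL
          && strcmp(late, "c:\\dev\\debug\\test.exe") == 0;  /* check before the record is freed */
    on_process_notify(1000, 1234, 0);                         /* test.exe exits */
    return ok && lookup_process_path(1234) == NULL;
}
int main(void) { return demo() ? 0 : 1; }
```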

Hi, Terra. Thanks for the advice.
The code in FilemonGetFullPath and GetCurrentProcessFileName is not important.
I really wonder why this happened.

best regards
yours
brucie
xxxxx@sina.com
2002-09-02

Is it an official Microsoft guide to programming drivers? Then why do you
calculate those offsets and not use structures from the DDK/IFS kit? It is
not documented anyway.

-htfv

----- Original Message -----
From: “brucie”
To: “File Systems Developers”
Sent: Monday, September 02, 2002 12:00 AM
Subject: [ntfsd] Re: Page Fault while Debugging an application in VC6


Hi, Alexey Logachyov,
I have to say the code to get the full path name of the process image is not important
here. It is easy to solve this problem by using SEH here. I want to understand
the phenomenon that happens at this time and the mechanism of debugging an application.

best regards
yours
brucie
xxxxx@sina.com
2002-09-03

Why do you call it a phenomenon? If you don’t know the right behavior, how could
you say it’s wrong? You can’t know why you have a problem. Try to find out
how VC loads images, though I think it uses the standard debugging API.

-htfv

----- Original Message -----
From: “brucie”
To: “File Systems Developers”
Sent: Tuesday, September 03, 2002 3:48 AM
Subject: [ntfsd] Re: Page Fault while Debugging an application in VC6
