Pool corruption in Driver

Helllo respected members,
i am having problems with the Scanner samples given in the DDK documentation.

what i am doing is that instead of allocating the buffer for File contents in the Driver …

i let User application to do this task…

for that i did like this …

in the Driver at the function :

FLT_PREOP_CALLBACK_STATUS
ScannerPreCreate (
__inout PFLT_CALLBACK_DATA Data,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID *CompletionContext
)

{
PSCANNER_NOTIFICATION notification = NULL;
FLT_PREOP_CALLBACK_STATUS returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
ULONG replyLength;
ULONG Size= 0;
PFLT_FILE_NAME_INFORMATION nameInfo;
BOOLEAN safeToOpen = TRUE, scanFile;
NTSTATUS status;
ANSI_STRING FileName;

UNREFERENCED_PARAMETER( FltObjects );
UNREFERENCED_PARAMETER( CompletionContext );

PAGED_CODE();

// See if this create is being done by our user process.
if (IoThreadToProcess( Data->Thread ) == ScannerData.UserProcess) {
DbgPrint( “!!! scanner.sys – allowing create for trusted process \n” );
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

// i get the file information
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );

if (!NT_SUCCESS( status )) {

return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

// parse the Information
FltParseFileNameInformation( nameInfo );
scanFile = ScannerpCheckExtension( &nameInfo->Extension );
FltReleaseFileNameInformation( nameInfo );
if (!scanFile) {

return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
else
{
//Got it
// we need to check this file
RtlUnicodeStringToAnsiString(&FileName,&nameInfo->Name,TRUE);
/// this out puts the File Name
DbgPrint( “!!! scanner.sys:File Name %s\n”, FileName.Buffer);
/// this out puts the File Name

// now i call this function for sending the message to the Client application
status = ScannerpScanFileInUserModeEx( FltObjects->Instance,
FltObjects->FileObject,
&safeToOpen,FileName.Length,&FileName);
if(safeToOpen)
{
return FLT_PREOP_SUCCESS_NO_CALLBACK;

}
else
{
FltCancelFileOpen( FltObjects->Instance, FltObjects->FileObject );
Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
return FLT_PREOP_COMPLETE;
}
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

Now here is the reset of the Code

NTSTATUS
ScannerpScanFileInUserModeEx (
__in PFLT_INSTANCE Instance,
__in PFILE_OBJECT FileObject,
__out PBOOLEAN SafeToOpen,
__in ULONG FileNameLength,
__in PANSI_STRING pFileName
)

{
NTSTATUS status;
PVOID buffer = NULL;
ULONG bytesRead;
PSCANNER_NOTIFICATION notification = NULL;
FLT_VOLUME_PROPERTIES volumeProps;
LARGE_INTEGER offset;
ULONG replyLength, length;
ULONG Size = 0;
PFLT_VOLUME volume = NULL;
NTSTATUS returnStatus = STATUS_SUCCESS;
*SafeToOpen = TRUE;

if (ScannerData.ClientPort == NULL) {
return STATUS_SUCCESS;
}
_asm
{
int 3
}
try {

Size = sizeof( SCANNER_NOTIFICATION )+ FileNameLength;
notification = ExAllocatePoolWithTag( NonPagedPool,
Size/*sizeof( SCANNER_NOTIFICATION )*/,
‘xES’ );
if (notification == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
else
{
notification->BytesToScan = (ULONG) 0;
notification->FileLength = FileNameLength;
RtlCopyMemory( &notification->FileName,
pFileName->Buffer,
FileNameLength);
replyLength = sizeof( SCANNER_REPLY );
status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
&notification,
sizeof(notification),
&notification,
&replyLength,
NULL );
if (STATUS_SUCCESS == status)
{
*SafeToOpen = ((PSCANNER_REPLY) &notification)->SafeToOpen;
}
else
{
DbgPrint( “!!! scanner.sys — couldn’t send message to user-mode to scan file, status 0x%X\n”, status );
}
}

}
finally
{
if (notification != NULL)
{
ExFreePoolWithTag( notification, ‘xES’ );
}
}

return status;
}

now it got stuck at the this

ExFreePoolWithTag( notification, ‘xES’ );

and here is the Stack trace

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00ffffff, Memory contents of the pool block
Arg4: 821d8101, Address of the block of pool being deallocated

Debugging Details:

BUGCHECK_STR: 0xc2_7

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

PROCESS_NAME: explorer.exe

LAST_CONTROL_TRANSFER: from 805398e7 to 804eab25

STACK_TEXT:
f6d35428 805398e7 00000003 f6d35784 00000000 nt!RtlpBreakWithStatusInstruction
f6d35474 8053a3be 00000003 8221b14c 821d80f9 nt!KiBugCheckDebugBreak+0x19
f6d35854 8053a9ae 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f6d35874 80552e41 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f6d358c4 f69f6dc9 821d8101 00784553 f69f6db2 nt!ExFreePoolWithTag+0x2be
f6d358d0 f69f6db2 f625bc6d 8221b14c 8221b008 scanner!ScannerpScanFileInUserModeEx+0x149 [c:\winddk\6000\ss\filter\scanner.c @ 1468]
f6d3595c f69f7ae5 8221b008 822659d0 f6d3597b scanner!ScannerpScanFileInUserModeEx+0x132 [c:\winddk\6000\ss\filter\scanner.c @ 1464]
f6d359a0 f845d944 81fa7ecc f6d359c0 f6d359f0 scanner!ScannerPreCreate+0x115 [c:\winddk\6000\ss\filter\scanner.c @ 584]
f6d35a00 f845f352 00d35a44 81fa7e70 00000000 fltMgr!FltpPerformPreCallbacks+0x2d4
f6d35a14 f846bccb f6d35a44 f846a094 00000000 fltMgr!FltpPassThroughInternal+0x32
f6d35a2c f846c142 f6d35a44 8219b6b0 82389918 fltMgr!FltpCreateInternal+0x63
f6d35a60 804ead77 82217ea8 8219b830 8219b6a0 fltMgr!FltpCreate+0x1d2
f6d35a70 80577f9c 823868e8 822adfd4 f6d35c18 nt!IopfCallDriver+0x31
f6d35b50 8056a86c 82386900 00000000 822adf30 nt!IopParseDevice+0xa58
f6d35bd8 8056ec63 00000000 f6d35c18 00000040 nt!ObpLookupObjectName+0x56a
f6d35c2c 80578477 00000000 00000000 00000101 nt!ObOpenObjectByName+0xeb
f6d35ca8 80578546 00ead668 001000a1 00ead514 nt!IopCreateFile+0x407
f6d35d04 8057860e 00ead668 001000a1 00ead514 nt!IoCreateFile+0x8e
f6d35d44 804e606b 00ead668 001000a1 00ead514 nt!NtOpenFile+0x27
f6d35d44 7c90eb94 00ead668 001000a1 00ead514 nt!KiFastCallEntry+0xf8
00ead298 7c90dd09 7c818c14 00ead668 001000a1 ntdll!KiFastSystemCallRet
00ead29c 7c818c14 00ead668 001000a1 00ead514 ntdll!NtOpenFile+0xc
00eadce0 7c80235e 00000000 015c44f4 015c225c kernel32!CreateProcessInternalW+0x892
00eadd18 7ca0def4 015c44f4 015c225c 00000000 kernel32!CreateProcessW+0x2c
00eae79c 7ca0dd5e 00040088 00000000 015c4904 SHELL32!_SHCreateProcess+0x387
00eae7f0 7ca0dc95 015c1008 00eae810 7ca0d797 SHELL32!CShellExecute::_DoExecCommand+0xb4
00eae7fc 7ca0d797 00000001 00000009 015c1008 SHELL32!CShellExecute::_TryInvokeApplication+0x49
00eae810 7ca0d6c9 00000000 00000009 00eae84c SHELL32!CShellExecute::ExecuteNormal+0xb1
00eae824 7ca0d665 00eae84c 00000000 00000009 SHELL32!ShellExecuteNormal+0x30
00eae840 7ca37a49 00eae84c 0000003c 04000b00 SHELL32!ShellExecuteExW+0x8d
00eaeca0 7ca37749 00040088 00eaecd4 00eaf834 SHELL32!ShellExecCmdLine+0x143
00eaf16c 7ca375ff 00eaf1e4 7ca36f01 00eaf1a8 SHELL32!CRunDlg::OKPushed+0x179
00eaf17c 77d48709 000800bc 00000111 00000001 SHELL32!RunDlgProc+0x121
00eaf1a8 77d54ca6 7ca36f01 000800bc 00000111 USER32!InternalCallWinProc+0x28
00eaf214 77d54af2 00094860 7ca36f01 000800bc USER32!UserCallDlgProcCheckWow+0x146
00eaf25c 77d6bf51 00000000 00000111 00000001 USER32!DefDlgProcWorker+0xa8
00eaf28c 77d4b7ab 00534038 00535fd0 00000001 USER32!SendMessageWorker+0x384
00eaf2ac 77d56c26 000800bc 00000111 00000001 USER32!SendMessageW+0x7f
00eaf2dc 77d6e956 000800bc 0054fec8 00040088 USER32!IsDialogMessageW+0x41f
00eaf318 77d5688a 000800bc 00040088 00000001 USER32!DialogBox2+0x144
00eaf340 77d568cc 7c9c0000 7cc23d30 00040088 USER32!InternalDialogBox+0xd0
00eaf360 77d56741 7c9c0000 7cc23d30 00040088 USER32!DialogBoxIndirectParamAorW+0x37
00eaf384 7ca371fc 7c9c0000 000003eb 00040088 USER32!DialogBoxParamW+0x3f
00eaf3cc 7ca37139 7c9c0000 000003eb 00040088 SHELL32!SHFusionDialogBoxParam+0x3b
00eaf400 0101f867 00040088 00000000 00eaf834 SHELL32!RunFileDlg+0xc4
00eafa40 0101f6bf 00040088 00000000 000c3598 Explorer!_RunFileDlg+0x12f
00eafee0 77f68ea5 0000059c 000f0368 77f68e88 Explorer!CTray::_RunDlgThreadProc+0x29a
00eafef8 7c927545 000f0368 7c97c3a0 00123d00 SHLWAPI!ExecuteWorkItem+0x1d
00eaff40 7c927583 77f68e88 000f0368 0009f5f0 ntdll!RtlpWorkerCallout+0x70
00eaff60 7c927645 00000000 000f0368 00123d00 ntdll!RtlpExecuteWorkerRequest+0x1a
00eaff74 7c92761c 7c927569 00000000 000f0368 ntdll!RtlpApcCallout+0x11
00eaffb4 7c80b50b 00000000 00e2fce4 00e2fce8 ntdll!RtlpWorkerThread+0x87
00eaffec 00000000 7c910760 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
scanner!ScannerpScanFileInUserModeEx+149 [c:\winddk\6000\ss\filter\scanner.c @ 1468]
f69f6dc9 c3 ret

FAULTING_SOURCE_CODE:
1464: DbgPrint( “!!! scanner.sys — couldn’t send message to user-mode to scan file, status 0x%X\n”, status );
1465: }
1466: }
1467:

1468: } finally {
1469:
1470: if (notification != NULL) {
1471:
1472: ExFreePoolWithTag( notification, ‘nacS’ );
1473: }

SYMBOL_STACK_INDEX: 5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: scanner

IMAGE_NAME: scanner.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48774fe4

SYMBOL_NAME: scanner!ScannerpScanFileInUserModeEx+149

FAILURE_BUCKET_ID: 0xc2_7_scanner!ScannerpScanFileInUserModeEx+149

BUCKET_ID: 0xc2_7_scanner!ScannerpScanFileInUserModeEx+149

Followup: MachineOwner

could any body tell me why ?
before stepping to the
"ExFreePoolWithTag "line

i run the following commands to see it that pool is alive or freed
and here is the output

kd> !pool 0x821d8190 0
Pool page 821d8190 region is Nonpaged pool
821d8000 size: 30 previous size: 0 (Allocated) Vad
821d8030 size: 8 previous size: 30 (Free) …
821d8038 size: 40 previous size: 8 (Allocated) Ntfr
821d8078 size: 28 previous size: 40 (Allocated) NtFs
821d80a0 size: 30 previous size: 28 (Free ) Vad
821d80d0 size: 30 previous size: 30 (Allocated) Vad
821d8100 size: 48 previous size: 30 (Allocated) WanS
821d8148 size: 40 previous size: 48 (Free) CPnp
*821d8188 size: 448 previous size: 40 (Allocated) *SEx.
Owning component : Unknown (update pooltag.txt)
821d85d0 size: 50 previous size: 448 (Allocated) Gsem
821d8620 size: 30 previous size: 50 (Free) HGKS
821d8650 size: 18 previous size: 30 (Allocated) Qprz
821d8668 size: 120 previous size: 18 (Allocated) Dnod
821d8788 size: 298 previous size: 120 (Free) Irp
821d8a20 size: 28 previous size: 298 (Allocated) FLli
821d8a48 size: 8 previous size: 28 (Free) NtfI
821d8a50 size: 30 previous size: 8 (Allocated) Vad
821d8a80 size: 158 previous size: 30 (Allocated) PXd.
821d8bd8 size: 428 previous size: 158 (Free) Irp
kd> p

it shows that “*SEx” but failed

confused !

Regards

You are calling FltSendMessage with a pointer to your buffer pointer both as
the send and reply buffer. This means the base address of your allocated
buffer (notification) is going to be changed by the user application. So if
you then call ExFreePool you are freeing a buffer which doesn’t exist.

PSCANNER_NOTIFICATION notification = NULL;

notification = ExAllocatePoolWithTag …

status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
&notification, // <-----------
sizeof(notification),
&notification, // <------
&replyLength,
NULL );

//Daniel

wrote in message news:xxxxx@ntfsd…
> Helllo respected members,
> i am having problems with the Scanner samples given in the DDK
> documentation.
>

Shouldn’t that be

FltSendMessage (…, notification, …, notification, …)

and not

FltSendMessage (…, &notification, …, &notification, …)

You’re giving it a pointer to a pointer holding an allocated buffer

Also the sizeof (pointer) is telling it that your buffer is
8/16 bytes long.

Mickey.

xxxxx@resplendence.com wrote:

You are calling FltSendMessage with a pointer to your buffer pointer
both as the send and reply buffer. This means the base address of your
allocated buffer (notification) is going to be changed by the user
application. So if you then call ExFreePool you are freeing a buffer
which doesn’t exist.

PSCANNER_NOTIFICATION notification = NULL;

notification = ExAllocatePoolWithTag …

status = FltSendMessage( ScannerData.Filter,
&ScannerData.ClientPort,
&notification, // <-----------
sizeof(notification),
&notification, // <------
&replyLength,
NULL );

//Daniel

wrote in message news:xxxxx@ntfsd…
>> Helllo respected members,
>> i am having problems with the Scanner samples given in the DDK
>> documentation.
>>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@earthlink.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>