porting a filter-driver to x64

Hi,

I’m porting a filter-driver (no Mini-filter) to the x64 platform and I am facing
a funny bugcheck. My filter is a part of an AV product which
pends CREATE IRPs… just a passive filter. This “design” works ok for
NT/2k/XP/2k3… but not on x64… it seems to have problems with WOW64.
The crash occurs randomly when a 32-bit application exits (in the case below,
“wmplayer”).

Unfortunately the stack text doesn’t even mention the name of my driver,
although I am sure it is somehow causing the crash.

I do have:

  • WinDbg (latest version)
  • set up the Symbol Server properly
  • set up the symbols for my filter-driver properly

Perhaps someone may give me a short hint on that problem.

Here’s what the debugger says:

kd> !analyze -v

*******************************************************************************
* * * Bugcheck Analysis * * *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
Arguments: Arg1: 00000000c0000005
Arg2: fffff80001046625
Arg3: fffffadfe2c080e0
Arg4: 0000000000000000

Debugging Details:

OVERLAPPED_MODULE: ipnat
CONTEXT: fffffadfe2c080e0 -- (.cxr fffffadfe2c080e0)
rax=fffff800012ddec0 rbx=0000000000000000 rcx=fffffadfe74ecd20
rdx=00410041004505bf rsi=fffffadfe2c089f0 rdi=0000000000000001
rip=fffff80001046625 rsp=fffffadfe2c088f0 rbp=fffffa80013f5cf0
r8=fffffadfe74ecd10 r9=fffffadfe73c7400 r10=0000000000000056
r11=0000000000000000 r12=000000000000010c
r13=fffffa8001eee3f8 r14=fffffa800161a60c r15=0000000000000001
iopl=0 nv up ei pl nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053
gs=002b efl=00010202

nt!KiInsertQueueApc+0x6b: fffff800`01046625 488b4208 mov rax,[rdx+0x8]

Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x3B
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff80001063ba8 to fffff80001046625

STACK_TEXT:
…00000000 : nt!KiInsertQueueApc+0x6b
…016da530 : nt!KeInsertQueueApc+0x40
…0001d5c0 : nt!CmpPostNotify+0x350
…00000000 : nt!CmpReportNotifyHelper+0x130
…0015598c : nt!CmSetValueKey+0x893
…0006e5a0 : nt!NtSetValueKey+0x31a
…000003e4 : nt!KiSystemServiceCopyEnd+0x3
…00000004 : ntdll!ZwSetValueKey+0xa
…00000004 : wow64!Wow64NtSetValueKey+0x229
…7efdd000 : wow64!whNtSetValueKey+0x63
…7d61d0b0 : wow64!Wow64SystemServiceEx+0xd6
…7efdf000 : wow64cpu!ServiceNoTurbo+0x28
…00000000 : wow64!RunCpuSimulation+0xa
…00000003 : wow64!Wow64LdrpInitialize+0x2ed
…00000001 : ntdll!LdrpInitializeProcess+0x17d9
…0006f880 : 0x6f700
…00000000 : 0x0
…00000000 : 0x6fab0
…0208004e : 0x3
…000203f0 : 0x1
…00000000 : 0x6f880
…00000001 : 0x0
…00000000 : 0x0
…00000000 : 0x208004e
…0006fab0 : 0x203f0
…010000e0 : 0x0
…44ce5e72 : 0x1
…00720070 : 0x0
…00020780 : 0x0
…00000000 : 0x6fab0
…00000030 : wmplayer!_imp__RegQueryValueExA (wmplayer+0xe0)
…0000000c : 0x44ce5e72
…78f00120 : wmploc+0x70070
…00000040 : 0x20780
…00000000 : 0x0
…00000000 : 0x30
…00720070 : 0xc
…00020780 : ntdll!RtlFreeStringRoutine+0x28
…02080028 : 0x40
…78fa44f0 : 0x0
…010000e0 : 0x0
…00000014 : wmploc+0x70070
…00000000 : 0x20780
…00000000 : 0x2080028
…00020780 : ntdll!_PchSym+0x10
…00000000 : wmplayer!_imp__RegQueryValueExA (wmplayer+0xe0)
…00000000 : 0x14
…00000000 : 0x0
…008e008c : 0x0
…000207f4 : 0x20780

FOLLOWUP_IP: nt!KiInsertQueueApc+6b fffff800`01046625 488b4208 mov rax,[rdx+0x8]

SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!KiInsertQueueApc+6b
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42436096

STACK_COMMAND: .cxr fffffadfe2c080e0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_nt!KiInsertQueueApc+6b
BUCKET_ID: X64_0x3B_nt!KiInsertQueueApc+6b
Followup: MachineOwner

Thanks in advance
frank
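A first triage step on a dump like the one above is to look at the register the faulting instruction dereferences (here `mov rax,[rdx+0x8]`) and ask whether its value is a plausible x64 address at all. The script below is an added example, not part of Frank's post or of any driver; it copies the register values from the `.cxr` context above into a constructed dictionary, classifies each value by x64 address half (user, kernel, or non-canonical), and reinterprets any non-canonical value as UTF-16LE code units, since a pointer slot overwritten by wide-character string data shows up exactly this way. That the bytes in rdx are string data is an inference the script makes visible, not something the dump states.

```python
import struct

# Register dump copied from the .cxr context in the post above (the dictionary
# is constructed here; the values themselves are the ones WinDbg printed).
CONTEXT_REGS = {
    "rax": 0xfffff800012ddec0, "rbx": 0x0000000000000000, "rcx": 0xfffffadfe74ecd20,
    "rdx": 0x00410041004505bf, "rsi": 0xfffffadfe2c089f0, "rdi": 0x0000000000000001,
    "rip": 0xfffff80001046625, "rsp": 0xfffffadfe2c088f0, "rbp": 0xfffffa80013f5cf0,
    "r8":  0xfffffadfe74ecd10, "r9":  0xfffffadfe73c7400, "r10": 0x0000000000000056,
    "r11": 0x0000000000000000, "r12": 0x000000000000010c, "r13": 0xfffffa8001eee3f8,
    "r14": 0xfffffa800161a60c, "r15": 0x0000000000000001,
}


def classify_value(value):
    """Say which x64 address class a 64-bit register value falls in."""
    if value == 0:
        return "zero"
    if value < 0x10000:
        return "small integer"      # counters, flags, indices; not a pointer
    top17 = value >> 47             # bits 63..47 must all agree for a canonical address
    if top17 == 0:
        return "user"
    if top17 == 0x1ffff:
        return "kernel"
    return "non-canonical"          # never a valid address: any dereference faults


def decode_as_utf16(value):
    """Reinterpret the 8 little-endian bytes of a register as four UTF-16LE code units."""
    return struct.pack("<Q", value).decode("utf-16-le")


def printable_ascii_ratio(text):
    """Fraction of code units that are printable ASCII; high values hint at text."""
    return sum(1 for ch in text if 0x20 <= ord(ch) < 0x7f) / len(text)


def suspicious_registers(regs):
    """Return (name, utf16_text, ascii_ratio) for every non-canonical register value."""
    out = []
    for name, value in regs.items():
        if classify_value(value) == "non-canonical":
            text = decode_as_utf16(value)
            out.append((name, text, printable_ascii_ratio(text)))
    return out


def faulting_address(regs, base="rdx", disp=8):
    """Effective address of the faulting 'mov rax,[rdx+0x8]' load."""
    return (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    for name, text, ratio in suspicious_registers(CONTEXT_REGS):
        print(f"{name}: non-canonical; as UTF-16LE {text!r}; {ratio:.0%} printable ASCII")
    print(f"faulting load address: {faulting_address(CONTEXT_REGS):#018x}")
```

Run against the values from the post, only rdx is flagged: it is neither a user nor a kernel address, and its upper three code units decode to the ASCII letters "E", "A", "A". Whatever wrote that value into the structure KiInsertQueueApc is walking, the next thing to check is which component handles wide-character registry data in that NtSetValueKey path (the filter, if it copies or touches the buffer, or the WOW64 thunk layer) and whether a buffer it owns is sized for the 64-bit layout rather than the 32-bit one.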