Problem with CreateFile from User Mode

Hello,

I have a user mode command line program, and my driver crashes when I call CreateFile to open the driver to send a DeviceIoControl to it.

It crashes at the CreateFile.

I have narrowed it down to my creating a worker thread; if I do not create the thread, all works fine. I do not even have the thread scheduled to run yet. It is waiting on an unsignaled object.

The stack at the point of crash shows:

WARNING: Frame IP not in any known module. Following frames may be wrong.
0x836a4422
nt!IofCallDriver+0x64
nt!SeExamineSacl+0x127e
nt!CcUnpinData+0x89f
nt!ObOpenObjectByName+0x13c
nt!SeSetAccessStateGenericMapping+0x674
nt!NtCreateFile+0x34
nt!ZwQueryLicenseValue+0xbd2
0x77399a94
0xbadb0d00
0x2ae790

The CreateFile call is:

g_device = CreateFileW( DRIVER_DOS_NAME, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );

I have looked at numerous examples and have not found a reason why this is happening. I thought it could be a lock but the background thread is not even being fired.

Any help or a pointer would be greatly appreciated.

Thanks,
Rob Rightmyer

Driver technology? WDM, WDF?? Device type?

A little bit of information about the crash might help here. Like a !analyze -v with the proper symbols?

Also, I assume you’ve set a breakpoint at the entrance to your create dispatch entry point, and stepped into your code in the debugger. Does this not tell you the exact statement on which your driver crashes?

Peter
OSR

Judging from your call stack, the whole thing happens in IRP_MJ_CREATE_HANDLER. Please show us what you do in it so that we may be able to help you - for the time being we just haven’t got any info…

Anton Bassov

Thanks for your quick response.

My IRP_MJ_CREATE handler is (right from a WFP Microsoft sample):

/* Function name assumed here; the post shows only the body. */
NTSTATUS
DriverCreateHandler(_In_ PDEVICE_OBJECT deviceObject, _Inout_ PIRP irp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(deviceObject);

    /* Record the result in the IRP before completing it. */
    irp->IoStatus.Status = status;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);

    return status;
}

This is a WFP driver to answer Peter.

!analyze -v returns:

BUGCHECK_STR: ACCESS_VIOLATION

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 818561ad to 835a6380

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
9a0dfa98 818561ad 835a6580 85501bb8 835f933c 0x835a6380
9a0dfab0 81a099dc 1ffaafae 833d23b4 835a6568 nt!IofCallDriver+0x64
9a0dfb80 81a035cc 835a6580 00000000 833d2310 nt!SeExamineSacl+0x127e
9a0dfc10 81a03b5c 00000000 9a0dfc68 00000040 nt!CcUnpinData+0x89f
9a0dfc70 81a0a927 0022e874 00000000 9a0dfd01 nt!ObOpenObjectByName+0x13c
9a0dfce4 81a23fac 0022e8d8 c0100080 0022e874 nt!SeSetAccessStateGenericMapping+0x674
9a0dfd30 818679aa 0022e8d8 c0100080 0022e874 nt!NtCreateFile+0x34
9a0dfd64 779d9a94 badb0d00 0022e83c 00000000 nt!ZwQueryLicenseValue+0xbd2
9a0dfd68 badb0d00 0022e83c 00000000 00000000 ntdll+0x59a94
9a0dfd6c 0022e83c 00000000 00000000 00000000 0xbadb0d00
9a0dfd70 00000000 00000000 00000000 00000000 0x22e83c

STACK_COMMAND: kb

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!IofCallDriver+64

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntkrnlmp.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

The breakpoint was never hit in MJ_CREATE.

I will further look into symbols, but I did point to the symbol server and was able to set breakpoints locally.

Thanks again for your quick reply.

Rob

xxxxx@comcast.net wrote:

Thanks for your quick response.

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
9a0dfa98 818561ad 835a6580 85501bb8 835f933c 0x835a6380
9a0dfab0 81a099dc 1ffaafae 833d23b4 835a6568 nt!IofCallDriver+0x64
9a0dfb80 81a035cc 835a6580 00000000 833d2310 nt!SeExamineSacl+0x127e
9a0dfc10 81a03b5c 00000000 9a0dfc68 00000040 nt!CcUnpinData+0x89f
9a0dfc70 81a0a927 0022e874 00000000 9a0dfd01 nt!ObOpenObjectByName+0x13c
9a0dfce4 81a23fac 0022e8d8 c0100080 0022e874 nt!SeSetAccessStateGenericMapping+0x674
9a0dfd30 818679aa 0022e8d8 c0100080 0022e874 nt!NtCreateFile+0x34
9a0dfd64 779d9a94 badb0d00 0022e83c 00000000 nt!ZwQueryLicenseValue+0xbd2
9a0dfd68 badb0d00 0022e83c 00000000 00000000 ntdll+0x59a94
9a0dfd6c 0022e83c 00000000 00000000 00000000 0xbadb0d00
9a0dfd70 00000000 00000000 00000000 00000000 0x22e83c

The breakpoint was never hit in MJ_CREATE.

I will further look into symbols, but I did point to the symbol server and was able to set breakpoints locally.

You wouldn’t see a breakpoint, because this has not jumped into your
driver – it has jumped into empty space. It looks like your
DRIVER_OBJECT contains a bad address in the IRP_MJ_CREATE spot. Have
you modified DriverEntry or one of the routines it calls, such that you
might be interfering with the setup of the callbacks? Have you set a
breakpoint in DriverEntry to check all of the pointers?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Easier: You have the crash… look at the first entry in the MajorFunction vector in the Device Object… what does it contain/point to?

Peter
OSR

Thanks for all your help. By checking the pointer and doing an ASSERT I was able to find exactly where I passed the wrong object in and whacked the pointer.

Your help saved me days.

Regards,
Rob
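Tim's diagnosis (a bad address in the IRP_MJ_CREATE slot of the DRIVER_OBJECT), Peter's suggestion (look at the first entry of the MajorFunction vector) and Rob's fix (check the pointer with an ASSERT) all amount to one check: every dispatch slot must still hold a routine DriverEntry installed. The C below is an added example, not code from this thread, the poster's driver, or Microsoft's WFP sample. It is a host-side model: the NTSTATUS values and IRP_MJ_* indices are the real ones, but the DRIVER_OBJECT, DEVICE_OBJECT and IRP structs, the WORKER_CONTEXT type and every routine name are simplified stand-ins so it compiles and runs outside the kernel. It installs a dispatch table, validates it, reproduces the wrong-object write that clobbers slot 0, and shows a guarded call that reports the corrupted slot instead of jumping to it.

```c
/* Host-side model, constructed for this example: simplified stand-ins for the
 * WDK types, not the poster's driver and not the WFP sample. */
#include <stdio.h>
#include <stdint.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_DRIVER_INTERNAL_ERROR  ((NTSTATUS)0xC0000183L)

#define IRP_MJ_CREATE           0x00
#define IRP_MJ_CLOSE            0x02
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

typedef struct _DEVICE_OBJECT { int Unused; } DEVICE_OBJECT;
typedef struct _IRP {
    unsigned char MajorFunction;   /* which slot the I/O manager will call */
    NTSTATUS      Status;          /* stands in for IoStatus.Status */
} IRP;
typedef NTSTATUS (*PDRIVER_DISPATCH)(DEVICE_OBJECT *, IRP *);

typedef struct _DRIVER_OBJECT {
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;

/* Hypothetical per-device context for the worker thread. Its first field sits
 * at the same offset as MajorFunction[IRP_MJ_CREATE], so a write through the
 * wrong object pointer lands exactly on the slot the crash stack points at. */
typedef struct _WORKER_CONTEXT { void *ThreadHandle; } WORKER_CONTEXT;

static NTSTATUS DispatchUnsupported(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    irp->Status = STATUS_INVALID_DEVICE_REQUEST;
    return STATUS_INVALID_DEVICE_REQUEST;
}

/* Same shape as the poster's create handler: complete with success. */
static NTSTATUS DispatchCreateClose(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    irp->Status = STATUS_SUCCESS;
    return STATUS_SUCCESS;
}

static NTSTATUS DispatchDeviceControl(DEVICE_OBJECT *dev, IRP *irp)
{
    (void)dev;
    irp->Status = STATUS_SUCCESS;
    return STATUS_SUCCESS;
}

/* What DriverEntry does: give every slot a defined routine, then install the
 * ones this driver implements. */
void SetupDispatchTable(DRIVER_OBJECT *drv)
{
    int i;
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        drv->MajorFunction[i] = DispatchUnsupported;
    drv->MajorFunction[IRP_MJ_CREATE]         = DispatchCreateClose;
    drv->MajorFunction[IRP_MJ_CLOSE]          = DispatchCreateClose;
    drv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
}

/* The check from the thread, as code: every slot must still hold one of the
 * routines DriverEntry installed. Returns -1 if intact, else the first bad index. */
int FindCorruptedDispatchSlot(const DRIVER_OBJECT *drv)
{
    static const PDRIVER_DISPATCH known[] = {
        DispatchUnsupported, DispatchCreateClose, DispatchDeviceControl
    };
    int i, j;
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        int ok = 0;
        for (j = 0; j < (int)(sizeof known / sizeof known[0]); j++)
            if (drv->MajorFunction[i] == known[j]) { ok = 1; break; }
        if (!ok)
            return i;
    }
    return -1;
}

/* Guarded stand-in for the jump nt!IofCallDriver made: verify the table before
 * calling through it, so a clobbered entry is reported rather than executed. */
NTSTATUS GuardedCallDriver(DRIVER_OBJECT *drv, DEVICE_OBJECT *dev, IRP *irp)
{
    int bad;
    if (irp->MajorFunction > IRP_MJ_MAXIMUM_FUNCTION)
        return STATUS_INVALID_DEVICE_REQUEST;
    bad = FindCorruptedDispatchSlot(drv);
    if (bad >= 0) {
        fprintf(stderr, "MajorFunction[0x%02x] = %p is not a routine this driver installed\n",
                bad, (void *)(uintptr_t)drv->MajorFunction[bad]);
        irp->Status = STATUS_DRIVER_INTERNAL_ERROR;
        return STATUS_DRIVER_INTERNAL_ERROR;
    }
    return drv->MajorFunction[irp->MajorFunction](dev, irp);
}

static void InitWorkerContext(WORKER_CONTEXT *ctx, void *threadHandle)
{
    ctx->ThreadHandle = threadHandle;
}

/* Reproduces the thread's failure mode: the routine expecting the worker
 * context is handed the DRIVER_OBJECT instead (the cast is the bug). The
 * value written is the unknown-module address from the posted crash stack. */
void SimulateWrongObjectWrite(DRIVER_OBJECT *drv)
{
    InitWorkerContext((WORKER_CONTEXT *)drv, (void *)(uintptr_t)0x836a4422);
}

int main(void)
{
    DRIVER_OBJECT drv;
    DEVICE_OBJECT dev = { 0 };
    IRP irp = { IRP_MJ_CREATE, 0 };

    SetupDispatchTable(&drv);
    printf("intact: bad slot = %d, create status = 0x%lx\n",
           FindCorruptedDispatchSlot(&drv), (unsigned long)GuardedCallDriver(&drv, &dev, &irp));
    SimulateWrongObjectWrite(&drv);
    printf("after wrong-object write: bad slot = %d, create status = 0x%lx\n",
           FindCorruptedDispatchSlot(&drv), (unsigned long)GuardedCallDriver(&drv, &dev, &irp));
    return 0;
}
```

In a real driver the equivalent of FindCorruptedDispatchSlot is the ASSERT Rob added, placed right after the suspect call; in the debugger it is `!drvobj <driver> 7`, which dumps the dispatch table so the bad entry shows up next to the routines that belong there.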