Re: Getting handle from object pointer in ObjectPreCallback routine

I got the same BSOD: ObOpenObjectByPointer calls back into
ObjectPreProcessCallback.
and the !analyze -v result is:

83d32c14 83ceca59 nt!KiBugCheckDebugBreak+0x1c
83d32fdc 83c5461c nt!KeBugCheck2+0x68b
83d32fdc 83c4c391 nt!KiTrap08+0x75
8d032ffc 83e8a43d nt!ObReferenceObjectByPointerWithTag+0x2
8d033168 83e8a523 nt!ObOpenObjectByPointerWithTag+0x40
8d033190 8f5c88a3 nt!ObOpenObjectByPointer+0x24
8d0331c0 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43
8d033208 83ee2fad nt!ObpCallPreOperationCallbacks+0x163
8d033250 83e31c4a nt!ObpPreInterceptHandleCreate+0x6f
8d0332b0 83e8a4be nt!ObpCreateHandle+0x219
8d033430 83e8a523 nt!ObOpenObjectByPointerWithTag+0xc1
8d033458 8f5c88a3 nt!ObOpenObjectByPointer+0x24
8d033488 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43
8d0334d0 83ee2fad nt!ObpCallPreOperationCallbacks+0x163
8d033518 83e31c4a nt!ObpPreInterceptHandleCreate+0x6f
8d033578 83e8a4be nt!ObpCreateHandle+0x219
8d0336f8 83e8a523 nt!ObOpenObjectByPointerWithTag+0xc1
8d033720 8f5c88a3 nt!ObOpenObjectByPointer+0x24
8d033750 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43

On Mon, Mar 23, 2009 at 10:26 AM, wrote:

> I tried specifying *IoFileObjectType but I got an error status C0000024
> (STATUS_OBJECT_TYPE_MISMATCH).
>
> I guess that’s because the pointer is a pointer to a process or thread
> object. So I specify *PsProcessType instead and I get the bugcheck.
>
> 7F, {8, 8014C000, 0, 0}
>
> Maybe I’ll just show you what my code for the object looks like:
>
> OB_PREOP_CALLBACK_STATUS ObjectPreProcessCallback(
> IN PVOID RegistrationContext,
> IN POB_PRE_OPERATION_INFORMATION OperationInformation
> ){
>
> NTSTATUS status;
> HANDLE handle;
> PUNICODE_STRING puszTargetImageName;
> ULONG ulReturnedLength;
>
> HANDLE hPID = PsGetCurrentProcessId();
>
> KdPrint((“In ObjectPreProcessCallback()…\n”));
>
> if(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
> {
> // Try and identify the target process of the handle open
> // CRASH AND BURN RIGHT HERE…
> if(!NT_SUCCESS(status =
> ObOpenObjectByPointer(OperationInformation->Object, OBJ_KERNEL_HANDLE, NULL,
> 0, *PsProcessType, KernelMode, &handle)))
> {
> KdPrint((“ObOpenObjectByPointer failed. status:
> %08x\n”, status));
> goto SkipTargetProcessLookup;
> }
>
> // step one - get the size of the string we need
> status = ZwQueryInformationProcess(handle,
> ProcessImageFileName, NULL, 0, &ulReturnedLength);
> if(status != STATUS_INFO_LENGTH_MISMATCH)
> {
> KdPrint((“Status status info length mismatch\n”));
> goto SkipTargetProcessLookup;
> }
> KdPrint((“Buffer length required: %d\n”, ulReturnedLength));
> if(!(puszTargetImageName =
> (PUNICODE_STRING)ExAllocatePoolWithTag(
> NonPagedPool,
> ulReturnedLength,
> ‘PROC’)))
> {
> KdPrint((“Failed to allocate memory for
> UNICODE_STRING\n”));
> goto SkipTargetProcessLookup;
> }
> puszTargetImageName->Length =0;
> puszTargetImageName->MaximumLength =
> (USHORT)ulReturnedLength - sizeof(UNICODE_STRING);
>
> // step two - get the image path name
> status = ZwQueryInformationProcess(handle
> ,ProcessImageFileName, (PVOID)puszTargetImageName, ulReturnedLength,
> &ulReturnedLength);
> if(!NT_SUCCESS(status))
> {
> KdPrint((“Failed to obtain process name.
> Status=%08x\n”, status));
> ExFreePool(puszTargetImageName);
> goto SkipTargetProcessLookup;
> }
> // Print the process name - for testing…
> KdPrint((“Obtained the full process name: %wZ\n”,
> puszTargetImageName));
>
> SkipTargetProcessLookup:
> // close the handle
> if(handle) ZwClose(handle);
>
> —
>

Do you see the recursive loop? Calling ObOpenObjectByPointer from inside the pre-operation callback opens a new handle, which runs the same callback again, and that repeats until the kernel stack is exhausted (the KiTrap08 frame at the top of the stack above).

I don't know how others do it, but I convert the process object to a PEPROCESS and then
look it up in my hash table (maintained in my PsSetCreateProcessNotifyRoutine
callback).

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of wu dong
Sent: Monday, March 21, 2011 10:19 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Getting handle from object pointer in ObjectPreCallback
routine

I got the same BSOD: ObOpenObjectByPointer calls back into
ObjectPreProcessCallback.

and the !analyze -v result is:

83d32c14 83ceca59 nt!KiBugCheckDebugBreak+0x1c

83d32fdc 83c5461c nt!KeBugCheck2+0x68b

83d32fdc 83c4c391 nt!KiTrap08+0x75

8d032ffc 83e8a43d nt!ObReferenceObjectByPointerWithTag+0x2

8d033168 83e8a523 nt!ObOpenObjectByPointerWithTag+0x40

8d033190 8f5c88a3 nt!ObOpenObjectByPointer+0x24

8d0331c0 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43

8d033208 83ee2fad nt!ObpCallPreOperationCallbacks+0x163

8d033250 83e31c4a nt!ObpPreInterceptHandleCreate+0x6f

8d0332b0 83e8a4be nt!ObpCreateHandle+0x219

8d033430 83e8a523 nt!ObOpenObjectByPointerWithTag+0xc1

8d033458 8f5c88a3 nt!ObOpenObjectByPointer+0x24

8d033488 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43

8d0334d0 83ee2fad nt!ObpCallPreOperationCallbacks+0x163

8d033518 83e31c4a nt!ObpPreInterceptHandleCreate+0x6f

8d033578 83e8a4be nt!ObpCreateHandle+0x219

8d0336f8 83e8a523 nt!ObOpenObjectByPointerWithTag+0xc1

8d033720 8f5c88a3 nt!ObOpenObjectByPointer+0x24

8d033750 83ee2dc0 xxxxxx!PreProcCreateRoutine+0x43

On Mon, Mar 23, 2009 at 10:26 AM, wrote:

I tried specifying *IoFileObjectType but I got an error status C0000024
(STATUS_OBJECT_TYPE_MISMATCH).

I guess that’s because the pointer is a pointer to a process or thread
object. So I specify *PsProcessType instead and I get the bugcheck.

7F, {8, 8014C000, 0, 0}

Maybe I’ll just show you what my code for the object looks like:

OB_PREOP_CALLBACK_STATUS ObjectPreProcessCallback(
IN PVOID RegistrationContext,
IN POB_PRE_OPERATION_INFORMATION OperationInformation
){

NTSTATUS status;
HANDLE handle;
PUNICODE_STRING puszTargetImageName;
ULONG ulReturnedLength;

HANDLE hPID = PsGetCurrentProcessId();

KdPrint((“In ObjectPreProcessCallback()…\n”));

if(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
// Try and identify the target process of the handle open
// CRASH AND BURN RIGHT HERE…
if(!NT_SUCCESS(status =
ObOpenObjectByPointer(OperationInformation->Object, OBJ_KERNEL_HANDLE, NULL,
0, *PsProcessType, KernelMode, &handle)))
{
KdPrint((“ObOpenObjectByPointer failed. status:
%08x\n”, status));
goto SkipTargetProcessLookup;
}

// step one - get the size of the string we need
status = ZwQueryInformationProcess(handle,
ProcessImageFileName, NULL, 0, &ulReturnedLength);
if(status != STATUS_INFO_LENGTH_MISMATCH)
{
KdPrint((“Status status info length mismatch\n”));
goto SkipTargetProcessLookup;
}
KdPrint((“Buffer length required: %d\n”, ulReturnedLength));
if(!(puszTargetImageName =
(PUNICODE_STRING)ExAllocatePoolWithTag(
NonPagedPool,
ulReturnedLength,
‘PROC’)))
{
KdPrint((“Failed to allocate memory for
UNICODE_STRING\n”));
goto SkipTargetProcessLookup;
}
puszTargetImageName->Length =0;
puszTargetImageName->MaximumLength = (USHORT)ulReturnedLength
- sizeof(UNICODE_STRING);

// step two - get the image path name
status = ZwQueryInformationProcess(handle
,ProcessImageFileName, (PVOID)puszTargetImageName, ulReturnedLength,
&ulReturnedLength);
if(!NT_SUCCESS(status))
{
KdPrint((“Failed to obtain process name.
Status=%08x\n”, status));
ExFreePool(puszTargetImageName);
goto SkipTargetProcessLookup;
}
// Print the process name - for testing…
KdPrint((“Obtained the full process name: %wZ\n”,
puszTargetImageName));

SkipTargetProcessLookup:
// close the handle
if(handle) ZwClose(handle);


