STOP 0x0000007f, compatibility issue.

Dear All,

I am working on a security application specifically for the Windows 2000 NTFS
file system and have developed a “file system filter driver” to implement
it. The driver follows the same pattern as FileSpy (FileSpy
is a sample file system filter driver provided in the IFS kit).

The application works fine when installed on a fresh Windows 2000 machine
and functions properly. But when it is installed on a machine with Symantec
Norton Antivirus installed on it, the system crashes with a stop code

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)

UNEXPECTED_KERNEL_MODE_TRAP

//////////////////////

According to my research:

The issue of incompatibility occurs because there is a limited amount of
kernel space available for kernel drivers. For Windows 2000, this limit is
12 KB. If the operating system runs out of kernel space, then the computer
displays a blue screen error message.

Most anti-virus software uses filter drivers (device drivers) that work in
conjunction with a service to scan for viruses. These filter drivers are
still loaded after the service is deactivated. These filter drivers scan
files as they are opened and closed on a hard disk. And the Symantec filter
driver is called “symevent.sys”.

In my case, when my application is installed on a machine with Norton
Antivirus installed on it, the driver allocates its kernel space and at the same
time Norton loads the SymEvent.sys filter driver. So this kernel-mode scanning
driver (SymEvent.sys) is unable to allocate buffer space when it calls the
file system to map a portion of a disk file in memory. And when a system has
insufficient kernel-mode memory, NTFS can’t allocate the requested buffer and
sometimes can’t allocate enough memory to indicate the buffer request failed.
In this situation, the system crashes with the 0x07F Stop message.

//////////////////////

So is there any way to run Norton Antivirus and my application at the same
time? Is there any way to place our driver on top of the Norton SymEvent.sys
driver? Or is there any alternative way?

Please send your valuable suggestions. Also, feel free to contact me for
further clarifications in this regard.

Waiting for your reply,

Thanks

Regards,

Rohit

> and functions properly. But when it is installed on a machine with Symantec
> Norton Antivirus installed on it, the system crashes with a stop code
>
> STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
>
> UNEXPECTED_KERNEL_MODE_TRAP

Kernel stack overflow.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Try reading the rest of his message; he figured that much out.
I believe OSR’s IFS FAQ has an answer to this specific question (kernel stack
overflow).

“Maxim S. Shatskih” wrote:

> > and functions properly. But when it is installed on a machine with Symantec
> > Norton Antivirus installed on it, the system crashes with a stop code
> > STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
> >
> > UNEXPECTED_KERNEL_MODE_TRAP
>
> Kernel stack overflow.


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.

Exactly! This is the error that occurs. “NTFS…Buffer overflow error” is generated
as soon as I run my application along with Norton Antivirus.

But my application works fine without Norton Antivirus. It’s the SymEvent.sys
filter driver of Norton that creates the incompatibility (when I
temporarily disable this driver, my application runs fine!).

So is there any way to solve this problem? I need my application to
run on NAV also.
Please suggest.

Rohit


> But my application works fine without Norton Antivirus. It’s the
> SymEvent.sys filter driver of Norton that creates the incompatibility (when I
> temporarily disable this driver, my application runs fine!).

No, symevent.sys is probably not to blame for the problem.
If you add another filter to the device stack, it may happen that a stack
overflow occurs. Don’t you have some large stack structures
in some of your IRP dispatch routines?

e.g. WCHAR FileName[400], etc.

L.

Blaming NAV for stack overflows in situations like this is
inappropriate. Have you tried your software with OTHER filters? Other
AV products? How about with FileMon? Turn on Verifier as well - each
of these will consume additional stack space. Do you blame each of them
in turn as you begin to see stack overflows?

The way to solve this problem is to decrease your own utilization of
stack space. Here’s a simple strategy to follow:

In your driver’s dispatch entry point, take all of your local variables
and put them in a structure. On entry to your dispatch routine,
allocate (from non-paged pool) one of those structures. On exit from
your dispatch routine, free the structure. That will decrease your
stack utilization. You can do the same thing in your completion
routine(s).

You can also add stack size detection code and POST (when safe)
operations that have used “too much” stack.

Symevent uses a strategy of switching into its own stack area. That’s a
complex strategy that allows them to minimize THEIR use of stack space -
which is one reason that I seriously doubt this is an NAV problem.

We’ve been able to successfully work in environments in which multiple
filters are installed and working, but it does take some work to
minimize stack utilization…

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

While the OP most likely is being injudicious in his use of stack space,
there is another possibility here. Symevent calls ZwCreateFile in its
create dispatch routine. If the OP is doing the same, without recognizing
the recursion, then the stack will be recursed to death.

He should look at the stack, and see WHY it is being exhausted. (Use dds
to tear apart the stack after the symevent stack switch.)

Also, in addition to Tony’s good advice regarding frugality in stack usage,
I recommend calling IoCallDriver as high as possible in your call
structure. That is, try to do it from your dispatch routine if at all
possible, not six calls deep.

- Dan.


Dear Mr Zezula,

You are very correct that I have used a lot of WCHAR filename[200] in my
dispatch routines. So will this problem be solved if I allocate and
deallocate this memory dynamically?

Since I need to locate the first occurrence of a substring within a string
in my application, I used the function wcsstr():
//wchar_t *wcsstr(wchar_t *ws1, wchar_t *ws2);

Here is a small piece of code I have repeatedly written in my application:
////////////////////////////////
WCHAR whetherInBuffer[200];          // 400 bytes on the kernel stack
PUNICODE_STRING fileName;            // I get the filename in this string

// UNICODE_STRING.Length is in bytes, so this admits at most 199 WCHARs
// plus the terminator
if (fileName->Length < (2 * 200)) {

    int i = 0;
    for (i = 0; i < fileName->Length / 2; i++) {
        whetherInBuffer[i] = fileName->Buffer[i];
    }
    whetherInBuffer[i] = L'\0';
    _wcsupr(whetherInBuffer);

    // And then I accomplish my task of locating the first occurrence of
    // a substring within the string using wcsstr(); the search string is
    // a wide literal so that it matches the WCHAR buffer
    if (wcsstr(whetherInBuffer, L"SUBSTR")) {

    }
}
////////////////////////////////

Is there any wcsstr equivalent provided in the DDK/IFS kit, so as to avoid WCHARs
and free some stack space? Please suggest.

Regards,
Rohit


> So will this problem be solved if I allocate and
> deallocate this memory dynamically?

Yes, it should. You have to remember that
one “WCHAR filename[200]” occupies 400 bytes
on the stack. The kernel stack is, AFAIK, 16 KB.
You had better allocate the memory from nonpaged
pool; then you decrease stack usage to 4 bytes
(size of one pointer). Or you can follow the advice
that Tony gave you.

And also, try to use lookaside lists instead of
ExAllocatePool, especially in your dispatch routines.
You will prevent fragmentation of paged pool,
which can lead to memory exhaustion after
some time of work.

L.
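
The strategy Tony and Ladislav describe, applied to Rohit’s name-matching snippet, as an added example that is not code from the original thread: the per-request locals (the WCHAR[200] buffer) move into a context structure allocated on entry and freed on exit, so the dispatch routine’s frame keeps only a pointer. It is written as user-mode C so it compiles anywhere; malloc/free are assumed stand-ins for ExAllocateFromNPagedLookasideList/ExFreeToNPagedLookasideList, the UNICODE_STRING is a minimal look-alike (Length in bytes, as in the DDK), and NameContains, MatchLiteral and StackBytesSaved are hypothetical names.

```c
#include <stdlib.h>
#include <wchar.h>
#include <wctype.h>

/* Minimal look-alike of the DDK UNICODE_STRING; Length is in BYTES, not characters. */
typedef struct { unsigned short Length; unsigned short MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
#define NAME_CHARS 200

/* Everything that used to be a local of the create dispatch routine lives here.
 * Allocated per request, so the stack frame keeps one pointer instead of the array. */
typedef struct {
    wchar_t whetherInBuffer[NAME_CHARS + 1];  /* +1 leaves room for the terminator */
} CREATE_CONTEXT;

/* Assumed stand-ins: in a driver these would be ExAllocateFromNPagedLookasideList
 * and ExFreeToNPagedLookasideList on a list initialised in DriverEntry. */
static CREATE_CONTEXT *AllocContext(void) { return (CREATE_CONTEXT *)malloc(sizeof(CREATE_CONTEXT)); }
static void FreeContext(CREATE_CONTEXT *ctx) { free(ctx); }

/* Upper-cases the file name into the context and searches it for `needle`.
 * Returns 1 on a match, 0 on no match, -1 if the name does not fit or allocation failed. */
int NameContains(const UNICODE_STRING *fileName, const wchar_t *needle)
{
    size_t chars = fileName->Length / sizeof(wchar_t);   /* bytes -> characters */
    CREATE_CONTEXT *ctx = AllocContext();
    int found = -1;
    if (ctx == NULL)
        return -1;
    if (chars <= NAME_CHARS) {
        size_t i;
        for (i = 0; i < chars; i++)
            ctx->whetherInBuffer[i] = (wchar_t)towupper((wint_t)fileName->Buffer[i]);
        ctx->whetherInBuffer[i] = L'\0';
        found = (wcsstr(ctx->whetherInBuffer, needle) != NULL);
    }
    FreeContext(ctx);   /* always paired with the allocation on entry */
    return found;
}

/* Builds the UNICODE_STRING from a constructed literal (no real IRP here) and runs the check. */
int MatchLiteral(const wchar_t *name, const wchar_t *needle)
{
    UNICODE_STRING us = { (unsigned short)(wcslen(name) * sizeof(wchar_t)), 0, (wchar_t *)name };
    return NameContains(&us, needle);
}

/* Bytes no longer consumed on the stack per call: 402 - 4 on Windows, where wchar_t
 * is 2 bytes (glibc uses a 4-byte wchar_t, so the figure is larger there). */
size_t StackBytesSaved(void) { return sizeof(CREATE_CONTEXT) - sizeof(CREATE_CONTEXT *); }
```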

Thanks a lot for the quick and valuable suggestion.

Is there any API equivalent to wcsstr in kernel mode (in which we don’t
require WCHARs)?

I analysed the dump using the DbgView application and got the following debug
print:
“NTFS: Stack space low. Posting Create Request.”

Also, this error came during the Create routine.

Does this error confirm what you suggested in previous mails?

Regards,
Rohit


> Is there any API equivalent to wcsstr in kernel mode (in which we don’t
> require WCHARs)?

I think you should use WCHARs. The whole kernel is built
on Unicode, why break the philosophy?
The problem is not in WCHAR
vs. CHAR, but in the in-stack variables. You can use wcsstr
(and strstr) in kernel mode as well (exported by NTOSKRNL.exe
since NT4).

> “NTFS: Stack space low. Posting Create Request.”
> Does this error confirm what you suggested in previous mails?

Yes. The error says “Oops, there is not too much space
in the stack because someone has eaten it,
so I will have to complete the create request another way.”

L.

Thanks a lot! I will do the same and revert soon.
