When System load KERNEL.dll my create dispatch routine intercept IRP_MJ_CREATE request,but impletmen

NTFSD
1

I want to printing all filename,when i intercept IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL"); // For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”, sourceName.Buffer);

if ( savedFileObject->FileName.Buffer && !(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name, &savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer );
if ( strstr(chDestPathName, chSourcePathName) != NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); // print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”, (&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

2

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

3

I want to printing all filename,when i intercept IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL"); // For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”, sourceName.Buffer);

if ( savedFileObject->FileName.Buffer && !(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name, &savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer );
if ( strstr(chDestPathName, chSourcePathName) != NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); // print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”, (&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

4

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

5

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

6

I want to printing all filename,when i intercept IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL"); // For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”, sourceName.Buffer);

if ( savedFileObject->FileName.Buffer && !(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name, &savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer );
if ( strstr(chDestPathName, chSourcePathName) != NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); // print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”, (&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

7

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

8

I want to printing all filename,when i intercept IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL"); // For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”, sourceName.Buffer);

if ( savedFileObject->FileName.Buffer && !(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name, &savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer );
if ( strstr(chDestPathName, chSourcePathName) != NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); // print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”, (&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

9

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

10

I want to printing all filename,when i intercept IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL"); // For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”, sourceName.Buffer);

if ( savedFileObject->FileName.Buffer && !(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name, &savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer );
if ( strstr(chDestPathName, chSourcePathName) != NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); // print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”, (&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

11

Make PDB file for your driver,
do the system crash with crash dump set to on,
and run Windbg on the “memory.dmp”.
It will show you exact source code
and line number where the crash occurred.

After that, you will probably know more …

L.

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@helpco.kiev.ua
To unsubscribe send a blank email to xxxxx@lists.osr.com

12

Most likely the reason you are crashing is that you
are not handling the reentrancy into your driver that
happens when you call ZwCreateFile. You can look at
the archives of this list for many complete
discussions of this issue. Read the FAQ about shadow
devices and search the archives for
IoCreateFileSpecifyDeviceObjectHint or sometimes
CreateWithHint as Neal refers to it.

Also, unicode strings are not always NULL terminated,
so sprintf’ing them is not safe. Things will appear
to work for a while and then it will blow up at weird
times.

xxxxx@lenovo.com wrote:

I want to printing all filename,when i intercept
IRP_MJ_CREATE request in
my MySfCreate routine.
It’s work well,but when the current file is
KERNEL.DLL the system crash.Who
can tell me this is why?

My MySfCreate routine code is below:

RtlInitUnicodeString( &sourceName, L"KERNEL32.DLL");
// For example
KERNEL.DLL or other system file
sprintf( chSourcePathName, “%ws”,
sourceName.Buffer);

if ( savedFileObject->FileName.Buffer &&
!(savedFileObject->Flags &
FO_DIRECT_DEVICE_OPEN ) )
{
RtlCopyUnicodeString( &name,
&savedFileObject->FileName);
sprintf(chDestPathName, “%ws”, (&name)->Buffer
);
if ( strstr(chDestPathName, chSourcePathName)
!= NULL )
{
sprintf(pszTmp, “sfilter - SfCreate: File
Name: %ws\n”, (&name)
->Buffer );
WriteToLine(pszTmp, strlen(pszTmp)); //
print the current
filename to log file.

}
//
// Print all Creating or Openning filename
//
sprintf(pszTmp, “File Name: %ws\n”,
(&name)->Buffer );
WriteToLine(pszTmp, strlen(pszTmp));
}

WriteToLine use ZwCreateFile,ZwWriteFile function to
Create,Write log file.

When impletment ZwCreateFile,the system crash.

BugCheck code is
UNEXPECTED_HERNEL_MODE_TRAP(0x00000008,
0x00000000,0x00000000,0x00000000)

Who can help me ?

Best Regards

Ken Wang

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as:
xxxxx@yahoo.com
To unsubscribe send a blank email to
xxxxx@lists.osr.com