Hello everybody
Iam having problem in my upper volume filter driver code in opening
handle of a file in NTFS VOLUME using
zwcreatefile in file system filter driver’s notification routine .
The same code is running properly for FAT32
VOLUME.
******************************************************************************************
Please Tell me Whether this is the problem of the driver code or some
thing else.
********************************************************************************************
Also i checked the irql at which the Zwcreatefile function is called
and it comes to be irql=0; in the dbgprint before the zwcreatefile
function.
The program crashes when zwcreatefile function is called in case when
the OS is on NTFS VOLUME and the file is also present on the OS
Drive.
I am also sending the kind of error i am getting .
VOID DriverNotificationFunction (
IN struct _DEVICE_OBJECT *DeviceObject,
IN BOOLEAN FsActive
)
{
NTSTATUS Status2 ;
NTSTATUS Status ;
HANDLE FileHandle2;
OBJECT_ATTRIBUTES InitializedAttributes2;
IO_STATUS_BLOCK IoStatusBlock2;
UNICODE_STRING uStr;
UNICODE_STRING uStr2;
KIRQL oldirql;
PDEVICE_EXTENSION deviceExtension;
PIRP pIrp=NULL;
PWCHAR ExportKeyPrefix = L"\??\D:\tempdata.txt";
ULONG ExportKeyPrefixSize = sizeof(L"\??\D:\tempdata.txt");
PWCHAR pFullPath = (PWCHAR) ExAllocatePoolWithTag(PagedPool, 4096, ‘0PWA’);
PAGED_CODE();
gpFileBuffer=ExAllocatePool(NonPagedPool,1024);
RtlCopyMemory(pFullPath,
ExportKeyPrefix,
ExportKeyPrefixSize);
RtlInitUnicodeString(&uStr2, pFullPath);
DbgBreakPoint();
InitializeObjectAttributes(&InitializedAttributes2,&uStr2,OBJ_CASE_INSENSITIVE
| OBJ_KERNEL_HANDLE,NULL,NULL);
oldirql=KeGetCurrentIrql();
DbgPrint(“BEFORE ZwCreateFile IRQL:%d \n”, oldirql);
Status2 = ZwCreateFile( &FileHandle2,
SYNCHRONIZE|FILE_READ_DATA,
&InitializedAttributes2,
&IoStatusBlock2,
NULL,
0,
0,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,
NULL,
0);
if (Status2!=STATUS_SUCCESS)
{
DbgPrint(“Error in opening file \n”);
return Status2;
}
else
{
DbgPrint(“file opened successfully\n”);
}
Status= ZwReadFile(
FileHandle2,
NULL,
NULL,
NULL,
&IoStatusBlock2,
gpFileBuffer,
1024,
0,
NULL
);
if(NT_SUCCESS(Status2))
{
gFileOpenFlag=1;
gFileHandle=FileHandle2;
ZwClose(FileHandle2);
}
ExFreePool (pFullPath);
}
Error I am getting
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8042d5b4, address which referenced memory
Debugging Details:
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 8042c068 to 80452e70
STACK_TEXT:
ed4335b0 8042c068 00000003 00000000 8042d5b4
nt!MmMapLockedPagesSpecifyCache+0x48
ed433938 80464b1f 00000000 00000000 00000002 nt!IopWriteDriverList+0xa6
ed433954 8188aee8 ed4339e0 bff19f82 818896c8 nt!MiFlushRelease+0x3e5
WARNING: Frame IP not in any known module. Following frames may be wrong.
bff19fff 530cec83 56085d8b 144b8b57 a7bc15ff 0x8188aee8
ec8b55c3 00000000 00000000 00000000 00000000 0x530cec83
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!IopCreateSummaryDump+cf
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
BUCKET_ID: 0xA_W_VRF_nt!IopCreateSummaryDump+cf
Followup: MachineOwner
I am really stuck at this point.
Thanking in advance
santosh k