Hello everybody
Iam having problem in opening handle of a file in NTFS VOLUME using
zwcreatefile in DriverNotificationFunction which is called everytime
a file system is loaded . The same code is running properly for FAT32
VOLUME.
The program crashes when zwcreatefile function is called in case of NTFS VOLUME.
I am also sending the kind of error i am getting .
VOID DriverNotificationFunction (
IN struct _DEVICE_OBJECT *DeviceObject,
IN BOOLEAN FsActive
)
{
NTSTATUS Status2 ;
NTSTATUS Status ;
HANDLE FileHandle2;
OBJECT_ATTRIBUTES InitializedAttributes2;
IO_STATUS_BLOCK IoStatusBlock2;
UNICODE_STRING uStr;
UNICODE_STRING uStr2;
PDEVICE_EXTENSION deviceExtension;
PIRP pIrp=NULL;
PWCHAR ExportKeyPrefix = L"\??\D:\tempdata.txt";
ULONG ExportKeyPrefixSize = sizeof(L"\??\D:\tempdata.txt");
PWCHAR pFullPath = (PWCHAR) ExAllocatePoolWithTag(PagedPool, 4096, ‘0PWA’);
PAGED_CODE();
gpFileBuffer=ExAllocatePool(NonPagedPool,1024);
RtlCopyMemory(pFullPath,
ExportKeyPrefix,
ExportKeyPrefixSize);
RtlInitUnicodeString(&uStr2, pFullPath);
DbgBreakPoint();
InitializeObjectAttributes(&InitializedAttributes2,&uStr2,OBJ_CASE_INSENSITIVE
| OBJ_KERNEL_HANDLE,NULL,NULL);
Status2 = ZwCreateFile( &FileHandle2,
SYNCHRONIZE|FILE_READ_DATA,
&InitializedAttributes2,
&IoStatusBlock2,
NULL,
0,
0,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_NON_DIRECTORY_FILE,
NULL,
0);
if (Status2!=STATUS_SUCCESS)
{
DbgPrint(“Error in opening file \n”);
return Status2;
}
else
{
DbgPrint(“file opened successfully\n”);
}
Status= ZwReadFile(
FileHandle2,
NULL,
NULL,
NULL,
&IoStatusBlock2,
gpFileBuffer,
1024,
0,
NULL
);
if(NT_SUCCESS(Status2))
{
gFileOpenFlag=1;
gFileHandle=FileHandle2;
ZwClose(FileHandle2);
}
ExFreePool (pFullPath);
}
Error I am getting
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8042d5b4, address which referenced memory
Debugging Details:
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 8042c068 to 80452e70
STACK_TEXT:
ed4335b0 8042c068 00000003 00000000 8042d5b4
nt!MmMapLockedPagesSpecifyCache+0x48
ed433938 80464b1f 00000000 00000000 00000002 nt!IopWriteDriverList+0xa6
ed433954 8188aee8 ed4339e0 bff19f82 818896c8 nt!MiFlushRelease+0x3e5
WARNING: Frame IP not in any known module. Following frames may be wrong.
bff19fff 530cec83 56085d8b 144b8b57 a7bc15ff 0x8188aee8
ec8b55c3 00000000 00000000 00000000 00000000 0x530cec83
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!IopCreateSummaryDump+cf
8042d5b4 8939 mov [ecx],edi
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!IopCreateSummaryDump+cf
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 384d9b17
BUCKET_ID: 0xA_W_VRF_nt!IopCreateSummaryDump+cf
Followup: MachineOwner
I am really stuck at this point.
Thanking in advance
santosh k