ZwLoadDriver/ZwUnloadDriver Question

I am debugging a driver under a stress condition on Win7. I have a kernel mode driver “MyDriver” which I am loading from another driver. “MyDriver” I am loading and unloading via ZwLoadDriver/ZwUnloadDriver. ZwLoadDriver/ZwUnloadDriver is a serialized process. After I call ZwUnloadDriver I wait at least 2 seconds and then call ZwLoadDriver again. Doing this load/unload multiple times at some point causes me a page fault. And I have narrowed down that the page fault happens when ZwLoadDriver tries to load the driver image at an address already used by a load which happened earlier, a couple of loads back…

So my question is: how can I find out whether memory is properly being cleaned up after ZwUnloadDriver happens?
Or am I missing something very obvious under Win7? My driver is being built using the new 7600 WDK under the WinXP build env. Not sure if that should matter any… I even tried the Win7 env, still the same behavior…

Thanks in advance…

xxxxx@yahoo.com wrote:

I am debugging a driver under a stress condition on Win7. I have a kernel mode driver “MyDriver” which I am loading from another driver. “MyDriver” I am loading and unloading via ZwLoadDriver/ZwUnloadDriver. ZwLoadDriver/ZwUnloadDriver is a serialized process. After I call ZwUnloadDriver I wait at least 2 seconds and then call ZwLoadDriver again. Doing this load/unload multiple times at some point causes me a page fault. And I have narrowed down that the page fault happens when ZwLoadDriver tries to load the driver image at an address already used by a load which happened earlier, a couple of loads back…

Is this strictly a load/unload test, or are you actually using the
driver in between? Remember that ZwUnloadDriver is an “unfriendly” API
that can force the driver to be unloaded even if it is still in use. If
you have outstanding callbacks, or outstanding pointers into the driver,
this is eventually going to cause problems.

Is there a reason you can’t just use an import driver? That way, the
system manages its lifetime.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Is your driver's Unload routine called? If it is not, your driver has open references to Device Objects.

Igor Sharovar

Tim, your response is much appreciated…
Yes, I am using the driver in between, and as part of the process of finishing using the driver my ZwUnloadDriver gets called.

The import driver model will not work with my architecture… since there could be multiple loads/unloads of different instances of “MyDriver” happening at the same time… and each instance of “MyDriver” could perform different activities…

You do have a point about outstanding callbacks and outstanding pointers remaining stray; I did quickly make sure that is not the case as well…

For a sec I also thought it sounded like a caching problem!!! But I did a cache flush upon exit by writing the Cr0 register and executing other Intel-documented assembly code… Still the page fault happens…

Is the Windows 7 kernel smart enough to detect that the same code is loaded into kernel space, and does it try to remember at least the segment registers and not flush them, so that the next time that image is loaded it loads much faster since the legwork needed is already remembered by the kernel… A quick guess!!!

xxxxx@yahoo.com wrote:

For a sec I also thought it sounded like a caching problem!!! But I did a cache flush upon exit by writing the Cr0 register and executing other Intel-documented assembly code… Still the page fault happens…

No, that’s impossible.

Is the Windows 7 kernel smart enough to detect that the same code is loaded into kernel space, and does it try to remember at least the segment registers and not flush them, so that the next time that image is loaded it loads much faster since the legwork needed is already remembered by the kernel… A quick guess!!!

No, none of that is relevant. All kernel code runs with the same flat
segment registers in globally available address space. You’re looking
for obscure, magical causes, when you should be digging in to your
drivers and your dumps to find the issue.

We’re not going to be able to make any more educated guesses without
seeing !analyze from a crash dump.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The import driver model will not work with my architecture… since there could be multiple loads/unloads
> of different instances of “MyDriver” happening at the same time… and each instance of
> “MyDriver” could perform different activities…

If you have several SC database entries for the same .sys file, then this will not work properly.

The PsLoadedModuleList entry is per .sys file, not per SC database entry.

So, if there are 2 drivers both loaded, you have 2 driver objects referencing the same image and the same PsLoadedModuleList entry.

Unloading one of the drivers will unload the image and destroy the PsLoadedModuleList entry, after which, any work from the second driver object is a crash.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

I do make sure the previous driver is unloaded before I kick off my new ZwLoadDriver. I also wait at least 5 seconds…
Is it normal that ZwLoadDriver loads the module at the next available address, or does it start looking for an empty slot starting at the 0x8000000 address? What is the logic there in finding out what addresses are available? Curious to know, since looking at the kernel debug output of the modules loaded, the first line and the last line addresses match up, and that's when I get a page fault… As long as module load addresses are unique, in other words never used before by ZwLoadDriver, I am fine; I do not get any page faults…

kd> g
ModLoad: 8421d000 8421d5a0 sampledrv.sys
ModLoad: 8421e000 8421e5a0 sampledrv.sys
ModLoad: 8421f000 8421f5a0 sampledrv.sys
ModLoad: 84220000 842205a0 sampledrv.sys
ModLoad: 84221000 842215a0 sampledrv.sys
ModLoad: 84222000 842225a0 sampledrv.sys
ModLoad: 84223000 842235a0 sampledrv.sys
ModLoad: 84224000 842245a0 sampledrv.sys
ModLoad: 84225000 842255a0 sampledrv.sys
ModLoad: 84226000 842265a0 sampledrv.sys
ModLoad: 84227000 842275a0 sampledrv.sys
ModLoad: 84228000 842285a0 sampledrv.sys
ModLoad: 84229000 842295a0 sampledrv.sys
ModLoad: 8422a000 8422a5a0 sampledrv.sys
ModLoad: 8422b000 8422b5a0 sampledrv.sys
ModLoad: 8422c000 8422c5a0 sampledrv.sys
ModLoad: 8422d000 8422d5a0 sampledrv.sys
ModLoad: 8422e000 8422e5a0 sampledrv.sys
ModLoad: 8422f000 8422f5a0 sampledrv.sys
ModLoad: 84230000 842305a0 sampledrv.sys
ModLoad: 84231000 842315a0 sampledrv.sys
ModLoad: 8421d000 8421d5a0 sampledrv.sys
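The kd listing above shows each successive load landing exactly one page (0x1000) above the previous one, each image spanning 0x5a0 bytes, and the final load returning to the base of the very first one. Reuse of a freed system-space range after an unload is expected; what a practitioner wants from a long session log is the ordinal of the load that reused a base, so it can be matched against the crash. The following script is an added example (it is not from the poster or from any Microsoft tool) that parses ModLoad lines and reports reused bases and the stride between loads. The sample input is a constructed, trimmed copy of the thread's listing: three distinct bases and then the repeat, where the real session had 21 distinct bases first.

```python
import re
from collections import defaultdict

# Constructed sample: the first three ModLoad lines from the thread's kd
# session, followed by the load that came back at the very first base.
# The real session had 21 distinct bases before the address was reused.
SAMPLE_KD_OUTPUT = """\
kd> g
ModLoad: 8421d000 8421d5a0 sampledrv.sys
ModLoad: 8421e000 8421e5a0 sampledrv.sys
ModLoad: 8421f000 8421f5a0 sampledrv.sys
ModLoad: 8421d000 8421d5a0 sampledrv.sys
"""

PAGE_SIZE = 0x1000  # x86 page size; kernel image bases are page aligned

# kd prints "ModLoad: <base> <end> <image name>" for every kernel image load.
MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\S+)")


def parse_modloads(text):
    """Return (base, end, name) for every ModLoad line, in the order seen."""
    loads = []
    for line in text.splitlines():
        m = MODLOAD_RE.match(line.strip())
        if m:
            loads.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).lower()))
    return loads


def find_reused_bases(loads):
    """Map (image, base) -> 1-based load ordinals, keeping only bases used more than once."""
    seen = defaultdict(list)
    for ordinal, (base, _end, name) in enumerate(loads, start=1):
        seen[(name, base)].append(ordinal)
    return {key: ordinals for key, ordinals in seen.items() if len(ordinals) > 1}


def base_strides(loads):
    """Signed distance, in pages, from each load's base to the previous load's base."""
    return [(loads[i][0] - loads[i - 1][0]) // PAGE_SIZE for i in range(1, len(loads))]


def image_spans(loads):
    """Byte span of each load as reported by kd (end - base)."""
    return [end - base for base, end, _name in loads]


if __name__ == "__main__":
    loads = parse_modloads(SAMPLE_KD_OUTPUT)
    for (name, base), ordinals in find_reused_bases(loads).items():
        print(f"{name}: base {base:08x} used by loads {ordinals}")
    print("strides (pages):", base_strides(loads))
    print("spans (bytes):", [hex(s) for s in image_spans(loads)])
```

Run it over the full session log (`kd> .logopen` output works) rather than the trimmed sample; a reused base with a crash right after it points at state left behind by the earlier load at that address, which is what the Unload-routine and outstanding-reference questions in this thread are about.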

xxxxx@yahoo.com wrote:

I do make sure the previous driver is unloaded before I kick off my new ZwLoadDriver. I also wait at least 5 seconds…
Is it normal that ZwLoadDriver loads the module at the next available address, or does it start looking for an empty slot starting at the 0x8000000 address? What is the logic there in finding out what addresses are available?

If you’re cleaning up properly, this should be irrelevant –
implementation detail.

Curious to know, since looking at the kernel debug output of the modules loaded, the first line and the last line addresses match up, and that's when I get a page fault… As long as module load addresses are unique, in other words never used before by ZwLoadDriver, I am fine; I do not get any page faults…

That doesn’t make much sense. However, you never have posted an
“!analyze -v” listing from the blue screen; without that, we’re all just
poking around in the dark.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Here it is… Let me know if this helps…

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000006
Arg2: 876672e8
Arg3: 99f16f20
Arg4: 99f16eb8

Debugging Details:

ERROR: Could Not Find Target OS Version. Please Update GetFunctionForOSVer to include target OS Version

PROCESS_NAME: System

FAULTING_IP:
nt!KeBugCheckEx+1e
828e6d10 cc int 3

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 828e6d10 (nt!KeBugCheckEx+0x0000001e)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000001
NumberParameters: 0

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0x0

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 823afff9 to 828e6d10

STACK_TEXT:
8d71cc0c 823afff9 00000000 00000006 876672e8 nt!KeBugCheckEx+0x1e
8d71cc0c 8fbd25d6 00000000 00000006 876672e8 SampleDrv!DriverEntry+0x115
8d71cc98 8288f695 872f8100 8d705800 8d700000 intelppm!C1Halt+0x4
8d71cd20 8287200d 00000000 0000000e 00000000 nt!PoIdle+0x538
8d71cd24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd

STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
828e6cd3-828e6cd7 5 bytes - nt!KeBugCheck
[8b ff 55 8b ec:e8 e8 dd ad ff]
828e6cf2-828e6cf6 5 bytes - nt!KeBugCheckEx (+0x1f)
[8b ff 55 8b ec:e8 21 dd ad ff]
10 errors : !nt (828e6cd3-828e6cf6)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption

xxxxx@yahoo.com wrote:

Here it is… Let me know if this helps…

Almost entirely useless.

Debugging Details:

ERROR: Could Not Find Target OS Version. Please Update GetFunctionForOSVer to include target OS Version

That’s odd. What operating system are you running, exactly?

STACK_TEXT:
8d71cc0c 823afff9 00000000 00000006 876672e8 nt!KeBugCheckEx+0x1e
8d71cc0c 8fbd25d6 00000000 00000006 876672e8 SampleDrv!DriverEntry+0x115
8d71cc98 8288f695 872f8100 8d705800 8d700000 intelppm!C1Halt+0x4
8d71cd20 8287200d 00000000 0000000e 00000000 nt!PoIdle+0x538
8d71cd24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd

There’s nothing useful here. Can you show us the code for SampleDrv?
I’m guessing it’s just a dummy driver, since it’s so small.

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
828e6cd3-828e6cd7 5 bytes - nt!KeBugCheck
[8b ff 55 8b ec:e8 e8 dd ad ff]
828e6cf2-828e6cf6 5 bytes - nt!KeBugCheckEx (+0x1f)
[8b ff 55 8b ec:e8 21 dd ad ff]
10 errors : !nt (828e6cd3-828e6cf6)

KeBugCheck has been patched. Are you doing that? Do you have some kind
of automatic crash analysis tools installed?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
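The !chkimg lines Tim points at are the reason !analyze bucketed this dump as CODE_CORRUPTION / MEMORY_CORRUPTION_LARGE: the first five bytes of nt!KeBugCheck and nt!KeBugCheckEx no longer match the kernel image on disk. Both functions normally begin with the hot-patchable prologue `8b ff 55 8b ec` (mov edi,edi / push ebp / mov ebp,esp), and both have been overwritten with `e8 rel32`, a 5-byte relative call. The script below is an added example, not from the thread or from WinDbg, that parses !chkimg -d output and decodes such a patch into the address the call transfers to. It assumes the bracketed pair is printed as file bytes, then in-memory bytes, which is how !chkimg -d shows its diff; the sample input is a constructed copy of the two entries from the dump above.

```python
import re
import struct

# Constructed sample: the !chkimg -d entries from the thread's crash dump.
SAMPLE_CHKIMG = """\
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
828e6cd3-828e6cd7 5 bytes - nt!KeBugCheck
[8b ff 55 8b ec:e8 e8 dd ad ff]
828e6cf2-828e6cf6 5 bytes - nt!KeBugCheckEx (+0x1f)
[8b ff 55 8b ec:e8 21 dd ad ff]
10 errors : !nt (828e6cd3-828e6cf6)
"""

# mov edi,edi / push ebp / mov ebp,esp: the 5-byte prologue that /hotpatch
# builds of Windows functions start with, and the bytes hooks overwrite.
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")
CALL_REL32 = 0xE8  # x86 opcode for a 5-byte near relative call

# "<start>-<end> <n> bytes - <symbol>" header, followed by "[file bytes:memory bytes]"
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\d+) bytes - (\S+)")
BYTES_RE = re.compile(r"^\[([0-9a-f ]+):([0-9a-f ]+)\]")


def parse_chkimg(text):
    """Pair each range header with the [file:memory] byte line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RANGE_RE.match(line)
        if m:
            pending = {"start": int(m.group(1), 16), "count": int(m.group(3)), "symbol": m.group(4)}
            continue
        m = BYTES_RE.match(line)
        if m and pending is not None:
            pending["file"] = bytes.fromhex(m.group(1).replace(" ", ""))
            pending["memory"] = bytes.fromhex(m.group(2).replace(" ", ""))
            entries.append(pending)
            pending = None
    return entries


def classify(entry):
    """Decode a prologue overwritten by 'e8 rel32' into the call's absolute target."""
    mem = entry["memory"]
    if entry["file"] == HOTPATCH_PROLOGUE and len(mem) == 5 and mem[0] == CALL_REL32:
        rel = struct.unpack("<i", mem[1:5])[0]              # signed 32-bit displacement
        target = (entry["start"] + 5 + rel) & 0xFFFFFFFF    # relative to the next instruction
        return {"kind": "inline-call-hook", "target": target}
    return {"kind": "unknown-modification", "target": None}


def report(text):
    """One (symbol, kind, target) tuple per modified range."""
    return [(e["symbol"], classify(e)["kind"], classify(e)["target"]) for e in parse_chkimg(text)]


if __name__ == "__main__":
    for symbol, kind, target in report(SAMPLE_CHKIMG):
        where = f"{target:08x}" if target is not None else "n/a"
        print(f"{symbol}: {kind}, transfers to {where}")
```

With the target address in hand, `ln <address>` or `lm a <address>` in the debugger names the module that owns it, which answers Tim's question about whether a crash-reporting or similar product has hooked KeBugCheck. Until that module is identified, the MEMORY_CORRUPTION bucket says nothing about the page fault in the driver under test.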

Re: " ERROR: Could Not Find Target OS Version. Please Update GetFunctionForOSVer to include target OS Version", this is a known issue with old debugger builds and Win7.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, December 09, 2009 4:46 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] ZwLoadDriver/ZwUnloadDriver Question


Tim Roberts wrote:

xxxxx@yahoo.com wrote:

> STACK_TEXT:
> 8d71cc0c 823afff9 00000000 00000006 876672e8 nt!KeBugCheckEx+0x1e
> 8d71cc0c 8fbd25d6 00000000 00000006 876672e8 SampleDrv!DriverEntry+0x115
> 8d71cc98 8288f695 872f8100 8d705800 8d700000 intelppm!C1Halt+0x4
> 8d71cd20 8287200d 00000000 0000000e 00000000 nt!PoIdle+0x538
> 8d71cd24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd
>
>

There’s nothing useful here. Can you show us the code for SampleDrv?
I’m guessing it’s just a dummy driver, since it’s so small.

In addition, you should enable Driver Verifier on this driver, to see if
it identifies anything unusual.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Nothing unusual seen with Driver Verifier…
But a quick question on my same ZwLoad/Unload… Is this normal? Has anyone seen that under Windows 7 with the new WDK 7000.xxxx this ZwLoadDriver would jump through hoops to get the load address… Still I am a bit unclear in regards to the first line and the last line…
Is this address space randomization in the Win7 kernel which I am seeing… or something which should never happen…

kd> g
ModLoad: 8421d000 8421d5a0 sampledrv.sys
ModLoad: 8421e000 8421e5a0 sampledrv.sys
ModLoad: 8421f000 8421f5a0 sampledrv.sys
ModLoad: 84220000 842205a0 sampledrv.sys
ModLoad: 84221000 842215a0 sampledrv.sys
ModLoad: 84222000 842225a0 sampledrv.sys
ModLoad: 84223000 842235a0 sampledrv.sys
ModLoad: 84224000 842245a0 sampledrv.sys
ModLoad: 84225000 842255a0 sampledrv.sys
ModLoad: 84226000 842265a0 sampledrv.sys
ModLoad: 84227000 842275a0 sampledrv.sys
ModLoad: 84228000 842285a0 sampledrv.sys
ModLoad: 84229000 842295a0 sampledrv.sys
ModLoad: 8422a000 8422a5a0 sampledrv.sys
ModLoad: 8422b000 8422b5a0 sampledrv.sys
ModLoad: 8422c000 8422c5a0 sampledrv.sys
ModLoad: 8422d000 8422d5a0 sampledrv.sys
ModLoad: 8422e000 8422e5a0 sampledrv.sys
ModLoad: 8422f000 8422f5a0 sampledrv.sys
ModLoad: 84230000 842305a0 sampledrv.sys
ModLoad: 84231000 842315a0 sampledrv.sys
ModLoad: 8421d000 8421d5a0 sampledrv.sys