  Message 1 of 7  
25 Dec 17 01:43
t4e
xxxxxx@gmail.com
Join Date: 03 Nov 2017
Posts To This List: 2
Change IRP Registration in CancelSafe Occurs BSOD

Since there is no such PsSetCreateProcessNotifyRoutineEx, according to Microsoft a mini filter driver needs to be developed. My design was to register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for an executable created section in order to spot a loaded module. On every loaded module I want to pend the IRP and insert it into a queue, and simultaneously a thread worker will poll the IRP and send the information to a user mode application that will allow/disallow execution (STATUS_ACCESS_DENIED) of the module. So I took the CancelSafe sample and changed it so that it will register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, but I got a BSOD. The problem seems to be in the handler of FltCbdqInsertIo - I tried to find something that is unique for IRP_MJ_READ in order to change it and make it compatible with the new registered IRP.

This is my analyze -v:

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160
*** No owner thread found for resource 80551160

DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: System

FAULTING_IP:
fltMgr!FltpInsertIrp+24
f84ccee4 80490301        or      byte ptr [ecx+3],1

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000003

FOLLOWUP_IP:
KProcessMonitor!PreRead+1a5 [c:\projects\arim\kprocessmonitor\kprocessmonitor\kprocessmonitor.c @ 1570]
f89eb1b5 8945fc          mov     dword ptr [ebp-4],eax

BUGCHECK_STR: ACCESS_VIOLATION
WRITE_ADDRESS: Target machine operating system not supported 00000003
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
CPU_COUNT: 1
CPU_MHZ: af7
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 49'00000000 (cache) 49'00000000 (init)
ANALYSIS_SESSION_TIME: 12-25-2017 08:34:56.0625
ANALYSIS_VERSION: 10.0.16299.91 x86fre

LOCK_ADDRESS: 805511e0 -- (!locks 805511e0)
Resource @ nt!IopDeviceTreeLock (0x805511e0) Shared
1 owning threads
Threads: 823c63c8-01<*>
1 total locks

PNP_TRIAGE:
Lock address : 0x805511e0
Thread Count : 1
Thread address: 0x823c63c8
Thread wait : 0x8b5b

LAST_CONTROL_TRANSFER: from f84cd85b to f84ccee4

STACK_TEXT:
f8af5188 f84cd85b 820dc6d4 f8af52d8 00000000 fltMgr!FltpInsertIrp+0x24
f8af51ac f84ccfca 820dc6d4 f8af5200 81f9e718 fltMgr!FltpIoCsqInsertIrpEx+0x49
f8af51cc f89eb1b5 820dc6d4 822d32fc 81f9e718 fltMgr!FltCbdqInsertIo+0x2c

BTW, nothing to do with this problem, but there are a number of BSODs around FltStartFiltering(Globals.FilterHandle); and FltUnregisterFilter(Globals.FilterHandle); it's always:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: e1e13470, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f84d6d9d, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)
  Message 2 of 7  
25 Dec 17 03:01
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11742
Change IRP Registration in CancelSafe Occurs BSOD

On Dec 24, 2017, at 10:43 PM, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
>
> Since there is no such PsSetCreateProcessNotifyRoutineEx, according to Microsoft a mini filter driver needs to be developed.

Of course there is, but it was added in Vista SP1, and for some reason you're using the antique XP SP2.

> My design was to register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and check for an executable created section in order to spot a loaded module.
> On every loaded module I want to pend the IRP and insert it into a queue, and simultaneously a thread worker will poll the IRP and send the information to a user mode application that will allow/disallow execution (STATUS_ACCESS_DENIED) of the module.

You're not allowed to return that. The return values for these filter callbacks are very limited, and described in the documentation.

> So I took the CancelSafe sample and changed it so that it will register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, but I got a BSOD.
>
> The problem seems to be in the handler of FltCbdqInsertIo - I tried to find something that is unique for IRP_MJ_READ in order to change it and make it compatible with the new registered IRP.

It looks like you tried to queue a null IRP.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
  Message 3 of 7  
25 Dec 17 12:16
Gabriel Bercea
xxxxxx@gmail.com
Join Date: 03 Mar 2008
Posts To This List: 131
Change IRP Registration in CancelSafe Occurs BSOD

Regarding your 2nd random BSODs: you need to know that FltUnregisterFilter will call the cleanup callback for all your registered contexts and also the instance teardown callbacks. You did not show the dump text for more details.

Gabriel.
www.kasardia.com
  Message 4 of 7  
02 Jan 18 13:53
Scott Noone
xxxxxx@osr.com
Join Date:
Posts To This List: 1349
List Moderator
Change IRP Registration in CancelSafe Occurs BSOD

<QUOTE> So I took the CancelSafe sample and changed it so that it will register on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, but I got a BSOD. </QUOTE>

IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION isn't really an IRP operation, it's a FltMgr "pseudo IRP" operation. See the FltCbdqInsertIo remarks section:

"The FltCbdqXxx routines can only be used for IRP-based I/O operations. To determine whether a given callback data structure represents an IRP-based I/O operation, use the FLT_IS_IRP_OPERATION macro."

-scott
OSR
@OSRDrivers
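The gate Scott points to, as an added example that is not code from this thread or from the CancelSafe sample: a host-compilable C model in which the flag values are reproduced from fltKernel.h, while the callback-data and queue types are assumed stand-ins for the WDK structures so the check can be built and run without the WDK.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag bits as defined in fltKernel.h (reproduced here because the host build
 * has no WDK). FLT_IS_IRP_OPERATION is the same bit test FltMgr performs,
 * written out instead of using the WDK FlagOn() helper. */
#define FLTFL_CALLBACK_DATA_IRP_OPERATION       0x00000001u
#define FLTFL_CALLBACK_DATA_FAST_IO_OPERATION   0x00000002u
#define FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION 0x00000004u
#define FLT_IS_IRP_OPERATION(Data) \
    (((Data)->Flags & FLTFL_CALLBACK_DATA_IRP_OPERATION) != 0)

/* Local names, not the WDK FLT_PREOP_* values. */
typedef enum { PREOP_SUCCESS_NO_CALLBACK = 0, PREOP_PENDING = 1 } PREOP_STATUS;

/* Stand-in for FLT_CALLBACK_DATA: the Flags word plus the IRP that FltMgr
 * keeps behind an IRP-based operation (NULL for a pseudo-IRP). */
typedef struct { uint32_t Flags; void *Irp; } CALLBACK_DATA;

/* Stand-in for the cancel-safe queue; counts entries instead of linking them. */
typedef struct { size_t QueuedIrps; } CBDQ;

/* Mirrors FltpInsertIrp from the dump: it touches the IRP unconditionally.
 * Here the NULL case returns an error; in the kernel it is the bugcheck. */
static int CbdqInsertIo(CBDQ *queue, CALLBACK_DATA *data)
{
    if (data->Irp == NULL) return -1;
    queue->QueuedIrps++;
    return 0;
}

/* Pre-operation callback with the gate from the FltCbdqInsertIo remarks:
 * only IRP-based operations may be pended on the cancel-safe queue.
 * IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION arrives as an FS-filter
 * pseudo-IRP, so it never reaches the queue and is passed through. */
PREOP_STATUS PreOperation(CBDQ *queue, CALLBACK_DATA *data)
{
    if (!FLT_IS_IRP_OPERATION(data))
        return PREOP_SUCCESS_NO_CALLBACK;
    if (CbdqInsertIo(queue, data) != 0)
        return PREOP_SUCCESS_NO_CALLBACK;   /* could not pend: let it through */
    return PREOP_PENDING;                   /* worker thread completes it later */
}

/* Constructed sample operations: an IRP-based read and a section-sync op. */
static int dummy_irp;
CALLBACK_DATA SampleRead = { FLTFL_CALLBACK_DATA_IRP_OPERATION, &dummy_irp };
CALLBACK_DATA SampleSectionSync = { FLTFL_CALLBACK_DATA_FS_FILTER_OPERATION, NULL };
```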
  Message 5 of 7  
02 Jan 18 15:42
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Change IRP Registration in CancelSafe Occurs BSOD

Develop for a modern OS environment and use PsSetCreateProcessNotifyRoutineEx. It's secure, stable and reliable. A lot less hassle to do what you need to do as well. You also have the guarantee that it'll be triggered for a Portable Executable being executed, unlike with the mini-filter method where you have to execute more instructions, which adds more performance overhead on each execution (and on non-process-start-up related activities) to ensure it is indeed an executable for a process-startup request.
  Message 6 of 7  
03 Jan 18 05:26
t4e
xxxxxx@gmail.com
Join Date: 03 Nov 2017
Posts To This List: 2
Change IRP Registration in CancelSafe Occurs BSOD

I need to support Windows XP SP2 as well

2018-01-02 22:41 GMT+02:00 xxxxx@gmail.com <xxxxx@lists.osr.com>:
> Develop for a modern OS environment and use PsSetCreateProcessNotifyRoutineEx.
> It's secure, stable and reliable. A lot less hassle to do what you need to
> do as well. You also have the guarantee that it'll be triggered for a
> Portable Executable being executed, unlike with the mini-filter method
> where you have to execute more instructions which provides more overhead on
> performance for each execution (and non-process start-up related
> activities) to ensure it is indeed an executable for a process-startup
> request.
>
> ---
<...excess quoted lines suppressed...>
  Message 7 of 7  
03 Jan 18 12:08
Iolanda Milani
xxxxxx@gmail.com
Join Date: 31 Dec 2017
Posts To This List: 17
Change IRP Registration in CancelSafe Occurs BSOD

> I need to support Windows XP SP2 as well

But why? All you will be doing is developing software for an insecure Operating System which is no longer officially supported, while encouraging people to keep using it. It doesn't matter what product you develop, the OS is going to be vulnerable. Did no one learn from the WannaCry attack which used the stolen NSA exploit, EternalBlue? The EternalBlue exploit worked by exploiting the SRV.sys device driver, a component part of SMB networking on Windows; the vulnerability had been fixed except for Windows XP prior to the attack. If people on XP who were affected had been using an up-to-date, secure OS, they wouldn't have been affected by the damage they had been.

I know you aren't asking about what OS to target for your software target market, but seriously, you may wish to re-consider this. XP is full of bugs, it's not officially supported anymore and it is very limited in comparison to the modern Windows Kernel. As well as this, if you're supporting newer OS versions, don't execute the same code as you are for XP, because you can use better documented and stable techniques which are also likely more secure on updated versions of Windows. If you insist on developing for XP, only go the XP support route for a system which actually has it loaded, and use updated and more efficient interfaces/techniques for the modern versions when a modern system is being used.