NTFS_FILE_SYSTEM in FltReadFile ?

hi
I use FltReadFile in the IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION pre-operation callback.
For all files it works fine, but for some files I get NTFS_FILE_SYSTEM.

After searching for a solution I found the PagingIoResource check, but it doesn't work and I get a BSOD for another file, like:
accesspath is \Device\HarddiskVolume2\Windows\System32\LogFiles\Scm\9b75c702-ea13-406a-badb-6c588ee4375b

    // Declarations are not in the posted snippet; they are assumed from how the variables are used
    FSRTL_COMMON_FCB_HEADER *fcbHeader;
    UNICODE_STRING FilePath;
    PCHAR pFileBuffer;
    LARGE_INTEGER offset = { 0 };
    ULONG bytesRead = 0;
    NTSTATUS status;

    // The FSD's common FCB header lives behind FsContext of the file object
    fcbHeader = (FSRTL_COMMON_FCB_HEADER *)FltObjects->FileObject->FsContext;
    if (fcbHeader->PagingIoResource == NULL)
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    // GetFilePath is the poster's own helper; it allocates FilePath.Buffer with tag 'NA'
    if (!GetFilePath(Data, &FilePath))
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }
    if (FilePath.Buffer != NULL)
    {
        DbgPrintEx(DPFLTR_IHVVIDEO_ID, DPFLTR_ERROR_LEVEL, "accesspath %wZ\r\n", &FilePath);
        ExFreePoolWithTag(FilePath.Buffer, 'NA');
    }
    //else return

    pFileBuffer = (char *)ExAllocatePoolWithTag(NonPagedPool, 4096, 'sha1');
    if (pFileBuffer == NULL)
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    // Synchronous read of the first 4096 bytes through the filter's own instance;
    // this is the call that ends up in Ntfs!NtfsCommonRead in the crash below
    status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset, 4096,
                         pFileBuffer, 0, &bytesRead, NULL, NULL);

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, 8a4306c4, 8a4302a0, 8944ea94}

Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonRead+6f4 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
816bc394 cc int 3
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904fb
Arg2: 8a4306c4
Arg3: 8a4302a0
Arg4: 8944ea94

Debugging Details:

EXCEPTION_RECORD: 8a4306c4 -- (.exr 0xffffffff8a4306c4)
ExceptionAddress: 8944ea94 (Ntfs!NtfsCommonRead+0x000006f4)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004

CONTEXT: 8a4302a0 -- (.cxr 0xffffffff8a4302a0)
eax=a646c0f8 ebx=00000001 ecx=00000000 edx=a646c228 esi=855a8c00 edi=00000000
eip=8944ea94 esp=8a43078c ebp=8a43083c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
Ntfs!NtfsCommonRead+0x6f4:
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h ds:0023:00000004=???
Resetting default scope

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

PROCESS_NAME: System

CURRENT_IRQL: 2

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000004

READ_ADDRESS: 00000004

FOLLOWUP_IP:
Ntfs!NtfsCommonRead+6f4
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h

FAULTING_IP:
Ntfs!NtfsCommonRead+6f4
8944ea94 f7410400800000 test dword ptr [ecx+4],8000h

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from 89452bae to 8944ea94

STACK_TEXT:
8a43083c 89452bae 855a8c00 8490b8f8 03048219 Ntfs!NtfsCommonRead+0x6f4
8a4308ac 8168d4bc 848b9020 8490b8f8 8490b8f8 Ntfs!NtfsFsdRead+0x279
8a4308c4 891ad20c 00000000 8490c400 00000000 nt!IofCallDriver+0x63
8a4308e8 891ae0bf 8a430908 84873e78 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
8a430920 891ae4e7 84b51648 8a430a6c 00000000 fltmgr!FltPerformSynchronousIo+0xb9
8a430990 8980b701 84b51648 84abe4f0 8a4309d0 fltmgr!FltReadFile+0x2ed
8a430a4c 891a9aeb 8490ce40 8a430a6c 8a430a98 Mydrv!PreSync+0xb9
8a430ab8 891acc77 8a430ad0 8a430b64 8a430b30 fltmgr!FltpPerformPreCallbacks+0x34d
8a430ae8 816e2464 8a430b30 8a430b6c 8424b818 fltmgr!FltpPreFsFilterOperation+0xab
8a430b0c 818b1de5 00000000 00000000 8a430c63 nt!FsFilterPerformCallbacks+0xa4
8a430c68 818b20d6 84abe4f0 00000000 84abe4f0 nt!FsRtlAcquireFileExclusiveCommon+0x10a
8a430c7c 816e9cfe 84abe4f0 855f57a8 00000000 nt!FsRtlAcquireFileExclusive+0x12
8a430ca8 816f1ed6 8a430cc4 b29e6a99 83974138 nt!CcWriteBehind+0x570
8a430d00 816bef2b 83974138 00000000 8396fd48 nt!CcWorkerThread+0x164
8a430d50 8185f66d 00000000 b29e6a09 00000000 nt!ExpWorkerThread+0x10d
8a430d90 817110d9 816bee1e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsCommonRead+6f4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf45

STACK_COMMAND: .cxr 0xffffffff8a4302a0 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonRead+6f4

BUCKET_ID: 0x24_Ntfs!NtfsCommonRead+6f4

Followup: MachineOwner

0: kd> !fileobj 8980b701
8980b701 is not a file object
0: kd> !fileobj 84abe4f0

Device Object: 0x84786e20 \Driver\volmgr
Vpb: 0x84783878
Access: Read Write SharedRead SharedWrite SharedDelete

Flags: 0x40100
Stream File
Handle Created

FsContext: 0xa646c0f8 FsContext2: 0x00000000
CurrentByteOffset: 0
Cache Data:
Section Object Pointers: 8564aca0
Shared Cache Map: 848ef808 File Offset: 0 in VACB number 0
Vacb: 839443b0
Your data is at: a8ac0000
0: kd> dt nt!_FILE_OBJECT 84abe4f0
+0x000 Type : 5
+0x002 Size : 128
+0x004 DeviceObject : 0x84786e20 _DEVICE_OBJECT
+0x008 Vpb : 0x84783878 _VPB
+0x00c FsContext : 0xa646c0f8
+0x010 FsContext2 : (null)
+0x014 SectionObjectPointer : 0x8564aca0 _SECTION_OBJECT_POINTERS
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0x1 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0x1 ''
+0x02b SharedDelete : 0x1 ''
+0x02c Flags : 0x40100
+0x030 FileName : _UNICODE_STRING ""
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
+0x070 IrpListLock : 0
+0x074 IrpList : _LIST_ENTRY [0x84abe564 - 0x84abe564]
+0x07c FileObjectExtension : (null)
0: kd> dt nt!_FSRTL_ADVANCED_FCB_HEADER 0xa646c0f8
+0x000 NodeTypeCode : 1797
+0x002 NodeByteSize : 344
+0x004 Flags : 0x40 '@'
+0x005 IsFastIoPossible : 0x2 ''
+0x006 Flags2 : 0x3 ''
+0x007 Reserved : 0y0000
+0x007 Version : 0y0001
+0x008 Resource : 0x8564ac5c _ERESOURCE
+0x00c PagingIoResource : 0x8564acbc _ERESOURCE
+0x010 AllocationSize : _LARGE_INTEGER 0x10
+0x018 FileSize : _LARGE_INTEGER 0xc
+0x020 ValidDataLength : _LARGE_INTEGER 0xc
+0x028 FastMutex : 0x8564ac3c _FAST_MUTEX
+0x02c FilterContexts : _LIST_ENTRY [0x8564e2bc - 0x8564e2bc]
+0x034 PushLock : _EX_PUSH_LOCK
+0x038 FileContextSupportPointer : 0xa646c0f4 -> (null)
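Reading the dump above as a triage script, an added example that is not from the thread: it decodes FILE_OBJECT.Flags with the WDK FO_* bit values, confirms the pre-callback ran under the lazy writer (nt!CcWriteBehind reaching nt!FsFilterPerformCallbacks), that the filter itself issued the FltReadFile (the caller frame is Mydrv!PreSync), and that the target is a stream file object whose FsContext2 (where NTFS keeps its per-handle CCB) is NULL, which is consistent with the NULL+4 read in NtfsCommonRead. The excerpt is lifted from the !analyze and dt output above; Mydrv is the poster's driver name as it appears in the stack.

```python
import re

# FILE_OBJECT.Flags bits from the WDK (ntifs.h); only the ones this dump needs
FO_FLAGS = {0x00000002: "FO_SYNCHRONOUS_IO", 0x00000040: "FO_CACHE_SUPPORTED",
            0x00000100: "FO_STREAM_FILE", 0x00040000: "FO_HANDLE_CREATED"}

# Excerpt of the STACK_TEXT and dt nt!_FILE_OBJECT output from the crash above
DUMP = """\
8a430990 8980b701 84b51648 84abe4f0 8a4309d0 fltmgr!FltReadFile+0x2ed
8a430a4c 891a9aeb 8490ce40 8a430a6c 8a430a98 Mydrv!PreSync+0xb9
8a430b0c 818b1de5 00000000 00000000 8a430c63 nt!FsFilterPerformCallbacks+0xa4
8a430ca8 816f1ed6 8a430cc4 b29e6a99 83974138 nt!CcWriteBehind+0x570
   +0x010 FsContext2 : (null)
   +0x02c Flags : 0x40100
"""

FRAME_RE = re.compile(r"^[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\S+)$", re.M)
FIELD_RE = re.compile(r"^\s*\+0x[0-9a-f]+ (\w+) : (.+)$", re.M)


def decode_flags(value):
    """Names of the known FO_* bits set in a FILE_OBJECT.Flags value, lowest bit first."""
    return [name for bit, name in sorted(FO_FLAGS.items()) if value & bit]


def triage(dump):
    """Explain a filter-issued read that faulted inside the FSD from frames and fileobj fields."""
    frames = FRAME_RE.findall(dump)      # callee first, the order WinDbg prints them
    fields = dict(FIELD_RE.findall(dump))
    flags = decode_flags(int(fields.get("Flags", "0"), 16))
    findings = []
    # A Cc worker reaching the FS filter callbacks is the lazy writer acquiring the
    # file for section sync, not a user-mode open of the file
    if any(f.startswith("nt!CcWriteBehind") for f in frames) and \
       any(f.startswith("nt!FsFilterPerformCallbacks") for f in frames):
        findings.append("pre-callback ran on the lazy writer's ACQUIRE_FOR_SECTION_SYNCHRONIZATION")
    # The frame directly above fltmgr!FltReadFile is whoever issued the read
    idx = [i for i, f in enumerate(frames) if f.startswith("fltmgr!FltReadFile")]
    if idx and idx[0] + 1 < len(frames) and \
       frames[idx[0] + 1].split("!")[0] not in ("nt", "fltmgr", "Ntfs"):
        findings.append("read issued by filter frame " + frames[idx[0] + 1])
    # A stream file object carries no per-handle CCB in FsContext2; NTFS's
    # non-paging read path expects one, so reading through it is unsafe
    if "FO_STREAM_FILE" in flags and fields.get("FsContext2") == "(null)":
        findings.append("stream file object with FsContext2 == NULL: not a handle-based open")
    return flags, findings
```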

What do you think checking PagingIoResource == 0 in
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION is supposed to accomplish? It's
a resource set up by the FSD to sync paging issues (lazywrites, ccflush), so
I don't think it should ever be 0 anyway (I'm sure one of the real experts
will correct me if I'm wrong).

Anyway, why are you reading in SECTION_SYNC? If you are doing something
security related, it probably makes more sense to do it in pre-create.

On Mon, Dec 15, 2014 at 8:32 PM, wrote:

[quote] What do you think checking PagingIoResource == 0 in
IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION is supposed to accomplish? It's
a resource set up by the FSD to sync paging issues (lazywrites, ccflush), so
I don't think it should ever be 0 anyway (I'm sure one of the real experts
will correct me if I'm wrong). [/quote]

this check is based on http://d.hatena.ne.jp/kaorun55/20080229/1204295090


[quote] Anyway, why are you reading in SECTION_SYNC? If you are doing something
security related, it probably makes more sense to do it in pre-create. [/quote]


oh, I forgot this "if" in this code; I think with this check I don't get a BSOD :frowning: