From PDEVICE_OBJECT can I work back to get the function name?

Hello,

I have 2 questions.

  1. When I run my program without WinDbg running, it runs fine. When I have WinDbg running, the debugger breaks and it reports it as a Debug Stop. Meaning if I hit “go” it continues and the system does not crash. What do we call this kind of benign break? So all breaks are not crashes; some are minor enough for the system to recover and continue, I guess.
  2. Questions:
    When it breaks I get the following error:
    “The caller is corrupting the system by mapping an unowned page 0000000000000600, type 0.”
    !analyze -v gave this:
    FAULTING_SOURCE_CODE:
    34: POINTER_CHECK(aDestAddress);
    35:
    36: PhysicalAddress = (PPHYSICAL_ADDRESS)&Val64;
    37:
    38: VirtAddr = MmMapIoSpace(*PhysicalAddress, aSize, MmCached);
    39: if (VirtAddr != 0)
    40: {
    41:
    42: if (aSize == 4)
    43: {
I can see that whenever it breaks, Val64 = 600000
CallStack gives me the device Object. My question is using pDo can I work back and dig out the function name which called this function with a wrong address?
NTSTATUS
driverDispatch(
IN PDEVICE_OBJECT pDO,
IN PIRP pIrp
)
{

I meant I want to find out the application function name which called the kernel function using the pointer to the device object. Or is there any other way?

xxxxx@gmail.com wrote:

I meant I want to find out the application function name which called the kernel function using the pointer to the device object. Or is there any other way?

An application cannot call a kernel function. You need to use the “kb”
command to get a traceback to see how you got where you are. That
should show you whether you are handling an ioctl or some other request.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Sorry I meant a Driver function. I have driver function called
ReadPhysicalMemory()
The application has a similar function (I don't know its name) which sends in the physical memory address and the driver reads it and sends back the content. Once in a while this function fails with the above error. Yes, I have the full stack:
nt!CcTestControl+0x3ff20
nt!MmMapVideoDisplay+0xc
xxxx!ReadMemory+0x100 [d:\work\bkc\sst3.0\packages\pcilib\sources\winsupport.c @ 38]
xxxx!driverDispatch+0xfe7 [d:\work\bkc\sst3.0\products\hwapidriver\sources\winhwapidrv.c @ 423]
nt!ObReferenceObjectByHandleWithTag+0xe92
nt!NtDeviceIoControlFile+0x56
nt!setjmpex+0x34b3
I was hoping to get the name of the function name.

>The application has a similar function (I don't know its name) which sends in the physical memory address and the driver reads it and sends back the content.

Uh oh. Very very VERY VERY bad idea. Why do you do that? You’re not supposed to touch memory you don’t own or not told you can touch.

xxxxx@gmail.com wrote:

Sorry I meant a Driver function. I have driver function called
ReadPhysicalMemory()
The application has a similar function (I don't know its name) which sends in the physical memory address and the driver reads it and sends back the content. Once in a while this function fails with the above error. Yes, I have the full stack:

I’m guessing that your kernel symbols are not accurate. You weren’t
calling MmMapVideoDisplay.

If you are getting a request from user mode, the onus is entirely on
your driver to validate that the address is one that the application is
entitled to access. The app is not entitled to access address 60000.
You don’t have any idea whether that address is already mapped in to
memory, and if you try to map it with a different cache attribute than
the previous mapping, that’s a blue screen.

xxxx!ReadMemory+0x100 [d:\work\bkc\sst3.0\packages\pcilib\sources\winsupport.c @ 38]
xxxx!driverDispatch+0xfe7 [d:\work\bkc\sst3.0\products\hwapidriver\sources\winhwapidrv.c @ 423]
nt!ObReferenceObjectByHandleWithTag+0xe92
nt!NtDeviceIoControlFile+0x56
nt!setjmpex+0x34b3
I was hoping to get the name of the function name.

Do you mean the user-mode function name? Because this is telling you
exactly which line of code made the bad call, and exactly which line of
code called ReadMemory. Hard to be more helpful than that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
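
An added example, not code from the thread or from the driver under discussion, of the check the reply above calls for: the user-supplied physical address is tested against ranges the driver owns before anything is mapped. The names `owned_range_t`, `g_owned` and `request_is_allowed`, the sample range and the access-width policy are all assumptions; in a real driver the allow-list would come from the device's assigned memory resources and the check would sit in the dispatch routine ahead of the mapping call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical allow-list entry: one physical range the driver owns,
 * e.g. a memory resource handed to it when the device was started. */
typedef struct {
    uint64_t base;
    uint64_t length;
} owned_range_t;

/* Constructed sample: a single 64 KiB register window. */
static const owned_range_t g_owned[] = {
    { 0xFE000000ULL, 0x10000ULL },
};
#define OWNED_COUNT (sizeof(g_owned) / sizeof(g_owned[0]))

/* True only when [addr, addr + size) lies wholly inside one owned range.
 * A dispatch routine would run this on the user-supplied address and fail
 * the request before any mapping call is made. */
bool request_is_allowed(uint64_t addr, uint64_t size,
                        const owned_range_t *owned, size_t count)
{
    /* Assumed policy: only naturally aligned 1/2/4/8-byte accesses. */
    if (size != 1 && size != 2 && size != 4 && size != 8)
        return false;
    if (addr % size != 0)
        return false;
    /* Reject wrap-around of addr + size. */
    if (addr > UINT64_MAX - size)
        return false;
    for (size_t i = 0; i < count; i++) {
        /* Allow-list entries are trusted and assumed not to wrap. */
        uint64_t end = owned[i].base + owned[i].length; /* exclusive */
        if (addr >= owned[i].base && addr + size <= end)
            return true;
    }
    return false;
}

int main(void)
{
    /* 600000 is the Val64 value from the thread, read here as hex. */
    bool bad = request_is_allowed(0x600000ULL, 4, g_owned, OWNED_COUNT);
    bool good = request_is_allowed(0xFE000010ULL, 4, g_owned, OWNED_COUNT);
    return (!bad && good) ? 0 : 1;
}
```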

In the context of the app

.reload /u
kb

Will give you the UM callstack as well, assuming you have the symbols for the UM components.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, March 30, 2015 2:57 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] From PDEVICE_OBJECT can I work back to get the function name?

Sorry I meant a Driver function. I have driver function called
ReadPhysicalMemory()
The application has a similar function (I don't know its name) which sends in the physical memory address and the driver reads it and sends back the content. Once in a while this function fails with the above error. Yes, I have the full stack:
nt!CcTestControl+0x3ff20
nt!MmMapVideoDisplay+0xc
xxxx!ReadMemory+0x100 [d:\work\bkc\sst3.0\packages\pcilib\sources\winsupport.c @ 38]
xxxx!driverDispatch+0xfe7 [d:\work\bkc\sst3.0\products\hwapidriver\sources\winhwapidrv.c @ 423]
nt!ObReferenceObjectByHandleWithTag+0xe92
nt!NtDeviceIoControlFile+0x56
nt!setjmpex+0x34b3
I was hoping to get the name of the function name.



Thank you folks. I think I get the picture. I will try the .reload /u; that might be the answer to my question. There is a lot of baggage and history to the issue I am running and I don't want to bore you folks. Once I figure out the solution I shall update this report. Thank you again.