Intercept IRP_MJ_VOLUME_MOUNT crashes!

I want to prevent a volume from mounting in a minifilter driver, so I wrote a pre-op routine for IRP_MJ_VOLUME_MOUNT. If I modify the FLT_CALLBACK_DATA.IoStatus field and return FLT_PREOP_COMPLETE, it always crashes in IopMountInitializeVpb. It seems that, since I had already set IoStatus.Status to a failure status, it shouldn't go to IopMountInitializeVpb. Is there something else that should be done before returning FLT_PREOP_COMPLETE, or is it not possible to prevent a volume mount in a minifilter?

Try setting IoStatus.Status to be STATUS_UNRECOGNIZED_VOLUME.

I've tried that already; whatever the status is, it crashes! I've also tried sfilter IRP_MN_MOUNT_VOLUME filtering, with success. Don't know the reason, probably a bug in the minifilter framework?

Can you please post an !analyze -v ?

Thanks,
Alex.

Thx. I found that the same driver under Win 2003 doesn't crash when a new volume is being mounted.

Following is the crash dump under XP SP2:
Use !analyze -v to get detailed debugging information.

BugCheck A, {30, 2, 1, 804f4647}

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
Probably caused by : ntkrnlpa.exe ( nt!IopMountInitializeVpb+33 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
80527da8 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000030, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804f4647, address which referenced memory

Debugging Details:

WRITE_ADDRESS: 00000030

CURRENT_IRQL: 2

FAULTING_IP:
nt!IopMountInitializeVpb+33
804f4647 884130 mov byte ptr [ecx+30h],al

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: svchost.exe

TRAP_FRAME: f7e29944 -- (.trap 0xfffffffff7e29944)
ErrCode = 00000002
eax=815e9c08 ebx=80551b60 ecx=00000000 edx=00000000 esi=8155dd80 edi=815e9c68
eip=804f4647 esp=f7e299b8 ebp=f7e299c0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopMountInitializeVpb+0x33:
804f4647 884130 mov byte ptr [ecx+30h],al ds:0023:00000030=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f880d to 80527da8

STACK_TEXT:
f7e294f8 804f880d 00000003 f7e29854 00000000 nt!RtlpBreakWithStatusInstruction
f7e29544 804f93fa 00000003 00000030 804f4647 nt!KiBugCheckDebugBreak+0x19
f7e29924 80540853 0000000a 00000030 00000002 nt!KeBugCheck2+0x574
f7e29924 804f4647 0000000a 00000030 00000002 nt!KiTrap0E+0x233
f7e299c0 80576df9 815e9c68 815e9c68 00000000 nt!IopMountInitializeVpb+0x33
f7e29a1c 804f5009 001c0001 812b1701 00000000 nt!IopMountVolume+0x20b
f7e29a4c 80577d2a 812b17b0 815e9c68 f7e29b80 nt!IopCheckVpbMounted+0x5b
f7e29b3c 805b465e 815e9c68 00000000 816e6898 nt!IopParseDevice+0x3c6
f7e29bc4 805b0b3f 00000000 f7e29c04 00000040 nt!ObpLookupObjectName+0x56a
f7e29c18 8056b133 00000000 00000000 e29d6401 nt!ObOpenObjectByName+0xeb
f7e29c94 8056baaa 00fcfd4c 80100080 00fcfcec nt!IopCreateFile+0x407
f7e29cf0 8056e17c 00fcfd4c 80100080 00fcfcec nt!IoCreateFile+0x8e
f7e29d30 8053d808 00fcfd4c 80100080 00fcfcec nt!NtCreateFile+0x30
f7e29d30 7c92eb94 00fcfd4c 80100080 00fcfcec nt!KiFastCallEntry+0xf8
00fcfca8 7c92d68e 7c810b2c 00fcfd4c 80100080 ntdll!KiFastSystemCallRet
00fcfcac 7c810b2c 00fcfd4c 80100080 00fcfcec ntdll!NtCreateFile+0xc
00fcfd44 76e1c1e1 00000000 80000000 00000003 kernel32!CreateFileW+0x35f
00fcfd68 76e1f524 00154db8 80000000 01929bd8 shsvcs!_GetDeviceHandle+0x1a
00fcfdb4 76e210a5 00fcfdd8 00000001 00000000 shsvcs!CVolume::_GetDeviceHandleSafe+0x31
00fcfdf0 76e21524 00139b30 005f3020 005f3020 shsvcs!CVolume::_InitHelper+0xab
00fcfe08 76e29753 00139b30 00000001 00fcfe5c shsvcs!CVolume::Init+0x5b
00fcfe20 76e29c20 00139b30 00fcfe5c 76e11ed4 shsvcs!CNamedElemList::_Add+0x22
00fcfe3c 76e25046 00139b30 00fcfe5c 00139b30 shsvcs!CNamedElemList::GetOrAdd+0x68
00fcfe54 76e25227 00000000 00139b30 00139b20 shsvcs!_ProcessInterfaceVolumeArrival+0x27
00fcfe70 76e23ad3 00139b20 00139b30 00008000 shsvcs!_ProcessInterfaceSpecialCased+0x65
00fcfe90 76e254f2 00000001 00008000 0000000b shsvcs!CHWEventDetectorImpl::_HandleInterfaceEvent+0x38
00fcff00 76e1bbca 005f2014 00008000 00139b14 shsvcs!CHWEventDetectorImpl::HandleDeviceEvent+0x97
00fcff20 76e1bd29 76e2f044 0000000b 00008000 shsvcs!CGenericServiceManager::_HandleServiceControls+0x60
00fcff4c 76e1be57 76e2f044 00000000 0009ae68 shsvcs!CGenericServiceManager::_ProcessServiceControlCodes+0x5c
00fcff6c 010011cc 00000001 000bea88 00000000 shsvcs!CGenericServiceManager::_ServiceMain+0xf4
00fcffa0 77dbb48b 00000001 000bea88 0007e898 svchost!ServiceStarter+0x9e
00fcffb4 7c80b50b 000bea80 00000000 0007e898 ADVAPI32!ScSvcctrlThreadA+0x12
00fcffec 00000000 77dbb479 000bea80 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!IopMountInitializeVpb+33
804f4647 884130 mov byte ptr [ecx+30h],al

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!IopMountInitializeVpb+33

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0c

FAILURE_BUCKET_ID: 0xA_W_nt!IopMountInitializeVpb+33

BUCKET_ID: 0xA_W_nt!IopMountInitializeVpb+33

Followup: MachineOwner

And my code is like this (the pre-operation callback registered for IRP_MJ_VOLUME_MOUNT):

    FLT_PREOP_CALLBACK_STATUS
    PreVolumeMount(
        PFLT_CALLBACK_DATA Data,
        PCFLT_RELATED_OBJECTS FltObjects,
        PVOID *CompletionContext
        )
    {
        FLT_PREOP_CALLBACK_STATUS Result = FLT_PREOP_SUCCESS_NO_CALLBACK;
        PDEVICE_OBJECT diskDevice;

        UNREFERENCED_PARAMETER(CompletionContext);

        /* Get the storage device object behind the volume being mounted (adds a reference). */
        if (STATUS_SUCCESS == FltGetDiskDeviceObject(FltObjects->Volume, &diskDevice))
        {
            /* g_bEnableUSBStorage and IsUsbStorage() are defined elsewhere in the driver. */
            if (g_bEnableUSBStorage == FALSE)
            {
                if (IsUsbStorage(diskDevice))
                {
                    /* Veto the mount: complete the operation with a failure status. */
                    Data->IoStatus.Status = STATUS_DEVICE_NOT_READY;
                    Data->IoStatus.Information = 0;

                    Result = FLT_PREOP_COMPLETE; /* crash under xp!!! */
                }
            }

            ObDereferenceObject(diskDevice);
        }

        return Result;
    }
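For readers triaging the same kind of dump, here is an added example (not code from the thread) that pulls the bugcheck arguments, trap-frame registers and stack frames out of a !analyze -v transcript and flags the pattern visible above: a write to a small address equal to a zero base register plus a displacement, i.e. a NULL structure pointer. The sample input is a constructed excerpt of the XP SP2 dump posted in this thread.

```python
import re

# Constructed sample: the relevant lines of the XP SP2 dump posted in this thread.
SAMPLE_DUMP = """\
BugCheck A, {30, 2, 1, 804f4647}
WRITE_ADDRESS: 00000030
CURRENT_IRQL: 2
eax=815e9c08 ebx=80551b60 ecx=00000000 edx=00000000 esi=8155dd80 edi=815e9c68
nt!IopMountInitializeVpb+0x33:
804f4647 884130 mov byte ptr [ecx+30h],al ds:0023:00000030=??
STACK_TEXT:
f7e29924 804f4647 0000000a 00000030 00000002 nt!KiTrap0E+0x233
f7e299c0 80576df9 815e9c68 815e9c68 00000000 nt!IopMountInitializeVpb+0x33
f7e29a1c 804f5009 001c0001 812b1701 00000000 nt!IopMountVolume+0x20b
f7e29a4c 80577d2a 812b17b0 815e9c68 f7e29b80 nt!IopCheckVpbMounted+0x5b
"""

BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p)=([0-9a-f]{8})")
MEM_OPERAND_RE = re.compile(r"\[(e[a-d]x|e[sd]i|e[bs]p)\+([0-9a-f]+)h\]")
# One "kb" frame: child EBP, return address, three args, symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$", re.M)

def triage(dump):
    """Return bugcheck 0xA details and whether the fault is a near-NULL dereference."""
    m = BUGCHECK_RE.search(dump)
    if not m or int(m.group(1), 16) != 0xA:
        raise ValueError("not an IRQL_NOT_LESS_OR_EQUAL (0xA) dump")
    addr, irql, flags, ip = (int(a.strip(), 16) for a in m.group(2).split(","))
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    frames = FRAME_RE.findall(dump)
    # The faulting frame is the one directly below the page-fault trap handler.
    trap = next(i for i, f in enumerate(frames) if "KiTrap0E" in f)
    result = {
        "fault_address": addr, "irql": irql,
        "operation": "write" if flags & 1 else "read",
        "faulting_ip": ip, "faulting_frame": frames[trap + 1],
        "caller": frames[trap + 2], "near_null": False,
    }
    op = MEM_OPERAND_RE.search(dump)
    if op:
        base, disp = op.group(1), int(op.group(2), 16)
        # Zero base register plus displacement == fault address: NULL object pointer.
        if regs.get(base) == 0 and disp == addr:
            result.update(near_null=True, base_reg=base, displacement=disp)
    return result
```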

You need to fix your symbols:

.symfix
.reload -f -n

Mm
On Feb 25, 2011 12:48 AM, wrote:
> And my code is like this:

Thx to everyone who replied. Finally I got the answer, and I hope it helps those who encounter the problem: patch XP SP2 with KB914882.