Bellow are the relevant code snippets:
FLT_PREOP_CALLBACK_STATUS
naGuardPreOperation(
Inout PFLT_CALLBACK_DATA Data,
In PCFLT_RELATED_OBJECTS FltObjects,
Flt_CompletionContext_Outptr PVOID *CompletionContext
)
{
…
PNAGUARD_FMESSAGE msg = ExAllocatePoolWithTag(NonPagedPool, sizeof(NAGUARD_FMESSAGE), ‘tfaN’);
…
msg->preop_entropy = calculateEntropy(FltObjects, volumeProps.SectorSize);
…
}
float calculateEntropy(PCFLT_RELATED_OBJECTS FltObjects, USHORT SectorSize)
{
NTSTATUS status;
LARGE_INTEGER offset;
ULONG bytesRead = 0;
offset.QuadPart = bytesRead = 0;
ULONG file_size = max(SectorSize, FltObjects->FileObject->Size);
PVOID buffer = FltAllocatePoolAlignedWithTag(FltObjects->Instance, NonPagedPool, file_size, ‘teaN’);
if (buffer == NULL)
return 0;
status = FltReadFile(FltObjects->Instance, FltObjects->FileObject, &offset, file_size, buffer,
FLTFL_IO_OPERATION_NON_CACHED |
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
&bytesRead,
NULL,
NULL);
float entropy = 0;
float p = 0;
ULONG i;
ULONG hist[256] = { 0 };
for (i = 0; i < file_size; i++)
{
hist[((CHAR*)buffer)[i]]++;
}
for (i = 0; i < 256; i++) {
p = (float)(hist[i]) / (float)(file_size);
if (p > 0)
entropy = entropy - p * logf(p);
}
ExFreePoolWithTag(buffer, ‘teaN’);
return entropy / 8;
}
Getting BSOD [BAD POOL CALLER]
Bellow is !analyze -v from WinDbg
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000099, Attempt to free pool with invalid address (or corruption in pool header)
Arg2: ffff988918800ba1, Address being freed
Arg3: 0000000000000000, 0
Arg4: 0000000000000000, 0
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834
DUMP_TYPE: 0
BUGCHECK_P1: 99
BUGCHECK_P2: ffff988918800ba1
BUGCHECK_P3: 0
BUGCHECK_P4: 0
FAULTING_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]
BUGCHECK_STR: 0xc2_99
CPU_COUNT: 4
CPU_MHZ: a98
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BA’00000000 (cache) BA’00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: MsMpEng.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: NAFTALY-M5510
ANALYSIS_SESSION_TIME: 12-11-2017 20:36:01.0163
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
LAST_CONTROL_TRANSFER: from fffff800b6a79262 to fffff800b69edff0
STACK_TEXT:
ffffe68092992788 fffff800
b6a79262 : 0000000000000099 00000000
000000c2 ffffe680929928f0 fffff800
b694f6c0 : nt!DbgBreakPointWithStatus
ffffe68092992790 fffff800
b6a78b12 : 0000000000000003 ffffe680
929928f0 fffff800b6b2a610 00000000
000000c2 : nt!KiBugCheckDebugBreak+0x12
ffffe680929927f0 fffff800
b69e8687 : ffffe68092993001 ffff9889
175c8850 ffff988918800ba1 fffff80f
1aa6dea7 : nt!KeBugCheck2+0x922
ffffe68092992f00 fffff800
b6fe803f : 00000000000000c2 00000000
00000099 ffff988918800ba1 00000000
00000000 : nt!KeBugCheckEx+0x107
ffffe68092992f40 fffff800
b6a93b5d : ffffe6808e842a05 fffff800
b6afb4b0 0000000000000001 fffff800
00000200 : nt!VerifierBugCheckIfAppropriate+0x6b
ffffe68092992f80 fffff800
b6afd035 : 0000000000000020 ffffe680
92993059 ffff988918800b91 00000000
000007ff : nt!VerifierFreeTrackedPool+0x41
ffffe68092992fc0 fffff800
b5f4121b : ffff9889176a2c00 3fe00000
00000000 0000000000000000 ffff988a
00000000 : nt!ExFreePoolWithTag+0x1015
ffffe680929930c0 fffff800
b5f415d3 : ffffe680929936b0 ffffe680
92990200 ffff9889176a2b80 ffff9889
1707aa70 : naGuard!calculateEntropy+0x21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
ffffe68092993560 fffff80f
1aa64b4c : ffff9889176a2c60 ffffe680
929936b0 ffffe68092993690 ffff9889
176a2b80 : naGuard!naGuardPreOperation+0x223 [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 111]
ffffe68092993620 fffff80f
1aa646ec : ffffe68092993810 ffff9889
148f3900 0000000000000000 ffff9889
17792003 : FLTMGR!FltpPerformPreCallbacks+0x2ec
ffffe68092993740 fffff80f
1aa636d8 : 0000000000000000 ffffe680
92993810 ffff988917792010 ffffe680
92993820 : FLTMGR!FltpPassThroughInternal+0x8c
ffffe68092993770 fffff80f
1aa634be : ffff9889176a2b80 ffff9889
15e27c00 ffffe680929938a0 fffff80f
1aa6333f : FLTMGR!FltpPassThrough+0x168
ffffe680929937f0 fffff800
b6d119af : ffff988915e27c30 ffff9889
17792010 ffff988917792440 ffffe680
92993b00 : FLTMGR!FltpDispatch+0x9e
ffffe68092993850 fffff800
b6d10719 : ffff988900000001 ffff9889
15e27c04 ffff988915e27c80 ffffe680
92993b00 : nt!IopSynchronousServiceTail+0x1af
ffffe68092993910 fffff800
b69f3413 : 0000000000000b68 00000000
00000000 0000000000000000 00000000
00000000 : nt!NtReadFile+0x6a9
ffffe68092993a10 00007ffb
471f5464 : 00007ffb437dec66 000000c3
078ff1b0 0000000000000001 00000000
0000000e : nt!KiSystemServiceCopyEnd+0x13
000000c3078ff0a8 00007ffb
437dec66 : 000000c3078ff1b0 00000000
00000001 000000000000000e 00000000
00000028 : ntdll!NtReadFile+0x14
000000c3078ff0b0 00007ffb
33307283 : 0000000000000000 00000000
00000000 ffffffffffffffff 000000c3
078ff1e8 : KERNELBASE!ReadFile+0x76
000000c3078ff130 00000000
00000000 : 0000000000000000 ffffffff
ffffffff 000000c3078ff1e8 00000000
00000000 : mpengine!GetSigFiles+0x29913
THREAD_SHA1_HASH_MOD_FUNC: be871fd0a7f7d1e582e97747678f92c144eb81fb
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 26d74e95b55e3167b7aa9ed920d02c28405c093a
THREAD_SHA1_HASH_MOD: 559f42971c8b885fad7940b4cb5a8d07a0d44740
FOLLOWUP_IP:
naGuard!calculateEntropy+21b [c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c @ 51]
fffff800`b5f4121b f30f10442460 movss xmm0,dword ptr [rsp+60h]
FAULT_INSTR_CODE: 44100ff3
FAULTING_SOURCE_LINE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c
FAULTING_SOURCE_FILE: c:\users\naftaly avadiaev\source\repos\naguard\naguard\callbacks.c
FAULTING_SOURCE_LINE_NUMBER: 51
FAULTING_SOURCE_CODE:
47: entropy = entropy - p * logf(p);
48: }
49:
50: ExFreePoolWithTag(buffer, ‘teaN’);
51: return entropy / 8;
52: }
53:
54:
55: /*************************************************************************
56: MiniFilter callback routines.
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: naGuard!calculateEntropy+21b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: naGuard
IMAGE_NAME: naGuard.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5a2ecddd
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 21b
FAILURE_BUCKET_ID: 0xc2_99_naGuard!calculateEntropy
BUCKET_ID: 0xc2_99_naGuard!calculateEntropy
PRIMARY_PROBLEM_CLASS: 0xc2_99_naGuard!calculateEntropy
TARGET_TIME: 2017-12-11T18:33:56.000Z
OSBUILD: 15063
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-11-01 20:21:12
BUILDDATESTAMP_STR: 170317-1834
BUILDLAB_STR: rs2_release
BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834
ANALYSIS_SESSION_ELAPSED_TIME: e59
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xc2_99_naguard!calculateentropy
FAILURE_ID_HASH: {b4ca49f3-9785-1e01-fbc7-7d51102f2580}