3 Replies Latest reply on Oct 2, 2011 1:24 AM by tpurtell

    mfehidk.sys BSODs when "shadow file object" mini-filter drivers are present

I have a simple minifilter which attaches at a very low altitude and creates virtual file objects which are passed back up the filter driver stack. The driver uses the FsContext2 pointer to store a piece of data. McAfee's mfehidk.sys driver, which is part of Total Protection, appears to pass the virtual file object directly to the NTFS driver, which causes a crash. This is incorrect behavior because it should be passing the request to the owner of the file object, which in this case would be the filter manager. If I modify this component to put a NULL value into the FsContext2 pointer, then McAfee does not crash. Presumably, this means that it is checking for a valid value in the FsContext2 field and assuming that a non-null value implies that it is a real FILE_OBJECT from NTFS.

In any case, I attached a minidump showing the crash.


    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: cab1e034, memory referenced.  (this is a special dummy address (0xcab1e000) placed in FsContext2 of a shadow file object created by a mini-filter to detect components which violate the filter driver stacking rules)
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 86c3e82b, If non-zero, the instruction address which referenced the bad memory
              address.
    Arg4: 00000002, (reserved)

    Debugging Details:
    ------------------
    READ_ADDRESS:  cab1e034

    FAULTING_IP:
    Ntfs!NtfsDecodeFileObject+6e
    86c3e82b 0fb64034        movzx   eax,byte ptr [eax+34h]

    MM_INTERNAL_CODE:  2
    IMAGE_NAME:  mfeavfk.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  4e3ae819
    MODULE_NAME: mfeavfk
    FAULTING_MODULE: 86c31000 Ntfs
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0x50

    PROCESS_NAME:  mfevtps.exe

    CURRENT_IRQL:  2

    TRAP_FRAME:  9136f3f4 -- (.trap 0xffffffff9136f3f4)
    ErrCode = 00000000
    eax=cab1e000 ebx=00000000 ecx=84d7b0d8 edx=102a1001 esi=925ec000 edi=00000000
    eip=86c3e82b esp=9136f468 ebp=9136f46c iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210286
    Ntfs!NtfsDecodeFileObject+0x6e:
    86c3e82b 0fb64034        movzx   eax,byte ptr [eax+34h]     ds:0023:cab1e034=??
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from 828efe71 to 8287e394

    STACK_TEXT:
    9136ef3c 828efe71 00000003 9ec821aa 00000065 nt!RtlpBreakWithStatusInstruction
    9136ef8c 828f096d 00000003 00003ff8 cab1e034 nt!KiBugCheckDebugBreak+0x1c
    9136f350 828988e3 00000050 cab1e034 00000000 nt!KeBugCheck2+0x68b
    9136f3dc 828595f8 00000000 cab1e034 00000000 nt!MmAccessFault+0x106
    9136f3dc 86c3e82b 00000000 cab1e034 00000000 nt!KiTrap0E+0xdc
    9136f46c 86cc8ef1 9136f55c 8209ea30 9136f4ac Ntfs!NtfsDecodeFileObject+0x6e
    9136f4e4 86ccea4d 9136f55c 820ad008 17f00c77 Ntfs!NtfsCommonQueryInformation+0x56
    9136f548 86cdcd53 9136f55c 820ad008 00000001 Ntfs!NtfsFsdDispatchSwitch+0x17b
    9136f67c 8284f4bc 84d7b020 820ad008 925ec000 Ntfs!NtfsFsdDispatchWait+0x1c
    9136f694 8dba1365 820f0938 00000000 836f9154 nt!IofCallDriver+0x63
    WARNING: Stack unwind information not available. Following frames may be wrong.
    9136f6c4 8dba1a8b 84d7b020 820ad198 9136f710 mfeavfk+0x17365
    9136f8c4 836cefa9 f0000001 0000006a 820daed8 mfeavfk+0x17a8b
    9136f9d0 836d4b6a 820daed8 820d94f0 00000001 mfehidk+0x2ffa9
    9136f9f0 836c38e9 820daed8 820d94f0 00000001 mfehidk+0x35b6a
    9136fa30 836d3a6f 00000001 820d937c 84cede00 mfehidk+0x248e9
    9136fa7c 836a64eb 820d937c 00000000 00000000 mfehidk+0x34a6f
    9136fa9c 836a6c8d 00000200 00000000 0000077c mfehidk+0x74eb
    9136fbc0 836ec700 820f3e00 00000001 00000000 mfehidk+0x7c8d
    9136fc28 82a6d8f7 000f3e00 00000001 00000000 mfehidk+0x4d700
    9136fcd0 82a704ac 84ced030 00000000 00000000 nt!IopXxxControlFile+0x2d0
    9136fd04 8285642a 00000084 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    9136fd04 777d64f4 00000084 00000000 00000000 nt!KiFastCallEntry+0x12a
    0031f97c 777d4cac 75b9a08f 00000084 00000000 ntdll!KiFastSystemCallRet
    0031f980 75b9a08f 00000084 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
    0031f9e0 7755ec25 00000084 00422800 00000000 KERNELBASE!DeviceIoControl+0xf6
    0031fa0c 001e23c4 00000084 00422800 00000000 kernel32!DeviceIoControlImplementation+0x80
    0031fa44 001e272a 00000001 0058ce20 0031fa70 mfevtps+0x23c4
    0031fa64 762e75a8 00000001 0058ce20 00000000 mfevtps+0x272a
    0031fa78 77561174 0058ce10 0031fac4 777eb3f5 sechost!ScSvcctrlThreadA+0x21
    0031fa84 777eb3f5 0058ce10 77b7d10a 00000000 kernel32!BaseThreadInitThunk+0xe
    0031fac4 777eb3c8 762e7587 0058ce10 00000000 ntdll!__RtlUserThreadStart+0x70
    0031fadc 00000000 762e7587 0058ce10 00000000 ntdll!_RtlUserThreadStart+0x1b

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    mfeavfk+17365
    8dba1365 3d03010000      cmp     eax,103h

    SYMBOL_STACK_INDEX:  a
    SYMBOL_NAME:  mfeavfk+17365
    FOLLOWUP_NAME:  MachineOwner
    FAILURE_BUCKET_ID:  0x50_mfeavfk+17365
    BUCKET_ID:  0x50_mfeavfk+17365
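Added illustration, not part of the original post and not code from the poster, McAfee or Microsoft: a user-mode C model of the stacking rule the post is about. A shadow file object carries a sentinel in FsContext2 (mirroring the 0xcab1e000 dummy from the dump) and is owned by the filter manager layer. When an IRP is forwarded down the stack through the next-lower device, the owner translates the shadow object to the real one before the base file system sees it. When a filter instead sends the IRP straight to the base file system, the model's base layer refuses the foreign file object by checking ownership before touching FsContext2; that ownership check is an assumption of this model, since the post does not describe how NTFS validates, and real NTFS evidently dereferences the pointer. All type and function names (file_object, filter_manager_dispatch, run_query, and so on) are hypothetical.

```c
/* Added example, not from the original post: a user-mode model of a
 * file-system filter stack. Names are hypothetical; nothing here is the real
 * Windows, NTFS, filter-manager or McAfee code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sentinel mirroring the post's dummy FsContext2 page. No layer
 * other than the owning filter is allowed to dereference it. */
#define SHADOW_SENTINEL ((void *)(uintptr_t)0xcab1e000u)

#define STATUS_SUCCESS                 0
#define STATUS_INVALID_DEVICE_REQUEST  (-1)

struct device_object;

/* Minimal file object: owning device, per-file-system contexts, and (for a
 * shadow object only) the real object it fronts. */
struct file_object {
    struct device_object *device;
    void *fs_context;
    void *fs_context2;
    struct file_object *backing;
};

struct irp {
    struct file_object *fo;
    int status;
    const char *handled_by;   /* which layer completed the request */
};

typedef int (*dispatch_fn)(struct device_object *self, struct irp *irp);

struct device_object {
    const char *name;
    dispatch_fn dispatch;
    struct device_object *lower;   /* next device down the stack, or NULL */
};

/* What the base file system expects to find behind fs_context2. */
struct base_ccb { uint8_t type; uint8_t flags; };

static int io_call_driver(struct device_object *dev, struct irp *irp)
{
    return dev->dispatch(dev, irp);
}

/* Base file system (stands in for NTFS). The ownership check is a modelling
 * assumption: it refuses a file object it did not create instead of reading
 * through its fs_context2. */
static int base_fs_dispatch(struct device_object *self, struct irp *irp)
{
    struct file_object *fo = irp->fo;
    irp->handled_by = self->name;
    if (fo->device != self || fo->fs_context2 == SHADOW_SENTINEL) {
        irp->status = STATUS_INVALID_DEVICE_REQUEST;
        return irp->status;
    }
    struct base_ccb *ccb = (struct base_ccb *)fo->fs_context2;
    irp->status = (ccb->type == 1) ? STATUS_SUCCESS : STATUS_INVALID_DEVICE_REQUEST;
    return irp->status;
}

/* Owner of shadow file objects: swaps in the backing object, then forwards. */
static int filter_manager_dispatch(struct device_object *self, struct irp *irp)
{
    if (irp->fo->device == self && irp->fo->fs_context2 == SHADOW_SENTINEL)
        irp->fo = irp->fo->backing;
    return io_call_driver(self->lower, irp);
}

/* Well-behaved filter: forwards to the device it attached to. */
static int good_filter_dispatch(struct device_object *self, struct irp *irp)
{
    return io_call_driver(self->lower, irp);
}

/* Misbehaving filter, modelling the post's complaint: it bypasses the layers
 * below it and sends the IRP straight to the base file system. */
static struct device_object *g_base_fs;
static int bad_filter_dispatch(struct device_object *self, struct irp *irp)
{
    (void)self;
    return io_call_driver(g_base_fs, irp);
}

/* Build filter -> filter manager -> base FS, push one query for a shadow file
 * object through it, and report the resulting status and completing layer. */
int run_query(int use_bad_filter, const char **handled_by)
{
    static struct base_ccb ccb = { 1, 0 };
    struct device_object base   = { "base_fs", base_fs_dispatch, NULL };
    struct device_object fltmgr = { "fltmgr", filter_manager_dispatch, &base };
    struct device_object top    = { "filter",
        use_bad_filter ? bad_filter_dispatch : good_filter_dispatch, &fltmgr };
    g_base_fs = &base;

    struct file_object real   = { &base, NULL, &ccb, NULL };
    struct file_object shadow = { &fltmgr, NULL, SHADOW_SENTINEL, &real };
    struct irp irp = { &shadow, 0, "" };

    int status = io_call_driver(&top, &irp);
    if (handled_by) *handled_by = irp.handled_by;
    return status;
}

int main(void)
{
    const char *who;
    printf("stack-respecting filter: status %d\n", run_query(0, &who));
    printf("stack-bypassing filter:  status %d (refused by %s)\n",
           run_query(1, &who), who);
    return 0;
}
```

Run stand-alone, the first query succeeds because the filter manager replaces the shadow object with its backing object before the base file system decodes it; the second is refused by the base layer because the shadow object never passed through its owner. In the real crash above there is no such refusal: the base file system trusts FsContext2 and faults on the sentinel page, which is exactly why the dummy address was chosen as a way to surface stack-bypassing components in a crash dump rather than as silent corruption.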