how to get file name safetly and compare it in windows minifilter driver -


hello i'm new @ filterdriver writing i'm apologizing basic question , try file name pre read function , check if it's equal file name , logic according info.

this function:

 flt_preop_callback_status swapprereadbuffers(    _inout_ pflt_callback_data data,    _in_ pcflt_related_objects fltobjects,    _flt_completioncontext_outptr_ pvoid *completioncontext   ) {     pflt_io_parameter_block iopb = data->iopb;     flt_preop_callback_status retvalue = flt_preop_success_no_callback;     pvoid newbuf = null;     pmdl newmdl = null;     pvolume_context volctx = null;     ppre_2_post_context p2pctx;     ntstatus status;     ulong readlen = iopb->parameters.read.length;     pflt_file_name_information nameinfo = null;     unicode_string file_name;   //  //  skip irp_paging_io, irp_synchronous_paging_io ,  //  toplevelirp.  //      if ((data->iopb->irpflags & irp_paging_io) ||     (data->iopb->irpflags & irp_synchronous_paging_io) ||      iogettoplevelirp())     {          return flt_preop_success_no_callback;     }      rtlinitunicodestring( & file_name, l"my_file.txt" );      status = fltgetfilenameinformation( data,  flt_file_name_normalized |      flt_file_name_query_default, &nameinfo );     if (!nt_success( status ))      {          dbgprint("[-] swapprereadbuffers couldn't extract %wz info\n",  data->iopb->targetfileobject->filename);     }        status = fltparsefilenameinformation( nameinfo );     if (!nt_success( status ))       {         dbgprint("[-] swapprereadbuffers couldn't pars %wz info\n",  data->iopb->targetfileobject->filename);                  }        dbgprint("[+] pars gets me name: %wz extention:  %wz  perentdir: %wz volume: %wz \n",  nameinfo->name, nameinfo->extension, nameinfo->parentdir, nameinfo->volume);       if (rtlprefixunicodestring( &file_name, &nameinfo->name, true ))        /* here i'm getting blue screen*/      {          dbgprint("[***] swapprereadbuffers @ calles thats related our file %wz \n",  data->iopb->targetfileobject->filename);                      }     /* continue of code*/  } 

my problem getting blue screen when try check if file name equal wanted file name. why driver here blue screen?

thank pit

edit:

i updated code this:

 flt_preop_callback_status swapprereadbuffers(    _inout_ pflt_callback_data data,    _in_ pcflt_related_objects fltobjects,    _flt_completioncontext_outptr_ pvoid *completioncontext   ) {     pflt_io_parameter_block iopb = data->iopb;     flt_preop_callback_status retvalue = flt_preop_success_no_callback;     pvoid newbuf = null;     pmdl newmdl = null;     pvolume_context volctx = null;     ntstatus cbstatus = flt_preop_success_no_callback;     ppre_2_post_context p2pctx;     ntstatus status;     ulong readlen = iopb->parameters.read.length;     pflt_file_name_information nameinfo = null;     unicode_string file_name;   //  //  skip irp_paging_io, irp_synchronous_paging_io ,  //  toplevelirp.  //       if ((data->iopb->irpflags & irp_paging_io) ||     (data->iopb->irpflags & irp_synchronous_paging_io) ||     iogettoplevelirp()) {      dbgprint("[-] swapprereadbuffers out , call not us\n");     return flt_preop_success_no_callback; }   status = fltgetfilenameinformation( data,                                     flt_file_name_normalized                                       | flt_file_name_query_default,                                     &nameinfo ); if (!nt_success( status ))  {     dbgprint("[-] swapprereadbuffers couldn't extract info\n");      goto prereadcleanup; }  status = fltparsefilenameinformation( nameinfo ); if (!nt_success( status ))  {     dbgprint("[-] swapprereadbuffers couldn't pars info\n");      goto prereadcleanup; }   if (null == nameinfo) {     dbgprint("[---] name info actally 0\n"); } else {     dbgprint("[*] address of name %x:%x , address of extansion %x:%x  -> buffers are: name %x  , extension: %x \nsize of info %d size of extension %d\n",nameinfo->extension , &nameinfo->extension, extention, &extention, nameinfo->extension.buffer , extention.buffer ,nameinfo->extension.length , extention.length); }  if ((0 == rtlcompareunicodestring( &extention, &nameinfo->extension, true ))) {      dbgprint("[***] swapprereadbuffers @ calles thats related our file %wz \n",  &data->iopb->targetfileobject->filename);       dbgprint("[+] pass parse\n");      dbgprint("[+] pars gets me name: %wz\n extention:  %wz\n  perentdir: %wz\n volume: %wz\n",  &nameinfo->name, &nameinfo->extension, &nameinfo->parentdir, &nameinfo->volume); } else{      dbgprint("[*] pass compration check\n");       goto prereadcleanup; }  //  //  clean  //  prereadcleanup:     if (nameinfo) {          fltreleasefilenameinformation( nameinfo );     }     return retvalue; } 

and again got blue screen , analized core dump:

    kd>  !analyze -v     *******************************************************************************     *                                                                             *     *                        bugcheck analysis                                    *     *                                                                             *     *******************************************************************************      page_fault_in_nonpaged_area (50)     invalid system memory referenced.  cannot protected try-except,     must protected probe.  typically address plain bad or     pointing @ freed memory.     arguments:     arg1: 994af2a4, memory referenced.     arg2: 00000000, value 0 = read operation, 1 = write operation.     arg3: 82a72a17, if non-zero, instruction address referenced bad memory         address.     arg4: 00000000, (reserved)      debugging details:     ------------------       read_address: getpointerfromaddress: unable read 829a5718     unable read misystemvatype memory @ 829851a0      994af2a4       faulting_ip:      nt!rtlcompareunicodestrings+3c     82a72a17 0fb706          movzx   eax,word ptr [esi]      mm_internal_code:  0      customer_crash_count:  1      default_bucket_id:  win7_driver_fault      bugcheck_str:  0x50      process_name:  cmd.exe      current_irql:  0      trap_frame:  a72b7974 -- (.trap 0xffffffffa72b7974)     errcode = 00000000     eax=00000003 ebx=994af2aa ecx=8da2064c edx=000000bf esi=994af2a4 edi=137f5b5e     eip=82a72a17 esp=a72b79e8 ebp=a72b79f4 iopl=0         nv ei pl nz ac po nc     cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212     nt!rtlcompareunicodestrings+0x3c:     82a72a17 0fb706          movzx   eax,word ptr [esi]       ds:0023:994af2a4=????     resetting default scope      last_control_transfer:  8287c3d8 828c941b      stack_text:       a72b795c 8287c3d8 00000000 994af2a4 00000000 nt!mmaccessfault+0x106     a72b795c 82a72a17 00000000 994af2a4 00000000 nt!kitrap0e+0xdc     a72b79f4 82a72b0f 994af2aa 00000003 acca4e02 nt!rtlcompareunicodestrings+0x3c     a72b7a10 994a9105 994ad090 acca4d6c 00000001 nt!rtlcompareunicodestring+0x25     warning: stack unwind information not available. following frames may wrong.     a72b7a6c 8b756aeb 87587068 a72b7a8c a72b7ab8 mydriver2+0x1105     a72b7ad8 8b7599f0 a72b7b2c 87435e48 00000000 fltmgr!fltpperformprecallbacks+0x34d     a72b7af0 8b759f01 a72b7b2c 00000000 862ff240 fltmgr!fltppassthroughinternal+0x40     a72b7b14 8b75a3ba 032b7b00 862ff240 00000000 fltmgr!fltppassthrough+0x203     a72b7b44 82872593 862ff240 87435e48 87435e48 fltmgr!fltpdispatch+0xb4     a72b7b5c 82a6699f 87435e48 87435fd8 87590d98 nt!iofcalldriver+0x63     a72b7b7c 82a9f2da 862ff240 87590d98 00000001 nt!iopsynchronousservicetail+0x1f8     a72b7c08 828791ea 862ff240 87435e48 00000000 nt!ntreadfile+0x644     a72b7c08 773e70b4 862ff240 87435e48 00000000 nt!kifastcallentry+0x12a     0013f014 00000000 00000000 00000000 00000000 0x773e70b4       stack_command:  kb      followup_ip:      mydriver2+1105     994a9105 ??              ???      symbol_stack_index:  4      symbol_name:  mydriver2+1105      followup_name:  machineowner      module_name: mydriver2      image_name:  mydriver2.sys      debug_flr_image_timestamp:  597b0358      failure_bucket_id:  0x50_mydriver2+1105      bucket_id:  0x50_mydriver2+1105      followup: machineowner     --------- 

so crush indead in rtlcompareunicodestring function (or in prefix version before) have no idea why it's crush there, it's did every thing o.k.

your bug not in call rtlprefixunicodestring( &file_name, &nameinfo->name, true )) - here ok. bug in previous line:

dbgprint("[+] pars gets me name: %wz extention:  %wz  perentdir: %wz volume: %wz \n",   nameinfo->name,  nameinfo->extension,  nameinfo->parentdir,  nameinfo->volume); 

the %wz format require pointer unicode_string - must be

dbgprint("[+] pars gets me name: %wz extention:  %wz  perentdir: %wz volume: %wz \n",   &nameinfo->name,  &nameinfo->extension,  &nameinfo->parentdir,  &nameinfo->volume); 

also if fltgetfilenameinformation fail - must not use nameinfo after (it 0 or undefined). not in code

and swap buffers need when , when data->iopb->irpflags & irp_nocache - when data readed or writed storage


Comments

Popular posts from this blog

php - Vagrant up error - Uncaught Reflection Exception: Class DOMDocument does not exist -

vue.js - Create hooks for automated testing -

Add new key value to json node in java -