How to get a file name safely and compare it in a Windows minifilter driver

Hello, I'm new at filter driver writing, so I apologize for the basic question. I'm trying to get the file name in the pre-read function and check whether it equals a given file name, so I can apply logic according to that info.

This is the function:
```c
FLT_PREOP_CALLBACK_STATUS
SwapPreReadBuffers(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;
    FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
    PVOID newBuf = NULL;
    PMDL newMdl = NULL;
    PVOLUME_CONTEXT volCtx = NULL;
    PPRE_2_POST_CONTEXT p2pCtx;
    NTSTATUS status;
    ULONG readLen = iopb->Parameters.Read.Length;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING file_name;

    //
    // Skip IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO and
    // TopLevelIrp.
    //
    if ((Data->Iopb->IrpFlags & IRP_PAGING_IO) ||
        (Data->Iopb->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ||
        IoGetTopLevelIrp()) {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    RtlInitUnicodeString(&file_name, L"my_file.txt");

    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[-] SwapPreReadBuffers couldn't extract %wZ info\n",
                 Data->Iopb->TargetFileObject->FileName);
    }

    status = FltParseFileNameInformation(nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[-] SwapPreReadBuffers couldn't parse %wZ info\n",
                 Data->Iopb->TargetFileObject->FileName);
    }

    DbgPrint("[+] parse gets me name: %wZ extension: %wZ parentdir: %wZ volume: %wZ\n",
             nameInfo->Name, nameInfo->Extension, nameInfo->ParentDir, nameInfo->Volume);

    if (RtlPrefixUnicodeString(&file_name, &nameInfo->Name, TRUE)) /* here I'm getting the blue screen */
    {
        DbgPrint("[***] SwapPreReadBuffers @ call that's related to our file %wZ\n",
                 Data->Iopb->TargetFileObject->FileName);
    }

    /* rest of the code */
}
```
My problem is that I'm getting a blue screen when I try to check whether the file name equals the wanted file name. Why does the driver blue screen here?

Thanks, Pit

Edit:

I updated the code to this:
```c
FLT_PREOP_CALLBACK_STATUS
SwapPreReadBuffers(
    _Inout_ PFLT_CALLBACK_DATA Data,
    _In_ PCFLT_RELATED_OBJECTS FltObjects,
    _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
    )
{
    PFLT_IO_PARAMETER_BLOCK iopb = Data->Iopb;
    FLT_PREOP_CALLBACK_STATUS retValue = FLT_PREOP_SUCCESS_NO_CALLBACK;
    PVOID newBuf = NULL;
    PMDL newMdl = NULL;
    PVOLUME_CONTEXT volCtx = NULL;
    NTSTATUS cbStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
    PPRE_2_POST_CONTEXT p2pCtx;
    NTSTATUS status;
    ULONG readLen = iopb->Parameters.Read.Length;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    UNICODE_STRING file_name;
    // Note: `extention` (a UNICODE_STRING) is used below but is not declared in this snippet.

    //
    // Skip IRP_PAGING_IO, IRP_SYNCHRONOUS_PAGING_IO and
    // TopLevelIrp.
    //
    if ((Data->Iopb->IrpFlags & IRP_PAGING_IO) ||
        (Data->Iopb->IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) ||
        IoGetTopLevelIrp()) {
        DbgPrint("[-] SwapPreReadBuffers out, call not for us\n");
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    status = FltGetFileNameInformation(Data,
                                       FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                       &nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[-] SwapPreReadBuffers couldn't extract info\n");
        goto PreReadCleanup;
    }

    status = FltParseFileNameInformation(nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[-] SwapPreReadBuffers couldn't parse info\n");
        goto PreReadCleanup;
    }

    if (NULL == nameInfo) {
        DbgPrint("[---] name info actually 0\n");
    } else {
        DbgPrint("[*] address of name %x:%x, address of extension %x:%x -> buffers are: name %x, extension: %x\n"
                 "size of info %d size of extension %d\n",
                 nameInfo->Extension, &nameInfo->Extension, extention, &extention,
                 nameInfo->Extension.Buffer, extention.Buffer,
                 nameInfo->Extension.Length, extention.Length);
    }

    if (0 == RtlCompareUnicodeString(&extention, &nameInfo->Extension, TRUE)) {
        DbgPrint("[***] SwapPreReadBuffers @ call that's related to our file %wZ\n",
                 &Data->Iopb->TargetFileObject->FileName);
        DbgPrint("[+] pass parse\n");
        DbgPrint("[+] parse gets me name: %wZ\n extension: %wZ\n parentdir: %wZ\n volume: %wZ\n",
                 &nameInfo->Name, &nameInfo->Extension,
                 &nameInfo->ParentDir, &nameInfo->Volume);
    } else {
        DbgPrint("[*] pass comparison check\n");
        goto PreReadCleanup;
    }

    //
    // Clean up
    //
PreReadCleanup:
    if (nameInfo) {
        FltReleaseFileNameInformation(nameInfo);
    }
    return retValue;
}
```
And again I got a blue screen. I analyzed the crash dump:
```text
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 994af2a4, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82a72a17, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from 829a5718
Unable to read MiSystemVaType memory at 829851a0
 994af2a4

FAULTING_IP:
nt!RtlCompareUnicodeStrings+3c
82a72a17 0fb706          movzx   eax,word ptr [esi]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  cmd.exe

CURRENT_IRQL:  0

TRAP_FRAME:  a72b7974 -- (.trap 0xffffffffa72b7974)
ErrCode = 00000000
eax=00000003 ebx=994af2aa ecx=8da2064c edx=000000bf esi=994af2a4 edi=137f5b5e
eip=82a72a17 esp=a72b79e8 ebp=a72b79f4 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!RtlCompareUnicodeStrings+0x3c:
82a72a17 0fb706          movzx   eax,word ptr [esi]       ds:0023:994af2a4=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8287c3d8 to 828c941b

STACK_TEXT:
a72b795c 8287c3d8 00000000 994af2a4 00000000 nt!MmAccessFault+0x106
a72b795c 82a72a17 00000000 994af2a4 00000000 nt!KiTrap0E+0xdc
a72b79f4 82a72b0f 994af2aa 00000003 acca4e02 nt!RtlCompareUnicodeStrings+0x3c
a72b7a10 994a9105 994ad090 acca4d6c 00000001 nt!RtlCompareUnicodeString+0x25
WARNING: Stack unwind information not available. Following frames may be wrong.
a72b7a6c 8b756aeb 87587068 a72b7a8c a72b7ab8 mydriver2+0x1105
a72b7ad8 8b7599f0 a72b7b2c 87435e48 00000000 fltmgr!FltpPerformPreCallbacks+0x34d
a72b7af0 8b759f01 a72b7b2c 00000000 862ff240 fltmgr!FltpPassThroughInternal+0x40
a72b7b14 8b75a3ba 032b7b00 862ff240 00000000 fltmgr!FltpPassThrough+0x203
a72b7b44 82872593 862ff240 87435e48 87435e48 fltmgr!FltpDispatch+0xb4
a72b7b5c 82a6699f 87435e48 87435fd8 87590d98 nt!IofCallDriver+0x63
a72b7b7c 82a9f2da 862ff240 87590d98 00000001 nt!IopSynchronousServiceTail+0x1f8
a72b7c08 828791ea 862ff240 87435e48 00000000 nt!NtReadFile+0x644
a72b7c08 773e70b4 862ff240 87435e48 00000000 nt!KiFastCallEntry+0x12a
0013f014 00000000 00000000 00000000 00000000 0x773e70b4

STACK_COMMAND:  kb

FOLLOWUP_IP:
mydriver2+1105
994a9105 ??              ???

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  mydriver2+1105

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mydriver2

IMAGE_NAME:  mydriver2.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  597b0358

FAILURE_BUCKET_ID:  0x50_mydriver2+1105

BUCKET_ID:  0x50_mydriver2+1105

Followup: MachineOwner
---------
```
So the crash is indeed in the RtlCompareUnicodeString function (or, in the earlier version, in the prefix function). I have no idea why it crashes there; everything else worked OK.
Your bug is not in the call `RtlPrefixUnicodeString(&file_name, &nameInfo->Name, TRUE)` - this is OK. The bug is in the previous line:

```c
DbgPrint("[+] parse gets me name: %wZ extension: %wZ parentdir: %wZ volume: %wZ\n",
         nameInfo->Name, nameInfo->Extension, nameInfo->ParentDir, nameInfo->Volume);
```

The `%wZ` format requires a pointer to a `UNICODE_STRING` - it must be:

```c
DbgPrint("[+] parse gets me name: %wZ extension: %wZ parentdir: %wZ volume: %wZ\n",
         &nameInfo->Name, &nameInfo->Extension, &nameInfo->ParentDir, &nameInfo->Volume);
```

Also, if `FltGetFileNameInformation` fails, you must not use `nameInfo` after that (it is 0 or undefined). This is not handled in your code.

And swapping buffers is only needed when `Data->Iopb->IrpFlags & IRP_NOCACHE` - i.e. when the data is really read from or written to storage.
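The two points in the answer (a counted `UNICODE_STRING` must be handed to the formatter and the comparison routines by pointer, and `nameInfo` must not be touched when the lookup failed) can be seen outside the kernel. The following is an added user-mode model written for this page; it is not code from the question, the answer, or the WDK. The `UNICODE_STRING` and name-information structs, the `STATUS_*` values and every `ustr_*`/`parse_name`/`is_target_file` function are stand-ins that are assumed to mirror only the properties that matter here: `Length` is in bytes, `Buffer` is not NUL-terminated, and the parsed `Name` is the whole normalized path, so a bare file name is compared against the final component rather than used as a prefix of `Name`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed user-mode stand-ins for the kernel types in the question (not the
 * WDK headers). UNICODE_STRING is a counted UTF-16 string: Length and
 * MaximumLength are in BYTES and Buffer is NOT NUL-terminated. On 32-bit x86
 * the struct is 8 bytes while %wZ consumes one pointer, which is why passing
 * it by value to DbgPrint hands the formatter garbage. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;        /* bytes in use */
    uint16_t MaximumLength; /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Stand-in for the parsed part of FLT_FILE_NAME_INFORMATION: every field is a
 * counted view into the single Name buffer; nothing is copied. */
typedef struct {
    UNICODE_STRING Name;           /* whole normalized path */
    UNICODE_STRING FinalComponent; /* text after the last '\' */
    UNICODE_STRING Extension;      /* text after the last '.', without the dot */
} NAME_INFO;

#define STATUS_SUCCESS      0
#define STATUS_UNSUCCESSFUL (-1)
#define NT_SUCCESS(s)       ((s) >= 0)

static size_t ustr_chars(const UNICODE_STRING *s) { return s->Length / sizeof(WCHAR); }
static WCHAR  upcase(WCHAR c) { return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 'a' + 'A') : c; }

/* Stand-in for RtlInitUnicodeString: widen an ASCII literal into `storage`
 * (cap = number of WCHARs available there). */
static void ustr_init(UNICODE_STRING *us, WCHAR *storage, size_t cap, const char *ascii)
{
    size_t n = strlen(ascii);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) storage[i] = (WCHAR)(unsigned char)ascii[i];
    us->Buffer = storage;
    us->Length = (uint16_t)(n * sizeof(WCHAR));
    us->MaximumLength = (uint16_t)(cap * sizeof(WCHAR));
}

/* Stand-in for RtlEqualUnicodeString(a, b, CaseInSensitive = TRUE): walks
 * exactly Length bytes of each side and never searches for a terminator. */
static bool ustr_equal_ci(const UNICODE_STRING *a, const UNICODE_STRING *b)
{
    if (a->Length != b->Length) return false;
    for (size_t i = 0; i < ustr_chars(a); i++)
        if (upcase(a->Buffer[i]) != upcase(b->Buffer[i])) return false;
    return true;
}

/* Stand-in for FltParseFileNameInformation: carve FinalComponent and
 * Extension out of Name. A '\' resets the dot search, so a dotted directory
 * name does not yield a bogus extension. */
static void parse_name(NAME_INFO *info)
{
    size_t n = ustr_chars(&info->Name), slash = 0, dot = n;
    for (size_t i = 0; i < n; i++) {
        if (info->Name.Buffer[i] == '\\') { slash = i + 1; dot = n; }
        else if (info->Name.Buffer[i] == '.') dot = i;
    }
    size_t ext = (dot < n) ? dot + 1 : n;
    info->FinalComponent.Buffer = info->Name.Buffer + slash;
    info->FinalComponent.Length = info->FinalComponent.MaximumLength = (uint16_t)((n - slash) * sizeof(WCHAR));
    info->Extension.Buffer = info->Name.Buffer + ext;
    info->Extension.Length = info->Extension.MaximumLength = (uint16_t)((n - ext) * sizeof(WCHAR));
}

/* The decision the pre-read callback should make. `status`/`info` model what
 * FltGetFileNameInformation produced; on failure `info` is never touched. */
static bool is_target_file(int status, const NAME_INFO *info, const UNICODE_STRING *want)
{
    if (!NT_SUCCESS(status) || info == NULL) return false;
    return ustr_equal_ci(&info->FinalComponent, want);
}

/* Helpers that build everything from ASCII literals (constructed inputs). */
static bool name_matches(int status, const char *path, const char *want_name)
{
    WCHAR pbuf[128], wbuf[32]; NAME_INFO info; UNICODE_STRING want;
    ustr_init(&info.Name, pbuf, 128, path);
    parse_name(&info);
    ustr_init(&want, wbuf, 32, want_name);
    return is_target_file(status, NT_SUCCESS(status) ? &info : NULL, &want);
}

static bool extension_is(const char *path, const char *ext)
{
    WCHAR pbuf[128], ebuf[16]; NAME_INFO info; UNICODE_STRING want;
    ustr_init(&info.Name, pbuf, 128, path);
    parse_name(&info);
    ustr_init(&want, ebuf, 16, ext);
    return ustr_equal_ci(&info.Extension, &want);
}

int main(void)
{
    /* Constructed path in the normalized (\Device\...) form a filter sees. */
    const char *p = "\\Device\\HarddiskVolume1\\Users\\pit\\MY_FILE.txt";
    printf("match: %d\n", name_matches(STATUS_SUCCESS, p, "my_file.txt"));          /* 1 */
    printf("on failure: %d\n", name_matches(STATUS_UNSUCCESSFUL, p, "my_file.txt")); /* 0 */
    printf("ext txt: %d\n", extension_is(p, "TXT"));                                 /* 1 */
    return 0;
}
```

The model keeps the kernel API's shape on purpose: every routine takes `const UNICODE_STRING *`, and the only way to get the struct's contents is through its `Length`, so the "struct by value" mistake cannot be expressed against it. It also shows why the question's first attempt could never succeed even without the crash: `Name` is the whole `\Device\...` path, so `my_file.txt` is not a prefix of it.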