This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 6%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Hello everyone! I am trying to develope a commubication between a minifilter-driver and application. In order to make them communicate, I try to use the fonctions fltsendmessages.
I am building my driver on a visual studio and I test my driver and application on a Hyper-V VM wich runs an image of windows 11.
Here u can see the part of my driver code that i Use to call fltsendmessages (flthandle and test_port are well created in an other part and connect value is equal to 1 when the application connects to the driver)
#include "miniflt.h"
#include <windef.h>
#include <wdm.h>
#include <stdio.h>
#include <string.h>
#include <locale.h>
#include <ntstrsafe.h>
#include <stdlib.h>
#include <sys/stat.h>PFLT_FILTER flt_handle;
FLT_OPERATION_REGISTRATION operations[] = {
{
IRP_MJ_CREATE,
0,
MinifltExampleCreatePreRoutine,
MinifltExampleCreatePostRoutine,
NULL
},
{
IRP_MJ_OPERATION_END
}
};FLT_PREOP_CALLBACK_STATUS
MinifltExampleCreatePreRoutine(
Inout PFLT_CALLBACK_DATA data,
In PCFLT_RELATED_OBJECTS flt_object,
Out PVOID* completion_context
)
{
UNREFERENCED_PARAMETER(flt_object);
UNREFERENCED_PARAMETER(completion_context);NTSTATUS status = STATUS_SUCCESS;
PFLT_FILE_NAME_INFORMATION name_info = NULL;status = FltGetFileNameInformation(data,
FLT_FILE_NAME_NORMALIZED
| FLT_FILE_NAME_QUERY_DEFAULT,
&name_info);
if (!NT_SUCCESS(status)) {
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
status = FltParseFileNameInformation(name_info);
if (!NT_SUCCESS(status)) {
FltReleaseFileNameInformation(name_info);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
UNICODE_STRING a;
RtlUnicodeStringInit(&a,L"exe");
BOOLEAN is_exe = RtlEqualUnicodeString(&a, &name_info->Extension, FALSE);
if ((int)is_exe == 1) {
KdPrint(("[miniflt] " FUNCTION " [%u] Start to creat/open a file (%wZ)\n",
PtrToUint(PsGetCurrentProcessId()),
&name_info->FinalComponent));
LARGE_INTEGER Timeout;
Timeout.QuadPart = (LONGLONG)101001000;
char coucou[4] = "abc";
if (connect==1){
status = FltSendMessage(flt_handle, &test_port, &coucou, sizeof(coucou), NULL, 0, &Timeout);
if (!NT_SUCCESS(status)) {
KdPrint(("erreur sending message"));
}
}
}
FltReleaseFileNameInformation(name_info);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
When i launch my minifilter on my VM (and the service), everythings work well until i launch my application, when i launch it everything freeze and i get this error when i debug it with windbg
*** Fatal System Error: 0x00000050
(0xFFFFFFFF800034F0,0x0000000000000000,0xFFFFF8064936B227,0x0000000000000002)Driver at fault:
*** FLTMGR.SYS - Address FFFFF8064936B227 base at FFFFF80649360000, DateStamp 5d6776e4
.
Break instruction exception - code 80000003 (first chance)A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff806`47c203d0 cc int 3
0: kd> !analyze -v
Connected to Windows 10 22000 x64 target at (Wed Aug 3 17:20:26.099 2022 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
.............................................
Loading User Symbols
................................................................
................................................................
................................................................
................................................................
.....................................................
Loading unloaded module list
................
*Bugcheck Analysis **
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffff800034f0, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8064936b227, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)Debugging Details:
KEY_VALUES_STRING: 1
Key : AV.Type Value: Read Key : Analysis.CPU.mSec Value: 11515 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 556487 Key : Analysis.Init.CPU.mSec Value: 16702 Key : Analysis.Init.Elapsed.mSec Value: 375706 Key : Analysis.Memory.CommitPeak.Mb Value: 151 Key : WER.OS.Branch Value: co_release Key : WER.OS.Timestamp Value: 2021-06-04T16:28:00Z Key : WER.OS.Version Value: 10.0.22000.1BUGCHECK_CODE: 50
BUGCHECK_P1: ffffffff800034f0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8064936b227
BUGCHECK_P4: 2
READ_ADDRESS: ffffffff800034f0
MM_INTERNAL_CODE: 2
FAULTING_MODULE: fffff80649360000 FLTMGR
PROCESS_NAME: explorer.exe
TRAP_FRAME: ffffd18b7ef16de0 -- (.trap 0xffffd18b7ef16de0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffae0ac0306f5b rbx=0000000000000000 rcx=ffffffff800034e8
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064936b227 rsp=ffffd18b7ef16f70 rbp=ffffd18b7ef171f9
r8=0000000000000002 r9=0000000000000000 r10=fffff80647aee860
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
FLTMGR!FltSendMessage+0xc7:
fffff8064936b227 488b7108 mov rsi,qword ptr [rcx+8] ds:ffffffff800034f0=????????????????
Resetting default scopeSTACK_TEXT:
ffffd18b7ef16328 fffff80647d63462 : ffffd18b7ef16490 fffff80647b5c710 fffff8064324e180 0000000000000000 : nt!DbgBreakPointWithStatus
ffffd18b7ef16330 fffff80647d62ca1 : fffff80600000003 ffffd18b7ef16490 fffff80647c2d960 ffffd18b7ef16a40 : nt!KiBugCheckDebugBreak+0x12
ffffd18b7ef16390 fffff80647c17e07 : 0000000000000000 0000000000000000 ffffffff800034f0 0000000000000000 : nt!KeBugCheck2+0xa71
ffffd18b7ef16b00 fffff80647c97663 : 0000000000000050 ffffffff800034f0 0000000000000000 ffffd18b7ef16de0 : nt!KeBugCheckEx+0x107
ffffd18b7ef16b40 fffff80647a75cf6 : 0000000000000000 0000000000000000 ffffd18b7ef16d40 0000000000000000 : nt!MiSystemFault+0x1d3433
ffffd18b7ef16c40 fffff80647c268f5 : 0000000000000000 0000000000000000 0000000000000000 00001f8001000000 : nt!MmAccessFault+0x2a6
ffffd18b7ef16de0 fffff8064936b227 : ffffd18b7ef171f9 0000000000000000 fffff806690030c8 ffffae0abea86010 : nt!KiPageFault+0x335
ffffd18b7ef16f70 fffff80669001422 : ffffae0ac0306cb0 0000000000000008 ffffd18b7ef17108 0000000000000008 : FLTMGR!FltSendMessage+0xc7
ffffd18b7ef170c0 fffff80649366f74 : ffffae0ac3ec2b88 ffffd18b7ef171e0 ffffd18b7ef171b8 ffffd18b7ef171f9 : minifilter64!MinifltExampleCreatePreRoutine+0x192 [C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c @ 69]
ffffd18b7ef17150 fffff80649366a26 : ffffd18b7ef172f0 fffff80649368800 0000000000000000 fffff80647e96c00 : FLTMGR!FltpPerformPreCallbacksWorker+0x374
ffffd18b7ef17260 fffff8064939dac0 : ffffd18b7ef18000 ffffd18b7ef12000 ffffae0abea53cd0 fffff80647ea7f0b : FLTMGR!FltpPassThroughInternal+0xc6
ffffd18b7ef172b0 fffff80647a504a5 : 0000000000000000 ffffae0abea4c8a0 0000000000000000 0000000000000000 : FLTMGR!FltpCreate+0x300
ffffd18b7ef17360 fffff80647ea8cf7 : ffffae0abea53cd0 ffffae0abea4c8a0 ffffd18b7ef17660 ffffd18b00000040 : nt!IofCallDriver+0x55
ffffd18b7ef173a0 fffff80647e95951 : 0000000000000000 ffff970724243b50 0000000000000000 ffff970724243b20 : nt!IopParseDevice+0x897
ffffd18b7ef17560 fffff80647e94951 : 0000000000000000 ffffd18b7ef17790 0000000000000040 ffffae0abe0fe980 : nt!ObpLookupObjectName+0xac1
ffffd18b7ef17700 fffff80647ec8f45 : 0000100000000000 000000000778ed60 0000000000000001 000000000778ed90 : nt!ObOpenObjectByNameEx+0x1f1
ffffd18b7ef17830 fffff80647c2a275 : ffffae0ac43ca0c0 0000000000ad1220 ffffae0ac43ca0c0 0000000000000001 : nt!NtQueryAttributesFile+0x1c5
ffffd18b7ef17ae0 00007ffb963046b4 : 00007ffb938c4c75 005c006500730061 0069006e0069006d 002e0000006f0001 : nt!KiSystemServiceCopyEnd+0x25
000000000778ed28 00007ffb938c4c75 : 005c006500730061 0069006e0069006d 002e0000006f0001 0000000000000101 : ntdll!NtQueryAttributesFile+0x14
000000000778ed30 00007ffb939086b6 : 0000000000008000 000000000778f170 0000000000000001 0000000000000000 : KERNELBASE!GetFileAttributesW+0x85
000000000778edd0 00007ffb7ca8b85b : 0000000000000000 0000000000000000 00000000000036c4 00000000000036c4 : KERNELBASE!GetLongPathNameW+0x76
000000000778f0e0 00007ffb7ca8bc76 : 000000001a6502fc 000000001a6502f8 000000001a6502fc 000000000778f699 : appresolver!CAppResolver::GetAppIDForProcess+0x22b
000000000778f5f0 00007ffb7b5b3967 : 00000000001105a8 00000000001105a8 00007ffb00000002 00000000001105a8 : appresolver!CAppResolver::GetAppIDForWindow+0x1a6
000000000778f6f0 00007ffb7b5b37d7 : 0000000000000000 000000001d99c0f0 000000001d810120 000000001a64fec0 : Taskbar!ResolveWindowWorker+0x127
000000000778f7d0 00007ffb7b5b3709 : 000000001d80c4b0 000000001d99c0f0 0000000000000000 0000000000000000 : Taskbar!CTaskBand::CResolveWindowTask::_ResolveWindow+0xc7
000000000778f840 00007ffb7b5c733f : 0000000000000000 0000000002c4c988 000000001d810120 0000000002c4c920 : Taskbar!CTaskBand::CResolveWindowTask::InternalResumeRT+0x9
000000000778f870 00007ffb91a0ab3e : 0000000000000a50 000000001d810130 000000001d810120 0000000000000009 : Taskbar!CRunnableTask::Run+0xdf
000000000778f8b0 00007ffb91a0a775 : 00000000126453e0 fffffffffffffffe fffffffffffffffe 000000001d80c4c0 : windows_storage!CShellTask::TT_Run+0x46
000000000778f8e0 00007ffb91a0a414 : 00000000126453e0 00000000126453e0 0000000000000000 00007ffb962c9bbe : windows_storage!CShellTaskThread::ThreadProc+0xdd
000000000778f990 00007ffb94d6b4e0 : 0000000000000000 0000000000000000 0000f9897d68ce9b 0000000000000000 : windows_storage!CShellTaskThread::s_ThreadProc+0x44
000000000778f9f0 00007ffb962d0dd1 : 000000001af01530 000000007ffe0386 0000000000000000 00007ffb0000000f : shcore!ExecuteWorkItemThreadProc+0x20
000000000778fa20 00007ffb96277386 : 0000000000000000 0000000012644ee0 00007ffb94d6b4c0 0000000000000000 : ntdll!RtlpTpWorkCallback+0x171
000000000778fb00 00007ffb957c54e0 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x686
000000000778fdf0 00007ffb9626485b : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x10
000000000778fe20 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x2bFAULTING_SOURCE_LINE: C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c
FAULTING_SOURCE_FILE: C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c
FAULTING_SOURCE_LINE_NUMBER: 69
FAULTING_SOURCE_CODE:
65: KdPrint(("test test_port %d\n ", &test_port));
66: KdPrint(("size of coucou : %d\n", sizeof(coucou)));
67: KdPrint(("size of &coucou : %d\n", sizeof(&coucou)));
68: if (connect==1){69: status = FltSendMessage(flt_handle, &test_port, &coucou, sizeof(coucou), NULL, 0, &Timeout);
70: if (!NT_SUCCESS(status)) {
71: KdPrint(("erreur sending message"));
72: }
73: }
74: }SYMBOL_NAME: minifilter64!MinifltExampleCreatePreRoutine+192
MODULE_NAME: minifilter64
IMAGE_NAME: minifilter64.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 192
FAILURE_BUCKET_ID: AV_R_(null)_minifilter64!MinifltExampleCreatePreRoutine
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {981f0655-e3a3-bace-a574-44bcd595ff0c}
Followup: MachineOwner
I am totally lost and I really don't know what to do.. If you have any clue i would be verry happy to heard it!
