BSOD when trying to create a DMF module

IgnoreException 0 Reputation points
2023-06-07T04:20:25.2433333+00:00

I am working on a driver that emulates a joystick device from mouse input. To ensure the emulated joystick has low latency and does not run into compatibility issues, I decided to make a mouse filter to read incoming mouse input. I then need to convert that input to the format of the joystick. From my research it seems other people have used DMF to make a child device, but I have some questions about merging the mouse filter driver and the joystick emulation into 1 single driver. But the main problem is I can't figure out how to get DMF correctly set up without getting a BSOD.

During my implementation of this (the mouse filter part already works, but I removed it for now to just test DMF) I got a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED error and wanted to know what caused it. The error is caused by this line: status = DMF_ModulesCreate(device, &dmfDeviceInit); The following code is called from inside my EvtDeviceAdd function, which was registered with WDF_DRIVER_CONFIG_INIT(&config, EvtDeviceAdd); from inside my DriverEntry function.


        PDMFDEVICE_INIT dmfDeviceInit = NULL;

        dmfDeviceInit = DMF_DmfDeviceInitAllocate(DeviceInit);

        if (dmfDeviceInit == NULL)  {
            DebugMessage("DMF_DmfDeviceInitAllocate failed \n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }


        DMF_DmfDeviceInitHookPnpPowerEventCallbacks(dmfDeviceInit, NULL);
        DMF_DmfDeviceInitHookPowerPolicyEventCallbacks(dmfDeviceInit, NULL);
        DebugMessage("DMF Test 3 \n");

#pragma region Prepare child list
        WDF_CHILD_LIST_CONFIG_INIT(&config, sizeof(PDO_IDENTIFICATION_DESCRIPTION), Bus_EvtDeviceListCreatePdo);

        config.EvtChildListIdentificationDescriptionCompare = EvtChildListIdentificationDescriptionCompare;

        WdfFdoInitSetDefaultChildListConfig(DeviceInit, &config, WDF_NO_OBJECT_ATTRIBUTES);
        DebugMessage("DMF Test 4 \n");
#pragma endregion

#pragma region Assign File Object Configuration
        WDF_FILEOBJECT_CONFIG_INIT(&foConfig, Bus_DeviceFileCreate, Bus_FileClose, NULL);

        WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&fileHandleAttributes, FDO_FILE_DATA);

        DMF_DmfDeviceInitHookFileObjectConfig(dmfDeviceInit, &foConfig);

        WdfDeviceInitSetFileObjectConfig(DeviceInit, &foConfig, &fileHandleAttributes);
        DebugMessage("DMF Test 5 \n");
#pragma endregion

#pragma region Create FDO
        WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&fdoAttributes, FDO_DEVICE_DATA);

        // Create a framework device object. This call will in turn create a WDM device object, attach to the lower stack and set the appropriate flags and attributes.
        if (!NT_SUCCESS(status = WdfDeviceCreate(&DeviceInit, &fdoAttributes, &device))) {
            // Pass the status value explicitly; the format string previously had no matching argument.
            DebugMessage("WdfDeviceCreate failed with status %x \n", status);
            break;
        }

        pFDOData = FdoGetData(device);
        pFDOData->InterfaceReferenceCounter = 0;
        pFDOData->NextSessionId = FDO_FIRST_SESSION_ID;
        DebugMessage("DMF Test 6 \n");
#pragma endregion

#pragma region Expose FDO interface
        if (!NT_SUCCESS(status = WdfDeviceCreateDeviceInterface(device, &GUID_DEVINTERFACE_JOYSTICK, NULL))) {
            DebugMessage("WdfDeviceCreateDeviceInterface failed with status %x \n", status);
            break;
        }
        DebugMessage("DMF Test 7 \n");
#pragma endregion

#pragma region Set bus information
        busInfo.BusTypeGuid = GUID_BUS_TYPE_USB;
        busInfo.LegacyBusType = PNPBus;
        busInfo.BusNumber = 0;

        WdfDeviceSetBusInformationForChildren(device, &busInfo);
        DebugMessage("DMF Test 8 \n");
#pragma endregion


        DMF_EVENT_CALLBACKS dmfEventCallbacks;
        DMF_EVENT_CALLBACKS_INIT(&dmfEventCallbacks);
        dmfEventCallbacks.EvtDmfDeviceModulesAdd = DmfDeviceModulesAdd;
        DMF_DmfDeviceInitSetEventCallbacks(dmfDeviceInit, &dmfEventCallbacks);

        status = DMF_ModulesCreate(device, &dmfDeviceInit); // <--- Error occurred on this line

        if (!NT_SUCCESS(status)) {
            DebugMessage("DMF_ModulesCreate failed with status %x \n", status);
            break;
        }

And the following is the exception that was detected by my network debugger (WinDbg)

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff801395531f0, The address that the exception occurred at
Arg3: ffff9d0ece5166b8, Exception Record Address
Arg4: ffff9d0ece515ef0, Context Record Address

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 4

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-SBQN4VR

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 7

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 70

    Key  : Analysis.System
    Value: CreateObject


BUGCHECK_CODE:  7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff801395531f0

BUGCHECK_P3: ffff9d0ece5166b8

BUGCHECK_P4: ffff9d0ece515ef0

EXCEPTION_RECORD:  ffff9d0ece5166b8 -- (.exr 0xffff9d0ece5166b8)
ExceptionAddress: fffff801395531f0 (WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x0000000000000010)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  ffff9d0ece515ef0 -- (.cxr 0xffff9d0ece515ef0)
rax=6f74737543666457 rbx=0000000000000000 rcx=fffff801530071e0
rdx=ffff9d0ece516900 rsi=0000000000000000 rdi=ffffa28fbec88300
rip=fffff801395531f0 rsp=ffff9d0ece5168f0 rbp=ffff9d0ece516990
 r8=00000000000001ee  r9=fffff801394dae08 r10=fffff80134a1e6f0
r11=ffff9d0ece516930 r12=00005d70409ad5c8 r13=00005d70409ad5c8
r14=ffff9d0ece516da0 r15=00005d7041377d78
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x10:
fffff801`395531f0 488b88c8000000  mov     rcx,qword ptr [rax+0C8h] ds:002b:6f747375`4366651f=????????????????
Resetting default scope

PROCESS_NAME:  System

READ_ADDRESS:  ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

EXCEPTION_STR:  0xc0000005

LOCK_ADDRESS:  fffff80135444ba0 -- (!locks fffff80135444ba0)

Resource @ nt!PiEngineLock (0xfffff80135444ba0)    Exclusively owned
    Contention Count = 5
     Threads: ffffa28fb9a62040-01<*> 
1 total locks

PNP_TRIAGE_DATA: 
    Lock address  : 0xfffff80135444ba0
    Thread Count  : 1
    Thread address: 0xffffa28fb9a62040
    Thread wait   : 0x3c1a

STACK_TEXT:  
ffff9d0e`ce5168f0 fffff801`530170b7 : 00000000`00000040 00000000`00000000 00005d70`41377d78 ffff9d0e`ce516da0 : WppRecorder!imp_WppRecorderIsDefaultLogAvailable+0x10
ffff9d0e`ce516920 fffff801`530179f4 : 00005d70`40dd72d8 00000000`00000000 ffffa28f`bea18800 ffff9d0e`ce516c80 : KMDF!DmfModuleInFlightRecorderInitialize+0xc7 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfCore.c @ 1038] 
ffff9d0e`ce5169a0 fffff801`53014281 : ffff9d0e`ce516da0 ffffa28f`bec88300 00005d70`41377d78 00000000`00000000 : KMDF!DMF_ModuleCreate+0x70c [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfCore.c @ 1429] 
ffff9d0e`ce516ae0 fffff801`5300c95a : ffffa28f`bea187e8 00000000`00000000 ffff9d0e`ce516e60 ffffa28f`c08b2b20 : KMDF!DMF_Bridge_Create+0x291 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\Modules.Core\Dmf_Bridge.c @ 2795] 
ffff9d0e`ce516d60 fffff801`5300e687 : ffffa28f`c099aee0 00005d70`3f665198 00000000`00000040 ffffa28f`be7ec810 : KMDF!DMF_ModuleCollectionCreate+0x4b6 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfModuleCollection.c @ 3517] 
ffff9d0e`ce516eb0 fffff801`5300ada0 : 00000000`00000000 00000000`00000000 ffffa28f`bf53fdd0 00000000`00000000 : KMDF!DMF_ModulesCreate+0x327 [C:\Users\me\source\repos\KMDF\DMF\Dmf\Framework\DmfModuleCollection.c @ 3948] 
ffff9d0e`ce517040 fffff801`39494c07 : 00005d70`4116a198 ffffa28f`bc6f0120 ffffa28f`bc6f0120 fffff801`34a12e29 : KMDF!MouFilter_EvtDeviceAdd+0x410 [C:\Users\me\source\repos\KMDF\Moufiltr.c @ 224] 
ffff9d0e`ce517280 fffff801`39494b2c : ffffa28f`bc6f0120 fffff801`34b3bffc ffffa28f`bc6f0120 00000000`00002710 : Wdf01000!FxDriver::AddDevice+0xc7 [minkernel\wdf\framework\shared\core\km\fxdriverkm.cpp @ 72] 
ffff9d0e`ce5176a0 fffff801`34b6d98b : ffffa28f`becace30 fffff801`34ef4bfd 00000000`00000000 00000000`00000000 : Wdf01000!FxDriver::AddDevice+0x2c [minkernel\wdf\framework\shared\core\km\fxdriverkm.cpp @ 47] 
ffff9d0e`ce5176d0 fffff801`34f39580 : ffffa28f`becace30 ffffa28f`bf7896d0 00000000`00000005 ffffca80`7bdb4bba : nt!PpvUtilCallAddDevice+0x3b
ffff9d0e`ce517710 fffff801`34f369fb : 00000000`00000003 ffff9d0e`ce5178d0 ffffca80`7cdf1270 fffff801`00000002 : nt!PnpCallAddDevice+0x94
ffff9d0e`ce5177d0 fffff801`34f35d83 : ffffa28f`bc3eacb0 ffff9d0e`ce517a11 ffffa28f`bc3eacb0 00000000`00000000 : nt!PipCallDriverAddDevice+0x827
ffff9d0e`ce517990 fffff801`34f2fcc6 : ffffa28f`bc3eac00 ffffa28f`bea57101 ffff9d0e`ce517ab0 fffff801`00000000 : nt!PipProcessDevNodeTree+0x333
ffff9d0e`ce517a60 fffff801`34b6efba : 00000001`00000003 ffffa28f`bc3eacb0 00000000`00000000 ffffa28f`bea571e0 : nt!PiRestartDevice+0xba
ffff9d0e`ce517ab0 fffff801`34a8e5c5 : ffffa28f`b9a62040 ffffa28f`b9092cc0 fffff801`354433c0 ffffa28f`00000000 : nt!PnpDeviceActionWorker+0x46a
ffff9d0e`ce517b70 fffff801`34b265f5 : ffffa28f`b9a62040 00000000`00000080 ffffa28f`b9091040 000fa427`b19bbdff : nt!ExpWorkerThread+0x105
ffff9d0e`ce517c10 fffff801`34c048d8 : fffff801`32a5a180 ffffa28f`b9a62040 fffff801`34b265a0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffff9d0e`ce517c60 00000000`00000000 : ffff9d0e`ce518000 ffff9d0e`ce512000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME:  WppRecorder!imp_WppRecorderIsDefaultLogAvailable+10

MODULE_NAME: WppRecorder

IMAGE_NAME:  WppRecorder.sys

STACK_COMMAND:  .cxr 0xffff9d0ece515ef0 ; kb

BUCKET_ID_FUNC_OFFSET:  10

FAILURE_BUCKET_ID:  AV_WppRecorder!imp_WppRecorderIsDefaultLogAvailable

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {1cc4e0d3-a668-e140-3d59-dd12de006ed6}

Followup:     MachineOwner
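Added example, not part of the original post: a small triage script over the CONTEXT record and faulting instruction quoted in the question. It checks whether the dereferenced address is canonical for x64 (48-bit virtual addresses assumed) and whether the base register holds printable ASCII; all function names are hypothetical.

```python
import re
import struct

# Register dump and faulting instruction copied from the question's dump.
CONTEXT = """\
rax=6f74737543666457 rbx=0000000000000000 rcx=fffff801530071e0
rdx=ffff9d0ece516900 rsi=0000000000000000 rdi=ffffa28fbec88300
rip=fffff801395531f0 rsp=ffff9d0ece5168f0 rbp=ffff9d0ece516990
 r8=00000000000001ee  r9=fffff801394dae08 r10=fffff80134a1e6f0
r11=ffff9d0ece516930 r12=00005d70409ad5c8 r13=00005d70409ad5c8
r14=ffff9d0ece516da0 r15=00005d7041377d78
"""
FAULT_INSN = "mov     rcx,qword ptr [rax+0C8h]"

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
MEM_RE = re.compile(r"\[(r[a-z0-9]{1,2})\+([0-9A-Fa-f]+)h\]")

def parse_registers(text):
    """Return {register name: value} from a WinDbg .cxr register dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def is_canonical(addr):
    """Assumes 48-bit virtual addresses: bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def as_ascii(value):
    """Decode a 64-bit value as little-endian bytes if all are printable."""
    raw = struct.pack("<Q", value)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def triage(context, insn):
    """Describe the memory operand of the faulting instruction."""
    regs = parse_registers(context)
    m = MEM_RE.search(insn)
    if m is None or m.group(1) not in regs:
        return None  # no [reg+disp] operand to analyse
    base, disp = m.group(1), int(m.group(2), 16)
    effective = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {"base": base, "effective": effective,
            "canonical": is_canonical(effective),
            "ascii": as_ascii(regs[base])}

if __name__ == "__main__":
    print(triage(CONTEXT, FAULT_INSN))
```

For this dump the base register `rax` decodes to the ASCII bytes `WdfCusto` and the effective address is non-canonical, so the pointer dereferenced inside `WppRecorderIsDefaultLogAvailable` was read from string data rather than from a valid object.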

1 answer

  1. Limitless Technology 44,746 Reputation points
    2023-06-07T12:48:56.99+00:00

    Hello there,

    We might need to dig more to get the right reason for the BSOD.

    Is there anything in Event Viewer?

    I would suggest using Procmon to investigate if there is nothing in Event Viewer.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. You can get the tool from here:

    https://docs.microsoft.com/enus/sysinternals/downloads/procmon

    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. You can get the tool from here:

    https://docs.microsoft.com/enus/sysinternals/downloads/sysmon

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

