Fltsendmessage make crash my VM
Hello everyone! I am trying to develope a commubication between a minifilter-driver and application. In order to make them communicate, I try to use the fonctions fltsendmessages.
I am building my driver on a visual studio and I test my driver and application on a Hyper-V VM wich runs an image of windows 11.
Here u can see the part of my driver code that i Use to call fltsendmessages (flthandle and test_port are well created in an other part and connect value is equal to 1 when the application connects to the driver)
#include "miniflt.h"
#include <windef.h>
#include <wdm.h>
#include <stdio.h>
#include <string.h>
#include <locale.h>
#include <ntstrsafe.h>
#include <stdlib.h>
#include <sys/stat.h>PFLT_FILTER flt_handle;
FLT_OPERATION_REGISTRATION operations[] = {
{
IRP_MJ_CREATE,
0,
MinifltExampleCreatePreRoutine,
MinifltExampleCreatePostRoutine,
NULL
},
{
IRP_MJ_OPERATION_END
}
};FLT_PREOP_CALLBACK_STATUS
MinifltExampleCreatePreRoutine(
Inout PFLT_CALLBACK_DATA data,
In PCFLT_RELATED_OBJECTS flt_object,
Out PVOID* completion_context
)
{
UNREFERENCED_PARAMETER(flt_object);
UNREFERENCED_PARAMETER(completion_context);NTSTATUS status = STATUS_SUCCESS;
PFLT_FILE_NAME_INFORMATION name_info = NULL;status = FltGetFileNameInformation(data,
FLT_FILE_NAME_NORMALIZED
| FLT_FILE_NAME_QUERY_DEFAULT,
&name_info);
if (!NT_SUCCESS(status)) {
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
status = FltParseFileNameInformation(name_info);
if (!NT_SUCCESS(status)) {
FltReleaseFileNameInformation(name_info);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
UNICODE_STRING a;
RtlUnicodeStringInit(&a,L"exe");
BOOLEAN is_exe = RtlEqualUnicodeString(&a, &name_info->Extension, FALSE);
if ((int)is_exe == 1) {
KdPrint(("[miniflt] " FUNCTION " [%u] Start to creat/open a file (%wZ)\n",
PtrToUint(PsGetCurrentProcessId()),
&name_info->FinalComponent));
LARGE_INTEGER Timeout;
Timeout.QuadPart = (LONGLONG)101001000;
char coucou[4] = "abc";
if (connect==1){
status = FltSendMessage(flt_handle, &test_port, &coucou, sizeof(coucou), NULL, 0, &Timeout);
if (!NT_SUCCESS(status)) {
KdPrint(("erreur sending message"));
}
}
}
FltReleaseFileNameInformation(name_info);
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
When i launch my minifilter on my VM (and the service), everythings work well until i launch my application, when i launch it everything freeze and i get this error when i debug it with windbg
*** Fatal System Error: 0x00000050
(0xFFFFFFFF800034F0,0x0000000000000000,0xFFFFF8064936B227,0x0000000000000002)Driver at fault:
*** FLTMGR.SYS - Address FFFFF8064936B227 base at FFFFF80649360000, DateStamp 5d6776e4
.
Break instruction exception - code 80000003 (first chance)A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff806`47c203d0 cc int 3
0: kd> !analyze -v
Connected to Windows 10 22000 x64 target at (Wed Aug 3 17:20:26.099 2022 (UTC + 1:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
.............................................
Loading User Symbols
................................................................
................................................................
................................................................
................................................................
.....................................................
Loading unloaded module list
................
*
Bugcheck Analysis *
*
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffffff800034f0, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8064936b227, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)Debugging Details:
KEY_VALUES_STRING: 1
Key : AV.Type Value: Read Key : Analysis.CPU.mSec Value: 11515 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 556487 Key : Analysis.Init.CPU.mSec Value: 16702 Key : Analysis.Init.Elapsed.mSec Value: 375706 Key : Analysis.Memory.CommitPeak.Mb Value: 151 Key : WER.OS.Branch Value: co_release Key : WER.OS.Timestamp Value: 2021-06-04T16:28:00Z Key : WER.OS.Version Value: 10.0.22000.1
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffffff800034f0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff8064936b227
BUGCHECK_P4: 2
READ_ADDRESS: ffffffff800034f0
MM_INTERNAL_CODE: 2
FAULTING_MODULE: fffff80649360000 FLTMGR
PROCESS_NAME: explorer.exe
TRAP_FRAME: ffffd18b7ef16de0 -- (.trap 0xffffd18b7ef16de0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffae0ac0306f5b rbx=0000000000000000 rcx=ffffffff800034e8
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8064936b227 rsp=ffffd18b7ef16f70 rbp=ffffd18b7ef171f9
r8=0000000000000002 r9=0000000000000000 r10=fffff80647aee860
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
FLTMGR!FltSendMessage+0xc7:
fffff8064936b227 488b7108 mov rsi,qword ptr [rcx+8] ds:ffffffff
800034f0=????????????????
Resetting default scopeSTACK_TEXT:
ffffd18b7ef16328 fffff806
47d63462 : ffffd18b7ef16490 fffff806
47b5c710 fffff8064324e180 00000000
00000000 : nt!DbgBreakPointWithStatus
ffffd18b7ef16330 fffff806
47d62ca1 : fffff80600000003 ffffd18b
7ef16490 fffff80647c2d960 ffffd18b
7ef16a40 : nt!KiBugCheckDebugBreak+0x12
ffffd18b7ef16390 fffff806
47c17e07 : 0000000000000000 00000000
00000000 ffffffff800034f0 00000000
00000000 : nt!KeBugCheck2+0xa71
ffffd18b7ef16b00 fffff806
47c97663 : 0000000000000050 ffffffff
800034f0 0000000000000000 ffffd18b
7ef16de0 : nt!KeBugCheckEx+0x107
ffffd18b7ef16b40 fffff806
47a75cf6 : 0000000000000000 00000000
00000000 ffffd18b7ef16d40 00000000
00000000 : nt!MiSystemFault+0x1d3433
ffffd18b7ef16c40 fffff806
47c268f5 : 0000000000000000 00000000
00000000 0000000000000000 00001f80
01000000 : nt!MmAccessFault+0x2a6
ffffd18b7ef16de0 fffff806
4936b227 : ffffd18b7ef171f9 00000000
00000000 fffff806690030c8 ffffae0a
bea86010 : nt!KiPageFault+0x335
ffffd18b7ef16f70 fffff806
69001422 : ffffae0ac0306cb0 00000000
00000008 ffffd18b7ef17108 00000000
00000008 : FLTMGR!FltSendMessage+0xc7
ffffd18b7ef170c0 fffff806
49366f74 : ffffae0ac3ec2b88 ffffd18b
7ef171e0 ffffd18b7ef171b8 ffffd18b
7ef171f9 : minifilter64!MinifltExampleCreatePreRoutine+0x192 [C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c @ 69]
ffffd18b7ef17150 fffff806
49366a26 : ffffd18b7ef172f0 fffff806
49368800 0000000000000000 fffff806
47e96c00 : FLTMGR!FltpPerformPreCallbacksWorker+0x374
ffffd18b7ef17260 fffff806
4939dac0 : ffffd18b7ef18000 ffffd18b
7ef12000 ffffae0abea53cd0 fffff806
47ea7f0b : FLTMGR!FltpPassThroughInternal+0xc6
ffffd18b7ef172b0 fffff806
47a504a5 : 0000000000000000 ffffae0a
bea4c8a0 0000000000000000 00000000
00000000 : FLTMGR!FltpCreate+0x300
ffffd18b7ef17360 fffff806
47ea8cf7 : ffffae0abea53cd0 ffffae0a
bea4c8a0 ffffd18b7ef17660 ffffd18b
00000040 : nt!IofCallDriver+0x55
ffffd18b7ef173a0 fffff806
47e95951 : 0000000000000000 ffff9707
24243b50 0000000000000000 ffff9707
24243b20 : nt!IopParseDevice+0x897
ffffd18b7ef17560 fffff806
47e94951 : 0000000000000000 ffffd18b
7ef17790 0000000000000040 ffffae0a
be0fe980 : nt!ObpLookupObjectName+0xac1
ffffd18b7ef17700 fffff806
47ec8f45 : 0000100000000000 00000000
0778ed60 0000000000000001 00000000
0778ed90 : nt!ObOpenObjectByNameEx+0x1f1
ffffd18b7ef17830 fffff806
47c2a275 : ffffae0ac43ca0c0 00000000
00ad1220 ffffae0ac43ca0c0 00000000
00000001 : nt!NtQueryAttributesFile+0x1c5
ffffd18b7ef17ae0 00007ffb
963046b4 : 00007ffb938c4c75 005c0065
00730061 0069006e0069006d 002e0000
006f0001 : nt!KiSystemServiceCopyEnd+0x25
000000000778ed28 00007ffb
938c4c75 : 005c006500730061 0069006e
0069006d 002e0000006f0001 00000000
00000101 : ntdll!NtQueryAttributesFile+0x14
000000000778ed30 00007ffb
939086b6 : 0000000000008000 00000000
0778f170 0000000000000001 00000000
00000000 : KERNELBASE!GetFileAttributesW+0x85
000000000778edd0 00007ffb
7ca8b85b : 0000000000000000 00000000
00000000 00000000000036c4 00000000
000036c4 : KERNELBASE!GetLongPathNameW+0x76
000000000778f0e0 00007ffb
7ca8bc76 : 000000001a6502fc 00000000
1a6502f8 000000001a6502fc 00000000
0778f699 : appresolver!CAppResolver::GetAppIDForProcess+0x22b
000000000778f5f0 00007ffb
7b5b3967 : 00000000001105a8 00000000
001105a8 00007ffb00000002 00000000
001105a8 : appresolver!CAppResolver::GetAppIDForWindow+0x1a6
000000000778f6f0 00007ffb
7b5b37d7 : 0000000000000000 00000000
1d99c0f0 000000001d810120 00000000
1a64fec0 : Taskbar!ResolveWindowWorker+0x127
000000000778f7d0 00007ffb
7b5b3709 : 000000001d80c4b0 00000000
1d99c0f0 0000000000000000 00000000
00000000 : Taskbar!CTaskBand::CResolveWindowTask::_ResolveWindow+0xc7
000000000778f840 00007ffb
7b5c733f : 0000000000000000 00000000
02c4c988 000000001d810120 00000000
02c4c920 : Taskbar!CTaskBand::CResolveWindowTask::InternalResumeRT+0x9
000000000778f870 00007ffb
91a0ab3e : 0000000000000a50 00000000
1d810130 000000001d810120 00000000
00000009 : Taskbar!CRunnableTask::Run+0xdf
000000000778f8b0 00007ffb
91a0a775 : 00000000126453e0 ffffffff
fffffffe fffffffffffffffe 00000000
1d80c4c0 : windows_storage!CShellTask::TT_Run+0x46
000000000778f8e0 00007ffb
91a0a414 : 00000000126453e0 00000000
126453e0 0000000000000000 00007ffb
962c9bbe : windows_storage!CShellTaskThread::ThreadProc+0xdd
000000000778f990 00007ffb
94d6b4e0 : 0000000000000000 00000000
00000000 0000f9897d68ce9b 00000000
00000000 : windows_storage!CShellTaskThread::s_ThreadProc+0x44
000000000778f9f0 00007ffb
962d0dd1 : 000000001af01530 00000000
7ffe0386 0000000000000000 00007ffb
0000000f : shcore!ExecuteWorkItemThreadProc+0x20
000000000778fa20 00007ffb
96277386 : 0000000000000000 00000000
12644ee0 00007ffb94d6b4c0 00000000
00000000 : ntdll!RtlpTpWorkCallback+0x171
000000000778fb00 00007ffb
957c54e0 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!TppWorkerThread+0x686
000000000778fdf0 00007ffb
9626485b : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : KERNEL32!BaseThreadInitThunk+0x10
000000000778fe20 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!RtlUserThreadStart+0x2bFAULTING_SOURCE_LINE: C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c
FAULTING_SOURCE_FILE: C:\Users\leobe\Desktop\minifilter-example\minifilter\operations.c
FAULTING_SOURCE_LINE_NUMBER: 69
FAULTING_SOURCE_CODE:
65: KdPrint(("test test_port %d\n ", &test_port));
66: KdPrint(("size of coucou : %d\n", sizeof(coucou)));
67: KdPrint(("size of &coucou : %d\n", sizeof(&coucou)));
68: if (connect==1){69: status = FltSendMessage(flt_handle, &test_port, &coucou, sizeof(coucou), NULL, 0, &Timeout);
70: if (!NT_SUCCESS(status)) {
71: KdPrint(("erreur sending message"));
72: }
73: }
74: }SYMBOL_NAME: minifilter64!MinifltExampleCreatePreRoutine+192
MODULE_NAME: minifilter64
IMAGE_NAME: minifilter64.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 192
FAILURE_BUCKET_ID: AV_R_(null)_minifilter64!MinifltExampleCreatePreRoutine
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {981f0655-e3a3-bace-a574-44bcd595ff0c}
Followup: MachineOwner
I am totally lost and I really don't know what to do.. If you have any clue i would be verry happy to heard it!