I wrote a non device driver to hook ZwCreateFile using the SSDT hooking
technique. While running one of my test cases my system crashed (blue
screen).

Test case:
---------------
In the middle of a copying operation, if I unload my driver, the system
crashes (blue screen). Before unloading the driver, I restore the original
ZwCreateFile address in the SSDT and then destroy the device object.

As I narrowed down the problem, it crashes when the device object is
deleted. It appears that one of the threads is still using my
NewZwCreateFile and meanwhile the driver object is deleted and the system
crashes. That is according to my understanding.

Can anyone give me an idea how to avoid this crash, or is it some
other reason?

Thanks

Re: Blue screen when device object is deleted. by Maxim

Maxim
Fri Mar 28 08:24:55 CDT 2008

> I wrote a non device driver to hook ZwCreateFile using the SSDT hooking
> technique. While running one of my test cases my system crashed (blue
> screen).

Which is the usual way for such dirty code. Also note that Vista/2008 x64 makes
SSDT hooking just plain impossible.

> In the middle of a copying operation, if I unload my driver,

Hookers cannot be unloaded. Period. You can try to do this, but occasionally it
will BSOD, and there is not even a theoretical possibility of getting rid of such
BSODs.

> Can anyone give me any idea how to avoid this crash

Impossible.

Even the legacy FS filters cannot unload.

To be unloadable, your only chance is FltMgr's minifilter.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: Blue screen when device object is deleted. by zaman

zaman
Fri Mar 28 09:00:05 CDT 2008

On Mar 28, 6:24 am, "Maxim S. Shatskih" <ma...@storagecraft.com>
wrote:
> > I wrote a non device driver to hook ZwCreateFile using the SSDT hooking
> > technique. While running one of my test cases my system crashed (blue
> > screen).
>
> Which is the usual way for such dirty code. Also note that Vista/2008 x64 makes
> SSDT hooking just plain impossible.
>
> > In the middle of a copying operation, if I unload my driver,
>
> Hookers cannot be unloaded. Period. You can try to do this, but occasionally it
> will BSOD, and there is not even a theoretical possibility of getting rid of such
> BSODs.
>
> > Can anyone give me an idea how to avoid this crash
>
> Impossible.
>
> Even the legacy FS filters cannot unload.
>
> To be unloadable, your only chance is FltMgr's minifilter.
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> ma...@storagecraft.com
> http://www.storagecraft.com
Thanks for your quick response.
OK, I understand and accept that it's a dirty way, but in a simple scenario, if
I let the copy operation complete and after that unload the
driver, there is no BSOD. It works fine and I checked it repeatedly.
Only if I unload the driver in the middle of the copying operation does it
crash.
During the copying operation all the file creation is going through my
NewZwCreateFile. Now when I send the command to unload the driver, it
first restores the SSDT with the original ZwCreateFile and then deletes
the device object.
The crash does not occur where I unhook; it occurs when I delete the
device object.
Can you please tell me a logical reason why it happens so, as
apparently everything looks smooth and fine.

Thanks


Re: Blue screen when device object is deleted. by Maxim

Maxim
Fri Mar 28 09:15:44 CDT 2008

> driver, there is no BSOD. It works fine and I checked it repeatedly.

So what? "It works sometimes" does not mean "it is possible to make it 100%
reliable".

> Can you please tell me a logical reason why it happens so, as
> apparently everything looks smooth and fine.

You have BSODs; this means that this is not smooth and fine.

SSDT hooking is not supported by MS, so there are no guarantees at all that
this will not BSOD, or that this will work on x64 Windows, or that a driver
using it will not be flagged as a virus by major antivirus software.

Unloadable hookers are unreliable by their very definition. Yes, they will work
smooth and fine 99 times out of 100, and BSOD 1 time out of 100. No better.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Re: Blue screen when device object is deleted. by Ben

Ben
Mon Mar 31 17:22:28 CDT 2008

> During the copying operation all the file creation is going through my
> NewZwCreateFile. Now when I send the command to unload the driver, it
> first restores the SSDT with the original ZwCreateFile and then deletes
> the device object.
> The crash does not occur where I unhook; it occurs when I delete the
> device object.
> Can you please tell me a logical reason why it happens so, as
> apparently everything looks smooth and fine.

Because some thread has an instruction pointer inside your hook, and you
just freed the memory that contains the code. So access violation and BSOD.

User mode has a function, FreeLibraryAndExitThread, that safely deals with
this problem. No other method will work, because if you use a mutex of
some sort (probably a semaphore) to prevent unload while the function is
running, you must free the mutex at the end of the function... but then the
driver might be unloaded, and when the mutex release routine returns the CPU
will try to read the instruction following the call, which is gone. BSOD
again.

The only thing you can do is to eliminate the call frame of your function
before calling the mutex release routine, so that it returns directly to
your caller. This is going to be very ugly and fragile, and will probably need
lots of inline assembler and some __declspec(naked). Highly discouraged.

>
> Thanks