Sample minifilter driver crashes the system

  • General discussion

  • Hi, 

    I'm using VS2015 + WDK 10 on a clean Windows 7 x64 system installed in a VirtualBox machine (all steps according to https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx).

    I tried to compile and load any sample minifilter driver. I enabled test signing mode by executing Bcdedit.exe -set TESTSIGNING ON. I built an empty minifilter driver from VS. Before I modified all TODOs in the inf file - I used the sample values given in a file. I installed the driver (right click on the inf file -> Install). When I load the filter using the fltmc load <FILTERDRIVER> command, the system crashes (blue screen). I also tried some sample drivers from https://github.com/Microsoft/Windows-driver-samples/tree/master/filesys/miniFilter and the result is identical.

    Any idea on what could go wrong? 

    Regards, 

    M

    Wednesday, June 1, 2016 1:34 AM

All replies

  • Attaching minidump analysis

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: ffffffff80000003, The exception code that was not handled
    Arg2: fffff88002bfb0bd, The address that the exception occurred at
    Arg3: fffff880031245e8, Exception Record Address
    Arg4: fffff88003123e40, Context Record Address
    
    Debugging Details:
    ------------------
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 400
    
    BUILD_VERSION_STRING:  7601.23418.amd64fre.win7sp1_ldr.160408-2045
    
    SYSTEM_MANUFACTURER:  innotek GmbH
    
    VIRTUAL_MACHINE:  VirtualBox
    
    SYSTEM_PRODUCT_NAME:  VirtualBox
    
    SYSTEM_VERSION:  1.2
    
    BIOS_VENDOR:  innotek GmbH
    
    BIOS_VERSION:  VirtualBox
    
    BIOS_DATE:  12/01/2006
    
    BASEBOARD_MANUFACTURER:  Oracle Corporation
    
    BASEBOARD_PRODUCT:  VirtualBox
    
    BASEBOARD_VERSION:  1.2
    
    DUMP_TYPE:  2
    
    BUGCHECK_P1: ffffffff80000003
    
    BUGCHECK_P2: fffff88002bfb0bd
    
    BUGCHECK_P3: fffff880031245e8
    
    BUGCHECK_P4: fffff88003123e40
    
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    
    FAULTING_IP: 
    emptyminidriver!__security_init_cookie+2d
    fffff880`02bfb0bd cc              int     3
    
    EXCEPTION_RECORD:  fffff880031245e8 -- (.exr 0xfffff880031245e8)
    ExceptionAddress: fffff88002bfb0bd (emptyminidriver!__security_init_cookie+0x000000000000002d)
       ExceptionCode: 80000003 (Break instruction exception)
      ExceptionFlags: 00000000
    NumberParameters: 1
       Parameter[0]: 0000000000000000
    
    CONTEXT:  fffff88003123e40 -- (.cxr 0xfffff88003123e40)
    rax=00002b992ddfa232 rbx=fffffa8007cba000 rcx=0000000000000006
    rdx=fffffa8007cba000 rsi=fffffa8007cba000 rdi=fffffa8007d80cb0
    rip=fffff88002bfb0bd rsp=fffff88003124828 rbp=0000000000000000
     r8=fffffa80047e4000  r9=0000000000000000 r10=0000000000000000
    r11=0000000000000000 r12=0000000000000001 r13=ffffffff80000814
    r14=fffff9802a4a4fc0 r15=000000000000001c
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    emptyminidriver!__security_init_cookie+0x2d:
    fffff880`02bfb0bd cc              int     3
    Resetting default scope
    
    CPU_COUNT: 4
    
    CPU_MHZ: d52
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: 5e
    
    CPU_STEPPING: 3
    
    CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: 0'00000000 (cache) 0'00000000 (init)
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
    
    BUGCHECK_STR:  0x7E
    
    PROCESS_NAME:  System
    
    CURRENT_IRQL:  0
    
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    
    EXCEPTION_CODE_STR:  80000003
    
    EXCEPTION_PARAMETER1:  0000000000000000
    
    ANALYSIS_SESSION_HOST:  R2D2
    
    ANALYSIS_SESSION_TIME:  06-01-2016 11:35:02.0665
    
    ANALYSIS_VERSION: 10.0.10586.567 amd64fre
    
    LAST_CONTROL_TRANSFER:  from fffff88002bfb079 to fffff88002bfb0bd
    
    STACK_TEXT:  
    fffff880`03124828 fffff880`02bfb079 : 00000000`00000000 00000000`00000000 fffff880`00000002 fffff880`031249c0 : emptyminidriver!__security_init_cookie+0x2d
    fffff880`03124830 fffff800`02ccc476 : fffffa80`07d80cb0 ffffffff`80000814 fffff980`2a4a4fc0 00000000`00000001 : emptyminidriver!GsDriverEntry+0x15 [d:\th\minkernel\tools\gs_support\kmodefastfail\gs_driverentry.c @ 46]
    fffff880`03124860 fffff800`02ccc875 : 00000000`00000010 00000000`00000000 00000000`00000010 00000000`00010202 : nt!IopLoadDriver+0xa06
    fffff880`03124b30 fffff800`028d8749 : fffff800`00000000 ffffffff`80000814 fffff800`02ccc820 fffff800`02a782d8 : nt!IopLoadUnloadDriver+0x55
    fffff880`03124b70 fffff800`02b66bc6 : 00000000`00000000 fffffa80`03727b50 00000000`00000080 fffffa80`0370a040 : nt!ExpWorkerThread+0x111
    fffff880`03124c00 fffff800`028c06a6 : fffff880`02eaa180 fffffa80`03727b50 fffff880`02eb4fc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
    fffff880`03124c40 00000000`00000000 : fffff880`03125000 fffff880`0311f000 fffff880`03124010 00000000`00000000 : nt!KxStartSystemThread+0x16
    
    
    THREAD_SHA1_HASH_MOD_FUNC:  17f458aa92b80492e24832062062155c6594cd5a
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  26f7c3175f18fd5c416e72a77a9e3c04e5e66423
    
    THREAD_SHA1_HASH_MOD:  2a858fc4fa8a769e4ec52478b8e5db0aa722ad5b
    
    FOLLOWUP_IP: 
    emptyminidriver!__security_init_cookie+2d
    fffff880`02bfb0bd cc              int     3
    
    FAULT_INSTR_CODE:  65cccccc
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  emptyminidriver!__security_init_cookie+2d
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: emptyminidriver
    
    IMAGE_NAME:  emptyminidriver.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  574cfdcc
    
    STACK_COMMAND:  .cxr 0xfffff88003123e40 ; kb
    
    FAILURE_BUCKET_ID:  X64_0x7E_VRF_emptyminidriver!__security_init_cookie+2d
    
    BUCKET_ID:  X64_0x7E_VRF_emptyminidriver!__security_init_cookie+2d
    
    PRIMARY_PROBLEM_CLASS:  X64_0x7E_VRF_emptyminidriver!__security_init_cookie+2d
    
    TARGET_TIME:  2016-06-01T03:09:22.000Z
    
    OSBUILD:  7601
    
    OSSERVICEPACK:  1000
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  272
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 7
    
    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2016-04-09 13:46:22
    
    BUILDDATESTAMP_STR:  160408-2045
    
    BUILDLAB_STR:  win7sp1_ldr
    
    BUILDOSVER_STR:  6.1.7601.23418.amd64fre.win7sp1_ldr.160408-2045
    
    ANALYSIS_SESSION_ELAPSED_TIME: 1424
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_0x7e_vrf_emptyminidriver!__security_init_cookie+2d
    
    FAILURE_ID_HASH:  {8cdd6bd2-bab9-ceaa-c326-68e25050e20d}
    
    Followup:     MachineOwner
    ---------
    
    Wednesday, June 1, 2016 3:38 AM
  • I found the source of the problem. In project settings under Driver Settings I had Target OS Version set to Windows 10. 

    That caused different libraries to be linked with the driver (including the buffer overflow lib - BufferOverflowFailK.lib instead of BufferOverflowK.lib). This, in turn, caused the buffer overflow protection mechanism to crash while initializing the cookie mechanism (buffer overflow detection mechanism).

    The solution was simply to change Target OS to Windows 7.

    However, I'm a bit surprised that such compliance is not verified when loading the driver.

    Further reading:

    https://msdn.microsoft.com/en-us/windows/hardware/drivers/develop/building-drivers-for-different-versions-of-windows

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff554887

    Wednesday, June 1, 2016 6:42 AM
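
A triage check for the crash signature in this thread, as an added example that is not part of the original posts: it parses `!analyze -v` text and flags a breakpoint exception in `__security_init_cookie` reached from `GsDriverEntry` under `nt!IopLoadDriver`. The function names `parse_analysis` and `triage`, the verdict labels and the shortened sample input are assumptions made for this example.

```python
import re

# Constructed sample: a shortened excerpt of the !analyze -v output posted in
# the thread (stack arguments replaced with zeros, most fields dropped).
SAMPLE = """\
BUGCHECK_STR:  0x7E
   ExceptionCode: 80000003 (Break instruction exception)
FAULTING_IP:
emptyminidriver!__security_init_cookie+2d
fffff880`02bfb0bd cc              int     3
STACK_TEXT:
fffff880`03124828 fffff880`02bfb079 : 0 0 0 0 : emptyminidriver!__security_init_cookie+0x2d
fffff880`03124830 fffff800`02ccc476 : 0 0 0 0 : emptyminidriver!GsDriverEntry+0x15
fffff880`03124860 fffff800`02ccc875 : 0 0 0 0 : nt!IopLoadDriver+0xa06
IMAGE_NAME:  emptyminidriver.sys
"""

# One STACK_TEXT row: child-SP, return address, four args, then module!function+offset.
FRAME = re.compile(r"^\s*[0-9a-f`]+ [0-9a-f`]+ : .*? : (\S+?)!(\S+?)\+0x[0-9a-f]+", re.I | re.M)

def _field(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def parse_analysis(text):
    """Pull the triage-relevant fields out of !analyze -v text."""
    exc = _field(r"^\s*ExceptionCode:\s*([0-9a-fA-F]+)", text)
    img = _field(r"^\s*IMAGE_NAME:\s*(\S+)", text)
    return {
        "exception": exc[0].lower() if exc else None,
        "image": img[0] if img else None,
        "fault": _field(r"^\s*FAULTING_IP:[ \t]*\n\s*(\S+?)!(\S+?)\+", text),
        "frames": FRAME.findall(text),  # (module, function), innermost first
    }

def triage(text):
    """Return (verdict, image). The verdict labels are this example's own naming."""
    f = parse_analysis(text)
    if f["fault"] and f["exception"] == "80000003":
        module, func = f["fault"]
        from_entry = (module, "GsDriverEntry") in f["frames"][:2]
        loading = ("nt", "IopLoadDriver") in f["frames"]
        if func == "__security_init_cookie" and from_entry and loading:
            # Thread's finding: driver built with Target OS Version = Windows 10
            # (links BufferOverflowFailK.lib) but loaded on Windows 7.
            return ("gs-cookie-init-at-load", f["image"])
    return ("unclassified", f["image"])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a match, the setting to check is the one named in the last reply: Target OS Version under Driver Settings, compared against the OS the driver is loaded on.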