Hi guys,

First of all, I know there is a large number of posts about this routine; however, I haven't found anything like this.

Here is what I’m talking about.

I want to get a process's full path. I've found this article already, http://www.osronline.com/article.cfm?article=472, but it's about the current process. I want my driver to get the path of a process from the processId the driver got, so I'm doing it like this:

// Not in the original post: the function-pointer type and the global that the
// code below resolves with MmGetSystemRoutineAddress (the pattern from the OSR
// article the post links to).
typedef NTSTATUS (*QUERY_INFO_PROCESS)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);

QUERY_INFO_PROCESS ZwQueryInformationProcess = NULL;

NTSTATUS GetProcessImageName(HANDLE hProcessHandle, PUNICODE_STRING ProcessImageName);

BOOLEAN RetrieveProcessNameByID(HANDLE ProcessId, PUNICODE_STRING pusImageFileName)
{
    UNICODE_STRING ProcImgName = {0};
    HANDLE hProcessHandle = NULL;
    NTSTATUS status = STATUS_ACCESS_DENIED;
    PEPROCESS eProcess = NULL;

    // Take a reference on the EPROCESS for the given PID.
    status = PsLookupProcessByProcessId(ProcessId, &eProcess);
    if ((!NT_SUCCESS(status)) || (!eProcess))
    {
        return FALSE;
    }

    // Open a kernel-mode handle on the process object so it can be queried.
    status = ObOpenObjectByPointer(eProcess, 0, NULL, 0, 0, KernelMode, &hProcessHandle);
    if ((!NT_SUCCESS(status)) || (!hProcessHandle))
    {
        ObDereferenceObject(eProcess);
        return FALSE;
    }

    // Scratch UNICODE_STRING that receives the image path.
    ProcImgName.Length = 0;
    ProcImgName.MaximumLength = 1024;
    ProcImgName.Buffer = ExAllocatePoolWithTag(NonPagedPool, ProcImgName.MaximumLength, '2leN');
    if (ProcImgName.Buffer == NULL)
    {
        ZwClose(hProcessHandle);
        ObDereferenceObject(eProcess);
        return FALSE;
    }

    RtlZeroMemory(ProcImgName.Buffer, ProcImgName.MaximumLength);

    status = GetProcessImageName(hProcessHandle, &ProcImgName);

    if (!NT_SUCCESS(status))
    {
        DbgPrint("[NotifyProcessCreate] GetProcessImageName failed (0x%08x)\n", status);
        ExFreePoolWithTag(ProcImgName.Buffer, '2leN');
        ZwClose(hProcessHandle);
        ObDereferenceObject(eProcess);
        return FALSE;
    }

    // Hand the result to the caller (truncated to the caller's MaximumLength).
    if (pusImageFileName)
    {
        RtlCopyUnicodeString(pusImageFileName, &ProcImgName);
    }

    ExFreePoolWithTag(ProcImgName.Buffer, '2leN');
    ZwClose(hProcessHandle);
    ObDereferenceObject(eProcess);
    return TRUE;
}

NTSTATUS GetProcessImageName(HANDLE hProcessHandle, PUNICODE_STRING ProcessImageName)
{
    NTSTATUS status;
    ULONG returnedLength;
    ULONG bufferLength;
    PVOID buffer;
    PUNICODE_STRING imageName;

    // Resolve ZwQueryInformationProcess at run time; it is not available
    // for import-linking on older kernels.
    if (NULL == ZwQueryInformationProcess)
    {
        UNICODE_STRING routineName;

        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");

        ZwQueryInformationProcess =
            (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);

        if (NULL == ZwQueryInformationProcess)
        {
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            // The post fell through here and would have called a NULL pointer.
            return STATUS_UNSUCCESSFUL;
        }
    }

    // Step one - get the size we need
    status = ZwQueryInformationProcess(hProcessHandle,
                                       ProcessImageFileName,
                                       NULL, // buffer
                                       0,    // buffer size
                                       &returnedLength);

    if (STATUS_INFO_LENGTH_MISMATCH != status)
    {
        return status;
    }

    // Is the passed-in buffer going to be big enough for us?
    // This function returns a single contiguous buffer model: a UNICODE_STRING
    // header followed by the characters it points to.
    bufferLength = returnedLength - sizeof(UNICODE_STRING);

    if (ProcessImageName->MaximumLength < bufferLength)
    {
        // Report the size the caller would need.
        ProcessImageName->Length = (USHORT) bufferLength;
        return STATUS_BUFFER_OVERFLOW;
    }

    // If we get here, the buffer IS going to be big enough for us, so
    // let's allocate some storage.
    buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, 'ipgD');

    if (NULL == buffer)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // Now let's go get the data
    status = ZwQueryInformationProcess(hProcessHandle,
                                       ProcessImageFileName,
                                       buffer,
                                       returnedLength,
                                       &returnedLength);

    if (NT_SUCCESS(status))
    {
        // Ah, we got what we needed: copy it out before the pool block goes away.
        imageName = (PUNICODE_STRING) buffer;
        RtlCopyUnicodeString(ProcessImageName, imageName);
    }

    // free our buffer
    ExFreePoolWithTag(buffer, 'ipgD');

    // And tell the caller what happened.
    return status;
}

OK. Now I'm using PsSetCreateProcessNotifyRoutine, so I've got ParentId and ProcessId. When I call RetrieveProcessNameByID(ParentId,&processName); it works, but when I call RetrieveProcessNameByID(ProcessId,&processName);
I get a blue screen:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: e1b1c000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80587d82, address which referenced memory

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4ddcf1c6

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
e1b1c000

CURRENT_IRQL: 2

FAULTING_IP:
nt!IoQueryFileInformation+16c
80587d82 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 805333be to 804e3b25

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f8a771f0 805333be 00000003 e1b1c000 80587d82 nt!DbgBreakPointWithStatus+0x4
f8a775d0 804e2158 0000000a e1b1c000 00000002 nt!KeDeregisterBugCheckReasonCallback+0x6c7
f8a77604 fc3cd459 f8a77648 804e3d77 80e1a5e0 nt!Kei386EoiHelper+0x285d
f8a776b8 80587df8 80d98800 80e7b900 00000000 sr+0x459
f8a776d8 80588483 80d98800 80e7b900 80dee600 nt!IoQueryFileInformation+0x1e2
f8a777fc 80589f49 80d98800 80dee600 0000006a nt!ObQueryNameString+0x132
f8a77828 80589d89 80d98800 0000006a f8a77848 nt!PsSetProcessWindowStation+0xe92
f8a77854 805d78d3 80ded4f0 f8a77a38 f8a77a7c nt!PsSetProcessWindowStation+0xcd2
f8a77a60 804df06b 0000040c 0000001b 00000000 nt!IoWMIQueryAllData+0x6cc
f8a77a7c 804dda28 badb0d00 f8a77af4 00000000 nt!ZwYieldExecution+0xb96
f8a77b24 f900b22e 0000040c f8a77b34 04000000 nt!ZwQueryInformationProcess+0x11
f8a77b4c f900a899 00000404 f8a77b5c 00c80000 PsNotifier!RetrieveProcessNameByID+0x12e
f8a77b78 805f9b73 000004ac 00000404 00000001 PsNotifier!PsNotifyCreateProcessRoutine+0xc9
f8a77cc4 8057f340 018bdc44 001f03ff 00000000 nt!RtlUnicodeStringToInteger+0x1a2f4
f8a77d3c 804df06b 018bdc44 001f03ff 00000000 nt!PsSetThreadWin32Thread+0x70d
f8a77ddc 804fa477 fc302b85 ffb2e908 00000000 nt!ZwYieldExecution+0xb96
f8a77e20 7c910732 0000ebb8 00000000 7c910738 nt!KeInitializeTimer+0x10c
f8a77e5c 7c90e20a 0007fa1c 0000ee18 00000000 ntdll!RtlAllocateHeap+0x15e
00000000 00000000 00000000 00000000 00000000 ntdll!ZwQueryValueKey+0xc

STACK_COMMAND: kb

FOLLOWUP_IP:
PsNotifier!RetrieveProcessNameByID+12e
f900b22e 8945f4 mov dword ptr [ebp-0Ch],eax

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: PsNotifier!RetrieveProcessNameByID+12e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: PsNotifier

IMAGE_NAME: PsNotifier.sys

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

Can you tell me what’s wrong?

Thanks!

Looks to me like your kernel symbols are not correct (your own output says this).
Get them fixed and then post the output.

-Deepak

On Wed, May 25, 2011 at 5:44 PM, wrote:

> Hi guys,
>
> First of all I know there is large number of posts about this routine,
> however I haven’t found anything like this.
>
> Here is what I’m talking about.
>
> I want to get procees full path. I’ve found this article already
>
http://www.osronline.com/article.cfm?article=472 but it’s about current
> process. I Want I my driver to get path of process on basis of processId
> driver got so I’m doing it like this
>
>
> BOOLEAN RetrieveProcessNameByID(HANDLE ProcessId, PUNICODE_STRING
> pusImageFileName)
> {
>
>
> UNICODE_STRING ProcImgName = {0};
> HANDLE hProcessHandle = NULL;
> NTSTATUS status = STATUS_ACCESS_DENIED;
> PEPROCESS eProcess = NULL;
> int iEntryIndex = -1;
>
> status = PsLookupProcessByProcessId(ProcessId, &eProcess);
> if((!NT_SUCCESS(status)) || (!eProcess))
> {
> return FALSE;
> }
>
>
>
> status = ObOpenObjectByPointer(eProcess, 0, NULL, 0, 0, KernelMode,
> &hProcessHandle);
> if((!NT_SUCCESS(status)) || (!hProcessHandle))
> {
> ObDereferenceObject(eProcess);
> return FALSE;
> }
>
> ProcImgName.Length = 0;
> ProcImgName.MaximumLength = 1024;
> ProcImgName.Buffer = ExAllocatePoolWithTag(NonPagedPool,
> ProcImgName.MaximumLength, ‘2leN’);
> if(ProcImgName.Buffer == NULL)
> {
> ZwClose(hProcessHandle);
> ObDereferenceObject(eProcess);
> return FALSE;
> }
>
> RtlZeroMemory( ProcImgName.Buffer, ProcImgName.MaximumLength ) ;
>
> status = GetProcessImageName(hProcessHandle, &ProcImgName);
>
> if(!NT_SUCCESS(status))
> {
> DbgPrint(“[NotifyProcessCreate] GetProcessImageName failed
> (0x%08x)\n”, status);
> ExFreePoolWithTag(ProcImgName.Buffer, ‘2leN’);
> ZwClose(hProcessHandle);
> ObDereferenceObject(eProcess);
> return FALSE;
> }
>
>
>
> if
> (pusImageFileName)
> {
>
> RtlCopyUnicodeString(pusImageFileName, &ProcImgName);
>
> }
>
>
>
> ExFreePoolWithTag(ProcImgName.Buffer, ‘2leN’);
> ZwClose(hProcessHandle);
> ObDereferenceObject(eProcess);
> return TRUE;
> }
>
>
> //…
>
> NTSTATUS GetProcessImageName(HANDLE hProcessHandle, PUNICODE_STRING
> ProcessImageName)
> {
> NTSTATUS status;
> ULONG returnedLength;
> ULONG bufferLength;
> PVOID buffer;
> PUNICODE_STRING imageName;
>
>
>
> if (NULL == ZwQueryInformationProcess) {
>
> UNICODE_STRING routineName;
>
> RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
>
> ZwQueryInformationProcess =
> (QUERY_INFO_PROCESS) MmGetSystemRoutineAddress(&routineName);
>
> if (NULL == ZwQueryInformationProcess) {
> DbgPrint(“Cannot resolve ZwQueryInformationProcess\n”);
> }
> }
>
>
>
> //
> // Step one - get the size we need
> //
> status = ZwQueryInformationProcess( hProcessHandle,
> ProcessImageFileName,
> NULL, // buffer
> 0, // buffer size
> &returnedLength);
>
> if (STATUS_INFO_LENGTH_MISMATCH != status) {
>
>
> return status;
>
> }
>
>
>
> //
> // Is the passed-in buffer going to be big enough for us?
> // This function returns a single contguous buffer model…
> //
> bufferLength = returnedLength - sizeof(UNICODE_STRING);
>
> if (ProcessImageName->MaximumLength < bufferLength) {
>
> ProcessImageName->Length = (USHORT) bufferLength;
>
> return STATUS_BUFFER_OVERFLOW;
>
> }
>
> //
> // If we get here, the buffer IS going to be big enough for us, so
> // let’s allocate some storage.
> //
> buffer = ExAllocatePoolWithTag(PagedPool, returnedLength, ‘ipgD’);
>
> if (NULL == buffer) {
>
> return STATUS_INSUFFICIENT_RESOURCES;
>
> }
>
> //
> // Now lets go get the data
> //
> status = ZwQueryInformationProcess( hProcessHandle,
> ProcessImageFileName,
> buffer,
> returnedLength,
> &returnedLength);
>
> if (NT_SUCCESS(status)) {
> //
> // Ah, we got what we needed
> //
> imageName = (PUNICODE_STRING) buffer;
>
> RtlCopyUnicodeString(ProcessImageName, imageName);
>
> }
>
> //
> // free our buffer
> //
> ExFreePool(buffer);
>
> //
> // And tell the caller what happened.
> //
> return status;
>
> }
>
> OK. Now I’m using PsSetCreateProcessNotifyRoutine so I’ve got ParentId and
> ProcessId … when I call RetrieveProcessNameByID(ParentId,&processName); it
> is working, but when I call
> RetrieveProcessNameByID(ProcessId,&processName);
> I’ve got blue screen:
>
> IRQL_NOT_LESS_OR_EQUAL (a)
> An attempt was made to access a pageable (or completely invalid) address at
> an
> interrupt request level (IRQL) that is too high. This is usually
> caused by drivers using improper addresses.
> If a kernel debugger is available get the stack backtrace.
> Arguments:
> Arg1: e1b1c000, memory referenced
> Arg2: 00000002, IRQL
> Arg3: 00000000, bitfield :
> bit 0 : value 0 = read operation, 1 = write operation
> bit 3 : value 0 = not an execute operation, 1 = execute operation
> (only on chips which support this level of status)
> Arg4: 80587d82, address which referenced memory
>
> Debugging Details:
> ------------------
>
> ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
>
> *************************************************************************
> ***                                                                   ***
> ***                                                                   ***
> ***    Your debugger is not using the correct symbols                 ***
> ***                                                                   ***
> ***    In order for this command to work properly, your symbol path   ***
> ***    must point to .pdb files that have full type information.      ***
> ***                                                                   ***
> ***    Certain .pdb files (such as the public OS symbols) do not      ***
> ***    contain the required information.  Contact the group that      ***
> ***    provided you with these symbols if you need this command to    ***
> ***    work.                                                          ***
> ***                                                                   ***
> ***    Type referenced: nt!_KPRCB                                     ***
> ***                                                                   ***
> *************************************************************************
> *************************************************************************
> ***                                                                   ***
> ***                                                                   ***
> ***    Your debugger is not using the correct symbols                 ***
> ***                                                                   ***
> ***    In order for this command to work properly, your symbol path   ***
> ***    must point to .pdb files that have full type information.      ***
> ***                                                                   ***
> ***    Certain .pdb files (such as the public OS symbols) do not      ***
> ***    contain the required information.  Contact the group that      ***
> ***    provided you with these symbols if you need this command to    ***
> ***    work.                                                          ***
> ***                                                                   ***
> ***    Type referenced: nt!_KPRCB                                     ***
> ***                                                                   ***
> *************************************************************************
>
> ADDITIONAL_DEBUG_TEXT:
> Use '!findthebuild' command to search for the target build information.
> If the build information is available, run '!findthebuild -s ; .reload' to
> set symbol path and load symbols.
>
> FAULTING_MODULE: 804d7000 nt
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4ddcf1c6
>
> READ_ADDRESS: unable to get nt!MmSpecialPoolStart
> unable to get nt!MmSpecialPoolEnd
> unable to get nt!MmPoolCodeStart
> unable to get nt!MmPoolCodeEnd
> e1b1c000
>
> CURRENT_IRQL: 2
>
> FAULTING_IP:
> nt!IoQueryFileInformation+16c
> 80587d82 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xA
>
> LAST_CONTROL_TRANSFER: from 805333be to 804e3b25
>
> STACK_TEXT:
> WARNING: Stack unwind information not available. Following frames may be
> wrong.
> f8a771f0 805333be 00000003 e1b1c000 80587d82 nt!DbgBreakPointWithStatus+0x4
> f8a775d0 804e2158 0000000a e1b1c000 00000002
> nt!KeDeregisterBugCheckReasonCallback+0x6c7
> f8a77604 fc3cd459 f8a77648 804e3d77 80e1a5e0 nt!Kei386EoiHelper+0x285d
> f8a776b8 80587df8 80d98800 80e7b900 00000000 sr+0x459
> f8a776d8 80588483 80d98800 80e7b900 80dee600
> nt!IoQueryFileInformation+0x1e2
> f8a777fc 80589f49 80d98800 80dee600 0000006a nt!ObQueryNameString+0x132
> f8a77828 80589d89 80d98800 0000006a f8a77848
> nt!PsSetProcessWindowStation+0xe92
> f8a77854 805d78d3 80ded4f0 f8a77a38 f8a77a7c
> nt!PsSetProcessWindowStation+0xcd2
> f8a77a60 804df06b 0000040c 0000001b 00000000 nt!IoWMIQueryAllData+0x6cc
> f8a77a7c 804dda28 badb0d00 f8a77af4 00000000 nt!ZwYieldExecution+0xb96
> f8a77b24 f900b22e 0000040c f8a77b34 04000000
> nt!ZwQueryInformationProcess+0x11
> f8a77b4c f900a899 00000404 f8a77b5c 00c80000
> PsNotifier!RetrieveProcessNameByID+0x12e
> f8a77b78 805f9b73 000004ac 00000404 00000001
> PsNotifier!PsNotifyCreateProcessRoutine+0xc9
> f8a77cc4 8057f340 018bdc44 001f03ff 00000000
> nt!RtlUnicodeStringToInteger+0x1a2f4
> f8a77d3c 804df06b 018bdc44 001f03ff 00000000
> nt!PsSetThreadWin32Thread+0x70d
> f8a77ddc 804fa477 fc302b85 ffb2e908 00000000 nt!ZwYieldExecution+0xb96
> f8a77e20 7c910732 0000ebb8 00000000 7c910738 nt!KeInitializeTimer+0x10c
> f8a77e5c 7c90e20a 0007fa1c 0000ee18 00000000 ntdll!RtlAllocateHeap+0x15e
> 00000000 00000000 00000000 00000000 00000000 ntdll!ZwQueryValueKey+0xc
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> PsNotifier!RetrieveProcessNameByID+12e
> f900b22e 8945f4 mov dword ptr [ebp-0Ch],eax
>
> SYMBOL_STACK_INDEX: b
>
> SYMBOL_NAME: PsNotifier!RetrieveProcessNameByID+12e
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: PsNotifier
>
> IMAGE_NAME: PsNotifier.sys
>
> BUCKET_ID: WRONG_SYMBOLS
>
> Followup: MachineOwner
> ---------
>
> Can you tell me what’s wrong?
>
> Thanks!
>

kd> !analyze -v
*******************************************************************************
* Bugcheck Analysis *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: e149b000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80587d82, address which referenced memory

Debugging Details:

READ_ADDRESS: e149b000 Paged pool

CURRENT_IRQL: 2

FAULTING_IP:
nt!IopQueryNameInternal+255
80587d82 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

DEFAULT_BUCKET_ID: CODE_CORRUPTION

BUGCHECK_STR: 0xA

PROCESS_NAME: svchost.exe

TRAP_FRAME: f8aaa5f0 -- (.trap 0xfffffffff8aaa5f0)
ErrCode = 00000000
eax=80dd903e ebx=e14003e0 ecx=2011a048 edx=80502d3c esi=e149b000 edi=80e73c5a
eip=80587d82 esp=f8aaa664 ebp=f8aaa6b8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!IopQueryNameInternal+0x255:
80587d82 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 805328e7 to 804e3b25

STACK_TEXT:
f8aaa1a4 805328e7 00000003 f8aaa500 00000000 nt!RtlpBreakWithStatusInstruction
f8aaa1f0 805333be 00000003 e149b000 80587d82 nt!KiBugCheckDebugBreak+0x19
f8aaa5d0 804e2158 0000000a e149b000 00000002 nt!KeBugCheck2+0x574
f8aaa5d0 80587d82 0000000a e149b000 00000002 nt!KiTrap0E+0x233
f8aaa6b8 80587df8 80d53a40 80e7b900 00000000 nt!IopQueryNameInternal+0x255
f8aaa6d8 80588483 80d53a40 80e7b900 80dd9008 nt!IopQueryName+0x1b
f8aaa7fc 80589f49 80d53a40 80dd9008 00000072 nt!ObQueryNameString+0xe0
f8aaa828 80589d89 80d53a40 00000072 f8aaa848 nt!SeInitializeProcessAuditName+0x90
f8aaa854 805d78d3 ffa523c0 f8aaaa38 f8aaaa7c nt!SeLocateProcessImageName+0x4b
f8aaaa60 804df06b 00000228 0000001b 00000000 nt!NtQueryInformationProcess+0x85e
f8aaaa60 804dda28 00000228 0000001b 00000000 nt!KiFastCallEntry+0xf8
f8aaab78 805f9b73 00000338 000003d4 00000001 nt!ZwQueryInformationProcess+0x11
f8aaacc4 8057f340 0178f3e0 001f03ff 00000000 nt!PspCreateThread+0x3e3
f8aaad3c 804df06b 0178f3e0 001f03ff 00000000 nt!NtCreateThread+0x118
f8aaad3c 7c90eb94 0178f3e0 001f03ff 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0178fa5c 77de7838 00001184 0178fb58 00000000 0x7c90eb94
0178fab0 5006ff38 00001184 0178fb58 00000000 0x77de7838
0178fd68 5006fc9b 00000002 01fd0c20 5006f208 0x5006ff38
0178fdb8 5006fb99 00000000 500448d4 01fd16f8 0x5006fc9b
0178fdd8 5006faf2 01ff9970 00000001 01fd0c20 0x5006fb99
0178fdf8 5004417a 00000016 00000000 01fd0c20 0x5006faf2
0178fe10 500440f7 00000001 00000016 01fd0cf4 0x5004417a
0178fe3c 5004461d 00000001 01fd0c20 00000001 0x500440f7
0178fe5c 50044596 00000000 00000000 00000003 0x5004461d
0178fe80 50066898 50002000 7c80ac28 00000000 0x50044596
0178ff18 500013f0 00000001 000cf9e0 500012a7 0x50066898
0178ff6c 010011cc 00000001 000cf9e0 00000000 0x500013f0
0178ffa0 77ddb48b 00000001 000cf9e0 0007e898 0x10011cc
0178ffb4 7c80b50b 000cf9d8 00000000 0007e898 0x77ddb48b
0178ffec 00000000 77ddb479 000cf9d8 00000000 0x7c80b50b

STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804d910c - nt!KiXMMIZeroPage+73
[fb:90]
804d9112-804d9115 4 bytes - nt!KiXMMIZeroPage+79 (+0x06)
[57 ff ff ff:35 8b 7e 00]
804d9545-804d954a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433)
[fa 8b 75 08 33 db:e9 6b 87 7e 00 cc]
804d9564 - nt!ExAcquireResourceSharedLite+98 (+0x1f)
[fb:90]
804d9569-804d9570 8 bytes - nt!ExAcquireResourceSharedLite+b8 (+0x05)
[c2 08 00 90 90 90 90 90:e9 63 9b 9b 00 c2 08 00]
804dbb82 - nt!ExReleaseResourceLite+ba (+0x2619)
[99:3f]
804dbb94 - nt!ExReleaseResourceLite+c8 (+0x12)
[87:2d]
804dbba0 - nt!ExReleaseResourceLite+d0 (+0x0c)
[7e:24]
804dbbc5-804dbbcd 9 bytes - nt!ExReleaseResourceLite+f5 (+0x25)
[90 90 90 90 90 90 90 90:e9 f1 74 9b 00 5f 5e 5b]
804dbbd5-804dbbd8 4 bytes - nt!ExReleaseResourceLite+5 (+0x10)
[64 a1 24 01:e9 bc 60 7e]
804dbbda - nt!ExReleaseResourceLite+a (+0x05)
[00:cc]
804dbbe8 - nt!ExReleaseResourceLite+18 (+0x0e)
[36:dc]
804dbbf9 - nt!ExReleaseResourceLite+29 (+0x11)
[25:cb]
804dbc16-804dbc1a 5 bytes - nt!ExReleaseResourceLite+75 (+0x1d)
[66 81 e2 7f ff:e9 69 60 7e 00]
804deff2-804deff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc)
[c7 45 08 00 0d db ba:e9 5e 2c 7e 00 cc cc]
804df07c-804df07f 4 bytes - nt!KiServiceExit (+0x8a)
[fa f7 45 70:e9 7c 40 9b]
804df16b-804df16d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef)
[5a 59 9d:c8 02 04]
804df8fb-804df8fe 4 bytes - nt!KiExceptionExit (+0x790)
[fa f7 45 70:e9 30 38 9b]
804e1fc9-804e1fce 6 bytes - nt!KiTrap0E+a4 (+0x26ce)
[fb f7 45 70 00 02:90 e9 7e 11 9b 00]
804e34b4-804e34b8 5 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x14eb)
[fa 8b 01 89 02:e9 4b e7 7d 00]
804e34d1-804e34d6 6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x1d)
[fa 8b 41 04 89 0a:e9 51 e7 7d 00 cc]
804e34f2-804e34f6 5 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x21)
[fa 8b 01 3b c1:e9 e5 e6 7d 00]
804e3b4c-804e3b4f 4 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x65a)
[64 a1 24 01:e9 19 f5 9a]
804e3b6d-804e3b71 5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x21)
[89 46 1c 66 89:e9 16 f5 9a 00]
804e9175-804e917a 6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5608)
[fa 8b 75 08 33 db:e9 2c 8b 7d 00 cc]
804e9194 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f)
[fb:90]
804e9199-804e91a0 8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05)
[c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00]
804ed809-804ed80f 7 bytes - nt!CcGetActiveVacb+5 (+0x4670)
[fa 8b 45 08 8b 48 48:e9 b6 44 7d 00 cc cc]
804ef1dc-804ef1e3 8 bytes - nt!CcSetActiveVacb+7 (+0x19d3)
[fa 8b 45 08 83 78 48 00:e9 38 2b 7d 00 cc cc cc]
804ef1ff-804ef20c 14 bytes - nt!CcSetActiveVacb+a3 (+0x23)
[8b 0a 89 48 48 89 58 50:e9 05 2b 7d 00 e9 f4 2a]
137 errors : !nt (804d910c-804ef20c)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

Followup: memory_corruption

MEMORY_CORRUPTION_LARGE. It tries to copy a huge number of dwords (in ecx), which does not seem right.
Besides, the address is in paged pool and you are at DISPATCH.
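The two observations in that reply can be checked mechanically against the debugger text. This is an added triage helper, not code from anyone in the thread: it parses the `!chkimg -lo 50 -d !nt` byte-diff listing to see where the patched `nt` entry points now jump (a jmp rel32 target of address + 5 + rel32), and it turns the trap-frame `ecx` into the byte count that `rep movs dword` would have copied. The sample strings are constructed excerpts of the output posted above.

```python
"""Triage helpers for the two pieces of WinDbg output in this thread:
the `!chkimg -lo 50 -d !nt` byte-diff listing and the trap-frame register line.
Added example (not from the original post); the sample text below is a
constructed excerpt copied from the thread's own output."""
import re
import struct

# Constructed excerpt of the thread's chkimg output (a few of the 137 entries).
CHKIMG_SAMPLE = """\
804d9545-804d954a 6 bytes - nt!ExAcquireResourceSharedLite+10 (+0x433)
[fa 8b 75 08 33 db:e9 6b 87 7e 00 cc]
804d9564 - nt!ExAcquireResourceSharedLite+98 (+0x1f)
[fb:90]
804deff2-804deff8 7 bytes - nt!KiFastCallEntry+7f (+0x33dc)
[c7 45 08 00 0d db ba:e9 5e 2c 7e 00 cc cc]
804df16b-804df16d 3 bytes - nt!KiSystemCallExitBranch+2 (+0xef)
[5a 59 9d:c8 02 04]
137 errors : !nt (804d910c-804ef20c)
"""

# Trap-frame register line from the second !analyze -v in the thread.
TRAP_REGS = "eax=80dd903e ebx=e14003e0 ecx=2011a048 edx=80502d3c esi=e149b000 edi=80e73c5a"

_HDR = re.compile(r"^([0-9a-f]{8})(?:-[0-9a-f]{8})?(?: (\d+) bytes)? - (\S+)")
_DIFF = re.compile(r"^\[([0-9a-f ]+):([0-9a-f ]+)\]$")


def parse_chkimg(text):
    """Pair each address/symbol header with its [expected:actual] line.
    Returns a list of dicts: address, symbol, expected bytes, actual bytes."""
    records = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for hdr, diff in zip(lines, lines[1:]):
        h = _HDR.match(hdr)
        d = _DIFF.match(diff)
        if not (h and d):
            continue  # summary line or unrelated text
        expected = bytes.fromhex(d.group(1).replace(" ", ""))
        actual = bytes.fromhex(d.group(2).replace(" ", ""))
        records.append({"address": int(h.group(1), 16), "symbol": h.group(3),
                        "expected": expected, "actual": actual})
    return records


def classify_patch(rec):
    """Describe what the in-memory bytes were changed to.
    A leading E9 with four more bytes is a jmp rel32; its target is
    address + 5 + rel32, which says where execution is being diverted."""
    actual = rec["actual"]
    if len(actual) >= 5 and actual[0] == 0xE9:
        rel = struct.unpack("<i", actual[1:5])[0]
        return ("jmp rel32", (rec["address"] + 5 + rel) & 0xFFFFFFFF)
    if len(actual) == 1 and actual[0] == 0x90:
        return ("nop", None)
    return ("other", None)


def detour_targets(text):
    """Map each symbol whose first patched byte is a jmp rel32 to the jump target.
    Targets that cluster outside the nt image range point at the module that
    installed the detours, which is the next thing to identify (lm, !address)."""
    out = {}
    for rec in parse_chkimg(text):
        kind, target = classify_patch(rec)
        if kind == "jmp rel32":
            out[rec["symbol"]] = target
    return out


def parse_registers(line):
    """Turn 'eax=... ebx=...' into {'eax': int, ...}."""
    return {name: int(val, 16) for name, val in re.findall(r"(\w+)=([0-9a-f]{8})", line)}


def rep_movsd_bytes(regs):
    """Byte count a `rep movs dword ptr` would copy with the given ecx.
    On the thread's trap frame this is about 2 GiB, the 'huge number of dwords'
    noted in the reply: a corrupted length, not a real image-name copy."""
    return regs["ecx"] * 4


if __name__ == "__main__":
    for sym, tgt in detour_targets(CHKIMG_SAMPLE).items():
        print(f"{sym:45s} -> detour to 0x{tgt:08x}")
    print("rep movsd would copy", rep_movsd_bytes(parse_registers(TRAP_REGS)), "bytes")
```

Both detours in the excerpt resolve into the same 0x80cc1c.. region, well outside the `nt` range chkimg reports, which is what makes the bucket CODE_CORRUPTION rather than a bug in PsNotifier.sys alone.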

/* From my very limited experience with process creation callbacks on XP, at callback time the process information in the PEB may not yet be complete enough for ZwQueryInformationProcess to work. This may cause your crash, or it can be something else. */

Pavel, your comment about "not yet complete enough for Zw***" unfortunately can be true... I've read about this somewhere, and since I'm using the PsNotifyCreate routine it is possible that the process is not yet created... but how can I read a process's full path under Windows XP?

Any suggestions?

Thanks!!!

Maybe examining PEB.ProcessParameters->ImagePathName directly can help here.
Does it look like a valid string?
Note that the PsNotifyCreate callback is called in the context of the parent process, and you need the PEB of the new process.

wrote in message news:xxxxx@ntdev…
> Pavel your comment about “not yet complete enough for Zw***” unfortunately
> can be true… I’ve read about this somewhere and since I’m using
> PsNotifyCreate routine it is possible that process is not yet created…
> but how can I read process full path under win xp?
>
> Any suggestions?
>
> Thanks!!!
>