I have a driver that attaches to the device stack and intercepts IRPs. Some of them need to be intercepted on the way back up so I can look at what is inside them. I do it like this:

Code (Text):
NTSTATUS DispatchRoutine( PDEVICE_OBJECT HookDevice, IN PIRP Irp )
{
    BOOLEAN hookCompletion;
    //...
    switch (currentIrpStack->MajorFunction)
    {
    case IRP_MJ_CREATE:
        hookCompletion = TRUE;
        break;
    default:
        hookCompletion = FALSE;
        break;
    }

    if (hookCompletion)
    {
        IoCopyCurrentIrpStackLocationToNext(Irp);
        IoSetCompletionRoutine( Irp, CompletionRoutine, NULL, TRUE, TRUE, TRUE );
    }
    else
        IoSkipCurrentIrpStackLocation(Irp);

    //
    // Return the results of the call to the caller
    //
    return IoCallDriver( hookExt->FileSystem, Irp );
}

The problem is that it crashes on the call to IoCallDriver, and the debugger reports the following:

Code (Text):
Access violation - code c0000005 (!!! second chance !!!)
sr!SrCreate+0x70:
f994a796 f6422d01 test byte ptr [edx+0x2d],0x1

It never reaches CompletionRoutine. Its code is roughly as follows:

Code (Text):
NTSTATUS CompletionRoutine( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context )
{
    KIRQL oldirql;

    KeAcquireSpinLock(&FStoreMutex, &oldirql);
    if (Irp->IoStatus.Information == FILE_CREATED ||
        Irp->IoStatus.Information == FILE_OVERWRITTEN)
    {
        //....
    }
    else
    {
        //....
    }
    KeReleaseSpinLock(&FStoreMutex, oldirql);

    //
    // Now we have to mark Irp as pending if necessary
    //
    if( Irp->PendingReturned )
    {
        IoMarkIrpPending( Irp );
    }
    return Irp->IoStatus.Status;
}

If I run !analyze -v in WinDbg at the time of the crash, I get the following:

Code (Text):
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

PROCESS_NAME: svchost.exe

FAULTING_IP:
sr!SrCreate+70
f994a796 f6422d01 test byte ptr [edx+0x2d],0x1

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: f994a796 (sr!SrCreate+0x00000070)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000002e
Attempt to read from address 0000002e

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

READ_ADDRESS: 0000002e

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 804e3d77 to f994a796

STACK_TEXT:
f8000998 804e3d77 81bd7d40 819d5630 819d57dc sr!SrCreate+0x70
f80009a8 f9c5f1ad 819d5640 819442c0 00000000 nt!IopfCallDriver+0x31
f8000a38 f9c61cfb 8189f340 819d5630 8189f340 dtd!DispatchRoutine+0x37d [g:\src\dtd\filemon.c @ 3077]
//.....

STACK_COMMAND: kb

FOLLOWUP_IP:
dtd!DispatchRoutine+37d [g:\src\dtd\filemon.c @ 3077]
f9c5f1ad 8b4ddc mov ecx,[ebp-0x24]

FAULTING_SOURCE_CODE:
  3073: //
  3074: // Return the results of the call to the caller
  3075: //
  3076: return IoCallDriver( hookExt->FileSystem, Irp );
> 3077: }

SYMBOL_STACK_INDEX: 2
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: dtd!DispatchRoutine+37d
MODULE_NAME: dtd
IMAGE_NAME: dtd.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45bf41cb
FAILURE_BUCKET_ID: ACCESS_VIOLATION_dtd!DispatchRoutine+37d
BUCKET_ID: ACCESS_VIOLATION_dtd!DispatchRoutine+37d
Followup: MachineOwner
---------