-2

I wrote a kernel driver that hooks into a process and hides a folder. This driver works very well, until I connect an external hard disk.

At this point, my OS (either Windows XP or Server 2003) crashes with a blue screen of death (BSOD).

What could be causing this crash, and how can I modify my driver to solve it?

Cody Gray - on strike
M.Rezaei
  • It's almost like saying, "Doctor, I'm not feeling well today, can you help me?" – user541686 Jan 13 '11 at 07:31
  • Doctor, my arm hurts when I do this. Then don't do that. – leppie Jan 13 '11 at 07:42
  • I need to connect an external hard disk to the system – M.Rezaei Jan 13 '11 at 07:57
  • @M.Rezaei: What the other two commenters are trying to tell you is that it's *very* difficult to help you determine the source of your problem without posting some of your code or at least a stack trace that might give us some hint as to what's going wrong. You can edit your question to add extra information at any time. – Cody Gray - on strike Jan 13 '11 at 09:54
  • I hook NtOpenProcess and NtQueryDirectoryFile to hide the folder and hide the process. – M.Rezaei Jan 13 '11 at 14:36
  • Hide process? SO is not the place to ask for help with rootkit development. – Ben Voigt Feb 12 '11 at 16:05

3 Answers

1

There would be two ways in general:

  1. post-mortem debugging. This is usually what you do when you have no local machine available to reproduce the crash. In this case you're inspecting the crashdump file (either full or mini dump).
  2. live debugging. In this case, if you know the system is going to crash, you prepare one machine to control this machine using WinDbg and connect via serial or FireWire cable. The latter is much faster.

However, I agree that you give way too few details. You "hook"? Well, how? SSDT-hooking? Or do you use the proper way of writing a filter driver? If a filter driver, which model? Mini-filter or legacy filter?

I just noticed your comment that you hook "NtOpenProcess and NtQueryDirectoryFile", so it sounds like SSDT-hooking. What exactly are you doing in your implementation? I know plenty of drivers that do improper SSDT-hooking. It starts with the method used to get the hook in place and usually does not end with a daring implementation.

Please note that for live debugging, WinDbg offers some fine features to transfer and load your latest driver version at boot time. So you can debug your latest version without extra preparation. The kernel debugger on the remote end and WinDbg on your machine will take care of it.

Also, you may want to post your question to the lists over at OSR (namely NTDEV).

0xC0000022L
1

When developing kernel drivers, typically you want to test them in a virtual machine, with a kernel debugger connection (host is debugger, VM is debuggee). Some of the virtual machine environments provide direct support for debugging.

Afterward, of course, you need to debug on a variety of physical and virtual hardware.

Ben Voigt
0

You have posted almost no technical details of the BSOD, or how your code works, so it is impossible to provide a specific answer. As a general starting point, I would suggest you analyze the minidump to get some specifics of what went wrong to trigger the BSOD. Here is a good getting started guide.

http://forums.majorgeeks.com/showthread.php?p=1418737

myron-semack
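The three answers describe the same workflow from different ends: a WinDbg live session over serial or FireWire with boot-time driver replacement (first answer), a VM guest as the debuggee (second answer), and post-mortem analysis of the minidump (third answer). The transcript below puts those pieces in one place for the XP / Server 2003 systems the question names. It is an added illustration, not code or output from any of the answerers; the driver name hidedrv.sys, the build path C:\build, the pipe name \\.\pipe\com_1, the symbol cache C:\symbols and the dump file name are assumptions chosen for the example. Lines starting with "rem" are comments at a cmd prompt on the named machine; lines starting with "$$" are WinDbg comments, and the commands that follow them are typed at the kd> prompt.

```text
rem ---- Guest (XP / Server 2003): add a debug boot entry to C:\boot.ini ----
rem Keep the normal entry so a broken build cannot lock you out. COM1 at 115200
rem baud; for a FireWire cable use "/debugport=1394 /channel=1" instead.
rem (bcdedit does not exist here; it arrived with Vista.)
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (kernel debug)" /fastdetect /debug /debugport=com1 /baudrate=115200

rem ---- Host: attach WinDbg to the other end of the cable ----
rem VM guest: point the guest's COM1 at a named pipe on the host (VMware:
rem "\\.\pipe\com_1", this end is the server, the other end is an application).
windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
rem Physical null-modem cable:   windbg -k com:port=com1,baud=115200
rem FireWire cable:              windbg -k 1394:channel=1

$$ ---- In the debugger, after the guest breaks in (Ctrl+Break) ----
$$ Symbols from the Microsoft symbol server, cached locally.
.symfix C:\symbols
.reload
$$ Boot-time driver replacement: whenever the guest loads the first path, the
$$ debugger ships the second one over the cable instead, so a rebuilt driver
$$ needs no copying into the guest. This is the WinDbg feature the first answer
$$ refers to.
.kdfiles -m \SystemRoot\system32\drivers\hidedrv.sys C:\build\hidedrv.sys
$$ Stop when the module loads, and again at its entry point (bu = unresolved
$$ breakpoint, resolved once the image is in memory).
sxe ld:hidedrv
bu hidedrv!DriverEntry
g

$$ ---- Now plug in the external disk. With the debugger attached the bug
$$ check stops the guest here instead of rebooting it. ----
!analyze -v
$$ Full stack with arguments; look for hidedrv frames and for the address the
$$ faulting instruction touched.
kv
!thread
$$ Confirm which build of the driver is actually loaded.
lm m hidedrv

rem ---- Post-mortem: no second machine, only the dump the crashed box wrote ----
rem Guest: Control Panel > System > Advanced > Startup and Recovery >
rem "Write debugging information": Small memory dump (64 KB) or Kernel memory
rem dump. XP names minidumps MiniMMDDYY-NN.dmp; the name below is an example.
windbg -z C:\WINDOWS\Minidump\Mini011311-01.dmp
$$ then, inside the debugger:
.symfix C:\symbols
.reload
!analyze -v
kv
lm m hidedrv

rem ---- Guest: make the driver fail loudly before it fails mysteriously ----
rem Driver Verifier's standard settings (special pool, forced IRQL checking,
rem I/O verification, pool tracking) turn many silent driver bugs into an
rem immediate bug check that names the driver. Reboot after enabling it;
rem "verifier /reset" turns it off again.
verifier /standard /driver hidedrv.sys
```

The live session and the minidump give you the same starting point, !analyze -v followed by the stack, but only the live session lets you set breakpoints before the disk is connected and inspect the request that was in flight when the bug check fired. Whichever route you take, the stack with the hidedrv frames on it is what the answers above are asking to see.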