-
Notifications
You must be signed in to change notification settings - Fork 668
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Compatibility with Rising antivirus software #1211
Comments
Hi @fcyinxunpeng ,
It technically could but I believe it shouldn't provide one as the current IRP major is
Normally we should allocate that MDL from the Lines 105 to 114 in 69e3d88
We could change our code to override their value by removing this check and the same one in Line 106 in 69e3d88
|
Hi @Liryna , Line 106 in 69e3d88
Line 589 in 69e3d88
But it seems like it's not working because RequestContext->Irp->UserBuffer is always NULL, while RequestContext->Irp->MdlAddress is not NULL even when I don't have antivirus software installed. If I zero memory in DokanQueryDirecory():
Dokany2.sys doesn't crash at this line of code, so RequestContext->Irp->MdlAddress is valid at this moment. |
Thanks for testing! |
OK, I intend to ask for official help. |
This is the official reply of rising:
But I think the real reason is that the anti-virus software modified the address of MmGetSystemAddressForMdlNormalSafe() to point to user space, but this address is only valid in the current context. When dokany is executing DokanCompleteDirectoryControl(), this address is invalid. |
Thanks @fcyinxunpeng ! I am not sure about their answer. I believe we do everything correctly. We try catch and lock the page when we receive the request Lines 590 to 600 in 69e3d88
and only release when we no longer need it. https://github.com/dokan-dev/dokany/blob/master/sys/directory.c#L323 I agree with you that they might not wait for our completion and do something with the buffer they gave us and things go wrong. |
@fcyinxunpeng Were you able to get more info from Rising ? |
@Liryna I decompiled one of Rising's driver files named rsutil.sys. In the IoCompletion of IRP_MJ_DIRECTORY_CONTROL, the code releases the MDL without checking the value of IRP->PendingReturned. I have emailed this conclusion to the Rising staff. She replied that it has been forwarded to the developers to investigate the issue, but three weeks have passed, and there has been no news. Rising may not want to modify their code regarding this issue. |
Environment
Check List
Description
When I run memfs.exe with administrator privileges on a PC with certain antivirus software installed, I get a BSOD,seemingly crashing in dokan2.sys
If I disable the antivirus software or stop its USB protection feature, memfs.exe can work normally.
Also, if I enable the antivirus software and its USB protection feature but run memfs.exe without administrator privileges, memfs.exe can work normally.
I've tested version 2.1.0.1000 on both Windows 7 and Windows 10.
The name of the antivirus software is Rising, and it's from China. Here is the download page: rising v17 download page
I am a novice and not very familiar with Windows driver development. I have conducted some basic debugging and it seems that the buffer obtained through the MmGetSystemAddressForMdlNormalSafe() function points to an incorrect address. When executing RtlZeroMemory() on this buffer, an error occurred.
I looked into the code, and I have a question: In the DokanQueryDirectory() function (sys/directory.c:106), could the value of RequestContext->Irp->MdlAddress be filled by the program of antivirus software?
My English is bad. This is the translation provided by ChatGPT.
Thank you very much.
Logs
Here is my log and the output of !analyze -v:
dokan log:
log.txt
!analyze -v output:
analyze.txt
minidump file:
minidump.dmp
The text was updated successfully, but these errors were encountered: