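Using tooflat's code: create is re-entered when writing the flag. Bugcheck
I don't get it. The request was clearly passed down to the lower layer, so how did it come back again?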
```
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR:  0x7f_8

TSS:  00000028 -- (.tss 0x28)
eax=816c9178 ebx=816c9178 ecx=00000000 edx=816c9178 esi=817c7530 edi=8169c9f8
eip=f9aa0935 esp=f9edffec ebp=f9ee086c iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
Sfilter!SfCreate+0x3b:
f9aa0935 ff1584faa9f9    call    dword ptr [Sfilter!_imp__KeGetCurrentIrql (f9a9fa84)] ds:0023:f9a9fa84={hal!KeGetCurrentIrql (806ef2e8)}
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from 804e4d77 to f9aa0935

STACK_TEXT:
f9ee086c 804e4d77 81782748 8169c9e8 8169c9e8 Sfilter!SfCreate+0x3b [e:\?úí?\fsd\code\test\sfilter.c @ 2155]
f9ee087c 80571f9c 8174ce18 816993ec f9ee0a24 nt!IopfCallDriver+0x31
f9ee095c 8056486c 8174ce30 00000000 81699348 nt!IopParseDevice+0xa58
f9ee09e4 80568c63 00000000 f9ee0a24 00000240 nt!ObpLookupObjectName+0x56a
f9ee0a38 80572477 00000000 00000000 00000000 nt!ObOpenObjectByName+0xeb
f9ee0ab4 8057c274 f9ee0b74 00100000 f9ee0b54 nt!IopCreateFile+0x407
f9ee0afc f994eea5 f9ee0b74 00100000 f9ee0b54 nt!IoCreateFileSpecifyDeviceObjectHint+0x52
f9ee0c9c f994f6d1 81782470 f9ee0d88 f9ee0d85 sr!SrpExpandPathOfFileName+0x111
f9ee0cbc f994f713 81782470 816994d8 f9ee0d88 sr!SrpGetFileNameFromFileObject+0xe7
f9ee0cd4 f994f7a0 81782470 816994d8 00140008 sr!SrpExpandFileName+0x35
f9ee0cfc f99483e2 81782470 816994d8 f98a1700 sr!SrIsFileEligible+0x5a
f9ee0e9c f994a82c 81782470 816994d8 00140008 sr!SrCreateContext+0x13e
f9ee0efc 804e4d77 81782470 00000005 817c7530 sr!SrCreate+0x106
f9ee0f0c f9aa0bdd 00000001 00000000 f9ee1304 nt!IopfCallDriver+0x31
f9ee1794 804e4d77 81782748 816bb008 816bb008 Sfilter!SfCreate+0x2e3 [e:\?úí?\fsd\code\test\sfilter.c @ 2242]
f9ee17a4 80571f9c 8174ce18 8177c0ac f9ee194c nt!IopfCallDriver+0x31
f9ee1884 8056486c 8174ce30 00000000 8177c008 nt!IopParseDevice+0xa58
f9ee190c 80568c63 00000000 f9ee194c 00000240 nt!ObpLookupObjectName+0x56a
f9ee1960 80572477 00000000 00000000 7a95b000 nt!ObOpenObjectByName+0xeb
f9ee19dc 80572546 f9ee1b8c 00100002 f9ee1b6c nt!IopCreateFile+0x407
f9ee1a38 8057267c f9ee1b8c 00100002 f9ee1b6c nt!IoCreateFile+0x8e
f9ee1a78 804e006b f9ee1b8c 00100002 f9ee1b6c nt!NtCreateFile+0x30
f9ee1a78 804ddfb9 f9ee1b8c 00100002 f9ee1b6c nt!KiFastCallEntry+0xf8
f9ee1b1c f9a9f281 f9ee1b8c 00100002 f9ee1b6c nt!ZwCreateFile+0x11
f9ee1f90 f9a9babc 81782748 e148f03c 00000001 Sfilter!SfSetFileEncrypted+0x22b [e:\?úí?\fsd\code\test\sfilter.c @ 8301]
f9ee1fcc f9aa0dc9 f9ee281c 00000001 00000000 Sfilter!SfPostCreateWorker+0x286 [e:\?úí?\fsd\code\test\sfilter.c @ 2417]
f9ee2858 804e4d77 81782748 816c1008 816c1008 Sfilter!SfCreate+0x4cf [e:\?úí?\fsd\code\test\sfilter.c @ 2318]
f9ee2868 80571f9c 8174ce18 81782694 f9ee2a10 nt!IopfCallDriver+0x31
f9ee2948 8056486c 8174ce30 00000000 817825f0 nt!IopParseDevice+0xa58
f9ee29d0 80568c63 00000000 f9ee2a10 00000240 nt!ObpLookupObjectName+0x56a
f9ee2a24 80572477 00000000 00000000 565c2f00 nt!ObOpenObjectByName+0xeb
f9ee2aa0 80572546 f9ee2bdc 00000081 f9ee2b48 nt!IopCreateFile+0x407
f9ee2afc 8058fd8f f9ee2bdc 00000081 f9ee2b48 nt!IoCreateFile+0x8e
f9ee2b70 80590392 f9ee2b98 00000081 f9ee2bd0 nt!CcPfGetSectionObject+0x91
f9ee2c04 805b6220 f9ee2d24 01000002 01ee2c30 nt!CcPfPrefetchSections+0x2b7
f9ee2dac 8057efed 81793b88 00000000 00000000 nt!CcPfBootWorker+0x3fc
f9ee2ddc 804fb477 805b5edd 81793b88 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND:  .tss 0x28 ; kb

FOLLOWUP_IP:
Sfilter!SfCreate+3b [e:\?úí?\fsd\code\test\sfilter.c @ 2155]
f9aa0935 ff1584faa9f9    call    dword ptr [Sfilter!_imp__KeGetCurrentIrql (f9a9fa84)]

FAULTING_SOURCE_CODE:
  2151:     PWSTR FileName = NULL;
  2152:     NTSTATUS Status = STATUS_SUCCESS;
  2153:     POST_CREATE_WORKER_CONTEXT WorkerCtx;
  2154:
> 2155:     PAGED_CODE();
  2156:
  2157:     //
  2158:     // If this is for our control device object, don't allow it to be opened.
  2159:     //
  2160:     if (IS_MY_CONTROL_DEVICE_OBJECT(DeviceObject))

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Sfilter!SfCreate+3b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Sfilter

IMAGE_NAME:  Sfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  46a9c4aa

FAILURE_BUCKET_ID:  0x7f_8_Sfilter!SfCreate+3b

BUCKET_ID:  0x7f_8_Sfilter!SfCreate+3b

Followup: MachineOwner
```

Reply #1
Posted: 2007-07-29 07:28
Oh my!!! What is this? I can't understand any of it!

Reply #2
Posted: 2007-07-29 08:05
You should put the pdb file in the windbg directory, and then post the corresponding source code.

Reply #3
Posted: 2007-07-29 11:14
It seems IoCreateFileSpecifyDeviceObjectHint() is called with a NULL device object.
What is the IRQL when SfSetFileEncrypted() is called?
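
Added example, not part of the original thread: a short Python script that parses `kb`-style stack lines like the STACK_TEXT in the first post and reports which functions were re-entered and how much stack lay between successive entries. The embedded excerpt is copied from that post with intermediate frames omitted; the names `parse_frames`, `reentry_report` and `stack_used` are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the STACK_TEXT from the first post (intermediate frames omitted).
# Columns: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol+offset
STACK_TEXT = """\
f9ee086c 804e4d77 81782748 8169c9e8 8169c9e8 Sfilter!SfCreate+0x3b
f9ee0afc f994eea5 f9ee0b74 00100000 f9ee0b54 nt!IoCreateFileSpecifyDeviceObjectHint+0x52
f9ee0efc 804e4d77 81782470 00000005 817c7530 sr!SrCreate+0x106
f9ee1794 804e4d77 81782748 816bb008 816bb008 Sfilter!SfCreate+0x2e3
f9ee1b1c f9a9f281 f9ee1b8c 00100002 f9ee1b6c nt!ZwCreateFile+0x11
f9ee1f90 f9a9babc 81782748 e148f03c 00000001 Sfilter!SfSetFileEncrypted+0x22b
f9ee2858 804e4d77 81782748 816c1008 816c1008 Sfilter!SfCreate+0x4cf
f9ee2ddc 804fb477 805b5edd 81793b88 00000000 nt!PspSystemThreadStartup+0x34
"""
ESP_AT_FAULT = 0xF9EDFFEC  # esp from the .tss 0x28 register dump in the post

FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+?)(?:\+0x[0-9a-f]+)?(?:\s|$)")

def parse_frames(text):
    """Return [(child_ebp, 'module!function'), ...], innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), m.group(2)))
    return frames

def reentry_report(frames):
    """Map each function seen more than once to the bytes between its entries."""
    seen = defaultdict(list)
    for ebp, sym in frames:
        seen[sym].append(ebp)
    return {sym: [b - a for a, b in zip(ebps, ebps[1:])]
            for sym, ebps in seen.items() if len(ebps) > 1}

def stack_used(frames, esp):
    """Bytes between the outermost listed frame pointer and esp at the fault."""
    return max(ebp for ebp, _ in frames) - esp

if __name__ == "__main__":
    frames = parse_frames(STACK_TEXT)
    for sym, gaps in reentry_report(frames).items():
        print(f"{sym} entered {len(gaps) + 1} times; bytes between entries: {gaps}")
    print(f"stack in use at fault: {stack_used(frames, ESP_AT_FAULT)} bytes")
```

On this excerpt it reports Sfilter!SfCreate entered three times, 3880 and 4292 bytes apart, with 11760 bytes of stack in use when the double fault was taken.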