I have an unknown problem with this very simple TDI hook.
After a few "TDIDeviceDispatch" calls I get this... (WinXP)

#include "test.h"
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Parking place for the original \Driver\Tcpip dispatch entries saved by HookTDI and
// restored by UnHookTDI.  Only the MajorFunction member is ever read or written, so a
// whole DRIVER_OBJECT is declared where an array of PDRIVER_DISPATCH would suffice.
DRIVER_OBJECT      g_TDI;
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Completion routine that TDIDeviceDispatch installs in place of the caller's own.
// Context carries the caller's original completion routine (stashed there by
// TDIDeviceDispatch), which is invoked below with a NULL context: the caller's real
// context pointer was overwritten when the hook was installed and is no longer
// available.  A routine that dereferences its context will therefore fault, and
// since completion routines may run at DISPATCH_LEVEL this is a plausible source of
// the IRQL_NOT_LESS_OR_EQUAL (0xA) bug check reported in this thread.
// When no original routine was saved, the IRP is simply passed through as success.
NTSTATUS TDICompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context)
{
  // Casting before the NULL check is harmless: the value is only used (called) inside the if.
  PIO_COMPLETION_ROUTINE RealCompletionRoutine = (PIO_COMPLETION_ROUTINE)Context;
  if(Context != NULL)
  {
      // Third argument should be the caller's original Context, which was clobbered in TDIDeviceDispatch.
      return RealCompletionRoutine(DeviceObject,Irp,NULL);
  }else{
      return STATUS_SUCCESS;
  }
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Dispatch routine that HookTDI writes into every entry of \Driver\Tcpip's
// MajorFunction table.  It diverts completion of the IRP to TDICompletionRoutine and
// then forwards the IRP to the saved original handler.  Two defects are visible here,
// both on the *current* stack location, which was filled in by the driver above:
//   * the caller-supplied Context is overwritten (reused to stash the original
//     completion routine), so that routine later runs with a NULL context;
//   * the caller's Control flags are replaced wholesale, so a routine registered for
//     success only is now also invoked on error and on cancel.
// Either can crash the upper driver when its completion routine fires.
NTSTATUS TDIDeviceDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
  NTSTATUS                  Status;
  PIO_STACK_LOCATION  StackLocationPtr;
  // A NULL IRP is reported as success without ever reaching the original dispatch routine.
  if(Irp == NULL) return STATUS_SUCCESS;
  StackLocationPtr = IoGetCurrentIrpStackLocation(Irp);
  // The original completion routine is parked in Context; the caller's own Context is lost here.
  if(StackLocationPtr->CompletionRoutine != NULL)
  {
      StackLocationPtr->Context = StackLocationPtr->CompletionRoutine;
  }else{
      StackLocationPtr->Context = NULL;
  }
  // The cast is redundant: TDICompletionRoutine already has the PIO_COMPLETION_ROUTINE signature.
  StackLocationPtr->CompletionRoutine = (PIO_COMPLETION_ROUTINE)TDICompletionRoutine;
  // Unconditionally replaces whatever Control flags the caller had set.
  StackLocationPtr->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL;
  // As rendered, MajorFunction (an array) is called without an index; the original code
  // presumably selected the entry for this IRP's major function code.  Forum markup
  // most likely stripped the "[...]" subscript -- confirm against the original source.
  Status = g_TDI.MajorFunction(DeviceObject,Irp);
  // Logged after the original handler has run, at whatever IRQL the dispatch was entered.
  DbgPrint("TDIDeviceDispatch\n");
  return Status;
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Looks up the \Driver\Tcpip driver object by name and points every entry of its
// MajorFunction table at TDIDeviceDispatch, keeping the originals in g_TDI.
// Returns the lookup status on failure, otherwise STATUS_SUCCESS.
// Notes for the reviewer:
//   * The reference taken by ObReferenceObjectByName is never released with
//     ObDereferenceObject (as pointed out later in this thread), on either path.
//   * As rendered, both assignments in the loop lack an index even though i is the
//     loop counter; the forum markup most likely stripped "[i]" -- confirm against
//     the original source.
//   * ntddk.h declares MajorFunction with IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the
//     "< IRP_MJ_MAXIMUM_FUNCTION" bound leaves the last entry untouched.
//   * Calling this a second time would copy the hook itself into g_TDI, losing the originals.
// From a detection standpoint, a Tcpip MajorFunction entry that points outside the
// Tcpip driver's own image is exactly the anomaly this routine produces.
NTSTATUS HookTDI(void)
{
  NTSTATUS            Status;
  UNICODE_STRING  usDriverName;
  PDRIVER_OBJECT  DriverObjectToHookPtr;
  int                  i;
  RtlInitUnicodeString(&usDriverName,L"\\Driver\\Tcpip");
  Status = ObReferenceObjectByName(&usDriverName,OBJ_CASE_INSENSITIVE,NULL,0,IoDriverObjectType,KernelMode,NULL,&DriverObjectToHookPtr);
  if(Status != STATUS_SUCCESS) return Status;
  for(i = 0;i < IRP_MJ_MAXIMUM_FUNCTION;i++)
  {
      // Save original, then replace (index apparently lost in rendering, see above).
      g_TDI.MajorFunction = DriverObjectToHookPtr->MajorFunction;
      DriverObjectToHookPtr->MajorFunction = TDIDeviceDispatch;
  }
  // DriverObjectToHookPtr is still referenced here.
  return STATUS_SUCCESS;
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Looks up \Driver\Tcpip again and writes the entries saved in g_TDI back into its
// MajorFunction table.  Returns the lookup status on failure, otherwise STATUS_SUCCESS.
// Notes for the reviewer:
//   * Same leaked ObReferenceObjectByName reference as in HookTDI.
//   * Same missing "[i]" index and same off-by-one loop bound as in HookTDI.
//   * Restoring the table does nothing for IRPs already in flight whose stack location
//     still names TDICompletionRoutine; if this driver is then unloaded, that pointer
//     dangles -- a likely crash on unload, which OnUnload cannot detect because it
//     ignores this function's return value.
NTSTATUS UnHookTDI(void)
{
  NTSTATUS Status;
  UNICODE_STRING usDriverName;
  PDRIVER_OBJECT DriverObjectToHookPtr;
  int i;
  RtlInitUnicodeString(&usDriverName,L"\\Driver\\Tcpip");
  Status = ObReferenceObjectByName(&usDriverName,OBJ_CASE_INSENSITIVE,NULL,0,IoDriverObjectType,KernelMode,NULL,&DriverObjectToHookPtr);
  if(Status != STATUS_SUCCESS) return Status;
  for(i = 0;i < IRP_MJ_MAXIMUM_FUNCTION;i++)
      // Index apparently lost in rendering; see note above.
      DriverObjectToHookPtr->MajorFunction = g_TDI.MajorFunction;
  // DriverObjectToHookPtr is still referenced here.
  return STATUS_SUCCESS;
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// DriverUnload callback: put the Tcpip dispatch table back, then log.
// The NTSTATUS from UnHookTDI is discarded, so a failed restore goes unnoticed at the
// moment the driver image is about to be unmapped; DriverObject itself is not needed
// because UnHookTDI re-resolves the hooked driver by name.
VOID OnUnload(PDRIVER_OBJECT DriverObject)
{
  (void)DriverObject;
  (void)UnHookTDI();
  DbgPrint("OnUnload\n");
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
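// Dispatch routine for this driver's own device(s): completes every IRP immediately
// with STATUS_SUCCESS and no payload.
// Fix: the original read Irp->IoStatus.Status *after* IoCompleteRequest, but once an
// IRP is completed it may already be freed, so the status is now cached in a local and
// IoStatus.Information is set explicitly rather than left stale.
// Returns the status the IRP was completed with (always STATUS_SUCCESS).
NTSTATUS ForwardAndForget(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
  NTSTATUS Status = STATUS_SUCCESS;
  (void)DeviceObject;
  Irp->IoStatus.Status = Status;
  Irp->IoStatus.Information = 0;
  IoCompleteRequest(Irp, IO_NO_INCREMENT);
  // Irp must not be touched past this point.
  return Status;
}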
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
// Driver entry point: points this driver's own MajorFunction table at ForwardAndForget,
// registers OnUnload, logs, then installs the Tcpip hook.  HookTDI's status is returned
// directly, so a failed hook fails the driver load.  RegistryPath is unused.
// As rendered, the loop assigns to MajorFunction without an index and stops one entry
// short of the table (same two issues as HookTDI).  No device object is created in this
// block, so unless code outside this listing creates one, ForwardAndForget is never reached.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
  int  i;
  for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
      // Index apparently lost in rendering ("[i]" stripped by forum markup) -- confirm against the original.
      DriverObject->MajorFunction = ForwardAndForget;
  DriverObject->DriverUnload  = OnUnload;
  DbgPrint("DriverEntry\n");
  return HookTDI();
}
//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Posted on 2005-07-26 03:38:22 by Criminal2
Hi!

The Bug Check code is 0x0A

"The IRQL_NOT_LESS_OR_EQUAL bug check has a value of 0x0000000A.
This indicates that Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

Parameters
The following parameters are displayed on the blue screen.

---------------------------------------
Parameter Description
---------------------------------------
1  -  Memory referenced
2  -  IRQL at time of reference
3  -  0: Read
      1: Write
4  -  Address which referenced memory
---------------------------------------"


Use some kernel mode debugger and see what instruction is at 0x804efcdc.

And don't forget to use the ObDereferenceObject function if you use the
ObReferenceObjectByName function.


Good luck  :D

Regards,
Opc0de
Posted on 2005-07-26 10:26:52 by Opcode

And don't forget to use the ObDereferenceObject function if you use the
ObReferenceObjectByName function.
Good luck  :D

I didn't see that :)
Thank you very much
Posted on 2005-07-26 13:32:47 by Criminal2