I'm writing a windows device driver. The driver is very simple. It does nothing fancy. I'm just trying to get familiar with the windows driver development.
In my driver I'm allocating some memory from NonPagedPool, but have a very strange error.
Here goes my code segment:
pMyNode = (PMY_NODE)ExAllocatePoolWithTag(NonPagedPool, sizeof(MY_NODE), 'TEST');
if (pMyNode == NULL){
DbgPrint("Not Enough Memory\n");
}
else{
// Do Some Stuffs and free memory
}
The corresponding assembly code(from IDA Pro Disassembler) is:
call ds:__imp__ExAllocatePoolWithTag
mov [ebp+pMyNode], eax
cmp [ebp+pMyNode], 0
jnz SOME_OFFSET
call _DbgPrint
SOME_OFFSET:
.........
.........
This code segment goes into the handler function of PsSetCreateProcessNotifyRoutine. So every time a new process is created, this code segment gets executed. Now if I run the driver for a long time, I get BSoD error suddenly. And WinDbg triggers the instruction mov [ebp+pMyNode], eax as the faulting instruction. This line actually assigns the return value of ExAllocatePoolWithTag to pMyNode pointer. I don't understand howcome this might be a faulty instruction.
The error message in BSoD screen is A Device Driver Has Pool. Check the WinDbg log below:
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: e252a000, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8054baee, address which referenced memory
Any help is appreciable.