Tags: windows, crash, kernel, kernel-mode

How can I debug a kernel driver crash in Windows?


I wrote a kernel driver that hooks into a process and hides a folder. This driver works very well, until I connect an external hard disk.

At this point, my OS (either Windows XP or Server 2003) crashes with a blue screen of death (BSOD).

What could be causing this crash, and how can I modify my driver to solve it?


Solution

There would be two ways in general:

1. Post-mortem debugging. This is usually what you do when you have no local machine available to reproduce the crash. In this case you're inspecting the crash dump file (either full or mini dump).
2. Live debugging. In this case, if you know the system is going to crash, you prepare one machine to control this machine using WinDbg and connect via serial or FireWire cable. The latter is much faster.

However, I agree that you give way too few details. You "hook"? Well, how? SSDT-hooking? Or do you use the proper way of writing a filter driver? If a filter driver, which model? Mini-filter or legacy filter?

I just noticed your comment that you hook "NtOpenProcess and NtQueryDirectoryFile", so it sounds like SSDT-hooking. What exactly are you doing in your implementation? I know plenty of drivers that do improper SSDT-hooking. It starts with the method used to get the hook in place and usually does not end with a daring implementation.

Please note that for live debugging WinDbg offers some fine features to transfer and load your latest driver version at boot time. So you can debug your latest version without extra preparation. The kernel debugger on the remote end and WinDbg on your machine will take care of it.

Also, you may want to post your question to the lists over at OSR (namely NTDEV).
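A concrete WinDbg workflow for both approaches named in the answer (post-mortem on a dump, and live debugging with the boot-time driver replacement feature), added here as an example and not part of the original answer. The driver name `mydrv.sys`, the paths `C:\build`, `C:\dbg\mydrv.ini`, `C:\symbols` and the dump filename are placeholders; boot.ini lines and the `verifier` command are shown inside `$$` comments because they are typed on the target, not in the debugger.

```windbg
$$ ===== Live debugging: target side (XP / Server 2003) =====
$$ Copy the boot entry in boot.ini and add the debugger switches to the copy.
$$ Serial (COM1, 115200 baud):
$$   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (debug)" /fastdetect /DEBUG /DEBUGPORT=COM1 /BAUDRATE=115200
$$ FireWire (much faster, as the answer says; channel must match the host):
$$   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP (1394)" /fastdetect /DEBUG /DEBUGPORT=1394 /CHANNEL=1
$$ Optional but worth it for a hooking driver: let Driver Verifier watch it.
$$   verifier /standard /driver mydrv.sys      (reboot afterwards)

$$ ===== Live debugging: host side =====
$$ Start WinDbg attached to the cable, e.g. from a command prompt:
$$   windbg -k com:port=com1,baud=115200
$$   windbg -k 1394:channel=1
$$ Break in once, then set things up before letting the target boot.
.symfix C:\symbols            $$ Microsoft symbol server with a local cache
.sympath+ C:\build            $$ where mydrv.pdb for the current build lives
.reload
$$ Boot-time replacement: map file C:\dbg\mydrv.ini contains one line
$$   map \SystemRoot\system32\drivers\mydrv.sys C:\build\mydrv.sys
$$ so the target pulls the fresh build over the debugger cable when it loads.
.kdfiles C:\dbg\mydrv.ini
g                             $$ let the target boot, then plug in the external disk

$$ ===== When the bugcheck hits (debugger breaks in automatically) =====
!analyze -v                   $$ bugcheck code, its four arguments, faulting module, stack
kv                            $$ full stack with arguments and trap frames
lm m mydrv*                   $$ confirm the driver is loaded and symbols matched
!thread                       $$ thread that was running; IRP in progress if any

$$ ===== Post-mortem: same commands against a dump from the target =====
$$   windbg -z C:\WINDOWS\Minidump\Mini000000-01.dmp
.symfix C:\symbols
.sympath+ C:\build
.reload
!analyze -v
kv
```

Once `!analyze -v` names a frame inside `mydrv.sys`, `.frame <n>` followed by `dv` shows that frame's locals if private symbols are loaded, which is usually enough to see what the hook was passed when the new volume appeared.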