2015-08-03 17:57 GMT+02:00 Yang Luo <hslu...@gmail.com>:
> Hi Pascal,
>
> Thanks for testing. The output of your dump is pasted below. It seems that
> the NdisFOidRequest call fails in Npcap's NPF_GetDeviceMTU routine. It is in
> the same position as the previous SYSTEM_SERVICE_EXCEPTION BSoD, so I
> think they may belong to the same bug. However, I didn't find what's wrong
> with this code (go to this link if anyone is interested in the code:
> https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/Openclos.c,
> Line: 570). WinDbg said "*An attempt was made to access a pageable (or
> completely invalid) address at an interrupt request level (IRQL) that is
> too high.*" But actually all arguments of NdisFOidRequest come from the
> OPEN_INSTANCE struct, and this struct is allocated in a NonPaged pool, so
> it's hard to understand the reason.
>
> Another way is to reproduce this BSoD. I didn't encounter this BSoD
> before; from the dump I only recognized that you installed VirtualBox. It
> will be very helpful if you can provide the reproduction steps.
>
Yes, I have VirtualBox 5.0 installed (which allows me to run a Windows 10 RTM
machine on which Npcap does not crash; I could even capture some loopback
traffic and find - and fix - a bug in Wireshark:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11412). To reproduce the
crash on this machine, it is as simple as:
- installing Npcap
- rebooting the laptop (I did not try without rebooting)
- launching a Wireshark 1.99.9 development build (you can find some nightly
  installers here: https://www.wireshark.org/download/automated/ )
- and bang, it crashes immediately during Wireshark initialization
  (presumably when dumpcap tries to retrieve interfaces, but I could not
  confirm this as my PC reboots immediately)

> Cheers,
> Yang
>
> Loading User Symbols
> PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for details
> Loading unloaded module list
> .........................
>
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck D1, {7fefe838, 2, 0, fffff880010d86c2}
>
> Probably caused by : npf.sys ( npf!NPF_GetDeviceMTU+ad )
>
> Followup: MachineOwner
> ---------
>
> 6: kd> !analyze -v
>
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
> An attempt was made to access a pageable (or completely invalid) address at an
> interrupt request level (IRQL) that is too high.  This is usually
> caused by drivers using improper addresses.
> If kernel debugger is available get stack backtrace.
> Arguments:
> Arg1: 000000007fefe838, memory referenced
> Arg2: 0000000000000002, IRQL
> Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
> Arg4: fffff880010d86c2, address which referenced memory
>
> Debugging Details:
> ------------------
>
>
> SYSTEM_SKU:  LENOVO_MT_20AN_BU_Think_FM_ThinkPad T440p
>
> SYSTEM_VERSION:  ThinkPad T440p
>
> BIOS_DATE:  10/21/2014
>
> BASEBOARD_PRODUCT:  20AN006VFR
>
> BASEBOARD_VERSION:  0B98401 PRO
>
> BUGCHECK_P1: 7fefe838
>
> BUGCHECK_P2: 2
>
> BUGCHECK_P3: 0
>
> BUGCHECK_P4: fffff880010d86c2
>
> READ_ADDRESS: 000000007fefe838
>
> CURRENT_IRQL:  2
>
> FAULTING_IP:
> ndis!ndisFQueueRequestOnNext+a2
> fffff880`010d86c2 0fb638          movzx   edi,byte ptr [rax]
>
> CPU_COUNT: 8
>
> CPU_MHZ: 95a
>
> CPU_VENDOR:  GenuineIntel
>
> CPU_FAMILY: 6
>
> CPU_MODEL: 3c
>
> CPU_STEPPING: 3
>
> DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
>
> BUGCHECK_STR:  0xD1
>
> PROCESS_NAME:  dumpcap.exe
>
> ANALYSIS_VERSION: 10.0.10240.9 amd64fre
>
> TRAP_FRAME:  fffff8800e07f2c0 -- (.trap 0xfffff8800e07f2c0)
> NOTE: The trap frame does not contain all registers.
> Some register values may be zeroed or incorrect.
> rax=000000007fefe838 rbx=0000000000000000 rcx=fffffa800a6f8d00
> rdx=fffffa8016f500c0 rsi=0000000000000000 rdi=0000000000000000
> rip=fffff880010d86c2 rsp=fffff8800e07f450 rbp=fffff88001138110
>  r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
> r11=fffff8800e07f448 r12=0000000000000000 r13=0000000000000000
> r14=0000000000000000 r15=0000000000000000
> iopl=0         nv up ei ng nz na po nc
> ndis!ndisFQueueRequestOnNext+0xa2:
> fffff880`010d86c2 0fb638          movzx   edi,byte ptr [rax] ds:00000000`7fefe838=??
> Resetting default scope
>
> LAST_CONTROL_TRANSFER:  from fffff80003080e69 to fffff800030818c0
>
> STACK_TEXT:
> fffff880`0e07f178 fffff800`03080e69 : 00000000`0000000a 00000000`7fefe838 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
> fffff880`0e07f180 fffff800`0307fae0 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`c0000001 : nt!KiBugCheckDispatch+0x69
> fffff880`0e07f2c0 fffff880`010d86c2 : fffffa80`0a6f8c80 fffff800`03215588 fffffa80`0a6f8c80 00000000`c0000001 : nt!KiPageFault+0x260
> fffff880`0e07f450 fffff880`010d8cf9 : fffff880`0e07f500 fffff880`01138110 fffffa80`16f50000 fffff800`0309867f : ndis!ndisFQueueRequestOnNext+0xa2
> fffff880`0e07f4c0 fffff880`01d8d1d1 : fffffa80`16f50098 fffffa80`16f50000 fffffa80`16f50098 00000000`00000000 : ndis!NdisFOidRequest+0xc9
> fffff880`0e07f5a0 fffff880`01d8d51f : fffffa80`09c9b5b0 fffffa80`16cd5410 fffffa80`16cd5340 fffffa80`16f50000 : npf!NPF_GetDeviceMTU+0xad [j:\npcap\packetwin7\npf\npf\openclos.c @ 570]
> fffff880`0e07f5e0 fffff800`0337fb4b : 00000000`00000025 00000000`00000040 fffffa80`16da8c90 fffffa80`16da8d28 : npf!NPF_OpenAdapter+0xef [j:\npcap\packetwin7\npf\npf\openclos.c @ 308]
> fffff880`0e07f610 fffff800`0337bb5e : fffffa80`09c9b460 00000000`00000000 fffffa80`13c75750 00000000`00000001 : nt!IopParseDevice+0x14e2
> fffff880`0e07f770 fffff800`0337c646 : 00000000`00000000 fffff880`0e07f8f0 fffff8a0`00000040 fffffa80`06d5d080 : nt!ObpLookupObjectName+0x784
> fffff880`0e07f870 fffff800`0337df4c : fffffa80`16df4e60 00000000`00000000 fffff8a0`07bcc701 00000000`00000000 : nt!ObOpenObjectByName+0x306
> fffff880`0e07f940 fffff800`03389574 : 00000000`001edbf8 00000000`c0100080 00000000`001ee4c0 00000000`001edc10 : nt!IopCreateFile+0x2bc
> fffff880`0e07f9e0 fffff800`03080b53 : fffffa80`16e81b50 fffff880`0e07fb60 fffffa80`16e81b50 fffff800`03377894 : nt!NtCreateFile+0x78
> fffff880`0e07fa70 00000000`7701e10a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
> 00000000`001edb88 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7701e10a
>
>
> On Mon, Aug 3, 2015 at 6:35 PM, Pascal Quantin <pascal.quan...@gmail.com> wrote:
>
>> Hi Yang
>>
>> 2015-08-03 9:33 GMT+02:00 Yang Luo <hslu...@gmail.com>:
>> >
>> > Hi list,
>> >
>> > I think I have fixed the BAD_POOL_CALLER BSoD in the Npcap 0.03 r3 version;
>> > it turns out to be a memory double-free bug in the WFP classifyFn function used
>> > for loopback packet capturing. The latest installer is:
>> > https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r3.exe
>> >
>> > I have tested it under Win 8.1 x64 with VMware Workstation 11 installed
>> > and Win10 x64. If you encounter any BSoDs with this version, please let me
>> > know.
>>
>> I just gave it a try on the Windows 7 x64 laptop that was crashing last
>> week:
>> - like Tyson, my Wifi no longer works when installing Npcap. No issue
>>   when shutting down Wifi and using Ethernet
>> - I still get a BSoD when launching Wireshark. The full and mini memory
>>   dumps are available here:
>>   https://www.dropbox.com/sh/2oz00ox20kv3oe0/AACFQC83vyKS2dY7bI7hnZBOa?dl=0
>>
>> Cheers,
>> Pascal.
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
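As an added triage example (not code from this thread, from Npcap or from Wireshark), the following Python parses the `!analyze -v` transcript format quoted above and, for a 0xD1 bugcheck, reports the IRQL name, whether the referenced address lies in the x64 user-mode range, and the first stack frame outside the core Windows modules. The abridged transcript embedded in it is constructed from the dump in this thread; the MS_MODULES skip list is an assumption.

```python
import re

# Constructed, abridged copy of the `!analyze -v` transcript quoted in the thread above.
SAMPLE = r"""
BugCheck D1, {7fefe838, 2, 0, fffff880010d86c2}
Probably caused by : npf.sys ( npf!NPF_GetDeviceMTU+ad )
STACK_TEXT:
fffff880`0e07f2c0 fffff880`010d86c2 : fffffa80`0a6f8c80 fffff800`03215588 fffffa80`0a6f8c80 00000000`c0000001 : nt!KiPageFault+0x260
fffff880`0e07f450 fffff880`010d8cf9 : fffff880`0e07f500 fffff880`01138110 fffffa80`16f50000 fffff800`0309867f : ndis!ndisFQueueRequestOnNext+0xa2
fffff880`0e07f4c0 fffff880`01d8d1d1 : fffffa80`16f50098 fffffa80`16f50000 fffffa80`16f50098 00000000`00000000 : ndis!NdisFOidRequest+0xc9
fffff880`0e07f5a0 fffff880`01d8d51f : fffffa80`09c9b5b0 fffffa80`16cd5410 fffffa80`16cd5340 fffffa80`16f50000 : npf!NPF_GetDeviceMTU+0xad [j:\npcap\packetwin7\npf\npf\openclos.c @ 570]
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
MS_MODULES = {"nt", "ndis", "hal"}      # assumption: frames to skip when looking for the driver under test
USER_SPACE_LIMIT = 0x0000800000000000   # x64 Windows keeps user-mode addresses below this
# One symbolised STACK_TEXT frame: child SP, return address, four args, symbol, optional [file @ line].
FRAME_RE = re.compile(
    r"^[0-9a-f`]{17} [0-9a-f`]{17} : (?:[0-9a-f`]{17} ){4}: (\S+)(?: \[(.+?) @ (\d+)\])?$")

def parse_analyze(text):
    """Extract bugcheck code, its four arguments, the 'Probably caused by' module and the frames."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        raise ValueError("no 'BugCheck' line found")
    cause = re.search(r"Probably caused by : (\S+)", text)
    frames = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line.strip())
        if fm:
            frames.append({"symbol": fm.group(1), "file": fm.group(2),
                           "line": int(fm.group(3)) if fm.group(3) else None})
    return {"code": int(m.group(1), 16),
            "args": [int(a, 16) for a in m.group(2).split(",")],
            "cause": cause.group(1) if cause else None,
            "frames": frames}

def triage_d1(report):
    """DRIVER_IRQL_NOT_LESS_OR_EQUAL: name the IRQL, flag a user-mode target address (kernel code
    touching one at DISPATCH_LEVEL means a stale or bad pointer), and find the first non-core frame."""
    if report["code"] != 0xD1:
        raise ValueError("not a DRIVER_IRQL_NOT_LESS_OR_EQUAL dump")
    addr, irql, op, _pc = report["args"]
    driver = next((f for f in report["frames"]
                   if f["symbol"].split("!")[0].lower() not in MS_MODULES), None)
    return {"irql": IRQL_NAMES.get(irql, hex(irql)),
            "user_mode_address": addr < USER_SPACE_LIMIT,
            "operation": "write" if op == 1 else "read",
            "driver_frame": driver}
```

On the constructed transcript the first non-core frame is npf!NPF_GetDeviceMTU+0xad at openclos.c line 570, matching the "Probably caused by" hint in the dump.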