
List:       nmap-dev
Subject:    Re: Re: npcap crash win10(14267) when send package to an disabled eth with ATTEMPED_EXECUTE_OF_NOEXE
From:       食肉大灰兔V5 <hsluoyz () gmail ! com>
Date:       2016-02-29 16:24:58
Message-ID: CAHGzw13M4a-4ftDO+tR78SkyhS1=DuswN-Oq7J_Jqof++90CWg () mail ! gmail ! com

Hi yyjdelete,

This BSoD issue is fixed in the latest Npcap 0.06. I have tested it under
Win10 10586 x64 and Win7 x64.

Please try the installer at:
https://github.com/nmap/npcap/releases


Cheers,
Yang


On Sat, Feb 27, 2016 at 9:04 PM, 食肉大灰兔V5 <hsluoyz@gmail.com> wrote:

> Hi yyjdelete,
> 
> I have confirmed this issue on nearly all versions of Npcap and my Win10
> 10586 x64 VM. So it should be a general issue. Currently I don't know how
> to fix it. I have posted a question on StackOverflow:
> http://stackoverflow.com/questions/18180150/is-filtersendnetbufferlists-handler-a-must-for-an-ndis-filter-to-use-ndisfsendne.
>  If anyone knows about this please inform me. And I will fix this issue ASAP.
> 
> Cheers,
> Yang
> 
> 
> On Fri, Feb 26, 2016 at 5:41 PM, yyjdelete@126.com <yyjdelete@126.com>
> wrote:
> 
> > 1. I uninstall 猎豹免费WiFi, and will see if
> > ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY happens again. (
> > SYSTEM_SERVICE_EXCEPTION does)
> > 2. It's a physical Ethernet adapter, and multiple is not set.
> > 
> > ------------------------------
> > yyjdelete@126.com
> > 
> > 
> > *From:* 食肉大灰兔V5 <hsluoyz@gmail.com>
> > *Date:* 2016-02-26 14:51
> > *To:* yyjdelete@126.com
> > *CC:* dev <dev@nmap.org>
> > *Subject:* Re: npcap crash win10(14267) when send package to an disabled
> > eth with ATTEMPED_EXECUTE_OF_NOEXECUTE_MEMORY or
> > SYSTEM_SERVICE_EXCEPTION(ndis.sys)
> > Hi yyjdelete,
> > 
> > Thanks for the report first! Currently I only analyzed the 3 dump files
> > you attached. Haven't tried to reproduce this issue yet. But I have some
> > questions.
> > 
> > The 1st 022616-53187-01.dmp result is as below:
> > It seems that this BSoD was caused by liebaonat64.sys, a LWF driver
> > from 猎豹免费WiFi. In fact, Npcap is also a LWF driver. I don't know if this
> > BSoD is merely because of 猎豹免费WiFi, or the coexisting problem with Npcap.
> > Sometimes LWF drivers do conflict with each other. So I suggest you
> > uninstall the product named 猎豹免费WiFi before you test with Npcap.
> > 
> > 
> > 0: kd> !analyze -v
> > 
> > *******************************************************************************
> > *
> > *
> > *                        Bugcheck Analysis
> > *
> > *
> > *
> > 
> > *******************************************************************************
> > 
> > ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
> > An attempt was made to execute non-executable memory.  The guilty driver
> > is on the stack trace (and is typically the current instruction pointer).
> > When possible, the guilty driver's name (Unicode string) is printed on
> > the bugcheck screen and saved in KiBugCheckDriver.
> > Arguments:
> > Arg1: ffffaf06162c85b0, Virtual address for the attempted execute.
> > Arg2: 80000001432009e3, PTE contents.
> > Arg3: ffffc28005c7b140, (reserved)
> > Arg4: 0000000000000003, (reserved)
> > 
> > Debugging Details:
> > ------------------
> > 
> > 
> > DUMP_CLASS: 1
> > 
> > DUMP_QUALIFIER: 400
> > 
> > BUILD_VERSION_STRING:  14267.1000.amd64fre.rs1_release.160213-0213
> > 
> > DUMP_TYPE:  2
> > 
> > BUGCHECK_P1: ffffaf06162c85b0
> > 
> > BUGCHECK_P2: 80000001432009e3
> > 
> > BUGCHECK_P3: ffffc28005c7b140
> > 
> > BUGCHECK_P4: 3
> > 
> > CPU_COUNT: 4
> > 
> > CPU_MHZ: c79
> > 
> > CPU_VENDOR:  GenuineIntel
> > 
> > CPU_FAMILY: 6
> > 
> > CPU_MODEL: 3a
> > 
> > CPU_STEPPING: 9
> > 
> > CUSTOMER_CRASH_COUNT:  1
> > 
> > DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
> > 
> > BUGCHECK_STR:  0xFC
> > 
> > PROCESS_NAME:  EapolLogin.exe
> > 
> > CURRENT_IRQL:  2
> > 
> > ANALYSIS_SESSION_HOST:  AKISN0W-PC
> > 
> > ANALYSIS_SESSION_TIME:  02-26-2016 12:32:34.0528
> > 
> > ANALYSIS_VERSION: 10.0.10586.567 amd64fre
> > 
> > TRAP_FRAME:  ffffc28005c7b140 -- (.trap 0xffffc28005c7b140)
> > NOTE: The trap frame does not contain all registers.
> > Some register values may be zeroed or incorrect.
> > rax=ffffaf06162c85b0 rbx=0000000000000000 rcx=ffffaf0624004000
> > rdx=ffffaf061a4fa580 rsi=0000000000000000 rdi=0000000000000000
> > rip=ffffaf06162c85b0 rsp=ffffc28005c7b2d8 rbp=ffffc28005c7b349
> > r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
> > r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
> > r14=0000000000000000 r15=0000000000000000
> > iopl=0         nv up ei pl zr na po nc
> > ffffaf06`162c85b0 0501900300      add     eax,39001h
> > Resetting default scope
> > 
> > LAST_CONTROL_TRANSFER:  from fffff803241eb311 to fffff8032415d240
> > 
> > STACK_TEXT:
> > ffffc280`05c7aed8 fffff803`241eb311 : 00000000`000000fc ffffaf06`162c85b0
> > 80000001`432009e3 ffffc280`05c7b140 : nt!KeBugCheckEx
> > ffffc280`05c7aee0 fffff803`24197765 : ffffc280`05c7b0c8 00000000`00000011
> > ffffaf06`162c85b0 00000000`00000000 : nt!MiCheckSystemNxFault+0x69
> > ffffc280`05c7af20 fffff803`24055957 : 00000980`00000000 ffffc280`05c7b070
> > 00000000`00000011 fffff80f`7ca682de : nt! ?? ::FNODOBFM::`string'+0x2b405
> > ffffc280`05c7af70 fffff803`241668fc : 00000000`00000001 00000201`00000000
> > 00000000`00000000 fffff80f`7d4734c4 : nt!MmAccessFault+0x137
> > ffffc280`05c7b140 ffffaf06`162c85b0 : fffff80f`7ca6170b ffffaf06`19662080
> > ffffc280`05c7b6ec 00000000`00000001 : nt!KiPageFault+0x13c
> > ffffc280`05c7b2d8 fffff80f`7ca6170b : ffffaf06`19662080 ffffc280`05c7b6ec
> > 00000000`00000001 ffffc280`05c7b6f0 : 0xffffaf06`162c85b0
> > ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 fffff80f`7ca70c02
> > 00000000`00000000 ffffaf06`1a4fa500 :
> > ndis!ndisMSendCompleteNetBufferListsInternal+0x13b
> > ffffc280`05c7b3b0 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000
> > ffffaf06`1a4fa580 fffff803`2404e92c :
> > ndis!ndisInvokeNextSendCompleteHandler+0x4a
> > ffffc280`05c7b490 fffff80f`7d4f2703 : 000000a7`800ab2d3 00000000`00000000
> > ffffaf06`1521f550 00000000`00000000 :
> > ndis!NdisFSendNetBufferListsComplete+0x1f8a8
> > ffffc280`05c7b510 fffff80f`7ca7f8de : fffff80f`7d4b53b8 ffffaf06`1521f550
> > 00000002`00000000 ffffaf06`19662080 :
> > pacer!PcFilterSendNetBufferListsComplete+0x7f3
> > ffffc280`05c7b780 fffff803`240c0b15 : ffffc280`05c7b8e9 ffffc280`05c7b8d0
> > ffffaf06`1a4fa580 fffff80f`7d3a6b11 :
> > ndis!ndisDataPathExpandStackCallback+0x3e
> > ffffc280`05c7b7d0 fffff80f`7ca72cc1 : ffffaf06`1a4fa580 ffffaf06`0e086a60
> > ffffaf06`162c85b0 00000000`00000001 :
> > nt!KeExpandKernelStackAndCalloutInternal+0x85
> > ffffc280`05c7b820 fffff80f`7ca70e31 : ffffaf06`1521f550 fffff80f`7ca6ed14
> > 00000000`00000001 fffff80f`7d3a80e2 : ndis!ndisExpandStack+0x19
> > ffffc280`05c7b860 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000
> > ffffaf06`1a4fa580 00000000`00000002 :
> > ndis!ndisInvokeNextSendCompleteHandler+0x131
> > ffffc280`05c7b940 fffff80f`7d472326 : 00000000`00000000 00000000`00000000
> > 00000000`00000000 00000000`00000000 :
> > ndis!NdisFSendNetBufferListsComplete+0x1f8a8
> > ffffc280`05c7b9c0 00000000`00000000 : 00000000`00000000 00000000`00000000
> > 00000000`00000000 ffffc280`05c7bb40 : liebaonat64+0x2326
> > 
> > 
> > STACK_COMMAND:  kb
> > 
> > THREAD_SHA1_HASH_MOD_FUNC:  b89ff1e6e8deed938c2205c7eb357ea90ab3d631
> > 
> > THREAD_SHA1_HASH_MOD_FUNC_OFFSET:
> > 817eb332e7333a1e17472167496047c5f0f112cf
> > 
> > THREAD_SHA1_HASH_MOD:  b1e13271be08c5ceb3e69961f060ecbebf6f698c
> > 
> > FOLLOWUP_IP:
> > pacer!PcFilterSendNetBufferListsComplete+7f3
> > fffff80f`7d4f2703 e9d5fbffff      jmp
> > pacer!PcFilterSendNetBufferListsComplete+0x3cd (fffff80f`7d4f22dd)
> > 
> > FAULT_INSTR_CODE:  fffbd5e9
> > 
> > SYMBOL_STACK_INDEX:  9
> > 
> > SYMBOL_NAME:  pacer!PcFilterSendNetBufferListsComplete+7f3
> > 
> > FOLLOWUP_NAME:  MachineOwner
> > 
> > MODULE_NAME: pacer
> > 
> > IMAGE_NAME:  pacer.sys
> > 
> > DEBUG_FLR_IMAGE_TIMESTAMP:  56bf284a
> > 
> > IMAGE_VERSION:  10.0.14267.1000
> > 
> > BUCKET_ID_FUNC_OFFSET:  7f3
> > 
> > FAILURE_BUCKET_ID:  0xFC_pacer!PcFilterSendNetBufferListsComplete
> > 
> > BUCKET_ID:  0xFC_pacer!PcFilterSendNetBufferListsComplete
> > 
> > PRIMARY_PROBLEM_CLASS:  0xFC_pacer!PcFilterSendNetBufferListsComplete
> > 
> > TARGET_TIME:  2016-02-26T02:07:14.000Z
> > 
> > OSBUILD:  14267
> > 
> > OSSERVICEPACK:  0
> > 
> > SERVICEPACK_NUMBER: 0
> > 
> > OS_REVISION: 0
> > 
> > SUITE_MASK:  272
> > 
> > PRODUCT_TYPE:  1
> > 
> > OSPLATFORM_TYPE:  x64
> > 
> > OSNAME:  Windows 10
> > 
> > OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
> > 
> > OS_LOCALE:
> > 
> > USER_LCID:  0
> > 
> > OSBUILD_TIMESTAMP:  2016-02-13 20:56:11
> > 
> > BUILDDATESTAMP_STR:  160213-0213
> > 
> > BUILDLAB_STR:  rs1_release
> > 
> > BUILDOSVER_STR:  10.0.14267.1000.amd64fre.rs1_release.160213-0213
> > 
> > ANALYSIS_SESSION_ELAPSED_TIME: dd56
> > 
> > ANALYSIS_SOURCE:  KM
> > 
> > FAILURE_ID_HASH_STRING:  km:0xfc_pacer!pcfiltersendnetbufferlistscomplete
> > 
> > FAILURE_ID_HASH:  {58376b4a-2e7b-a663-6625-e3b6176db5e4}
> > 
> > Followup:     MachineOwner
> > 
> > 
> > The 2nd 022616-50812-01.dmp result is as below: (the
> > 3rd 022616-50296-01.dmp result is the same with the 2nd, so I won't post
> > the 3rd result here)
> > This BSoD is caused by Npcap driver. WinDbg points the error to
> > numSentPackets ++;
> > numSentPackets is a variable used for sending packets multiple times.
> > The repetition times are controlled by the user software through the
> > BIOCSWRITEREP IOCTL call. Do you specify Npcap in this way to send packets
> > multiple times?
> > 
> > Also, something I want to ask: is your adapter a "Npcap Loopback
> > Adapter", or specified as a "Send-To-Rx" adapter, or just an ordinary
> > physical Ethernet adapter?
> > 
> > 
> > 
> > 0: kd> !analyze -v
> > 
> > *******************************************************************************
> > *
> > *
> > *                        Bugcheck Analysis
> > *
> > *
> > *
> > 
> > *******************************************************************************
> > 
> > SYSTEM_SERVICE_EXCEPTION (3b)
> > An exception happened while executing a system service routine.
> > Arguments:
> > Arg1: 00000000c0000005, Exception code that caused the bugcheck
> > Arg2: fffff80745e9de30, Address of the instruction which caused the
> > bugcheck
> > Arg3: ffffa38002702de0, Address of the context record for the exception
> > that caused the bugcheck
> > Arg4: 0000000000000000, zero.
> > 
> > Debugging Details:
> > ------------------
> > 
> > *** WARNING: Unable to verify timestamp for npf.sys
> > 
> > DUMP_CLASS: 1
> > 
> > DUMP_QUALIFIER: 400
> > 
> > BUILD_VERSION_STRING:  14267.1000.amd64fre.rs1_release.160213-0213
> > 
> > SYSTEM_MANUFACTURER:  Dell Inc.
> > 
> > SYSTEM_PRODUCT_NAME:  OptiPlex 7010
> > 
> > SYSTEM_SKU:  OptiPlex 7010
> > 
> > SYSTEM_VERSION:  01
> > 
> > BIOS_VENDOR:  Dell Inc.
> > 
> > BIOS_VERSION:  A14
> > 
> > BIOS_DATE:  06/10/2013
> > 
> > BASEBOARD_MANUFACTURER:  Dell Inc.
> > 
> > BASEBOARD_PRODUCT:  09PR9H
> > 
> > BASEBOARD_VERSION:  A01
> > 
> > DUMP_TYPE:  2
> > 
> > BUGCHECK_P1: c0000005
> > 
> > BUGCHECK_P2: fffff80745e9de30
> > 
> > BUGCHECK_P3: ffffa38002702de0
> > 
> > BUGCHECK_P4: 0
> > 
> > EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p
> > referenced memory at 0x%p. The memory could not be %s.
> > 
> > FAULTING_IP:
> > ndis!NdisFSendNetBufferLists+c0
> > fffff807`45e9de30 4c8b5818        mov     r11,qword ptr [rax+18h]
> > 
> > CONTEXT:  ffffa38002702de0 -- (.cxr 0xffffa38002702de0)
> > rax=6b49534e02130018 rbx=6b49534e02130019 rcx=0000000000000001
> > rdx=0000000000000000 rsi=ffffd50728240030 rdi=ffffd5072c4ac8d0
> > rip=fffff80745e9de30 rsp=ffffa380027037e0 rbp=0000000000000000
> > r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
> > r11=0000000000060001 r12=0000000000000000 r13=0000000000000000
> > r14=0000000000000000 r15=0000000000000000
> > iopl=0         nv up ei pl nz na po nc
> > cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b
> > efl=00010206
> > ndis!NdisFSendNetBufferLists+0xc0:
> > fffff807`45e9de30 4c8b5818        mov     r11,qword ptr [rax+18h]
> > ds:002b:6b49534e`02130030=????????????????
> > Resetting default scope
> > 
> > CPU_COUNT: 4
> > 
> > CPU_MHZ: c79
> > 
> > CPU_VENDOR:  GenuineIntel
> > 
> > CPU_FAMILY: 6
> > 
> > CPU_MODEL: 3a
> > 
> > CPU_STEPPING: 9
> > 
> > CPU_MICROCODE: 6,3a,9,0 (F,M,S,R)  SIG: 1B'00000000 (cache) 1B'00000000
> > (init)
> > 
> > CUSTOMER_CRASH_COUNT:  1
> > 
> > DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
> > 
> > BUGCHECK_STR:  0x3B
> > 
> > PROCESS_NAME:  EapolLogin.exe
> > 
> > CURRENT_IRQL:  0
> > 
> > ANALYSIS_SESSION_HOST:  AKISN0W-PC
> > 
> > ANALYSIS_SESSION_TIME:  02-26-2016 13:42:06.0762
> > 
> > ANALYSIS_VERSION: 10.0.10586.567 amd64fre
> > 
> > LAST_CONTROL_TRANSFER:  from fffff807476f67f8 to fffff80745e9de30
> > 
> > STACK_TEXT:
> > ffffa380`027037e0 fffff807`476f67f8 : 00000000`00000000 00000000`00000000
> > 00000000`00000001 ffffd507`3a613570 : ndis!NdisFSendNetBufferLists+0xc0
> > ffffa380`02703860 fffff803`8c698c05 : ffffd507`3a6134a0 00000000`00000000
> > 00000000`00000001 fffff680`00003140 : npf!NPF_Write+0x214
> > [j:\npcap\packetwin7\npf\npf\write.c @ 324]
> > ffffa380`027038d0 fffff803`8c69840a : ffffd507`39edba60 ffffd507`3a6134a0
> > ffffd507`2871aef0 ffffa380`02703b80 : nt!IopSynchronousServiceTail+0x1a5
> > ffffa380`02703990 fffff803`8c3d2f83 : ffff8208`1164b160 00000000`00000000
> > 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x67a
> > ffffa380`02703a90 00007fff`94c21034 : 00000000`00000000 00000000`00000000
> > 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
> > 00000000`0014e248 00000000`00000000 : 00000000`00000000 00000000`00000000
> > 00000000`00000000 00000000`00000000 : 0x00007fff`94c21034
> > 
> > 
> > THREAD_SHA1_HASH_MOD_FUNC:  8de63a100febe6f9f89153a5a9abc9ba86d452de
> > 
> > THREAD_SHA1_HASH_MOD_FUNC_OFFSET:
> > c12fe9b8d789ae102dec8036452ef91cdcd180b3
> > 
> > THREAD_SHA1_HASH_MOD:  bccfea03237cfde6486a55b63bb95e3341833378
> > 
> > FOLLOWUP_IP:
> > npf!NPF_Write+214 [j:\npcap\packetwin7\npf\npf\write.c @ 324]
> > fffff807`476f67f8 8b6c2478        mov     ebp,dword ptr [rsp+78h]
> > 
> > FAULT_INSTR_CODE:  78246c8b
> > 
> > FAULTING_SOURCE_LINE:  j:\npcap\packetwin7\npf\npf\write.c
> > 
> > FAULTING_SOURCE_FILE:  j:\npcap\packetwin7\npf\npf\write.c
> > 
> > FAULTING_SOURCE_LINE_NUMBER:  324
> > 
> > FAULTING_SOURCE_CODE:
> > 320: NDIS_DEFAULT_PORT_NUMBER,
> > 321: SendFlags);
> > 322: }
> > 323:
> > > 324: numSentPackets ++;
> > 325: }
> > 326: else
> > 327: {
> > 328: //
> > 329: // no packets are available in the Transmit pool, wait some
> > time. The
> > 
> > 
> > SYMBOL_STACK_INDEX:  1
> > 
> > SYMBOL_NAME:  npf!NPF_Write+214
> > 
> > FOLLOWUP_NAME:  MachineOwner
> > 
> > MODULE_NAME: npf
> > 
> > IMAGE_NAME:  npf.sys
> > 
> > DEBUG_FLR_IMAGE_TIMESTAMP:  56c2d58e
> > 
> > STACK_COMMAND:  .cxr 0xffffa38002702de0 ; kb
> > 
> > BUCKET_ID_FUNC_OFFSET:  214
> > 
> > FAILURE_BUCKET_ID:  0x3B_npf!NPF_Write
> > 
> > BUCKET_ID:  0x3B_npf!NPF_Write
> > 
> > PRIMARY_PROBLEM_CLASS:  0x3B_npf!NPF_Write
> > 
> > TARGET_TIME:  2016-02-26T02:30:30.000Z
> > 
> > OSBUILD:  14267
> > 
> > OSSERVICEPACK:  0
> > 
> > SERVICEPACK_NUMBER: 0
> > 
> > OS_REVISION: 0
> > 
> > SUITE_MASK:  272
> > 
> > PRODUCT_TYPE:  1
> > 
> > OSPLATFORM_TYPE:  x64
> > 
> > OSNAME:  Windows 10
> > 
> > OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
> > 
> > OS_LOCALE:
> > 
> > USER_LCID:  0
> > 
> > OSBUILD_TIMESTAMP:  2016-02-13 20:56:11
> > 
> > BUILDDATESTAMP_STR:  160213-0213
> > 
> > BUILDLAB_STR:  rs1_release
> > 
> > BUILDOSVER_STR:  10.0.14267.1000.amd64fre.rs1_release.160213-0213
> > 
> > ANALYSIS_SESSION_ELAPSED_TIME: 127c9
> > 
> > ANALYSIS_SOURCE:  KM
> > 
> > FAILURE_ID_HASH_STRING:  km:0x3b_npf!npf_write
> > 
> > FAILURE_ID_HASH:  {2eb5e15e-9853-313b-618d-2ac277a2bfb5}
> > 
> > Followup:     MachineOwner
> > 
> > 
> > 
> > 
> > 
> > On Fri, Feb 26, 2016 at 11:23 AM, yyjdelete@126.com <yyjdelete@126.com>
> > wrote:
> > 
> > > Step:
> > > 
> > > 1. Get the eth list
> > > 
> > > 2. disable an eth (you can also disable and re-enable it)
> > > 
> > > 3. send pkg to the eth
> > > 
> > > 4. see bluescreen
> > > with ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY or SYSTEM_SERVICE_EXCEPTION(ndis.sys)
> > > 
> > > 
> > > I'm a C# programmer and use SharpPcap.4.2.0 to wrap npcap, so I'm not
> > > sure what it actually does, maybe a call to pcap_sendpacket.
> > > 
> > > PS: The capture doesn't stop after disabling the eth as it did
> > > before (can't remember the version).
> > > 
> > > 
> > > Sorry for my poor English, ask me if more info is needed.
> > > 
> > > ----
> > > 
> > > Test Environment:
> > > 
> > > npcap-nmap-0.05-r13
> > > 
> > > Win10(14267)
> > > 
> > > ----
> > > 
> > > I'm not sure if it's a bug of npcap or win10, since 14267 is an
> > > insider preview version. Could someone test on other versions of Windows?
> > > 
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
> > > 
> > 
> > 
> 
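
Added example, not part of the original thread and not Npcap code: a Python sketch that triages the two `!analyze -v` outputs quoted above. It flags the no-execute PTE bit behind the 0xFC bugcheck, the non-canonical address behind the 0x3B access violation, and the modules on each stack that are not in an assumed in-box list; the `INBOX` set and all function names are assumptions of this example.

```python
import re

# Constructed input: lines copied from the two "!analyze -v" outputs quoted in
# this thread, with the mail client's line wrapping undone and frames trimmed.
DUMP_FC = r"""
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
Arg1: ffffaf06162c85b0, Virtual address for the attempted execute.
Arg2: 80000001432009e3, PTE contents.
ffffc280`05c7b140 ffffaf06`162c85b0 : fffff80f`7ca6170b ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 : nt!KiPageFault+0x13c
ffffc280`05c7b2d8 fffff80f`7ca6170b : ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 ffffc280`05c7b6f0 : 0xffffaf06`162c85b0
ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 fffff80f`7ca70c02 00000000`00000000 ffffaf06`1a4fa500 : ndis!ndisMSendCompleteNetBufferListsInternal+0x13b
ffffc280`05c7b510 fffff80f`7ca7f8de : fffff80f`7d4b53b8 ffffaf06`1521f550 00000002`00000000 ffffaf06`19662080 : pacer!PcFilterSendNetBufferListsComplete+0x7f3
ffffc280`05c7b9c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc280`05c7bb40 : liebaonat64+0x2326
"""

DUMP_3B = r"""
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
fffff807`45e9de30 4c8b5818        mov     r11,qword ptr [rax+18h]
ds:002b:6b49534e`02130030=????????????????
ffffa380`027037e0 fffff807`476f67f8 : 00000000`00000000 00000000`00000000 00000000`00000001 ffffd507`3a613570 : ndis!NdisFSendNetBufferLists+0xc0
ffffa380`02703860 fffff803`8c698c05 : ffffd507`3a6134a0 00000000`00000000 00000000`00000001 fffff680`00003140 : npf!NPF_Write+0x214
ffffa380`027038d0 fffff803`8c69840a : ffffd507`39edba60 ffffd507`3a6134a0 ffffd507`2871aef0 ffffa380`02703b80 : nt!IopSynchronousServiceTail+0x1a5
"""

# Assumption of this example: modules treated as Windows in-box components.
INBOX = {"nt", "ndis", "pacer"}

BUGCHECK = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$", re.M)
ARG = re.compile(r"^Arg(\d): ([0-9a-f]{16}),", re.M)
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} .* : (\S+)$", re.M)
EFFECTIVE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=")


def is_canonical(addr):
    """x64 with 48-bit virtual addresses: bits 63..47 must all be equal."""
    return (addr >> 47) in (0, 0x1FFFF)


def module_of(symbol):
    """'ndis!Foo+0x1' -> 'ndis'; 'liebaonat64+0x2326' -> 'liebaonat64'; raw address -> None."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def triage(text):
    """Summarise one !analyze -v excerpt: bugcheck, stack modules, and why it faulted."""
    name, code = BUGCHECK.search(text).groups()
    args = {int(n): int(v, 16) for n, v in ARG.findall(text)}
    symbols = FRAME.findall(text)

    modules = []
    for sym in symbols:
        mod = module_of(sym)
        if mod and mod not in modules:
            modules.append(mod)

    report = {
        "bugcheck": name,
        "code": int(code, 16),
        "modules": modules,
        "third_party": [m for m in modules if m not in INBOX],
        "notes": [],
    }

    if report["code"] == 0xFC:
        target, pte = args[1], args[2]
        if (pte >> 63) & 1:  # bit 63 of an x64 PTE is the no-execute bit
            report["notes"].append(f"execute target {target:#x} is mapped no-execute")
        # The frame with no symbol is the bad target; the frame below it made the call.
        for i, sym in enumerate(symbols[:-1]):
            if module_of(sym) is None and int(sym.replace("`", ""), 16) == target:
                report["called_from"] = symbols[i + 1]

    if report["code"] == 0x3B and args.get(1) == 0xC0000005:
        m = EFFECTIVE.search(text)
        if m:
            addr = int(m.group(1) + m.group(2), 16)
            report["fault_address"] = addr
            if not is_canonical(addr):
                report["notes"].append(f"read from non-canonical address {addr:#x}")

    return report


if __name__ == "__main__":
    for dump in (DUMP_FC, DUMP_3B):
        print(triage(dump))
```

Neither result names a root cause on its own: a third-party module on the stack is only a candidate, which is why the thread goes on to test with the other LWF driver uninstalled.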


[Attachment #5 (text/html)]

<div dir="ltr">Hi yyjdelete,<div><br></div><div>This BSoD issue is fixed in the \
latest Npcap 0.06. I have tested it under Win10 10586 x64 and Win7 \
x64.</div><div><br></div><div>Please try the installer at:</div><div><a \
href="https://github.com/nmap/npcap/releases">https://github.com/nmap/npcap/releases</ \
a><br></div><div><br></div><div><br></div><div>Cheers,</div><div>Yang</div><div><br></div></div><div \
class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 27, 2016 at 9:04 PM, \
食肉大灰兔V5 <span dir="ltr">&lt;<a href="mailto:hsluoyz@gmail.com" \
target="_blank">hsluoyz@gmail.com</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div dir="ltr">Hi yyjdelete,<div><br></div><div>I have \
confirmed this issue on nearly all versions of Npcap and my Win10 10586 x64 VM. So it \
should be a general issue. Currently I don&#39;t know how to fix it. I have posted a \
question on StackOverflow:  <a \
href="http://stackoverflow.com/questions/18180150/is-filtersendnetbufferlists-handler-a-must-for-an-ndis-filter-to-use-ndisfsendne" \
target="_blank">http://stackoverflow.com/questions/18180150/is-filtersendnetbufferlists-handler-a-must-for-an-ndis-filter-to-use-ndisfsendne</a>. \
If anyone knows about this please inform me. And I will fix this issue \
ASAP.</div><div><br></div><div>Cheers,</div><div>Yang</div><div><br></div></div><div \
class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div \
class="gmail_quote">On Fri, Feb 26, 2016 at 5:41 PM, <a \
href="mailto:yyjdelete@126.com" target="_blank">yyjdelete@126.com</a> <span \
dir="ltr">&lt;<a href="mailto:yyjdelete@126.com" \
target="_blank">yyjdelete@126.com</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div> <div><span></span>1. I uninstall  <span \
style="font-size:10.5pt;line-height:1.5;background-color:window">猎豹免费WiFi, \
and will see if  </span><span \
style="font-size:10.5pt;line-height:1.5;background-color:window">ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY</span><span \
style="font-size:10.5pt;line-height:1.5;background-color:window">  happen \
again.(</span><span style="font-size:10.5pt;line-height:1.5;background-color:window">SYSTEM_SERVICE_EXCEPTION</span><span \
style="font-size:10.5pt;line-height:1.5;background-color:window">  does</span><span \
style="background-color:window;font-size:10.5pt;line-height:1.5">)</span></div><div><span \
style="background-color:window;font-size:10.5pt;line-height:1.5">2. It&#39;s an  \
</span><span style="font-size:10.5pt;line-height:1.5;background-color:window">physical \
Ethernet adapter, and </span><span \
style="font-size:10.5pt;line-height:1.5;background-color:window">multiple</span><span \
style="font-size:10.5pt;line-height:1.5;background-color:window">   is not \
set.</span></div> <div><br></div><hr style="WIDTH:210px;min-height:1px" \
color="#b5c4df" size="1" align="left"> <div><span><div \
style="FONT-SIZE:10pt;FONT-FAMILY:verdana;MARGIN:10px"> <div><a \
href="mailto:yyjdelete@126.com" \
target="_blank">yyjdelete@126.com</a></div></div></span></div> <blockquote \
style="margin-top:0px;margin-bottom:0px;margin-left:0.5em"><div>  </div><div \
style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><div \
style="PADDING-RIGHT:8px;PADDING-LEFT:8px;FONT-SIZE:12px;FONT-FAMILY:tahoma;COLOR:#000000;BACKGROUND:#efefef;PADDING-BOTTOM:8px;PADDING-TOP:8px"><div><b>From:</b> \
<a href="mailto:hsluoyz@gmail.com" \
target="_blank">食肉大灰兔V5</a></div><div><b>Date:</b>  2016-02-26  \
14:51</div><div><b>To:</b>  <a href="mailto:yyjdelete@126.com" \
target="_blank">yyjdelete@126.com</a></div><div><b>CC:</b>  <a \
href="mailto:dev@nmap.org" target="_blank">dev</a></div><div><b>Subject:</b>  Re: \
npcap crash win10(14267) when send package to an disabled eth with \
ATTEMPED_EXECUTE_OF_NOEXECUTE_MEMORY or \
SYSTEM_SERVICE_EXCEPTION(ndis.sys)</div></div></div><div><div><div><div><div \
dir="ltr"><div>Hi  yyjdelete,</div><div><br></div><div>Thanks for the report first! \
Currently I only analyzed the 3 dump files you attached. Havn&#39;t tried to \
reproduce this issue yet. But I have some questions.</div><div><br></div><div>The 1st \
022616-53187-01.dmp result is as below:</div><div>It seems that this BSoD was caused \
by liebaonat64.sys, a LWF driver from  猎豹免费WiFi. In fact, Npcap is also a LWF \
driver. I don&#39;t know if this BSoD is merely because of 猎豹免费WiFi, or the \
coexisting problem with Npcap. Sometimes LWF drivers do conflict with each other. So \
I suggest you uninstall the product named  猎豹免费WiFi before you test with \
Npcap.</div><div><br></div><div><br></div><div>0: kd&gt; !analyze \
-v</div><div>*******************************************************************************</div><div>* \
*</div><div>*                                    Bugcheck Analysis                    \
*</div><div>*                                                                         \
*</div><div>*******************************************************************************</div><div><br></div><div>ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY \
(fc)</div><div>An attempt was made to execute non-executable memory.   The guilty \
driver</div><div>is on the stack trace (and is typically the current instruction \
pointer).</div><div>When possible, the guilty driver&#39;s name (Unicode string) is \
printed on</div><div>the bugcheck screen and saved in \
KiBugCheckDriver.</div><div>Arguments:</div><div>Arg1: ffffaf06162c85b0, Virtual \
address for the attempted execute.</div><div>Arg2: 80000001432009e3, PTE \
contents.</div><div>Arg3: ffffc28005c7b140, (reserved)</div><div>Arg4: \
0000000000000003, (reserved)</div><div><br></div><div>Debugging \
Details:</div><div>------------------</div><div><br></div><div><br></div><div>DUMP_CLASS: \
1</div><div><br></div><div>DUMP_QUALIFIER: \
400</div><div><br></div><div>BUILD_VERSION_STRING:   \
14267.1000.amd64fre.rs1_release.160213-0213</div><div><br></div><div>DUMP_TYPE:   \
2</div><div><br></div><div>BUGCHECK_P1: \
ffffaf06162c85b0</div><div><br></div><div>BUGCHECK_P2: \
80000001432009e3</div><div><br></div><div>BUGCHECK_P3: \
ffffc28005c7b140</div><div><br></div><div>BUGCHECK_P4: \
3</div><div><br></div><div>CPU_COUNT: 4</div><div><br></div><div>CPU_MHZ: \
c79</div><div><br></div><div>CPU_VENDOR:   \
GenuineIntel</div><div><br></div><div>CPU_FAMILY: \
6</div><div><br></div><div>CPU_MODEL: 3a</div><div><br></div><div>CPU_STEPPING: \
9</div><div><br></div><div>CUSTOMER_CRASH_COUNT:   \
1</div><div><br></div><div>DEFAULT_BUCKET_ID:   \
WIN8_DRIVER_FAULT</div><div><br></div><div>BUGCHECK_STR:   \
0xFC</div><div><br></div><div>PROCESS_NAME:   \
EapolLogin.exe</div><div><br></div><div>CURRENT_IRQL:   \
2</div><div><br></div><div>ANALYSIS_SESSION_HOST:   \
AKISN0W-PC</div><div><br></div><div>ANALYSIS_SESSION_TIME:   02-26-2016 \
12:32:34.0528</div><div><br></div><div>ANALYSIS_VERSION: 10.0.10586.567 \
amd64fre</div><div><br></div><div>TRAP_FRAME:   ffffc28005c7b140 -- (.trap \
0xffffc28005c7b140)</div><div>NOTE: The trap frame does not contain all \
registers.</div><div>Some register values may be zeroed or \
incorrect.</div><div>rax=ffffaf06162c85b0 rbx=0000000000000000 \
rcx=ffffaf0624004000</div><div>rdx=ffffaf061a4fa580 rsi=0000000000000000 \
rdi=0000000000000000</div><div>rip=ffffaf06162c85b0 rsp=ffffc28005c7b2d8 \
rbp=ffffc28005c7b349</div><div>  r8=0000000000000000   r9=0000000000000000 \
r10=0000000000000000</div><div>r11=0000000000000000 r12=0000000000000000 \
r13=0000000000000000</div><div>r14=0000000000000000 \
r15=0000000000000000</div><div>iopl=0             nv up ei pl zr na po \
nc</div><div>ffffaf06`162c85b0 0501900300         add       \
eax,39001h</div><div>Resetting default \
scope</div><div><br></div><div>LAST_CONTROL_TRANSFER:   from fffff803241eb311 to \
fffff8032415d240</div><div><br></div><div>STACK_TEXT:   </div><div>ffffc280`05c7aed8 \
fffff803`241eb311 : 00000000`000000fc ffffaf06`162c85b0 80000001`432009e3 \
ffffc280`05c7b140 : nt!KeBugCheckEx</div><div>ffffc280`05c7aee0 fffff803`24197765 : \
ffffc280`05c7b0c8 00000000`00000011 ffffaf06`162c85b0 00000000`00000000 : \
nt!MiCheckSystemNxFault+0x69</div><div>ffffc280`05c7af20 fffff803`24055957 : \
00000980`00000000 ffffc280`05c7b070 00000000`00000011 fffff80f`7ca682de : nt! ?? \
::FNODOBFM::`string&#39;+0x2b405</div><div>ffffc280`05c7af70 fffff803`241668fc : \
00000000`00000001 00000201`00000000 00000000`00000000 fffff80f`7d4734c4 : \
nt!MmAccessFault+0x137</div><div>ffffc280`05c7b140 ffffaf06`162c85b0 : \
fffff80f`7ca6170b ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 : \
nt!KiPageFault+0x13c</div><div>ffffc280`05c7b2d8 fffff80f`7ca6170b : \
ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 ffffc280`05c7b6f0 : \
0xffffaf06`162c85b0</div><div>ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 \
fffff80f`7ca70c02 00000000`00000000 ffffaf06`1a4fa500 : \
ndis!ndisMSendCompleteNetBufferListsInternal+0x13b</div><div>ffffc280`05c7b3b0 \
fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000 ffffaf06`1a4fa580 \
fffff803`2404e92c : ndis!ndisInvokeNextSendCompleteHandler+0x4a</div><div>ffffc280`05c7b490 \
fffff80f`7d4f2703 : 000000a7`800ab2d3 00000000`00000000 ffffaf06`1521f550 \
00000000`00000000 : ndis!NdisFSendNetBufferListsComplete+0x1f8a8</div><div>ffffc280`05c7b510 \
fffff80f`7ca7f8de : fffff80f`7d4b53b8 ffffaf06`1521f550 00000002`00000000 \
ffffaf06`19662080 : pacer!PcFilterSendNetBufferListsComplete+0x7f3</div><div>ffffc280`05c7b780 \
fffff803`240c0b15 : ffffc280`05c7b8e9 ffffc280`05c7b8d0 ffffaf06`1a4fa580 \
fffff80f`7d3a6b11 : ndis!ndisDataPathExpandStackCallback+0x3e</div><div>ffffc280`05c7b7d0 \
fffff80f`7ca72cc1 : ffffaf06`1a4fa580 ffffaf06`0e086a60 ffffaf06`162c85b0 \
00000000`00000001 : nt!KeExpandKernelStackAndCalloutInternal+0x85</div><div>ffffc280`05c7b820 \
fffff80f`7ca70e31 : ffffaf06`1521f550 fffff80f`7ca6ed14 00000000`00000001 \
fffff80f`7d3a80e2 : ndis!ndisExpandStack+0x19</div><div>ffffc280`05c7b860 \
fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000 ffffaf06`1a4fa580 \
00000000`00000002 : ndis!ndisInvokeNextSendCompleteHandler+0x131</div><div>ffffc280`05c7b940 \
fffff80f`7d472326 : 00000000`00000000 00000000`00000000 00000000`00000000 \
00000000`00000000 : ndis!NdisFSendNetBufferListsComplete+0x1f8a8</div><div>ffffc280`05c7b9c0 \
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 \
ffffc280`05c7bb40 : liebaonat64+0x2326</div><div><br></div><div><br></div><div>STACK_COMMAND: \
kb</div><div><br></div><div>THREAD_SHA1_HASH_MOD_FUNC:   \
b89ff1e6e8deed938c2205c7eb357ea90ab3d631</div><div><br></div><div>THREAD_SHA1_HASH_MOD_FUNC_OFFSET: \
817eb332e7333a1e17472167496047c5f0f112cf</div><div><br></div><div>THREAD_SHA1_HASH_MOD: \
b1e13271be08c5ceb3e69961f060ecbebf6f698c</div><div><br></div><div>FOLLOWUP_IP:  \
</div><div>pacer!PcFilterSendNetBufferListsComplete+7f3</div><div>fffff80f`7d4f2703 \
e9d5fbffff         jmp       pacer!PcFilterSendNetBufferListsComplete+0x3cd \
(fffff80f`7d4f22dd)</div><div><br></div><div>FAULT_INSTR_CODE:   \
fffbd5e9</div><div><br></div><div>SYMBOL_STACK_INDEX:   \
9</div><div><br></div><div>SYMBOL_NAME:   \
pacer!PcFilterSendNetBufferListsComplete+7f3</div><div><br></div><div>FOLLOWUP_NAME:  \
MachineOwner</div><div><br></div><div>MODULE_NAME: \
pacer</div><div><br></div><div>IMAGE_NAME:   \
pacer.sys</div><div><br></div><div>DEBUG_FLR_IMAGE_TIMESTAMP:   \
56bf284a</div><div><br></div><div>IMAGE_VERSION:   \
10.0.14267.1000</div><div><br></div><div>BUCKET_ID_FUNC_OFFSET:   \
7f3</div><div><br></div><div>FAILURE_BUCKET_ID:   \
0xFC_pacer!PcFilterSendNetBufferListsComplete</div><div><br></div><div>BUCKET_ID:   \
0xFC_pacer!PcFilterSendNetBufferListsComplete</div><div><br></div><div>PRIMARY_PROBLEM_CLASS: \
0xFC_pacer!PcFilterSendNetBufferListsComplete</div><div><br></div><div>TARGET_TIME:   \
2016-02-26T02:07:14.000Z</div><div><br></div><div>OSBUILD:   \
14267</div><div><br></div><div>OSSERVICEPACK:   \
0</div><div><br></div><div>SERVICEPACK_NUMBER: \
0</div><div><br></div><div>OS_REVISION: 0</div><div><br></div><div>SUITE_MASK:   \
272</div><div><br></div><div>PRODUCT_TYPE:   \
1</div><div><br></div><div>OSPLATFORM_TYPE:   x64</div><div><br></div><div>OSNAME:   \
Windows 10</div><div><br></div><div>OSEDITION:   Windows 10 WinNt TerminalServer \
SingleUserTS</div><div><br></div><div>OS_LOCALE:   \
</div><div><br></div><div>USER_LCID:   0</div><div><br></div><div>OSBUILD_TIMESTAMP:  \
2016-02-13 20:56:11</div><div><br></div><div>BUILDDATESTAMP_STR:   \
160213-0213</div><div><br></div><div>BUILDLAB_STR:   \
rs1_release</div><div><br></div><div>BUILDOSVER_STR:   \
10.0.14267.1000.amd64fre.rs1_release.160213-0213</div><div><br></div><div>ANALYSIS_SESSION_ELAPSED_TIME: \
dd56</div><div><br></div><div>ANALYSIS_SOURCE:   \
KM</div><div><br></div><div>FAILURE_ID_HASH_STRING:   \
km:0xfc_pacer!pcfiltersendnetbufferlistscomplete</div><div><br></div><div>FAILURE_ID_HASH: \
{58376b4a-2e7b-a663-6625-e3b6176db5e4}</div><div><br></div><div>Followup:       \
MachineOwner</div><div><br></div><div><br></div><div>The 2nd 022616-50812-01.dmp \
result is as below: (the 3rd  022616-50296-01.dmp result is the same with the 2nd, so \
I won&#39;t post the 3rd result here)<br></div><div>This BSoD is caused by Npcap \
driver. WinDbg points the error to</div><div>numSentPackets \
++;<br></div><div>numSentPackets   is a variable used as sending packets in multiple \
times. The repetition times are controled by the user software through the \
BIOCSWRITEREP IOCTL call. Do you specify Npcap in this way to send packets for \
multiple times?<br></div><div><br></div><div>Also something I wanna ask is does your \
adapter a &quot;Npcap Loopback Adapter&quot;, or specified as a \
&quot;Send-To-Rx&quot; adapter? or just ordinary physical Ethernet \
adapter?</div><div><br></div><div><br></div><div><br></div><div><div>0: kd&gt; \
!analyze -v</div><div>*******************************************************************************</div><div>* \
*</div><div>*                                    Bugcheck Analysis                    \
*</div><div>*                                                                         \
*</div><div>*******************************************************************************</div><div><br></div><div>SYSTEM_SERVICE_EXCEPTION \
(3b)</div><div>An exception happened while executing a system service \
routine.</div><div>Arguments:</div><div>Arg1: 00000000c0000005, Exception code that \
caused the bugcheck</div><div>Arg2: fffff80745e9de30, Address of the instruction \
which caused the bugcheck</div><div>Arg3: ffffa38002702de0, Address of the context \
record for the exception that caused the bugcheck</div><div>Arg4: 0000000000000000, \
zero.</div><div><br></div><div>Debugging \
Details:</div><div>------------------</div><div><br></div><div>*** WARNING: Unable to \
verify timestamp for npf.sys</div><div><br></div><div>DUMP_CLASS: \
1</div><div><br></div><div>DUMP_QUALIFIER: \
400</div><div><br></div><div>BUILD_VERSION_STRING:   \
14267.1000.amd64fre.rs1_release.160213-0213</div><div><br></div><div>SYSTEM_MANUFACTURER: \
Dell Inc.</div><div><br></div><div>SYSTEM_PRODUCT_NAME:   OptiPlex \
<div style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<p style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">Step:</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">1. \
Get the eth list</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">2. \
disable an eth (you can also disable and re-enable it)</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">3. \
send pkg to the eth</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">4. \
see bluescreen  <span style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;font-size:12pt;line-height:1.5;background-color:rgba(0,0,0,0)">with  \
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY  or  \
SYSTEM_SERVICE_EXCEPTION(ndis.sys)</span></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px"><br></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">I&#39;m \
a C# programmer and use  <span style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;font-size:12pt;line-height:1.5;background-color:rgba(0,0,0,0)">SharpPcap.4.2.0 \
to wrap npcap, so I&#39;m not sure what it actually does, maybe a call to  \
</span><span style="font-family:&#39;&#39;;font-size:12pt;line-height:1.5">pcap_sendpacket.</span></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">PS: \
The capture doesn&#39;t stop after disabling the eth as it did before (can&#39;t \
remember the version).</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px"><br></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">Sorry \
for my poor English, ask me if more info is needed.</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px">----</p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px"><span \
style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;color:rgb(0,0,0);background-color:rgba(0,0,0,0)">Test \
Environment:</span></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px"><span \
style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;color:rgb(0,0,0);background-color:rgba(0,0,0,0)">   \
npcap-nmap-0.05-r13</span></p><p \
style="font-family:Calibri,Arial,Helvetica,sans-serif;margin-top:0px;margin-bottom:0px"><span \
style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;color:rgb(0,0,0);background-color:rgba(0,0,0,0)">   \
Win10(14267)</span></p><p style="margin-top:0px;margin-bottom:0px"><font \
face="Calibri, Arial, Helvetica, sans-serif">----</font></p><p \
style="margin-top:0px;margin-bottom:0px"><font face="Calibri, Arial, Helvetica, \
sans-serif">I&#39;m not sure if it&#39;s an bug of  </font><span \
style="font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;;color:rgb(0,0,0);background-color:rgba(0,0,0,0)">npcap  </span><font \
face="Calibri, Arial, Helvetica, sans-serif">or  </font><span \
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;line-height:1.5">win10</span><font \
face="Calibri, Arial, Helvetica, sans-serif" style="font-size:12pt;line-height:1.5">, \
for that  </font><span \
style="font-size:12pt;line-height:1.5;font-family:&#39;Calibri, Arial, Helvetica, \
sans-serif&#39;">14267 is an insyder preview version. Could someone test on other \
version of windows?</span></p> </div>
</div><br>_______________________________________________<br>
Sent through the dev mailing list<br>
<a href="https://nmap.org/mailman/listinfo/dev" rel="noreferrer" \
target="_blank">https://nmap.org/mailman/listinfo/dev</a><br> Archived at <a \
href="http://seclists.org/nmap-dev/" rel="noreferrer" \
target="_blank">http://seclists.org/nmap-dev/</a><br></blockquote></div><br></div></div>
 </div></div></div></div></blockquote>
</div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>



_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
