Nmap Development mailing list archives
Re: npcap crash win10(14267) when send package to an disabled eth with ATTEMPED_EXECUTE_OF_NOEXECUTE_MEMORY or SYSTEM_SERVICE_EXCEPTION(ndis.sys)
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Fri, 26 Feb 2016 14:51:26 +0800
Hi yyjdelete,

Thanks for the report first! Currently I only analyzed the 3 dump files you attached. Haven't tried to reproduce this issue yet. But I have some questions.

The 1st 022616-53187-01.dmp result is as below:

It seems that this BSoD was caused by liebaonat64.sys, a LWF driver from 猎豹免费WiFi. In fact, Npcap is also a LWF driver. I don't know if this BSoD is merely because of 猎豹免费WiFi, or the coexisting problem with Npcap. Sometimes LWF drivers do conflict with each other. So I suggest you uninstall the product named 猎豹免费WiFi before you test with Npcap.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffaf06162c85b0, Virtual address for the attempted execute.
Arg2: 80000001432009e3, PTE contents.
Arg3: ffffc28005c7b140, (reserved)
Arg4: 0000000000000003, (reserved)

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 14267.1000.amd64fre.rs1_release.160213-0213
DUMP_TYPE: 2
BUGCHECK_P1: ffffaf06162c85b0
BUGCHECK_P2: 80000001432009e3
BUGCHECK_P3: ffffc28005c7b140
BUGCHECK_P4: 3
CPU_COUNT: 4
CPU_MHZ: c79
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xFC
PROCESS_NAME: EapolLogin.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: AKISN0W-PC
ANALYSIS_SESSION_TIME: 02-26-2016 12:32:34.0528
ANALYSIS_VERSION: 10.0.10586.567 amd64fre

TRAP_FRAME: ffffc28005c7b140 -- (.trap 0xffffc28005c7b140)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffaf06162c85b0 rbx=0000000000000000 rcx=ffffaf0624004000
rdx=ffffaf061a4fa580 rsi=0000000000000000 rdi=0000000000000000
rip=ffffaf06162c85b0 rsp=ffffc28005c7b2d8 rbp=ffffc28005c7b349
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
ffffaf06`162c85b0 0501900300 add eax,39001h
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff803241eb311 to fffff8032415d240

STACK_TEXT:
ffffc280`05c7aed8 fffff803`241eb311 : 00000000`000000fc ffffaf06`162c85b0 80000001`432009e3 ffffc280`05c7b140 : nt!KeBugCheckEx
ffffc280`05c7aee0 fffff803`24197765 : ffffc280`05c7b0c8 00000000`00000011 ffffaf06`162c85b0 00000000`00000000 : nt!MiCheckSystemNxFault+0x69
ffffc280`05c7af20 fffff803`24055957 : 00000980`00000000 ffffc280`05c7b070 00000000`00000011 fffff80f`7ca682de : nt! ?? ::FNODOBFM::`string'+0x2b405
ffffc280`05c7af70 fffff803`241668fc : 00000000`00000001 00000201`00000000 00000000`00000000 fffff80f`7d4734c4 : nt!MmAccessFault+0x137
ffffc280`05c7b140 ffffaf06`162c85b0 : fffff80f`7ca6170b ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 : nt!KiPageFault+0x13c
ffffc280`05c7b2d8 fffff80f`7ca6170b : ffffaf06`19662080 ffffc280`05c7b6ec 00000000`00000001 ffffc280`05c7b6f0 : 0xffffaf06`162c85b0
ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 fffff80f`7ca70c02 00000000`00000000 ffffaf06`1a4fa500 : ndis!ndisMSendCompleteNetBufferListsInternal+0x13b
ffffc280`05c7b3b0 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000 ffffaf06`1a4fa580 fffff803`2404e92c : ndis!ndisInvokeNextSendCompleteHandler+0x4a
ffffc280`05c7b490 fffff80f`7d4f2703 : 000000a7`800ab2d3 00000000`00000000 ffffaf06`1521f550 00000000`00000000 : ndis!NdisFSendNetBufferListsComplete+0x1f8a8
ffffc280`05c7b510 fffff80f`7ca7f8de : fffff80f`7d4b53b8 ffffaf06`1521f550 00000002`00000000 ffffaf06`19662080 : pacer!PcFilterSendNetBufferListsComplete+0x7f3
ffffc280`05c7b780 fffff803`240c0b15 : ffffc280`05c7b8e9 ffffc280`05c7b8d0 ffffaf06`1a4fa580 fffff80f`7d3a6b11 : ndis!ndisDataPathExpandStackCallback+0x3e
ffffc280`05c7b7d0 fffff80f`7ca72cc1 : ffffaf06`1a4fa580 ffffaf06`0e086a60 ffffaf06`162c85b0 00000000`00000001 : nt!KeExpandKernelStackAndCalloutInternal+0x85
ffffc280`05c7b820 fffff80f`7ca70e31 : ffffaf06`1521f550 fffff80f`7ca6ed14 00000000`00000001 fffff80f`7d3a80e2 : ndis!ndisExpandStack+0x19
ffffc280`05c7b860 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000 ffffaf06`1a4fa580 00000000`00000002 : ndis!ndisInvokeNextSendCompleteHandler+0x131
ffffc280`05c7b940 fffff80f`7d472326 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!NdisFSendNetBufferListsComplete+0x1f8a8
ffffc280`05c7b9c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc280`05c7bb40 : liebaonat64+0x2326

STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: b89ff1e6e8deed938c2205c7eb357ea90ab3d631
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 817eb332e7333a1e17472167496047c5f0f112cf
THREAD_SHA1_HASH_MOD: b1e13271be08c5ceb3e69961f060ecbebf6f698c

FOLLOWUP_IP:
pacer!PcFilterSendNetBufferListsComplete+7f3
fffff80f`7d4f2703 e9d5fbffff jmp pacer!PcFilterSendNetBufferListsComplete+0x3cd (fffff80f`7d4f22dd)

FAULT_INSTR_CODE: fffbd5e9
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: pacer!PcFilterSendNetBufferListsComplete+7f3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pacer
IMAGE_NAME: pacer.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56bf284a
IMAGE_VERSION: 10.0.14267.1000
BUCKET_ID_FUNC_OFFSET: 7f3
FAILURE_BUCKET_ID: 0xFC_pacer!PcFilterSendNetBufferListsComplete
BUCKET_ID: 0xFC_pacer!PcFilterSendNetBufferListsComplete
PRIMARY_PROBLEM_CLASS: 0xFC_pacer!PcFilterSendNetBufferListsComplete
TARGET_TIME: 2016-02-26T02:07:14.000Z
OSBUILD: 14267
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-13 20:56:11
BUILDDATESTAMP_STR: 160213-0213
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14267.1000.amd64fre.rs1_release.160213-0213
ANALYSIS_SESSION_ELAPSED_TIME: dd56
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xfc_pacer!pcfiltersendnetbufferlistscomplete
FAILURE_ID_HASH: {58376b4a-2e7b-a663-6625-e3b6176db5e4}

Followup: MachineOwner

The 2nd 022616-50812-01.dmp result is as below (the 3rd 022616-50296-01.dmp result is the same as the 2nd, so I won't post the 3rd result here):

This BSoD is caused by the Npcap driver. WinDbg points the error to numSentPackets ++; numSentPackets is a variable used for sending packets multiple times. The number of repetitions is controlled by the user software through the BIOCSWRITEREP IOCTL call. Do you specify Npcap in this way to send packets multiple times?

Also something I wanna ask is: is your adapter a "Npcap Loopback Adapter", or specified as a "Send-To-Rx" adapter? Or just an ordinary physical Ethernet adapter?

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80745e9de30, Address of the instruction which caused the bugcheck
Arg3: ffffa38002702de0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for npf.sys

DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 14267.1000.amd64fre.rs1_release.160213-0213
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: OptiPlex 7010
SYSTEM_SKU: OptiPlex 7010
SYSTEM_VERSION: 01
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A14
BIOS_DATE: 06/10/2013
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 09PR9H
BASEBOARD_VERSION: A01
DUMP_TYPE: 2
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80745e9de30
BUGCHECK_P3: ffffa38002702de0
BUGCHECK_P4: 0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
ndis!NdisFSendNetBufferLists+c0
fffff807`45e9de30 4c8b5818 mov r11,qword ptr [rax+18h]

CONTEXT: ffffa38002702de0 -- (.cxr 0xffffa38002702de0)
rax=6b49534e02130018 rbx=6b49534e02130019 rcx=0000000000000001
rdx=0000000000000000 rsi=ffffd50728240030 rdi=ffffd5072c4ac8d0
rip=fffff80745e9de30 rsp=ffffa380027037e0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000060001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
ndis!NdisFSendNetBufferLists+0xc0:
fffff807`45e9de30 4c8b5818 mov r11,qword ptr [rax+18h] ds:002b:6b49534e`02130030=????????????????
Resetting default scope

CPU_COUNT: 4
CPU_MHZ: c79
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 1B'00000000 (cache) 1B'00000000 (init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: EapolLogin.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: AKISN0W-PC
ANALYSIS_SESSION_TIME: 02-26-2016 13:42:06.0762
ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER: from fffff807476f67f8 to fffff80745e9de30

STACK_TEXT:
ffffa380`027037e0 fffff807`476f67f8 : 00000000`00000000 00000000`00000000 00000000`00000001 ffffd507`3a613570 : ndis!NdisFSendNetBufferLists+0xc0
ffffa380`02703860 fffff803`8c698c05 : ffffd507`3a6134a0 00000000`00000000 00000000`00000001 fffff680`00003140 : npf!NPF_Write+0x214 [j:\npcap\packetwin7\npf\npf\write.c @ 324]
ffffa380`027038d0 fffff803`8c69840a : ffffd507`39edba60 ffffd507`3a6134a0 ffffd507`2871aef0 ffffa380`02703b80 : nt!IopSynchronousServiceTail+0x1a5
ffffa380`02703990 fffff803`8c3d2f83 : ffff8208`1164b160 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x67a
ffffa380`02703a90 00007fff`94c21034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0014e248 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`94c21034

THREAD_SHA1_HASH_MOD_FUNC: 8de63a100febe6f9f89153a5a9abc9ba86d452de
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c12fe9b8d789ae102dec8036452ef91cdcd180b3
THREAD_SHA1_HASH_MOD: bccfea03237cfde6486a55b63bb95e3341833378

FOLLOWUP_IP:
npf!NPF_Write+214 [j:\npcap\packetwin7\npf\npf\write.c @ 324]
fffff807`476f67f8 8b6c2478 mov ebp,dword ptr [rsp+78h]

FAULT_INSTR_CODE: 78246c8b
FAULTING_SOURCE_LINE: j:\npcap\packetwin7\npf\npf\write.c
FAULTING_SOURCE_FILE: j:\npcap\packetwin7\npf\npf\write.c
FAULTING_SOURCE_LINE_NUMBER: 324
FAULTING_SOURCE_CODE:
320: NDIS_DEFAULT_PORT_NUMBER,
321: SendFlags);
322: }
323:
324: numSentPackets ++;
325: }
326: else
327: {
328: //
329: // no packets are available in the Transmit pool, wait some time. The

SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: npf!NPF_Write+214
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npf
IMAGE_NAME: npf.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56c2d58e
STACK_COMMAND: .cxr 0xffffa38002702de0 ; kb
BUCKET_ID_FUNC_OFFSET: 214
FAILURE_BUCKET_ID: 0x3B_npf!NPF_Write
BUCKET_ID: 0x3B_npf!NPF_Write
PRIMARY_PROBLEM_CLASS: 0x3B_npf!NPF_Write
TARGET_TIME: 2016-02-26T02:30:30.000Z
OSBUILD: 14267
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-13 20:56:11
BUILDDATESTAMP_STR: 160213-0213
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14267.1000.amd64fre.rs1_release.160213-0213
ANALYSIS_SESSION_ELAPSED_TIME: 127c9
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x3b_npf!npf_write
FAILURE_ID_HASH: {2eb5e15e-9853-313b-618d-2ac277a2bfb5}

Followup: MachineOwner

On Fri, Feb 26, 2016 at 11:23 AM, yyjdelete () 126 com <yyjdelete () 126 com> wrote:
Step:
1. Get the eth list
2. Disable an eth (you can also disable and re-enable it)
3. Send pkg to the eth
4. See bluescreen with ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY or SYSTEM_SERVICE_EXCEPTION(ndis.sys)

I'm a C# programmer and use SharpPcap.4.2.0 to wrap npcap, so I'm not sure what it actually does, maybe a call to pcap_sendpacket.

PS: The capture doesn't stop after disabling the eth as it did before (can't remember the version).

Sorry for my poor English, ask me if more info is needed.

----
Test Environment:
npcap-nmap-0.05-r13
Win10(14267)
----

I'm not sure if it's a bug of npcap or win10, since 14267 is an insider preview version. Could someone test on other versions of Windows?

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
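The manual step in the reply above, reading the STACK_TEXT frames to see which drivers sit on the faulting path, can be scripted for triage. The Python below is an added example, not part of the original message or of Npcap; the INBOX set and the frame() helper are assumptions, and the sample frames reuse stack addresses and symbols from the two traces above with the argument columns zeroed.

```python
import re

# Assumption for this example: modules treated as in-box Windows components.
INBOX = {"nt", "hal", "ndis", "pacer", "tcpip"}

# One kb-style frame: child-SP, return address, four arguments, symbol.
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : "
                   r"(?:[0-9a-f]{8}`[0-9a-f]{8} ){4}: (?P<sym>.+)$")

def triage(stack_text):
    """Return (modules in call order, modules not in INBOX, raw-address frame seen)."""
    modules, raw = [], False
    for line in stack_text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue                      # not a stack frame line
        sym = m.group("sym")
        if sym.startswith("0x"):          # frame resolves to no loaded module
            raw = True
            continue
        mod = re.match(r"\w+", sym)       # text before '!' or '+'
        if mod and mod.group(0) not in modules:
            modules.append(mod.group(0))
    return modules, [x for x in modules if x not in INBOX], raw

def frame(sp, ret, sym):
    # Constructed sample line: argument columns zeroed, other fields from the page.
    return f"{sp} {ret} : " + "00000000`00000000 " * 4 + f": {sym}"

DUMP1 = "\n".join([
    frame("ffffc280`05c7aed8", "fffff803`241eb311", "nt!KeBugCheckEx"),
    frame("ffffc280`05c7b140", "ffffaf06`162c85b0", "nt!KiPageFault+0x13c"),
    frame("ffffc280`05c7b2d8", "fffff80f`7ca6170b", "0xffffaf06`162c85b0"),
    frame("ffffc280`05c7b2e0", "fffff80f`7ca70d4a",
          "ndis!ndisMSendCompleteNetBufferListsInternal+0x13b"),
    frame("ffffc280`05c7b510", "fffff80f`7ca7f8de",
          "pacer!PcFilterSendNetBufferListsComplete+0x7f3"),
    frame("ffffc280`05c7b9c0", "00000000`00000000", "liebaonat64+0x2326"),
])
DUMP2 = "\n".join([
    frame("ffffa380`027037e0", "fffff807`476f67f8", "ndis!NdisFSendNetBufferLists+0xc0"),
    frame("ffffa380`02703860", "fffff803`8c698c05",
          r"npf!NPF_Write+0x214 [j:\npcap\packetwin7\npf\npf\write.c @ 324]"),
    frame("ffffa380`02703990", "fffff803`8c3d2f83", "nt!NtWriteFile+0x67a"),
])

if __name__ == "__main__":
    for name, dump in (("dump 1", DUMP1), ("dump 2", DUMP2)):
        print(name, triage(dump))
```

A module outside INBOX on the stack is a lead for the "uninstall and retest" step suggested in the reply, not proof of fault.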