Nmap Development mailing list archives

Re: npcap and still the same issues


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 3 Oct 2016 21:11:01 +0800

Hi Mike,

I found that this BSoD is because you used Process Explorer (procexp.exe)
to end critical system processes like csrss.exe. As MSDN said:


CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been terminated.
Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.


So the system had already malfunctioned, and running that script just pulled the
trigger. The BSoD has nothing to do with the Npcap driver.

You REALLY need to re-install the OS I think.


Cheers,
Yang


----------------------
The entire report is here:


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been terminated.
Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 84e93458, Terminating object
Arg3: 84e935c4, Process image file name
Arg4: 81c1beb0, Explanatory message (ascii)

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  7601.18247.x86fre.win7sp1_gdr.130828-1532

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  7659WAT

SYSTEM_VERSION:  ThinkPad T61

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  7LETA9WW (2.09 )

BIOS_DATE:  12/27/2007

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  7659WAT

BASEBOARD_VERSION:  Not Available

DUMP_TYPE:  1

BUGCHECK_P1: 3

BUGCHECK_P2: ffffffff84e93458

BUGCHECK_P3: ffffffff84e935c4

BUGCHECK_P4: ffffffff81c1beb0

PROCESS_NAME:  csrss.exe

CRITICAL_PROCESS:  csrss.exe

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: csrss

FAULTING_MODULE: 00000000

EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function.

ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1

CPU_COUNT: 2

CPU_MHZ: 703

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: f

CPU_STEPPING: d

CPU_MICROCODE: 6,f,d,0 (F,M,S,R)  SIG: A3'00000000 (cache) A1'00000000 (init)

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xF4

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  AKISN0W-PC

ANALYSIS_SESSION_TIME:  10-03-2016 19:48:56.0091

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

STACK_TEXT:
a4c0fc9c 81ce13a7 000000f4 00000003 84e93458 nt!KeBugCheckEx+0x1e
a4c0fcc0 81c5eff9 81c1beb0 84e935c4 84e936c8 nt!PspCatchCriticalBreak+0x71
a4c0fcf0 81c5ef3c 84e93458 85090d48 00000001 nt!PspTerminateAllThreads+0x2d
a4c0fd24 81a408c6 000004ec 00000001 0024e800 nt!NtTerminateProcess+0x1a2
a4c0fd24 76f270f4 000004ec 00000001 0024e800 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0024e800 00000000 00000000 00000000 00000000 0x76f270f4


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  d712f50ca072f1612c7a4fd1bf3073f1e303157e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  7f2bcb48562de3a4aab0888136f4f1b11d49364a

THREAD_SHA1_HASH_MOD:  f08ac56120cad14894587db086f77ce277bfae84

FOLLOWUP_NAME:  MachineOwner

IMAGE_VERSION:

FAILURE_BUCKET_ID:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1

BUCKET_ID:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1

PRIMARY_PROBLEM_CLASS:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1

TARGET_TIME:  2016-10-03T04:18:43.000Z

OSBUILD:  7601

OSSERVICEPACK:  1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  784

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 7

OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  2013-08-29 08:58:30

BUILDDATESTAMP_STR:  130828-1532

BUILDLAB_STR:  win7sp1_gdr

BUILDOSVER_STR:  6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532

ANALYSIS_SESSION_ELAPSED_TIME: 160eb

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xf4_csrss.exe_bugcheck_critical_process_terminated_by_procexp.exe_1

FAILURE_ID_HASH:  {2b7c426f-9342-321c-9301-d9f30087fb66}

Followup:     MachineOwner
---------



On Mon, Oct 3, 2016 at 4:24 PM, Mike . <dmciscobgp () hotmail com> wrote:

thanks. i am 100% on my machine being secure. i scan it each week or month
and i am always watching it for anomalies. i think i caused the BSOD
because i terminated a service that was housing conhost using process
explorer. i did that because it kept looping that same cmd window over and
over and freezing my screen! this DMP is all it gave me to look into.


sending the dmp file to you through sendspace because i have a limit
apparently on size of files sending through my email. even when zipped it
is running past the designated size. so trust this link please

https://www.sendspace.com/file/3rh1mn
MEMORY.zip (49.45MB)



------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, October 3, 2016 5:02 AM

*To:* Mike .; Nmap-dev
*Subject:* Re: npcap and still the same issues

Hi Mike,

Clicking DiagReport.bat is the right way and definitely should not cause a
BSoD. All the code is inside the DiagReport.ps1 which you can check, and it
only reads information about OS, hardware, network, registry, etc instead
of messing with anything. I'm really suspecting that your OS has been
broken or even compromised somehow.

Since you got a dump file, you can send it to me to see what causes that
BSoD.


Cheers,
Yang


On Mon, Oct 3, 2016 at 12:29 PM, Mike . <dmciscobgp () hotmail com> wrote:

yes sorry. i figured that was what you wanted, the install log. well,
something just happened that i hope does not happen again. so first off,
does the bat file in question have to be run through PS? because when i
clicked on it in non-PS mode, i got MANY console windows opening at once
and spawning countless conhost.exe's which i could not kill off. this
ended up in a BSOD (the first ever for my machine!), then a core dump.
this happened why???????


Mike


------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, October 3, 2016 2:42 AM

*To:* Mike .; Nmap-dev
*Subject:* Re: npcap and still the same issues

Well, you seem to give me the wrong file.. What I'm asking for is the
DiagReport.

Npcap provides a diagnostic utility called DiagReport. It collects a
lot of information including OS metadata, Npcap related files, install
options, registry values, services, etc. You can simply click the C:\Program
Files\Npcap\DiagReport.bat file to run DiagReport. It will pop up a text
report via Notepad (it's stored in: C:\Program Files\Npcap\DiagReport.txt).
Please always submit it to us if you encounter any issues.

Please run that bat after you do the "borrow" trick. I just want to see
if your registry modification is correct.

The DiagReport file name should be something like:
DiagReport-2016XXXX-XXXXXX.txt

XXXX is your current time.



On Mon, Oct 3, 2016 at 10:20 AM, Mike . <dmciscobgp () hotmail com> wrote:

looks like a successful install to me....but here:


------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, October 3, 2016 2:12 AM

*To:* Mike .; Nmap-dev
*Subject:* Re: npcap and still the same issues

Please provide me your DiagReport (documented here:
https://github.com/nmap/npcap#diagnostic-report), for me to tell if
there's anything wrong.



On Mon, Oct 3, 2016 at 1:05 AM, Mike . <dmciscobgp () hotmail com> wrote:

i did EXACTLY as you say---the results speak for themselves:


C:\Users\Tools>dumpcap -D
1. \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179} (Local Area
Connection)

that is the only adapter it finds for use. so i replaced the current
values with your suggestion. basically taking my current working adapter
and "borrowing" it for the npcap one. does it have to be a differerent
adapter? anyway, nothing you said that would occur happened. still shows
this 1 adapter and still no loopback/npcap ability:

DEV    WINDEVICE
eth0   \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}
lo0    <none>
lo0    <none>
<none> \Device\NPF_{E2F8A220-AF88-446C-9A55-453E58DD3A33}
<none> \Device\NPF_NdisWanIpv6
<none> \Device\NPF_NdisWanIp


i'm stumped

Mike



------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Sunday, October 2, 2016 4:04 PM
*To:* Mike .; Nmap-dev

*Subject:* Re: npcap and still the same issues

Here's how to do the trick to "borrow" an adapter to be the Npcap Loopback
Adapter.

1) Install Wireshark, and open a CMD in its installation folder.
Because we need to use its dumpcap.exe tool. Run "dumpcap -D"

C:\Program Files\Wireshark>dumpcap -D
1. \Device\NPF_{7C4E0476-D3F1-4F4C-9FE4-FA514710032A} (VMware Network
Adapter VMnet1)
2. \Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9} (Wi-Fi)
3. \Device\NPF_{2F6EC492-5488-42D4-BAF4-049CD820EB66} (VMware Network
Adapter VMnet8)
4. \Device\NPF_{2A2FCEC4-C241-4B8B-8532-C901A74DC867} (Npcap Loopback
Adapter)
5. \Device\NPF_{AC093F81-04F0-4B51-9137-18E7B8376782} (Ethernet 2)

Let's say that your original 4. (Npcap Loopback Adapter) is broken, so
we are going to use 2. (Wi-Fi) as the new Npcap Loopback Adapter. Copy out
its GUID name: \Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9}

2) Remove the "NPF_" in the above string, so it should be:
\Device\{385F30D0-9166-45D3-BBC6-F1D9C5300AF9}

Copy it to two places in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Npcap\LoopbackAdapter

(the 2nd registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Npcap\LoopbackAdapter
if you are using a 32-bit OS)

3) Restart the driver, by running two commands in CMD:

net stop npcap
net start npcap

4) Now, the "Wi-Fi" adapter should be gone and the new "Npcap Loopback
Adapter" is generated. Capture with it.


Cheers,
Yang
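
An added PowerShell example (not Npcap's or Wireshark's own code) that carries the four steps above out end to end. It assumes dumpcap.exe is on PATH, that the session is elevated (HKLM writes and driver restart need it), and that LoopbackAdapter is a REG_SZ value.

```powershell
# Added example, not Npcap's own tooling: automate the "borrow an adapter" steps.
# Assumes dumpcap.exe (Wireshark) is on PATH and an elevated PowerShell session,
# since writing under HKLM and restarting the driver both need admin rights.
param(
    # Friendly name exactly as dumpcap -D prints it in parentheses, e.g. "Wi-Fi"
    [Parameter(Mandatory = $true)]
    [string]$AdapterName
)

# 1) List the NPF devices and pick the one whose friendly name matches.
$device = $null
foreach ($line in (& dumpcap -D)) {
    if ($line -match '^\d+\.\s+(\\Device\\NPF_\{[0-9A-Fa-f-]+\})\s+\((.+)\)\s*$' -and
        $Matches[2] -eq $AdapterName) {
        $device = $Matches[1]
        break
    }
}
if (-not $device) { throw "Adapter '$AdapterName' was not listed by 'dumpcap -D'." }

# 2) Drop the "NPF_" prefix: \Device\NPF_{GUID} becomes \Device\{GUID}.
$loopback = $device -replace 'NPF_', ''

# Both registry locations from the instructions; the SOFTWARE key lives under
# WOW6432Node on 64-bit Windows and directly under SOFTWARE on a 32-bit OS.
$keys = @('HKLM:\SYSTEM\CurrentControlSet\Services\npcap')
if ([Environment]::Is64BitOperatingSystem) {
    $keys += 'HKLM:\SOFTWARE\WOW6432Node\Npcap'
} else {
    $keys += 'HKLM:\SOFTWARE\Npcap'
}
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { throw "Registry key '$key' is missing; is Npcap installed?" }
    # Assumption: LoopbackAdapter is a REG_SZ (String) value.
    Set-ItemProperty -Path $key -Name 'LoopbackAdapter' -Value $loopback -Type String
}
Write-Host "LoopbackAdapter set to $loopback in $($keys.Count) registry keys."

# 3) Restart the driver so it reads the new value. From here on the borrowed
# adapter no longer carries its normal traffic; only loopback goes through it.
& net stop npcap
& net start npcap

# 4) The borrowed adapter should now be listed as "Npcap Loopback Adapter".
& dumpcap -D
```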


On Sun, Oct 2, 2016 at 11:42 PM, Mike . <dmciscobgp () hotmail com> wrote:

my current adapter , after identifying , gives me this in my
systray---44fac. how did it retrieve that? apparently, that is what the
"identifying" portion is looking for. does anyone else's ISP do this or
just mine? and now, how do i take my current WORKING adapter and turn it
into the "NPCAP adapter"?


------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Sunday, October 2, 2016 3:24 PM
*To:* Mike .
*Cc:* nmap-group
*Subject:* Re: npcap and still the same issues

Hi Mike,

Npcap doesn't count on any MAC or IP on its adapters. It only relies
on the miniports. And again:

*Npcap does not necessarily rely on the "Microsoft Loopback Adapter"*.

"Npcap Loopback Adapter" can be any adapter. Npcap just "borrows" the
shell of an adapter. So if your "Microsoft Loopback Adapter" doesn't work
out, you can just choose another workable adapter to be the "Npcap Loopback
Adapter", like a bluetooth adapter, or a real physical ethernet adapter
which is not in use. After you specify its GUID in the registry, Npcap will
recognize it as "Npcap Loopback Adapter" and let all loopback traffic go
through it. The original traffic will be gone. So this whole trick will
sacrifice one of your normal adapters.

So the question is very simple, *can you provide any working adapter
to be the "Npcap Loopback Adapter"?* If the answer is NO, for
example, all your adapters are in the middle of "identifying..", then I
must acknowledge that no one could save your machine.


Cheers,
Yang


On Sun, Oct 2, 2016 at 10:09 PM, Mike . <dmciscobgp () hotmail com> wrote:

so i figured i would try out the latest npcap, hoping it would allow
me to get past the issues i was having before. NOPE. as i can see it, after
looking at the install log and all the files in place, i don't think it is
npcap. i think it is just my network/ISP and the way it is set up and
configured. i now am almost 100% convinced i have to somehow hard-code the
DNS/GATEWAY/ETC to somehow get this to work. right now it is sitting on an
autoconfigured 169 addy and a constant "identifying.." in my systray where my
adapter icon sits. as long as it says that, i get nothing. so i just
disable it. does anyone else out there have this "identifying..." issue? i
am almost convinced it is sending out or trying to identify its MAC for my
ISP?? not sure but i can't come up with anything else. until i can get past
this, or until npcap can allow hard coding addressing so it can be "seen"
by my network-----------------npcap and all its loopback wonder, is
useless to me



Mike


(my npcap adapter does say 46 packets sent, if that is anything to
anyone)

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
