Nmap Development mailing list archives
Re: npcap and still the same issues
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 3 Oct 2016 21:11:01 +0800
Hi Mike,

I found that this BSoD is because you used Process Explorer (procexp.exe) to end critical system processes like csrss.exe. As MSDN says:

    CRITICAL_OBJECT_TERMINATION (f4)
    A process or thread crucial to system operation has unexpectedly exited or been terminated. Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.

So the system is already malfunctioning, and running that script just pulls the trigger. The BSoD has nothing to do with the Npcap driver. You REALLY need to re-install the OS, I think.

Cheers,
Yang

----------------------

The entire report is here:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.

Arguments:
Arg1: 00000003, Process
Arg2: 84e93458, Terminating object
Arg3: 84e935c4, Process image file name
Arg4: 81c1beb0, Explanatory message (ascii)

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING:  7601.18247.x86fre.win7sp1_gdr.130828-1532
SYSTEM_MANUFACTURER:  LENOVO
SYSTEM_PRODUCT_NAME:  7659WAT
SYSTEM_VERSION:  ThinkPad T61
BIOS_VENDOR:  LENOVO
BIOS_VERSION:  7LETA9WW (2.09 )
BIOS_DATE:  12/27/2007
BASEBOARD_MANUFACTURER:  LENOVO
BASEBOARD_PRODUCT:  7659WAT
BASEBOARD_VERSION:  Not Available
DUMP_TYPE:  1
BUGCHECK_P1: 3
BUGCHECK_P2: ffffffff84e93458
BUGCHECK_P3: ffffffff84e935c4
BUGCHECK_P4: ffffffff81c1beb0
PROCESS_NAME:  csrss.exe
CRITICAL_PROCESS:  csrss.exe
IMAGE_NAME:  csrss.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  0
MODULE_NAME: csrss
FAULTING_MODULE: 00000000
EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function.
ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1
CPU_COUNT: 2
CPU_MHZ: 703
CPU_VENDOR:  GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: f
CPU_STEPPING: d
CPU_MICROCODE: 6,f,d,0 (F,M,S,R)  SIG: A3'00000000 (cache) A1'00000000 (init)
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
BUGCHECK_STR:  0xF4
CURRENT_IRQL:  0
ANALYSIS_SESSION_HOST:  AKISN0W-PC
ANALYSIS_SESSION_TIME:  10-03-2016 19:48:56.0091
ANALYSIS_VERSION: 10.0.10586.567 amd64fre

STACK_TEXT:
a4c0fc9c 81ce13a7 000000f4 00000003 84e93458 nt!KeBugCheckEx+0x1e
a4c0fcc0 81c5eff9 81c1beb0 84e935c4 84e936c8 nt!PspCatchCriticalBreak+0x71
a4c0fcf0 81c5ef3c 84e93458 85090d48 00000001 nt!PspTerminateAllThreads+0x2d
a4c0fd24 81a408c6 000004ec 00000001 0024e800 nt!NtTerminateProcess+0x1a2
a4c0fd24 76f270f4 000004ec 00000001 0024e800 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0024e800 00000000 00000000 00000000 00000000 0x76f270f4

STACK_COMMAND:  kb
THREAD_SHA1_HASH_MOD_FUNC:  d712f50ca072f1612c7a4fd1bf3073f1e303157e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  7f2bcb48562de3a4aab0888136f4f1b11d49364a
THREAD_SHA1_HASH_MOD:  f08ac56120cad14894587db086f77ce277bfae84
FOLLOWUP_NAME:  MachineOwner
IMAGE_VERSION:
FAILURE_BUCKET_ID:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1
BUCKET_ID:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1
PRIMARY_PROBLEM_CLASS:  0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_TERMINATED_BY_procexp.exe_1
TARGET_TIME:  2016-10-03T04:18:43.000Z
OSBUILD:  7601
OSSERVICEPACK:  1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK:  784
PRODUCT_TYPE:  1
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 7
OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID:  0
OSBUILD_TIMESTAMP:  2013-08-29 08:58:30
BUILDDATESTAMP_STR:  130828-1532
BUILDLAB_STR:  win7sp1_gdr
BUILDOSVER_STR:  6.1.7601.18247.x86fre.win7sp1_gdr.130828-1532
ANALYSIS_SESSION_ELAPSED_TIME: 160eb
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:0xf4_csrss.exe_bugcheck_critical_process_terminated_by_procexp.exe_1
FAILURE_ID_HASH:  {2b7c426f-9342-321c-9301-d9f30087fb66}

Followup:     MachineOwner
---------

On Mon, Oct 3, 2016 at 4:24 PM, Mike . <dmciscobgp () hotmail com> wrote:
Thanks. I am 100% on my machine being secure. I scan it each week or month and I am always watching it for anomalies. I think I caused the BSOD because I terminated a service that was housing conhost using Process Explorer. I did that because it kept looping that same cmd window over and over and freezing my screen! This DMP is all it gave me to look into. Sending the dmp file to you through sendspace because I have a limit apparently on size of files sending through my email. Even when zipped it is running past the designated size. So trust this link please: https://www.sendspace.com/file/3rh1mn

------------------------------
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Sent: Monday, October 3, 2016 5:02 AM
To: Mike .; Nmap-dev
Subject: Re: npcap and still the same issues

Hi Mike,

Clicking DiagReport.bat is the right way and definitely should not cause a BSoD. All the code is inside DiagReport.ps1, which you can check, and it only reads information about the OS, hardware, network, registry, etc. instead of messing with anything. I'm really suspecting that your OS has been broken or even compromised somehow. Since you got a dump file, you can send it to me to see what causes that BSoD.

Cheers,
Yang

On Mon, Oct 3, 2016 at 12:29 PM, Mike . <dmciscobgp () hotmail com> wrote:

Yes, sorry. I figured that was what you wanted, the install log. Well, something just happened that I hope does not happen again. So first off, does the bat file in question have to be run through PS? Because when I clicked on it in non-PS mode, I got MANY console windows opening at once and spawning countless conhost.exe's which I could not kill off. This ended up in a BSOD (the first ever for my machine!), then a core dump. This happened why???????

Mike

------------------------------
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Sent: Monday, October 3, 2016 2:42 AM
To: Mike .; Nmap-dev
Subject: Re: npcap and still the same issues

Well, you seem to have given me the wrong file. What I'm asking for is the DiagReport.

Npcap has provided a diagnostic utility called DiagReport. It provides a lot of information including OS metadata, Npcap related files, install options, registry values, services, etc. You can simply click the C:\Program Files\Npcap\DiagReport.bat file to run DiagReport. It will pop up a text report via Notepad (it's stored in: C:\Program Files\Npcap\DiagReport.txt). Please always submit it to us if you encounter any issues.

Please run that bat after you do the "borrow" trick. I just want to see if your registry modification is correct. The DiagReport file name should be something like: DiagReport-2016XXXX-XXXXXX.txt, where XXXX is your current time.

On Mon, Oct 3, 2016 at 10:20 AM, Mike . <dmciscobgp () hotmail com> wrote:

Looks like a successful install to me....but here:

------------------------------
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Sent: Monday, October 3, 2016 2:12 AM
To: Mike .; Nmap-dev
Subject: Re: npcap and still the same issues

Please provide me your DiagReport (documented here: https://github.com/nmap/npcap#diagnostic-report), for me to tell if there's anything wrong.

On Mon, Oct 3, 2016 at 1:05 AM, Mike . <dmciscobgp () hotmail com> wrote:

I did EXACTLY as you say---the results speak for themselves:

C:\Users\Tools>dumpcap -D
1. \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179} (Local Area Connection)

That is the only adapter it finds for use. So I replaced the current values with your suggestion, basically taking my current working adapter and "borrowing" it for the npcap one. Does it have to be a different adapter? Anyway, nothing you said would occur happened. Still shows this 1 adapter and still no loopback/npcap ability:

DEV     WINDEVICE
eth0    \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}
lo0     <none>
lo0     <none>
<none>  \Device\NPF_{E2F8A220-AF88-446C-9A55-453E58DD3A33}
<none>  \Device\NPF_NdisWanIpv6
<none>  \Device\NPF_NdisWanIp

I'm stumped

Mike

------------------------------
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Sent: Sunday, October 2, 2016 4:04 PM
To: Mike .; Nmap-dev
Subject: Re: npcap and still the same issues

Here's how to do the trick to "borrow" an adapter to be the Npcap Loopback Adapter.

1) Install Wireshark, and open a CMD in its installation folder, because we need to use its dumpcap.exe tool. Run "dumpcap -D":

C:\Program Files\Wireshark>dumpcap -D
1. \Device\NPF_{7C4E0476-D3F1-4F4C-9FE4-FA514710032A} (VMware Network Adapter VMnet1)
2. \Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9} (Wi-Fi)
3. \Device\NPF_{2F6EC492-5488-42D4-BAF4-049CD820EB66} (VMware Network Adapter VMnet8)
4. \Device\NPF_{2A2FCEC4-C241-4B8B-8532-C901A74DC867} (Npcap Loopback Adapter)
5. \Device\NPF_{AC093F81-04F0-4B51-9137-18E7B8376782} (Ethernet 2)

Let's say that your original 4. (Npcap Loopback Adapter) is broken, so we are going to use 2. (Wi-Fi) as the new Npcap Loopback Adapter. Copy out its GUID name:

\Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9}

2) Remove the "NPF_" in the above string, so it should be:

\Device\{385F30D0-9166-45D3-BBC6-F1D9C5300AF9}

Copy it to two places in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Npcap\LoopbackAdapter

(the 2nd registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Npcap\LoopbackAdapter if you are using a 32-bit OS)

3) Restart the driver, by running two commands in CMD:

net stop npcap
net start npcap

4) Now, the "Wi-Fi" adapter should be gone and the new "Npcap Loopback Adapter" is generated. Capture with it.

Cheers,
Yang

On Sun, Oct 2, 2016 at 11:42 PM, Mike . <dmciscobgp () hotmail com> wrote:

My current adapter, after identifying, gives me this in my systray---44fac. How did it retrieve that? Apparently, that is what the "identifying" portion is looking for. Does anyone else's ISP do this or just mine? And now, how do I take my current WORKING adapter and turn it into the "NPCAP adapter"?

------------------------------
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Sent: Sunday, October 2, 2016 3:24 PM
To: Mike .
Cc: nmap-group
Subject: Re: npcap and still the same issues

Hi Mike,

Npcap doesn't count on any MAC or IP on its adapters. It only relies on the miniports. And again: *Npcap does not necessarily rely on the "Microsoft Loopback Adapter"*. "Npcap Loopback Adapter" can be any adapter. Npcap just "borrows" the shell of an adapter. So if your "Microsoft Loopback Adapter" doesn't work out, you can just choose another workable adapter to be the "Npcap Loopback Adapter", like a Bluetooth adapter, or a real physical Ethernet adapter which is not in use. After you specify its GUID in the registry, Npcap will recognize it as "Npcap Loopback Adapter" and let all loopback traffic go through it. The original traffic will be gone. So this whole trick will sacrifice one of your normal adapters.

So the question is very simple: *can you provide any working adapter to be the "Npcap Loopback Adapter"?* If the answer is NO, for example, all your adapters are in the middle of "identifying..", then I must acknowledge that no one could save your machine.

Cheers,
Yang

On Sun, Oct 2, 2016 at 10:09 PM, Mike . <dmciscobgp () hotmail com> wrote:

So I figured I would try out the latest npcap, hoping it would allow me to get past the issues I was having before. NOPE. As I can see it, after looking at the install log and all the files in place, I don't think it is npcap. I think it is just my network/ISP and the way it is set up and configured. I now am almost 100% convinced I have to somehow hard-code the DNS/GATEWAY/ETC to somehow get this to work. Right now it is sitting on an autoconfigured 169 addy and a constant "identifying.." in my systray where my adapter icon sits. As long as it says that, I get nothing. So I just disable it. Does anyone else out there have this "identifying..." issue? I am almost convinced it is sending out or trying to identify its MAC for my ISP?? Not sure but I can't come up with anything else. Until I can get past this, or until npcap can allow hard coding addressing so it can be "seen" by my network-----------------npcap and all its loopback wonder, is useless to me

Mike

(my npcap adapter does say 46 packets sent, if that is anything to anyone)

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
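The four-step "borrow an adapter" procedure from Yang's message, scripted as an added example that is not Npcap's own code: it assumes dumpcap.exe (Wireshark) is on PATH, treats LoopbackAdapter as a REG_SZ value under the two registry keys the thread names, and supports -WhatIf so the registry change can be previewed before the adapter gives up its normal traffic.

```powershell
#Requires -RunAsAdministrator
# Added example, not Npcap's own code: automate the "borrow an adapter" trick
# from the thread.  Assumes dumpcap.exe (Wireshark) is on PATH and that
# LoopbackAdapter is a REG_SZ value under the two keys named in the thread.
[CmdletBinding(SupportsShouldProcess)]
param([Parameter(Mandatory)][string]$AdapterName)   # friendly name, e.g. "Wi-Fi"

# Step 1: locate the adapter in "dumpcap -D" output, which looks like
#   2. \Device\NPF_{385F30D0-9166-45D3-BBC6-F1D9C5300AF9} (Wi-Fi)
$pattern = '^\s*\d+\.\s+(?<dev>\\Device\\NPF_\{[0-9A-Fa-f-]{36}\})\s+\((?<name>[^)]+)\)\s*$'
$hit = @(& dumpcap -D 2>$null | Where-Object { $_ -match $pattern -and $Matches.name -eq $AdapterName })
if ($hit.Count -ne 1) { throw "dumpcap -D lists $($hit.Count) adapter(s) named '$AdapterName'" }
$null = $hit[0] -match $pattern

# Step 2: drop the "NPF_" prefix; \Device\{GUID} is the value the driver reads.
$loopbackDevice = $Matches.dev -replace 'NPF_', ''
if ($loopbackDevice -notmatch '^\\Device\\\{[0-9A-Fa-f-]{36}\}$') { throw "Unexpected device name: $loopbackDevice" }

$serviceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\npcap'
# 64-bit Windows keeps the Npcap software key under WOW6432Node; 32-bit does not.
$softwareKey = if ([Environment]::Is64BitOperatingSystem) { 'HKLM:\SOFTWARE\WOW6432Node\Npcap' } else { 'HKLM:\SOFTWARE\Npcap' }

foreach ($key in $serviceKey, $softwareKey) {
    if (-not (Test-Path $key)) { throw "Registry key $key is missing; is Npcap installed?" }
    # Record the old value so the change can be reverted by hand if needed.
    $old = (Get-ItemProperty -Path $key -Name LoopbackAdapter -ErrorAction SilentlyContinue).LoopbackAdapter
    if ($PSCmdlet.ShouldProcess("$key\LoopbackAdapter", "set to $loopbackDevice (was '$old')")) {
        Set-ItemProperty -Path $key -Name LoopbackAdapter -Value $loopbackDevice -Type String
    }
}

# Step 3: restart the driver, exactly as the thread does, so it re-reads the registry.
if ($PSCmdlet.ShouldProcess('npcap service', 'restart')) {
    & net stop npcap  | Out-Null
    & net start npcap | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net start npcap failed with exit code $LASTEXITCODE" }

    # Step 4: the borrowed adapter should now be listed as "Npcap Loopback Adapter".
    $after = @(& dumpcap -D 2>$null)
    if ($after -match 'Npcap Loopback Adapter') { $after -match 'Npcap Loopback Adapter' }
    else { Write-Warning 'No "Npcap Loopback Adapter" listed after restart; check DiagReport.txt' }
}
```

Run it first with `-WhatIf` to see which two registry values would change, then attach the DiagReport the thread asks for if the adapter still does not appear.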