Nmap Development mailing list archives
Re: npcap crash win10(14267) when send package to an disabled eth with ATTEMPED_EXECUTE_OF_NOEXECUTE_MEMORY or SYSTEM_SERVICE_EXCEPTION(ndis.sys)
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Fri, 26 Feb 2016 14:51:26 +0800
Hi yyjdelete,
Thanks for the report first! Currently I have only analyzed the 3 dump files
you attached. Haven't tried to reproduce this issue yet. But I have some
questions.
The 1st 022616-53187-01.dmp result is as below:
It seems that this BSoD was caused by liebaonat64.sys, a LWF driver
from 猎豹免费WiFi. In fact, Npcap is also a LWF driver. I don't know if this
BSoD is merely because of 猎豹免费WiFi, or the coexisting problem with Npcap.
Sometimes LWF drivers do conflict with each other. So I suggest you
uninstall the product named 猎豹免费WiFi before you test with Npcap.
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffaf06162c85b0, Virtual address for the attempted execute.
Arg2: 80000001432009e3, PTE contents.
Arg3: ffffc28005c7b140, (reserved)
Arg4: 0000000000000003, (reserved)
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 14267.1000.amd64fre.rs1_release.160213-0213
DUMP_TYPE: 2
BUGCHECK_P1: ffffaf06162c85b0
BUGCHECK_P2: 80000001432009e3
BUGCHECK_P3: ffffc28005c7b140
BUGCHECK_P4: 3
CPU_COUNT: 4
CPU_MHZ: c79
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xFC
PROCESS_NAME: EapolLogin.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: AKISN0W-PC
ANALYSIS_SESSION_TIME: 02-26-2016 12:32:34.0528
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
TRAP_FRAME: ffffc28005c7b140 -- (.trap 0xffffc28005c7b140)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffaf06162c85b0 rbx=0000000000000000 rcx=ffffaf0624004000
rdx=ffffaf061a4fa580 rsi=0000000000000000 rdi=0000000000000000
rip=ffffaf06162c85b0 rsp=ffffc28005c7b2d8 rbp=ffffc28005c7b349
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
ffffaf06`162c85b0 0501900300 add eax,39001h
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff803241eb311 to fffff8032415d240
STACK_TEXT:
ffffc280`05c7aed8 fffff803`241eb311 : 00000000`000000fc ffffaf06`162c85b0
80000001`432009e3 ffffc280`05c7b140 : nt!KeBugCheckEx
ffffc280`05c7aee0 fffff803`24197765 : ffffc280`05c7b0c8 00000000`00000011
ffffaf06`162c85b0 00000000`00000000 : nt!MiCheckSystemNxFault+0x69
ffffc280`05c7af20 fffff803`24055957 : 00000980`00000000 ffffc280`05c7b070
00000000`00000011 fffff80f`7ca682de : nt! ?? ::FNODOBFM::`string'+0x2b405
ffffc280`05c7af70 fffff803`241668fc : 00000000`00000001 00000201`00000000
00000000`00000000 fffff80f`7d4734c4 : nt!MmAccessFault+0x137
ffffc280`05c7b140 ffffaf06`162c85b0 : fffff80f`7ca6170b ffffaf06`19662080
ffffc280`05c7b6ec 00000000`00000001 : nt!KiPageFault+0x13c
ffffc280`05c7b2d8 fffff80f`7ca6170b : ffffaf06`19662080 ffffc280`05c7b6ec
00000000`00000001 ffffc280`05c7b6f0 : 0xffffaf06`162c85b0
ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 fffff80f`7ca70c02
00000000`00000000 ffffaf06`1a4fa500 :
ndis!ndisMSendCompleteNetBufferListsInternal+0x13b
ffffc280`05c7b3b0 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000
ffffaf06`1a4fa580 fffff803`2404e92c :
ndis!ndisInvokeNextSendCompleteHandler+0x4a
ffffc280`05c7b490 fffff80f`7d4f2703 : 000000a7`800ab2d3 00000000`00000000
ffffaf06`1521f550 00000000`00000000 :
ndis!NdisFSendNetBufferListsComplete+0x1f8a8
ffffc280`05c7b510 fffff80f`7ca7f8de : fffff80f`7d4b53b8 ffffaf06`1521f550
00000002`00000000 ffffaf06`19662080 :
pacer!PcFilterSendNetBufferListsComplete+0x7f3
ffffc280`05c7b780 fffff803`240c0b15 : ffffc280`05c7b8e9 ffffc280`05c7b8d0
ffffaf06`1a4fa580 fffff80f`7d3a6b11 :
ndis!ndisDataPathExpandStackCallback+0x3e
ffffc280`05c7b7d0 fffff80f`7ca72cc1 : ffffaf06`1a4fa580 ffffaf06`0e086a60
ffffaf06`162c85b0 00000000`00000001 :
nt!KeExpandKernelStackAndCalloutInternal+0x85
ffffc280`05c7b820 fffff80f`7ca70e31 : ffffaf06`1521f550 fffff80f`7ca6ed14
00000000`00000001 fffff80f`7d3a80e2 : ndis!ndisExpandStack+0x19
ffffc280`05c7b860 fffff80f`7ca8d1f8 : 00000000`00000000 00000000`00000000
ffffaf06`1a4fa580 00000000`00000002 :
ndis!ndisInvokeNextSendCompleteHandler+0x131
ffffc280`05c7b940 fffff80f`7d472326 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 :
ndis!NdisFSendNetBufferListsComplete+0x1f8a8
ffffc280`05c7b9c0 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 ffffc280`05c7bb40 : liebaonat64+0x2326
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: b89ff1e6e8deed938c2205c7eb357ea90ab3d631
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 817eb332e7333a1e17472167496047c5f0f112cf
THREAD_SHA1_HASH_MOD: b1e13271be08c5ceb3e69961f060ecbebf6f698c
FOLLOWUP_IP:
pacer!PcFilterSendNetBufferListsComplete+7f3
fffff80f`7d4f2703 e9d5fbffff jmp
pacer!PcFilterSendNetBufferListsComplete+0x3cd (fffff80f`7d4f22dd)
FAULT_INSTR_CODE: fffbd5e9
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: pacer!PcFilterSendNetBufferListsComplete+7f3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pacer
IMAGE_NAME: pacer.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56bf284a
IMAGE_VERSION: 10.0.14267.1000
BUCKET_ID_FUNC_OFFSET: 7f3
FAILURE_BUCKET_ID: 0xFC_pacer!PcFilterSendNetBufferListsComplete
BUCKET_ID: 0xFC_pacer!PcFilterSendNetBufferListsComplete
PRIMARY_PROBLEM_CLASS: 0xFC_pacer!PcFilterSendNetBufferListsComplete
TARGET_TIME: 2016-02-26T02:07:14.000Z
OSBUILD: 14267
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-13 20:56:11
BUILDDATESTAMP_STR: 160213-0213
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14267.1000.amd64fre.rs1_release.160213-0213
ANALYSIS_SESSION_ELAPSED_TIME: dd56
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xfc_pacer!pcfiltersendnetbufferlistscomplete
FAILURE_ID_HASH: {58376b4a-2e7b-a663-6625-e3b6176db5e4}
Followup: MachineOwner
The 2nd 022616-50812-01.dmp result is as below: (the
3rd 022616-50296-01.dmp result is the same as the 2nd, so I won't post
the 3rd result here)
This BSoD is caused by the Npcap driver. WinDbg points the error to
numSentPackets ++;
numSentPackets is a variable used when sending packets multiple times.
The number of repetitions is controlled by the user software through the
BIOCSWRITEREP IOCTL call. Do you specify Npcap in this way to send packets
multiple times?
Also something I wanna ask: is your adapter a "Npcap Loopback Adapter",
or specified as a "Send-To-Rx" adapter? Or just an ordinary physical Ethernet
adapter?
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80745e9de30, Address of the instruction which caused the bugcheck
Arg3: ffffa38002702de0, Address of the context record for the exception
that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for npf.sys
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 14267.1000.amd64fre.rs1_release.160213-0213
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: OptiPlex 7010
SYSTEM_SKU: OptiPlex 7010
SYSTEM_VERSION: 01
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A14
BIOS_DATE: 06/10/2013
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 09PR9H
BASEBOARD_VERSION: A01
DUMP_TYPE: 2
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80745e9de30
BUGCHECK_P3: ffffa38002702de0
BUGCHECK_P4: 0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced
memory at 0x%p. The memory could not be %s.
FAULTING_IP:
ndis!NdisFSendNetBufferLists+c0
fffff807`45e9de30 4c8b5818 mov r11,qword ptr [rax+18h]
CONTEXT: ffffa38002702de0 -- (.cxr 0xffffa38002702de0)
rax=6b49534e02130018 rbx=6b49534e02130019 rcx=0000000000000001
rdx=0000000000000000 rsi=ffffd50728240030 rdi=ffffd5072c4ac8d0
rip=fffff80745e9de30 rsp=ffffa380027037e0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000060001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010206
ndis!NdisFSendNetBufferLists+0xc0:
fffff807`45e9de30 4c8b5818 mov r11,qword ptr [rax+18h]
ds:002b:6b49534e`02130030=????????????????
Resetting default scope
CPU_COUNT: 4
CPU_MHZ: c79
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 1B'00000000 (cache) 1B'00000000
(init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: EapolLogin.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: AKISN0W-PC
ANALYSIS_SESSION_TIME: 02-26-2016 13:42:06.0762
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
LAST_CONTROL_TRANSFER: from fffff807476f67f8 to fffff80745e9de30
STACK_TEXT:
ffffa380`027037e0 fffff807`476f67f8 : 00000000`00000000 00000000`00000000
00000000`00000001 ffffd507`3a613570 : ndis!NdisFSendNetBufferLists+0xc0
ffffa380`02703860 fffff803`8c698c05 : ffffd507`3a6134a0 00000000`00000000
00000000`00000001 fffff680`00003140 : npf!NPF_Write+0x214
[j:\npcap\packetwin7\npf\npf\write.c @ 324]
ffffa380`027038d0 fffff803`8c69840a : ffffd507`39edba60 ffffd507`3a6134a0
ffffd507`2871aef0 ffffa380`02703b80 : nt!IopSynchronousServiceTail+0x1a5
ffffa380`02703990 fffff803`8c3d2f83 : ffff8208`1164b160 00000000`00000000
00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x67a
ffffa380`02703a90 00007fff`94c21034 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0014e248 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : 0x00007fff`94c21034
THREAD_SHA1_HASH_MOD_FUNC: 8de63a100febe6f9f89153a5a9abc9ba86d452de
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c12fe9b8d789ae102dec8036452ef91cdcd180b3
THREAD_SHA1_HASH_MOD: bccfea03237cfde6486a55b63bb95e3341833378
FOLLOWUP_IP:
npf!NPF_Write+214 [j:\npcap\packetwin7\npf\npf\write.c @ 324]
fffff807`476f67f8 8b6c2478 mov ebp,dword ptr [rsp+78h]
FAULT_INSTR_CODE: 78246c8b
FAULTING_SOURCE_LINE: j:\npcap\packetwin7\npf\npf\write.c
FAULTING_SOURCE_FILE: j:\npcap\packetwin7\npf\npf\write.c
FAULTING_SOURCE_LINE_NUMBER: 324
FAULTING_SOURCE_CODE:
320: NDIS_DEFAULT_PORT_NUMBER,
321: SendFlags);
322: }
323:
324: numSentPackets ++;
325: }
326: else
327: {
328: //
329: // no packets are available in the Transmit pool, wait some time.
The
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: npf!NPF_Write+214
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npf
IMAGE_NAME: npf.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56c2d58e
STACK_COMMAND: .cxr 0xffffa38002702de0 ; kb
BUCKET_ID_FUNC_OFFSET: 214
FAILURE_BUCKET_ID: 0x3B_npf!NPF_Write
BUCKET_ID: 0x3B_npf!NPF_Write
PRIMARY_PROBLEM_CLASS: 0x3B_npf!NPF_Write
TARGET_TIME: 2016-02-26T02:30:30.000Z
OSBUILD: 14267
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-13 20:56:11
BUILDDATESTAMP_STR: 160213-0213
BUILDLAB_STR: rs1_release
BUILDOSVER_STR: 10.0.14267.1000.amd64fre.rs1_release.160213-0213
ANALYSIS_SESSION_ELAPSED_TIME: 127c9
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x3b_npf!npf_write
FAILURE_ID_HASH: {2eb5e15e-9853-313b-618d-2ac277a2bfb5}
Followup: MachineOwner
On Fri, Feb 26, 2016 at 11:23 AM, yyjdelete () 126 com <yyjdelete () 126 com>
wrote:
Step:
1. Get the eth list
2. disable an eth (you can also disable and reenable it)
3. send pkg to the eth
4. see bluescreen with ATTEMPED_EXECUTE_OF_NOEXECUTE_MEMORY or SYSTEM_SERVICE_EXCEPTION(ndis.sys)

I'm a C# programmer and use SharpPcap.4.2.0 to wrap npcap, so I'm not sure what it actually does, maybe a call to pcap_sendpacket.
PS: The capture doesn't stop after disabling the eth as it did before (can't remember the version).
Sorry for my poor English, ask me if more info is needed.
----
Test Environment:
npcap-nmap-0.05-r13
Win10(14267)
----
I'm not sure if it's a bug of npcap or win10, since 14267 is an insider preview version.
Could someone test on other versions of Windows?
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
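The stack-reading step used in the reply above (checking which filter drivers sit on the faulting stack), as an added example that is not part of the original message or of Npcap: a Python sketch that unwraps STACK_TEXT from mail-wrapped `!analyze -v` output and lists modules outside an assumed in-box set. The names `triage`, `module_of` and the contents of `INBOX` are assumptions made for illustration.

```python
import re

# Assumption for this sketch: modules treated as in-box Windows components.
INBOX = {"nt", "ndis", "pacer"}

H = r"[0-9a-f]{8}`[0-9a-f]{8}"   # WinDbg 64-bit value, e.g. ffffc280`05c7aed8
BUGCHECK = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)\s*$", re.M)
SECTION = re.compile(r"STACK_TEXT:\s*(.*?)(?=^[A-Z][A-Z0-9_]+:|\Z)", re.S | re.M)
# child-SP, return address, four args, then the symbol up to the next frame.
FRAME = re.compile("(%s) (%s) : %s : (.+?)(?= %s %s : |$)"
                   % (H, H, " ".join([H] * 4), H, H))

def module_of(symbol):
    """Return the module name, or None for a raw address outside any module."""
    sym = symbol.split(" [")[0]          # drop "[file @ line]" source annotation
    if sym.startswith("0x"):
        return None
    return re.split(r"[!+]", sym, maxsplit=1)[0]

def triage(text):
    name, code = BUGCHECK.search(text).groups()
    # Mail clients wrap each frame over 2-3 lines; collapse whitespace first.
    stack = " ".join(SECTION.search(text).group(1).split())
    modules = [module_of(m.group(3)) for m in FRAME.finditer(stack)]
    third_party = []
    for mod in modules:
        if mod and mod not in INBOX and mod not in third_party:
            third_party.append(mod)
    return {"bugcheck": name, "code": int(code, 16), "modules": modules,
            "third_party": third_party, "raw_frames": modules.count(None)}

# Abridged from the first dump in this message (four of its frames).
SAMPLE = r"""
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
STACK_TEXT:
ffffc280`05c7aed8 fffff803`241eb311 : 00000000`000000fc ffffaf06`162c85b0
80000001`432009e3 ffffc280`05c7b140 : nt!KeBugCheckEx
ffffc280`05c7b2d8 fffff80f`7ca6170b : ffffaf06`19662080 ffffc280`05c7b6ec
00000000`00000001 ffffc280`05c7b6f0 : 0xffffaf06`162c85b0
ffffc280`05c7b2e0 fffff80f`7ca70d4a : ffffaf06`0f65c100 fffff80f`7ca70c02
00000000`00000000 ffffaf06`1a4fa500 :
ndis!ndisMSendCompleteNetBufferListsInternal+0x13b
ffffc280`05c7b9c0 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 ffffc280`05c7bb40 : liebaonat64+0x2326
STACK_COMMAND: kb
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A frame with no module (`raw_frames`) is a return into memory that belongs to no loaded image, which is what the 0xFC bugcheck in the first dump reports.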
