BSOD BAD_POOL_CALLER Windows 10 / ESET Internet Security 11

[ValdikSS]

GoodbyeDPI user reported crash with WinDivert 1.3 (MinGW) and ESET Internet Security 11 on Windows 10 x64 Pro.
See here: ValdikSS/GoodbyeDPI#74

[basil00]

This looks very similar to the Avast BSOD (#110), i.e., BAD_POOL_CALLER, caused by Avast's "unusual" driver design. However, WinDivert versions 1.3 and 1.4 should not be affected, so the ESET issue is probably a different issue. It should be reported to the ESET devs.

[basil00]

From ValdikSS/GoodbyeDPI/issues/74 it appears the issue might be resolved. Presumably it was fixed by the latest update of ESET Internet Security?

Issue #129 was caused by a bug in third-party a driver named ipeaklwf.sys, so is probably not related to this issue.

[basil00]

Closing this issue since there are no more updates and the user reported that the problem had resolved itself.

[ValdikSS]

I managed to reproduce this issue (or a very similar one) with WinDivert 1.4.3 passthru.exe and latest ESET Antivirus 11.2.49.0 on Windows 10 x64 Enterprise 1803.

The incompatibility is introduced by ESET "HTTPS Scanner" (Setup → Advanced setup → Web and email → Web access protection → Web protocols → Enable HTTPS checking; enabled by default)
With GoodbyeDPI it works fine until you go to ebay.com and try to login, with passthru.exe it instantly crashes when you open the browser.

Passthru.exe is started with the following command: passthru.exe tcp 1
Please reopen this ticket.

[ValdikSS]

Here you can find minidumps and a screenshot:
ValdikSS/GoodbyeDPI#91

[ValdikSS]

@basil00
WinDivert64.sys is from 1.4.3 -A package.

Microsoft (R) Windows Debugger Version 10.0.17134.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 17134 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff801`3d401000 PsLoadedModuleList = 0xfffff801`3d7bc1f0
Debug session time: Sun Jul 29 20:35:53.547 2018 (UTC + 3:00)
System Uptime: 0 days 0:02:03.653
Loading Kernel Symbols
...............................................................
........Page 1027bf not present in the dump file. Type ".hh dbgerr004" for details
............Page 101e6a not present in the dump file. Type ".hh dbgerr004" for details
............................................
...........................................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C4, {2002, fffff8013bd223ee, 10, 0}

*** ERROR: Module load completed but symbols could not be loaded for WinDivert64.sys
Probably caused by : WinDivert64.sys ( WinDivert64+23ee )

Followup:     MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002002, Code Integrity Issue: The caller specified an executable MDL mapping. (Expected: MdlMappingNoExecute)
Arg2: fffff8013bd223ee, The address in the driver's code where the error was detected.
Arg3: 0000000000000010, Page Priority (MM_PAGE_PRIORITY logically OR'd with MdlMapping*).
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1


TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  4286CTO

SYSTEM_VERSION:  ThinkPad X220

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  8DET76WW (1.46 )

BIOS_DATE:  06/21/2018

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  4286CTO

BASEBOARD_VERSION:  Not Available

DUMP_TYPE:  1

BUGCHECK_P1: 2002

BUGCHECK_P2: fffff8013bd223ee

BUGCHECK_P3: 10

BUGCHECK_P4: 0

BUGCHECK_STR:  0xc4_2002

CPU_COUNT: 4

CPU_MHZ: 8f5

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: 2E'00000000 (cache) 2E'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  DESKTOP-OLDFVEK

ANALYSIS_SESSION_TIME:  07-29-2018 20:39:08.0079

ANALYSIS_VERSION: 10.0.17134.1 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8013dc2d483 to fffff8013d599560

STACK_TEXT:  
fffffa06`2bfee858 fffff801`3dc2d483 : 00000000`000000c4 00000000`00002002 fffff801`3bd223ee 00000000`00000010 : nt!KeBugCheckEx
fffffa06`2bfee860 fffff801`3d6b64cb : fffff801`3d7ac164 00000000`00002002 fffff801`3bd223ee 00000000`00000010 : nt!VerifierBugCheckIfAppropriate+0xdf
fffffa06`2bfee8a0 fffff801`3dc252d0 : 00000000`00000010 00000000`00000010 fffff801`3d7ac164 00000000`00000000 : nt!VfReportIssueWithOptions+0x103
fffffa06`2bfee8f0 fffff801`3dc41b93 : ffff8003`0ead6990 00007ffc`f1e92198 00000000`000002dc fffff801`3dc366b5 : nt!VfCheckPagePriority+0x70
fffffa06`2bfee930 fffff801`3bd223ee : fffffb0d`4711cfb0 00000000`000002dc 00007ffc`f1e92198 00000000`00000000 : nt!VerifierMmMapLockedPagesSpecifyCache+0x43
fffffa06`2bfee980 fffff801`3bd2261d : fffffb0d`4711cfb0 00000000`000002dc ffff8003`0ead6990 ffff8003`0af31900 : WinDivert64+0x23ee
fffffa06`2bfee9c0 fffff801`3bd23ca9 : 00007ffc`f1e92198 00000000`000002c5 ffff8003`0af31920 fffffb0d`4711cfb0 : WinDivert64+0x261d
fffffa06`2bfeea20 fffff803`3336863a : ffff8003`0e3aff00 ffff8003`0cd4d720 ffff8003`0d120080 00000000`0000000a : WinDivert64+0x3ca9
fffffa06`2bfeea90 fffff803`3336a619 : fffff801`3d877200 ffff8003`0e3aff00 00000000`00000000 00000000`00000100 : Wdf01000!FxWorkItem::WorkItemHandler+0x7e [minkernel\wdf\framework\shared\core\fxworkitem.cpp @ 374] 
fffffa06`2bfeead0 fffff801`3d4963fc : fffffb0d`46e00fa0 fffffb0d`46e00fa0 ffff8003`0cd4d720 00000000`0000000a : Wdf01000!FxWorkItem::WorkItemThunk+0x29 [minkernel\wdf\framework\shared\core\fxworkitem.cpp @ 439] 
fffffa06`2bfeeb10 fffff801`3d443455 : 00000000`00000100 ffff8003`095d8040 fffff801`3d4962d0 00000000`0000000a : nt!IopProcessWorkItem+0x12c
fffffa06`2bfeeb80 fffff801`3d4e5d87 : ffff8003`095d8040 00000000`00000080 ffff8003`076b9440 ffff8003`095d8040 : nt!ExpWorkerThread+0xf5
fffffa06`2bfeec10 fffff801`3d5a0a06 : ffffb380`aaa80180 ffff8003`095d8040 fffff801`3d4e5d40 00000000`00000000 : nt!PspSystemThreadStartup+0x47
fffffa06`2bfeec60 00000000`00000000 : fffffa06`2bfef000 fffffa06`2bfe9000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


THREAD_SHA1_HASH_MOD_FUNC:  788d3c00931c4b7885f6eaa3194c36f2efc4ec2e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e924ce9ee44300820226e0faaf030293f08419bb

THREAD_SHA1_HASH_MOD:  cb5410c05fa288cdc1caf7b181df6c0bd33fcf6c

FOLLOWUP_IP: 
WinDivert64+23ee
fffff801`3bd223ee 488b4c2450      mov     rcx,qword ptr [rsp+50h]

FAULT_INSTR_CODE:  244c8b48

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  WinDivert64+23ee

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WinDivert64

IMAGE_NAME:  WinDivert64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5a5de415

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  23ee

FAILURE_BUCKET_ID:  0xc4_2002_VRF_WinDivert64!unknown_function

BUCKET_ID:  0xc4_2002_VRF_WinDivert64!unknown_function

PRIMARY_PROBLEM_CLASS:  0xc4_2002_VRF_WinDivert64!unknown_function

TARGET_TIME:  2018-07-29T17:35:53.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-07-14 06:53:27

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  1c20

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc4_2002_vrf_windivert64!unknown_function

FAILURE_ID_HASH:  {2275aae8-9a94-c1ec-a665-95a8d846e315}

Followup:     MachineOwner
---------

3: kd> !verifier

Verify Flags Level 0x03afefbf

  STANDARD FLAGS:
    [X] (0x00000000) Automatic Checks
    [X] (0x00000001) Special pool
    [X] (0x00000002) Force IRQL checking
    [X] (0x00000008) Pool tracking
    [X] (0x00000010) I/O verification
    [X] (0x00000020) Deadlock detection
    [X] (0x00000080) DMA checking
    [X] (0x00000100) Security checks
    [X] (0x00000800) Miscellaneous checks
    [X] (0x00020000) DDI compliance checking

  ADDITIONAL FLAGS:
    [X] (0x00000004) Randomized low resources simulation
    [X] (0x00000200) Force pending I/O requests
    [X] (0x00000400) IRP logging
    [X] (0x00002000) Invariant MDL checking for stack
    [X] (0x00004000) Invariant MDL checking for driver
    [X] (0x00008000) Power framework delay fuzzing
    [X] (0x00010000) Port/miniport interface checking
    [X] (0x00040000) Systematic low resources simulation
    [X] (0x00080000) DDI compliance checking (additional)
    [X] (0x00200000) NDIS/WIFI verification
    [X] (0x00800000) Kernel synchronization delay fuzzing
    [X] (0x01000000) VM switch verification
    [X] (0x02000000) Code integrity checks

    [X] Indicates flag is enabled


Summary of All Verifier Statistics

  RaiseIrqls           0xd4a7
  AcquireSpinLocks     0x1368e
  Synch Executions     0x2e3c
  Trims                0x23c2

  Pool Allocations Attempted             0x85106
  Pool Allocations Succeeded             0x85106
  Pool Allocations Succeeded SpecialPool 0x85106
  Pool Allocations With NO TAG           0x0
  Pool Allocations Failed                0x0

  Current paged pool allocations         0xed for 0000588A bytes
  Peak paged pool allocations            0xf1 for 0000648A bytes
  Current nonpaged pool allocations      0x353a for 00BA6754 bytes
  Peak nonpaged pool allocations         0x353b for 011ABF2A bytes

  Execute pool type count                0x0
  Execute page protection count          0x0
  Execute page mapping count             0x0
  Execute-Write section count            0x0
  Section alignment failures             0x0
  IAT Executable Section failures:       0x0

[TechnikEmpire]

@ValdikSS any chance re-running that analysis with the pdb file for WinDivert64.sys placed next to WinDivert64.sys so the debugger can fully resolve the symbols?

[ValdikSS]

@TechnikEmpire Where can I find it? It's not inside the archive and not on the website. I understand that it's not very useful without function names.

[TechnikEmpire]

@ValdikSS I'll see if the people who sign variant B have their pdb files for the sys kicking around. They are required for the windows portal signing process, not sure how/why they don't wind up in the release packages.

[ValdikSS]

@basil00, Website source code for 1.4.3 is linked to 1.4.2 source code archive.

[ValdikSS]

Microsoft (R) Windows Debugger Version 10.0.17134.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 17134 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff801`6b8a9000 PsLoadedModuleList = 0xfffff801`6bc641f0
Debug session time: Sun Jul 29 22:33:45.822 2018 (UTC + 3:00)
System Uptime: 0 days 0:08:18.674
Loading Kernel Symbols
...............................................................
........Page 1008a6 not present in the dump file. Type ".hh dbgerr004" for details
............Page 101c9d not present in the dump file. Type ".hh dbgerr004" for details
............................................
...........................................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffff80000003, fffff8016ba49208, ffff8300b75e74a8, ffff8300b75e6cf0}

Probably caused by : WinDivert64.sys ( WinDivert64!windivert_read_service_request+7b )

Followup:     MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffff80000003, The exception code that was not handled
Arg2: fffff8016ba49208, The address that the exception occurred at
Arg3: ffff8300b75e74a8, Exception Record Address
Arg4: ffff8300b75e6cf0, Context Record Address

Debugging Details:
------------------


KEY_VALUES_STRING: 1


TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  4286CTO

SYSTEM_VERSION:  ThinkPad X220

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  8DET76WW (1.46 )

BIOS_DATE:  06/21/2018

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  4286CTO

BASEBOARD_VERSION:  Not Available

DUMP_TYPE:  1

BUGCHECK_P1: ffffffff80000003

BUGCHECK_P2: fffff8016ba49208

BUGCHECK_P3: ffff8300b75e74a8

BUGCHECK_P4: ffff8300b75e6cf0

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP: 
nt!DebugPrompt+18
fffff801`6ba49208 c3              ret

EXCEPTION_RECORD:  ffff8300b75e74a8 -- (.exr 0xffff8300b75e74a8)
ExceptionAddress: fffff8016ba49208 (nt!DebugPrompt+0x0000000000000018)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000002

CONTEXT:  ffff8300b75e6cf0 -- (.cxr 0xffff8300b75e6cf0)
rax=0000000000000002 rbx=fffff8016bc54164 rcx=fffff8016ba55f80
rdx=ffff8300b75e0031 rsi=fffff8016aed3c6b rdi=0000000000000010
rip=fffff8016ba49207 rsp=ffff8300b75e76e8 rbp=0000000000002002
 r8=ffff8300b75e77b8  r9=0000000000000002 r10=ffff8300b75e7550
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=00000000000000c4 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
nt!DebugPrompt+0x17:
fffff801`6ba49207 cc              int     3
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: 8f5

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: 2E'00000000 (cache) 2E'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  0000000000000002

ANALYSIS_SESSION_HOST:  DESKTOP-OLDFVEK

ANALYSIS_SESSION_TIME:  07-29-2018 22:38:48.0958

ANALYSIS_VERSION: 10.0.17134.1 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8016bb39b75 to fffff8016ba49207

STACK_TEXT:  
ffff8300`b75e76e8 fffff801`6bb39b75 : 00000000`00002002 fffff801`6bb5d122 fffff801`6bc54164 fffff801`6aed3c6b : nt!DebugPrompt+0x17
ffff8300`b75e76f0 fffff801`6bb5e462 : fffff801`6ba55fc0 00000000`00002001 fffff801`6aed3c6b 00000000`00000010 : nt!DbgPrompt+0x35
ffff8300`b75e7740 fffff801`6c0cd2d0 : 00000000`00000010 00000000`00000010 fffff801`6bc54164 ffff8300`b75e7868 : nt!VfReportIssueWithOptions+0x9a
ffff8300`b75e7790 fffff801`6c0e9b93 : ffffc304`2a59b9e0 ffffc304`258a1080 00000000`00000000 fffff801`6aed1915 : nt!VfCheckPagePriority+0x70
ffff8300`b75e77d0 fffff801`6aed3c6b : ffffc304`270ae620 ffffc304`25868af0 ffffc304`258a1080 ffff8300`b75e7938 : nt!VerifierMmMapLockedPagesSpecifyCache+0x43
ffff8300`b75e7820 fffff801`6aed4214 : fffff18e`772cafb0 00003cfb`da792198 00000000`00222960 00000000`00000005 : WinDivert64!windivert_read_service_request+0x7b [c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c @ 1421] 
ffff8300`b75e78c0 fffff801`6aed6b51 : ffffc304`25869320 fffff18e`772cafb0 00000000`00222960 fffff801`6c0de6b5 : WinDivert64!windivert_read_service+0x1c4 [c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c @ 1534] 
ffff8300`b75e7990 fffff801`6aed64f1 : ffffc304`25869320 fffff18e`772cafb0 00000000`00000000 00000000`00000000 : WinDivert64!windivert_queue_packet+0x2a1 [c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c @ 2722] 
ffff8300`b75e7a20 fffff801`dee2863a : 00003cfb`d8f519d8 00000000`00000246 ffff8300`b75e7ab0 00000000`0000000c : WinDivert64!windivert_worker+0xc1 [c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c @ 2553] 
ffff8300`b75e7a90 fffff801`dee2a619 : fffff801`6bd1f200 ffffc304`270ae620 00000000`00000000 00000000`00000000 : Wdf01000!FxWorkItem::WorkItemHandler+0x7e [minkernel\wdf\framework\shared\core\fxworkitem.cpp @ 374] 
ffff8300`b75e7ad0 fffff801`6b93e3fc : fffff18e`78e88fa0 fffff18e`78e88fa0 ffffc304`25868af0 00000000`0000000c : Wdf01000!FxWorkItem::WorkItemThunk+0x29 [minkernel\wdf\framework\shared\core\fxworkitem.cpp @ 439] 
ffff8300`b75e7b10 fffff801`6b8eb455 : 00000000`00000000 ffffc304`25c08040 fffff801`6b93e2d0 00000000`0000000c : nt!IopProcessWorkItem+0x12c
ffff8300`b75e7b80 fffff801`6b98dd87 : ffffc304`25c08040 00000000`00000080 ffffc304`234b9440 ffffc304`25c08040 : nt!ExpWorkerThread+0xf5
ffff8300`b75e7c10 fffff801`6ba48a06 : fffff801`6a841180 ffffc304`25c08040 fffff801`6b98dd40 00000000`00000000 : nt!PspSystemThreadStartup+0x47
ffff8300`b75e7c60 00000000`00000000 : ffff8300`b75e8000 ffff8300`b75e2000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


THREAD_SHA1_HASH_MOD_FUNC:  ce95abe82ad602baa5704fa75049332f4f95bf5e

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  d16386f02fa6e7944d1c43d791739865c0f5979e

THREAD_SHA1_HASH_MOD:  cdf003336fad37e33f57ad8d6080843b560f3770

FOLLOWUP_IP: 
WinDivert64!windivert_read_service_request+7b [c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c @ 1421]
fffff801`6aed3c6b 4889442468      mov     qword ptr [rsp+68h],rax

FAULT_INSTR_CODE:  24448948

FAULTING_SOURCE_LINE:  c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c

FAULTING_SOURCE_FILE:  c:\users\xxx\desktop\windivert-1.4.3-source\sys\windivert.c

FAULTING_SOURCE_LINE_NUMBER:  1421

FAULTING_SOURCE_CODE:  
  1417:     {
  1418:         DEBUG_ERROR("failed to retrieve output MDL", status);
  1419:         goto windivert_read_service_request_exit;
  1420:     }
> 1421:     dst = MmGetSystemAddressForMdlSafe(dst_mdl, NormalPagePriority);
  1422:     if (dst == NULL)
  1423:     {
  1424:         status = STATUS_INSUFFICIENT_RESOURCES;
  1425:         DEBUG_ERROR("failed to get address of output MDL", status);
  1426:         goto windivert_read_service_request_exit;


SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  WinDivert64!windivert_read_service_request+7b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WinDivert64

IMAGE_NAME:  WinDivert64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5b5e0ece

STACK_COMMAND:  .cxr 0xffff8300b75e6cf0 ; kb

BUCKET_ID_FUNC_OFFSET:  7b

FAILURE_BUCKET_ID:  AV_VRF_WinDivert64!windivert_read_service_request

BUCKET_ID:  AV_VRF_WinDivert64!windivert_read_service_request

PRIMARY_PROBLEM_CLASS:  AV_VRF_WinDivert64!windivert_read_service_request

TARGET_TIME:  2018-07-29T19:33:45.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-07-14 06:53:27

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  2039

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_vrf_windivert64!windivert_read_service_request

FAILURE_ID_HASH:  {31cd8edd-504a-f738-ddb2-96c2dbfbdf6a}

Followup:     MachineOwner
---------

[TechnikEmpire]

Nice! I wasn't sure if simply compiling from source would yeild a compatible pdb file (since it's from a different compilation).

[ValdikSS]

I used self-signed certificate and testsigning.

[basil00]

It seems that @ValdikSS's two traces are for an unrelated issue. Namely, the "kernel has enabled substantial checking of this driver" and there is an assertion failure regarding MmGetSystemAddressForMdlSafe. For Windows 10, it seems that the driver should pass the MdlMappingNoExecute flag to this macro. I will fix this later.

The ESET+BAD_POOL_CALLER is probably a different issue. Based on experience, such errors are caused by the other driver handling the reference count correctly, meaning that the packet is free'ed prematurely or when in an invalid state, causing crashes. Does the problem affect inbound-only, outbound-only, or both?

Has the problem been reported to ESET?

[ValdikSS]

@basil00,

"kernel has enabled substantial checking of this driver"

That is because I enabled it with Driver Verifier for WinDiver and ESET drivers, I believe. Should I make a dump without it?

Has the problem been reported to ESET?

No, I was waiting for you because the crash is inside WinDivert, not inside ESET drivers (contrary to what was with Avast issue).

[ValdikSS]

Does the problem affect inbound-only, outbound-only, or both?

I tried outbound-only and it crashed. Didn't test inbound-only.

[ValdikSS]

@basil00, just to clarify: the first trace is with Driver Verifier enabled and with WinDivert64.sys from compiled -A package, and the second is (what should be) the same bug with manually compiled WinDivert 1.4.3 with pdb. It seems that Driver Verifier hasn't been activated for the second trace, that's strange. Should I check and make another one with Driver Verifier?

[basil00]

Should I make a dump without it?

Yes, I think you inadvertently found a different issue. Windows is complaining that memory is executable when it shouldn't be, which is a possible security issue. However, it should not be a problem (in terms of functionality) unless driver verifier is enabled.

No, I was waiting for you because the crash is inside WinDivert

It probably doesn't mean much. The the problem appears to be a double/invalid free error, meaning that the heap gets corrupted causing a crash later in unrelated code. I wouldn't rule out a bug in WinDivert either, but it definitely worth investigating at the ESET end.

It seems that Driver Verifier hasn't been activated for the second trace, that's strange.

I assumed it had since it is at the same location, although the bug check is different. I will investigate more closely later.

Just to be clear, with ESET+WinDivert the bug check is always BAD_POOL_CALLER or can it be something else? I will try to reproduce the issue later.

[ValdikSS]

@basil00, you're right, it looks like memory corruption/double free.
Here's a backtrace without Driver Verifier, and now it looks more like I was getting before and what other people have in their minidumps in the goodbyedpi issue.

the bug check is always BAD_POOL_CALLER or can it be something else?

Only BAD_POOL_CALLER, in either ndis.sys or fwpkclnt.sys. Reproducible only with outbound filter, everything is fine with inbound only.

Microsoft (R) Windows Debugger Version 10.0.17134.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 17134 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff801`45ea3000 PsLoadedModuleList = 0xfffff801`4625e1f0
Debug session time: Mon Jul 30 05:28:17.892 2018 (UTC + 3:00)
System Uptime: 0 days 0:05:42.677
Loading Kernel Symbols
...............................................................
.......Page c5c1 not present in the dump file. Type ".hh dbgerr004" for details
.........................................................
..........................................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {4, 0, 8de3a, ffff918cb3a98da8}

Page 61f1f not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : NETIO.SYS ( NETIO!NetioFreeMdl+1a380 )

Followup:     MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000004, Pool header has been corrupted
Arg2: 0000000000000000, Pointer to pool header
Arg3: 000000000008de3a, First part of pool header contents
Arg4: ffff918cb3a98da8, 0

Debugging Details:
------------------


KEY_VALUES_STRING: 1


TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  4286CTO

SYSTEM_VERSION:  ThinkPad X220

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  8DET76WW (1.46 )

BIOS_DATE:  06/21/2018

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  4286CTO

BASEBOARD_VERSION:  Not Available

DUMP_TYPE:  1

BUGCHECK_P1: 4

BUGCHECK_P2: 0

BUGCHECK_P3: 8de3a

BUGCHECK_P4: ffff918cb3a98da8

FAULTING_IP: 
NETIO!NetioFreeMdl+1a380
fffff808`21a08800 90              nop

BUGCHECK_STR:  0xc2_4

CPU_COUNT: 4

CPU_MHZ: 8f5

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: 2E'00000000 (cache) 2E'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  2

ANALYSIS_SESSION_HOST:  DESKTOP-OLDFVEK

ANALYSIS_SESSION_TIME:  07-30-2018 05:32:54.0752

ANALYSIS_VERSION: 10.0.17134.1 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8014619a473 to fffff8014603b560

STACK_TEXT:  
fffff801`4825f198 fffff801`4619a473 : 00000000`000000c2 00000000`00000004 00000000`00000000 00000000`0008de3a : nt!KeBugCheckEx
fffff801`4825f1a0 fffff808`21a08800 : ffff918c`b712e1b0 ffff918c`b3034150 ffff918c`b712e030 00000000`00000001 : nt!ExFreePoolWithTag+0x1413
fffff801`4825f280 fffff808`22c562bb : ffff918c`b712e1b0 fffff808`229fc5b8 ffff918c`b712e030 00000000`00000000 : NETIO!NetioFreeMdl+0x1a380
fffff801`4825f2b0 fffff808`219dcfb6 : ffff918c`b712e030 ffff918c`b3937721 00000000`00000000 00000000`00000001 : fwpkclnt!FwppInjectComplete+0x5b
fffff801`4825f2f0 fffff808`219dc883 : 00000000`00000000 00000000`00000000 00000000`00000000 ffff918c`b44c0dd0 : NETIO!NetioDereferenceNetBufferList+0x166
fffff801`4825f330 fffff808`229f7428 : 00000000`00000000 ffff918c`b2f84301 00000000`00000000 fffff801`45ecd8a2 : NETIO!NetioDereferenceNetBufferListChain+0x2a3
fffff801`4825f3b0 fffff808`21881da0 : ffff918c`b466c820 fffff801`4825f449 ffff918c`b426b620 00000000`00000001 : tcpip!FlSendNetBufferListChainComplete+0x58
fffff801`4825f3e0 fffff808`21881b8e : ffff918c`b29641a0 ffff918c`b44c0dd0 ffff918c`00000001 ffff918c`b4299500 : ndis!ndisMSendCompleteNetBufferListsInternal+0x120
fffff801`4825f4b0 fffff808`23644090 : ffff918c`b29641a0 fffff801`4825f609 00000001`00000000 fffff801`4825f702 : ndis!NdisMSendNetBufferListsComplete+0x20e
fffff801`4825f5a0 fffff808`2364c9e7 : ffff918c`b281ceb0 00000001`00000000 00000040`4366d401 00000001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x710
fffff801`4825f670 fffff808`2364e701 : 00000001`00000000 fffff808`00000000 fffff801`4825f730 ffff918c`b463f000 : e1i63x64!INTERRUPT::IntInterruptDPC+0x1db
fffff801`4825f6e0 fffff808`2364ddb8 : ffff918c`b46282d0 00000000`00000000 ffffffff`00000000 00000000`00000000 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x1ed
fffff801`4825f770 fffff808`21883f05 : ffff918c`b46286f8 00000000`00000000 ffff918c`b46285e8 00000000`00000002 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff801`4825f7b0 fffff801`45f3d137 : 00000000`00000000 fffff801`4825fa10 00000000`00007ca6 fffff801`00000002 : ndis!ndisInterruptDpc+0x185
fffff801`4825f910 fffff801`45f3c78b : 00000000`0000000e fffff801`45e1a4e6 00000000`00222968 00000000`00000019 : nt!KiExecuteAllDpcs+0x2e7
fffff801`4825fa50 fffff801`4603ecba : 00000000`00000000 fffff801`44f21180 00000000`001a6560 fffff801`4631b400 : nt!KiRetireDpcList+0x1db
fffff801`4825fc60 00000000`00000000 : fffff801`48260000 fffff801`4825a000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a


THREAD_SHA1_HASH_MOD_FUNC:  c452c964f52aca392e3fa9258b5eba9d1d90a79f

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  1f93b99b157c4bcb72461f1084f5e99ec3999d5b

THREAD_SHA1_HASH_MOD:  69b7412afe5681d3c24e77182e4c7dd65e249b50

FOLLOWUP_IP: 
NETIO!NetioFreeMdl+1a380
fffff808`21a08800 90              nop

FAULT_INSTR_CODE:  5c98e990

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioFreeMdl+1a380

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  62e4197b

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  1a380

FAILURE_BUCKET_ID:  0xc2_4_NETIO!NetioFreeMdl

BUCKET_ID:  0xc2_4_NETIO!NetioFreeMdl

PRIMARY_PROBLEM_CLASS:  0xc2_4_NETIO!NetioFreeMdl

TARGET_TIME:  2018-07-30T02:28:17.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-07-14 06:53:27

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  a10

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_4_netio!netiofreemdl

FAILURE_ID_HASH:  {006d0537-1574-56d7-62b1-38ed7a5796f3}

Followup:     MachineOwner
---------

[ValdikSS]

@basil00 does it looks like ESET issue for you? Should I contact them?

[basil00]

Yes please report. Since, afaik, the BAD_POOL_CALLER crash only occurs with the ESET driver and no other AV drivers, it may indicate a problem with their driver. As mentioned above, the symptoms can be explained by the ESET driver mishandling reference counts, modifying non-blocked packets out-of-band, or something similar. Even if this is a WinDivert bug, the ESET devs might be able to provide new insights since they have access to the ESET driver source code, which we do not.

[TechnikEmpire]

I can't reproduce this on Windows 7 professional 64 bit in a virtual machine.

[ValdikSS]

Try with Windows 10.

[TechnikEmpire]

I will but I'm wondering what logic would explain a bug in ESET that only causes a bsod on a specific version of Windows. Seems that the current theory falls apart under this scenario.

[ValdikSS]

What are you doing exactly? For me it crashes when I click on ebay login page.
To reproduce the issue, download WinDivert 1.4.3 binaries and run passthru.exe test program as administrator:
https://reqrypt.org/download/WinDivert-1.4.3-A.zip

passthru.exe true 1

Navigate to ebay.com, press "My eBay" in the top right corner of the page, wait several seconds and get BSOD.

[TechnikEmpire]

@ValdikSS Are you authenticated on Ebay or does it happen when redirected to the login screen? I'm trying it now.

[ValdikSS]

Not authenticated, happens on login screen or sometimes it's faster to begin type random credentials into login/password fields. It usually crashes when you type password or press login button, but most of the time it will crash instantly.

[TechnikEmpire]

@ValdikSS Ah ok, I think something is wrong with Eset actually. HTTP/S scanning is enabled but I'm not seeing it inject its own certificate authority into secure sites I'm visiting so maybe that's why it's not crashing.

[TechnikEmpire]

For people who are testing this, you need to disable SSL/TLS bypass in ESET for "trusted domains" like so:

But yeah, still not BSOD'ing for me.

[ValdikSS]

Worked with stock settings for me, maybe they has changed something already. Let me try.

[ValdikSS]

Indeed, it does not BSOD anymore, that's probably because eBay changed the login page.

[TechnikEmpire]

I visited via the wayback machine and couldn't get a BSOD that way either. Do we know if ESET modified their binaries?

[ValdikSS]

The version is the same, 11.2.49.0.
It doesn't crash with old login page either (https://signin.ebay.com/ws/eBayISAPI.dll)

[TechnikEmpire]

@ValdikSS A windows update maybe?

[TechnikEmpire]

https://borncity.com/win/2018/07/21/stop-error-0xd1-in-july-2018-updates-explained/

[basil00]

If the bsod is gone I guess this issue is resolved, probably by a Windows update.

[ValdikSS]

@basil00, @Ka6an4eG reports BSoD which occurred several days ago.
ValdikSS/GoodbyeDPI#91 (comment)
I've asked him to reproduce the issue and post the steps.

[TechnikEmpire]

That's my guess. All of July there were a total of 3 critical updates rolled out to all versions of windows that addressed BSOD's in the tcpip pipeline, including what was linked above as well as wireless related stuff and they all cause resource mismanagement issues in network drivers.

[basil00]

@ValdikSS Do they have Windows update on?

[ValdikSS]

@basil00 I don't know, let's wait for reply.

[ValdikSS]

Just installed Eset Antivirus in a Windows 10 VM which was last updated on 26.07.2018, and it doesn't crash on ebay.com anymore. Let's assume this is due to changes on ebay.com for now and wait for @Ka6an4eG reply.

[TechnikEmpire]

I can't get papa johns .ru to bsod on windows 7 and I'm downloading a 10 enterprise image from here to test it. I didn't know Microsoft gave away dev vm's for free.

[ValdikSS]

I couldn't make it crash too.

Here are some more links for free trial Windows 10 images:

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
https://www.microsoft.com/ru-ru/software-download/windows10ISO/
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines