Npcap v.9982 cause bsod on Stop #1678

Open
keithdg opened this issue Aug 5, 2019 · 1 comment

@keithdg
commented Aug 5, 2019

Doing an `sc stop npcap` will cause a BSOD if npcap is in the middle of injecting a packet.
The best way to test is to run Wireshark, quit Wireshark while packets are moving from a browser, and do an `sc stop npcap`.

The Classify code should be protected against an unregister of the WFP driver that happens in the middle of transmission of an FwpsInjectNetworkSendAsync.

Here is the stack.

2: kd> !ANALYZE
Connected to Windows 8 15063 x64 target at (Mon Aug  5 15:24:02.603 2019 (UTC - 4:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
.........................................................
Loading User Symbols

Loading unloaded module list
...............Unable to enumerate user-mode unloaded modules, Win32 error 0n30
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {27, 2, 1, fffff80b4b812ca0}

*** ERROR: Module load completed but symbols could not be loaded for npcap.sys
Probably caused by : fwpkclnt.sys ( fwpkclnt!FwppInjectPrologue+94 )

Followup: MachineOwner
---------

2: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff801`d7094232 : 00000000`00000027 00000000`0000000a ffffdf00`1c8e9380 fffff801`d6f6a2d0 : nt!DbgBreakPointWithStatus
fffff801`d7093ae2 : 00000000`00000003 ffffdf00`1c8e9380 fffff801`d71452e0 00000000`000000d1 : nt!KiBugCheckDebugBreak+0x12
fffff801`d7003667 : 00000000`00000000 00000000`00000000 00000000`00000001 ffffdf00`1c8e9a50 : nt!KeBugCheck2+0x922
fffff801`d700e8a9 : 00000000`0000000a 00000000`00000027 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx+0x107
fffff801`d700ce7d : 00000000`646e444e 00000000`00000060 00000001`00000001 ffffce07`439e00d0 : nt!KiBugCheckDispatch+0x69
fffff80b`4b812ca0 : ffffce07`416ceab0 fffff80b`4b4417d5 00000000`00000000 ffffce07`43405c00 : nt!KiPageFault+0x23d
fffff80b`4b81464b : 00000000`00000001 ffffdf00`1c8e9dd1 00000000`00000000 ffffce07`46141bd0 : fwpkclnt!FwppInjectPrologue+0x94
fffff80b`4dc215a2 : ffffffff`ffffffff 00000000`00000000 ffffdf00`1c8ea102 00000000`00000014 : fwpkclnt!FwpsInjectNetworkSendAsync0+0xdb
fffff80b`4b44fda1 : ffffce07`41f07e10 ffffdf00`1c8e9fe0 ffffdf00`1c8ea5e0 00000000`00000000 : npcap+0x15a2
fffff80b`4b44f1d7 : 00000000`00000000 ffffdf00`1c8ea590 ffffdf00`1c8ea5e0 ffffce07`43405c60 : NETIO!ProcessCallout+0x9b1
fffff80b`4b44d206 : 00000000`00000000 ffffdf00`1c8ea2a0 00000000`00000000 ffffce07`47e980d4 : NETIO!ArbitrateAndEnforce+0x497
fffff80b`4be502d0 : 00000000`00000000 ffffce07`475fc180 00000000`0000ff02 00000000`00000000 : NETIO!KfdClassify+0x316
fffff80b`4bd971f0 : 00000000`00000001 ffffce07`43405fc4 00000000`00000001 ffffce07`475fcb80 : tcpip!ShimIpPacketInV4+0xb8eac
fffff80b`4bd96841 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppReceiveHeadersHelper+0x2d0
fffff80b`4bd6e9a3 : 00000000`00000003 00000000`00000000 fffff80b`4bf34000 ffffdf00`1c8eaf20 : tcpip!IppReceiveHeaderBatch+0x91
fffff80b`4bd6e633 : 00000000`00004800 00000000`00000000 00000000`00000000 ffffce07`42244a01 : tcpip!IppLoopbackIndicatePackets+0x1c7
fffff801`d6ead20b : ffffdf00`1c8eb0f8 ffffce07`45208080 ffffdf00`1c8eb0f8 fffff80b`4bd6e540 : tcpip!IppLoopbackTransmitCalloutRoutine+0xf3
fffff80b`4bde8385 : 00000000`00000002 fffff80b`4bf386f0 fffff80b`4bf34000 fffff80b`4bf34001 : nt!KeExpandKernelStackAndCalloutInternal+0x8b
fffff80b`4bd95a0e : ffffce07`42244a78 ffffdf00`1c8eb180 00000000`00000000 ffffce07`4249d040 : tcpip!IppLoopbackEnqueue+0x185
fffff80b`4bd94dcf : fffff80b`4bf34000 00000000`00000000 ffffce07`42244a78 00000000`00006a02 : tcpip!IppDispatchSendPacketHelper+0x99e
fffff80b`4bd9406b : 00000000`00000000 ffffdf00`1c8eb810 ffffce07`42244a78 00000000`00000007 : tcpip!IppPacketizeDatagrams+0x2df
fffff80b`4bda2ff1 : ffffce07`47278c00 ffffce07`41908c40 fffff80b`4bf34000 ffffce07`42d73340 : tcpip!IppSendDatagramsCommon+0x4db
fffff80b`4bd9fc94 : 00000000`00418b00 00000000`00000001 ffffce07`43b66650 fffff80b`4bf34000 : tcpip!IpNlpFastSendDatagram+0xf51
fffff80b`4bd9923a : 00000000`00000000 00000000`00000080 00000000`00000002 00000009`fb68925a : tcpip!TcpTcbSend+0x5c4
fffff80b`4bd62e21 : ffffce07`42225900 00000000`00418bcb ffffce07`00000004 ffffce07`4222ecd0 : tcpip!TcpFlushDelay+0x1fa
fffff801`d6f09b6c : ffffdf00`1c8b9f80 00000000`00000000 ffffce07`4222ed88 ffffdf00`1c8b7180 : tcpip!TcpPeriodicTimeoutHandler+0x7f1
fffff801`d6f09477 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExecuteAllDpcs+0x1dc
fffff801`d7008635 : 00000000`00000000 ffffdf00`1c8b7180 ffffdf00`1fdff730 00000000`00000000 : nt!KiRetireDpcList+0xd7
fffff801`d7008440 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxRetireDpcList+0x5
fffff801`d7006d3a : 00000000`00000000 00000000`00000001 00000000`00000206 fffff801`d70086cf : nt!KiDispatchInterruptContinue
fffff801`d7009057 : ffffdf00`1c8b7ae0 fffff801`d711665c ffffce07`45208080 00000000`00000001 : nt!KiDpcInterrupt+0xca
fffff801`d711665c : ffffce07`45208080 00000000`00000001 ffffdf00`1fdffa00 ffffdf00`1fdffa08 : nt!ExpInterlockedPopEntrySListResume
fffff801`d6f730ed : ffffb3c6`3f0a245e fffff801`d72145bc 00000000`00000062 ffffdf00`1fdffa80 : nt!ExAllocatePoolWithTag+0x2bc
fffff801`d6f72fd1 : ffffce07`441a59b0 ffffce07`30526d73 00000000`00000000 00000000`00000002 : nt!SmFpAllocate+0x5d
fffff801`d6fa92a9 : ffffce07`441a59b0 ffffdf00`1fdffa50 00000000`00000001 00000000`00000001 : nt!SMKM_STORE_MGR<SM_TRAITS>::SmpPageEvict+0x79
fffff801`d6fec973 : 20000000`20026bcf 00000000`00026bcf fffff801`20026bcf 00000000`00000002 : nt!MiStoreEvictPageFile+0x95
fffff801`d6f73ac7 : 00000175`0000053c ffffce07`45208080 fffff801`d6fec810 ffffce07`4509d440 : nt!MiStoreEvictThread+0x163
fffff801`d70089e6 : ffffdf00`1c835180 ffffce07`45208080 fffff801`d6f73a80 54b4ae2d`00000b80 : nt!PspSystemThreadStartup+0x47
00000000`00000000 : ffffdf00`1fe00000 ffffdf00`1fdfa000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

@dmiller-nmap
commented Aug 8, 2019

Thanks for the bug report! I'll take a look at it.
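
The race reported in this issue (a classify callback reaching FwpsInjectNetworkSendAsync while `sc stop npcap` tears the driver down) is the kind of teardown race that rundown protection is meant to close: the classify path takes a reference before touching the injection handle, and the stop path refuses new entries and destroys the handle only after in-flight calls drain. The block below is an added example, not Npcap's code or its fix; it is a user-space C model whose names (`callout_ctx`, `classify_inject`, `stop_begin`, `stop_finish`) are hypothetical, and in a real driver the kernel's `ExAcquireRundownProtection` family would replace the hand-rolled counter.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define RUNDOWN_ACTIVE 1u   /* low bit: stop/unload has begun */
#define RUNDOWN_REF    2u   /* each in-flight classify call adds 2 */

typedef struct {            /* hypothetical driver context */
    atomic_uint state;      /* (in-flight count << 1) | RUNDOWN_ACTIVE */
    void *inject_handle;    /* stands in for the WFP injection handle */
} callout_ctx;

static bool rundown_acquire(callout_ctx *c) {
    unsigned s = atomic_load(&c->state);
    do {
        if (s & RUNDOWN_ACTIVE) return false;   /* teardown started: refuse */
    } while (!atomic_compare_exchange_weak(&c->state, &s, s + RUNDOWN_REF));
    return true;
}
static void rundown_release(callout_ctx *c) { atomic_fetch_sub(&c->state, RUNDOWN_REF); }

/* Classify path: 1 = injected, 0 = skipped because the driver is stopping. */
int classify_inject(callout_ctx *c) {
    if (!rundown_acquire(c)) return 0;      /* never touch the handle */
    int ok = (c->inject_handle != NULL);    /* the inject call would go here */
    rundown_release(c);
    return ok;
}

/* Stop, phase 1: refuse new classify entries; returns calls still in flight. */
unsigned stop_begin(callout_ctx *c) { return atomic_fetch_or(&c->state, RUNDOWN_ACTIVE) >> 1; }

/* Stop, phase 2: destroy the handle only once in-flight calls have drained. */
bool stop_finish(callout_ctx *c) {
    if (atomic_load(&c->state) != RUNDOWN_ACTIVE) return false;
    c->inject_handle = NULL;
    return true;
}

int main(void) {
    int dummy = 0;                          /* constructed stand-in handle */
    callout_ctx c = { .inject_handle = &dummy };
    atomic_init(&c.state, 0);
    rundown_acquire(&c);                    /* one classify call in flight */
    stop_begin(&c);
    bool early = stop_finish(&c);           /* false: stop must wait */
    rundown_release(&c);
    return (!early && stop_finish(&c)) ? 0 : 1;
}
```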
