Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test

From: Jim Young <jyoung@xxxxxxx>
Date: Tue, 11 Aug 2015 03:43:24 +0000

Hello Yang,


I installed npcap-nmap-0.03-r6.exe but am still getting the IRQL_NOT_LESS_OR_EQUAL (a) BSoD on my Windows 8.1. system immediately when I start Wireshark.


I went back retested 0.03-r3, 0.03-r4 and 0.03-r5 to confirm that its only r5 and r6 that trigger the immediate BSoD on my system.  


Here's the last BSoD WinDbg output when using Npcap 0.03-r6.


---------


2: kd> .symfix C:\Symbols

2: kd> .reload

Loading Kernel Symbols

...............................................................

................................................................

........................................

Loading User Symbols

.....................................

Loading unloaded module list

........

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************


IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 000000000000a620, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000001, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: fffff8013ff660cc, address which referenced memory


Debugging Details:

------------------


*** ERROR: Module load completed but symbols could not be loaded for npf.sys

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll - 


WRITE_ADDRESS: unable to get nt!MmNonPagedPoolStart

unable to get nt!MmSizeOfNonPagedPoolInBytes

 000000000000a620 


CURRENT_IRQL:  2


FAULTING_IP: 

nt!KeAcquireSpinLockRaiseToDpc+1c

fffff801`3ff660cc f0480fba2900    lock bts qword ptr [rcx],0


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT


BUGCHECK_STR:  AV


PROCESS_NAME:  dumpcap.exe


ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre


TRAP_FRAME:  ffffd00035417600 -- (.trap 0xffffd00035417600)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620

rdx=ffffe001230a2900 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8013ff660cc rsp=ffffd00035417790 rbp=ffffd00035417b80

 r8=ffffe0011fed41a0  r9=000000000000000e r10=0000000000000801

r11=ffffe00122517440 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0         nv up ei pl zr na po nc

nt!KeAcquireSpinLockRaiseToDpc+0x1c:

fffff801`3ff660cc f0480fba2900    lock bts qword ptr [rcx],0 ds:00000000`0000a620=????????????????

Resetting default scope


LAST_CONTROL_TRANSFER:  from fffff8013ffea7e9 to fffff8013ffdeca0


STACK_TEXT:  

ffffd000`354174b8 fffff801`3ffea7e9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx

ffffd000`354174c0 fffff801`3ffe903a : 00000000`00000001 00000000`00000000 00000000`00000000 ffffd000`35417730 : nt!KiBugCheckDispatch+0x69

ffffd000`35417600 fffff801`3ff660cc : 00000000`00000001 ffffc002`00000000 ffffc002`018bf601 00000000`00000000 : nt!KiPageFault+0x23a

ffffd000`35417790 fffff801`688d7186 : 00000000`00000000 ffffe001`230474c0 00000000`00000001 ffffd000`35417b80 : nt!KeAcquireSpinLockRaiseToDpc+0x1c

ffffd000`354177c0 fffff801`688d7a24 : 00000000`00001ef0 ffffe001`230a2900 00000000`00000000 ffffd000`00000000 : npf+0x3186

ffffd000`354177f0 fffff801`402b377f : 00000000`00000001 ffffe001`230a2900 ffffe001`230a2900 00000000`00000001 : npf+0x3a24

ffffd000`35417880 fffff801`402b2d22 : ffffd000`35417a38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f

ffffd000`35417a20 fffff801`3ffea4b3 : ffffe001`21d2c080 ffffd000`001f0003 00000017`cb91ca98 00000017`00000000 : nt!NtDeviceIoControlFile+0x56

ffffd000`35417a90 00007ffe`449c123a : 00007ffe`41b65fe3 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13

00000017`cb91ca48 00007ffe`41b65fe3 : 0000da4a`605d0f0d 00000000`00000003 00000000`00000000 00000000`00000013 : ntdll!NtDeviceIoControlFile+0xa

00000017`cb91ca50 00007ffe`42151bb0 : 00000000`00001ef0 00007ffe`4496713a 00000000`00000020 00000000`00000000 : KERNELBASE!DeviceIoControl+0x121

00000017`cb91cac0 00007ffe`399f3d65 : 00000017`cba14960 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 : KERNEL32!DeviceIoControlImplementation+0x80

00000017`cb91cb10 00000017`cba14960 : 00000017`cb91cdb0 ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 : packet+0x3d65

00000017`cb91cb18 00000017`cb91cdb0 : ffffffff`ffffffff 00000017`cb91cdb0 00000000`00000000 00000000`00000000 : 0x00000017`cba14960

00000017`cb91cb20 ffffffff`ffffffff : 00000017`cb91cdb0 00000000`00000000 00000000`00000000 00000017`cb91cb60 : 0x00000017`cb91cdb0

00000017`cb91cb28 00000017`cb91cdb0 : 00000000`00000000 00000000`00000000 00000017`cb91cb60 00000000`00000000 : 0xffffffff`ffffffff

00000017`cb91cb30 00000000`00000000 : 00000000`00000000 00000017`cb91cb60 00000000`00000000 00000017`cba14960 : 0x00000017`cb91cdb0



STACK_COMMAND:  kb


FOLLOWUP_IP: 

npf+3186

fffff801`688d7186 4032ff          xor     dil,dil


SYMBOL_STACK_INDEX:  4


SYMBOL_NAME:  npf+3186


FOLLOWUP_NAME:  MachineOwner


MODULE_NAME: npf


IMAGE_NAME:  npf.sys


DEBUG_FLR_IMAGE_TIMESTAMP:  55c878a8


FAILURE_BUCKET_ID:  AV_npf+3186


BUCKET_ID:  AV_npf+3186


ANALYSIS_SOURCE:  KM


FAILURE_ID_HASH_STRING:  km:av_npf+3186


FAILURE_ID_HASH:  {cd892a8a-243d-2266-f935-8db54b10ab51}


Followup: MachineOwner

---------


Best regards,


Jim Y.




From: wireshark-dev-bounces@xxxxxxxxxxxxx <wireshark-dev-bounces@xxxxxxxxxxxxx> on behalf of Yang Luo <hsluoyb@xxxxxxxxx>
Sent: Monday, August 10, 2015 06:40
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Npcap 0.03 call for test
 
Hi Jim, Pascal,

This IRQL_NOT_LESS_OR_EQUAL (a) BSoD seems to be caused by NdisAcquireSpinLock call in function NPF_StartUsingOpenInstance has referred to freed Open struct memory, I have tried to fix it in latest installer, you may try it at:

Cheers,
Yang