Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test

From: Pascal Quantin <pascal.quantin@xxxxxxxxx>
Date: Thu, 6 Aug 2015 19:02:04 +0200


2015-08-06 15:21 GMT+02:00 Yang Luo <hsluoyb@xxxxxxxxx>:
Hi Pascal,

This issue is because some parts of Npcap have been migrated to MSVC2010; however, Win10 RTM lacks the VC2010 redist package. I have changed to statically link the libs and tested on my Win10 RTM. The latest installer that has this bug fixed is:

Cheers,
Yang

Hi Yang,

it now installs successfully. But I get a systematic crash when trying to load Wireshark (while so far I was not facing a BSoD on my Windows 10 virtual machine).
You will find the full memory dump here: https://www.dropbox.com/s/n9oq6oajv411n3c/MEMORY.7z?dl=0

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80297ae252c, address which referenced memory

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for npf.sys
Page 9b25 not present in the dump file. Type ".hh dbgerr004" for details

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 000000000000a620

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeAcquireSpinLockRaiseToDpc+1c
fffff802`97ae252c f0480fba2900    lock bts qword ptr [rcx],0

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  dumpcap.exe

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre

TRAP_FRAME:  ffffd000b8e1b580 -- (.trap 0xffffd000b8e1b580)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
rdx=ffffe001d847d360 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80297ae252c rsp=ffffd000b8e1b710 rbp=ffffd000b8e1bb80
 r8=ffffe001d6c15180  r9=000000000000000e r10=0000000020206f49
r11=ffffe001d78b4840 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!KeAcquireSpinLockRaiseToDpc+0x1c:
fffff802`97ae252c f0480fba2900    lock bts qword ptr [rcx],0 ds:00000000`0000a620=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80297b6aba9 to fffff80297b60220

STACK_TEXT: 
ffffd000`b8e1b438 fffff802`97b6aba9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd000`b8e1b440 fffff802`97b693c8 : 00000000`00000000 00000000`00000000 ffffe001`d8d4c010 ffff479f`55c28c80 : nt!KiBugCheckDispatch+0x69
ffffd000`b8e1b580 fffff802`97ae252c : 00000000`00000000 00000000`00000000 e001d78b`4c100001 ffffd000`b8e1b728 : nt!KiPageFault+0x248
ffffd000`b8e1b710 fffff801`2d55319a : e001d78b`4c100000 00000000`0012019f 00000000`00000001 ffffe001`d734f780 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`b8e1b740 fffff801`2d553a38 : 00000000`00001ef0 ffffe001`d847d300 00000000`00000001 ffffd000`00000000 : npf+0x319a
ffffd000`b8e1b770 fffff802`97e4117d : 00000000`00000001 ffffe001`d847d360 ffffe001`d847d360 ffffe001`00000001 : npf+0x3a38
ffffd000`b8e1b800 fffff802`97e40a56 : 0000001d`2eebcbd8 ffffd000`b8e1bb80 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x71d
ffffd000`b8e1ba20 fffff802`97b6a863 : ffffe001`d8c8c080 0000001d`2eebcbb8 ffffd000`b8e1baa8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`b8e1ba90 00007ffa`0669356a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000001d`2eebcb68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`0669356a


STACK_COMMAND:  kb

FOLLOWUP_IP:
npf+319a
fffff801`2d55319a 4032ff          xor     dil,dil

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  npf+319a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npf

IMAGE_NAME:  npf.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  55c32fb5

FAILURE_BUCKET_ID:  AV_npf+319a

BUCKET_ID:  AV_npf+319a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_npf+319a

FAILURE_ID_HASH:  {bf4ae29b-3505-fe6e-b8b7-41bfb9d08cf8}

Followup: MachineOwner
---------

Pascal.
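Added example (editor's code, not part of this message or of the Wireshark/Npcap projects): a Python triage script run over the !analyze -v excerpt above, answering the questions a security reviewer asks of a 0xA crash before looking at the driver source. It decodes the bugcheck arguments (Arg3 bit 0 = write, consistent with the faulting lock bts, a read-modify-write), checks that Arg1 is the value in rcx and Arg4 is rip in the trap frame, blames the first non-nt frame (npf+0x319a, the same choice !analyze makes for FOLLOWUP_IP), classifies 0xa620 as lying in the never-mapped first 64 KiB (the shape of a NULL or uninitialised structure pointer plus a field offset, not a freed or paged-out kernel allocation), and records that the stack runs from NtDeviceIoControlFile through npf into KeAcquireSpinLockRaiseToDpc, i.e. the fault was reached from an IOCTL issued by user-mode dumpcap.exe. The ANALYSIS text is copied from the dump above; the only assumptions are the standard x64 Windows user/kernel address split used in pointer_class and the list of syscall entry symbols in SYSCALL_ENTRY.

```python
"""Triage a WinDbg '!analyze -v' IRQL_NOT_LESS_OR_EQUAL (0xA) report.

Added example, not code from the Wireshark or Npcap projects. It extracts what
a security triage asks of a driver crash: which module faulted and where, read
or write, could the address ever have been a valid pointer, and did the path
start from a user-mode system call (can an unprivileged process reach it).
"""
import re
from dataclasses import dataclass

# Excerpt of the !analyze -v output quoted in the message above.
ANALYSIS = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 000000000000a620, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff80297ae252c, address which referenced memory
PROCESS_NAME:  dumpcap.exe
rax=0000000000000002 rbx=0000000000000000 rcx=000000000000a620
rip=fffff80297ae252c rsp=ffffd000b8e1b710 rbp=ffffd000b8e1bb80
STACK_TEXT:
ffffd000`b8e1b438 fffff802`97b6aba9 : 00000000`0000000a 00000000`0000a620 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd000`b8e1b440 fffff802`97b693c8 : 00000000`00000000 00000000`00000000 ffffe001`d8d4c010 ffff479f`55c28c80 : nt!KiBugCheckDispatch+0x69
ffffd000`b8e1b580 fffff802`97ae252c : 00000000`00000000 00000000`00000000 e001d78b`4c100001 ffffd000`b8e1b728 : nt!KiPageFault+0x248
ffffd000`b8e1b710 fffff801`2d55319a : e001d78b`4c100000 00000000`0012019f 00000000`00000001 ffffe001`d734f780 : nt!KeAcquireSpinLockRaiseToDpc+0x1c
ffffd000`b8e1b740 fffff801`2d553a38 : 00000000`00001ef0 ffffe001`d847d300 00000000`00000001 ffffd000`00000000 : npf+0x319a
ffffd000`b8e1b770 fffff802`97e4117d : 00000000`00000001 ffffe001`d847d360 ffffe001`d847d360 ffffe001`00000001 : npf+0x3a38
ffffd000`b8e1b800 fffff802`97e40a56 : 0000001d`2eebcbd8 ffffd000`b8e1bb80 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x71d
ffffd000`b8e1ba20 fffff802`97b6a863 : ffffe001`d8c8c080 0000001d`2eebcbb8 ffffd000`b8e1baa8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`b8e1ba90 00007ffa`0669356a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
0000001d`2eebcb68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`0669356a
STACK_COMMAND:  kb
"""

ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]+)", re.M)
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})")
SYM_RE = re.compile(r"^(\w+)(?:!(\w+))?(?:\+0x([0-9a-f]+))?$")
# Frames that mark a user-mode system call entering the kernel (assumed list).
SYSCALL_ENTRY = ("nt!KiSystemServiceCopyEnd", "nt!KiSystemCall64", "nt!NtDeviceIoControlFile")


@dataclass
class Triage:
    bugcheck: str
    fault_addr: int          # Arg1
    irql: int                # Arg2
    is_write: bool           # Arg3 bit 0
    process: str
    frames: list
    blamed_module: str       # first frame outside nt, as !analyze's FOLLOWUP_IP does
    blamed_offset: int
    fault_register: str      # trap-frame register holding Arg1 ("" if none)
    ip_matches_trap: bool    # Arg4 == rip: the trap frame belongs to this fault
    user_triggerable: bool   # stack passes through a syscall entry point


def stack_frames(text: str) -> list:
    """Symbol column of every STACK_TEXT line, most recent frame first."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if not line.strip() or line.startswith("STACK_COMMAND"):
                break
            # Layout: child-sp ret-addr : arg1 arg2 arg3 arg4 : symbol
            frames.append(line.rsplit(" : ", 1)[-1].strip())
    return frames


def pointer_class(addr: int) -> str:
    """Could this address ever have been a valid x64 Windows pointer?"""
    if addr < 0x10000:
        # Lowest 64 KiB is never mapped: NULL/uninitialised struct + field offset.
        return "null-page"
    if addr <= 0x00007FFF_FFFFFFFF:
        return "user"
    if addr >= 0xFFFF8000_00000000:
        return "kernel"
    return "non-canonical"


def triage(text: str) -> Triage:
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    head = re.search(r"^([A-Z_]+) \([0-9a-f]+\)", text, re.M)
    proc = re.search(r"^PROCESS_NAME:\s+(\S+)", text, re.M)
    frames = stack_frames(text)
    module, offset = "", 0
    for frame in frames:                      # first frame outside the kernel image
        sym = SYM_RE.match(frame)
        if sym and sym.group(1) != "nt":
            module, offset = sym.group(1), int(sym.group(3) or "0", 16)
            break
    return Triage(
        bugcheck=head.group(1) if head else "UNKNOWN",
        fault_addr=args[1], irql=args[2], is_write=bool(args[3] & 1),
        process=proc.group(1) if proc else "", frames=frames,
        blamed_module=module, blamed_offset=offset,
        fault_register=next((r for r, v in regs.items() if v == args[1]), ""),
        ip_matches_trap=regs.get("rip") == args[4],
        user_triggerable=any(f.startswith(SYSCALL_ENTRY) for f in frames),
    )
```

Calling triage(ANALYSIS) on the excerpt yields blamed_module "npf" at offset 0x319a, a write through rcx to 0xa620 at IRQL 2, pointer_class "null-page", and user_triggerable True because the stack passes through nt!NtDeviceIoControlFile. The same function works on any 0xA report pasted from WinDbg, since it keys only on the Arg lines, the trap-frame register dump and the STACK_TEXT block.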