The KMDF driver crashes with no useful information from !analyze -v - windows

I am trying to debug the Hello World KMDF driver from MSDN in VirtualBox. Symbols load and everything looks fine. But when I try to debug the code, the following happens:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Starting New Debugger Session
-----------------------------------------------------------------------
-----------------------------------------------------------------------
[debug session data]
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff807`0d262390 cc int 3
I don't know what that breakpoint is. Moreover, it remains when I am debugging another example driver.
The following message is the only message I receive when I run the driver and hit the Break All button, regardless of whether other breakpoints are set or not.
kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run console kernel debugger) or, *
* CTRL+BREAK (if you run GUI kernel debugger), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!DbgBreakPointWithStatus:
fffff807`0d262390 cc int 3
And the address of the breakpoint is always the same. Also, the debugger does not pick up the source code and local variables.
The !analyze -v response is hard to interpret because it has almost no specific information:
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: svchost.exe
FAULTING_IP:
nt!DbgBreakPointWithStatus+0
fffff807`0d262390 cc int 3
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 0000000000000000
CPU_COUNT: 1
CPU_MHZ: e10
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: 9
CPU_MICROCODE: 6,9e,9,0 (F,M,S,R) SIG: 0'00000000 (cache) 0'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x0
CURRENT_IRQL: d
ANALYSIS_SESSION_HOST: DESKTOP-7FEEGEP
ANALYSIS_SESSION_TIME: 05-17-2019 13:39:22.0086
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
STACK_TEXT:
fffff807`0f46db78 fffff807`0d27721e : fffff807`0ce14180 00000000`00000001 ffffd087`89a36080 00000000`0000806c : nt!DbgBreakPointWithStatus
fffff807`0f46db80 fffff807`0d2d3c04 : ffffd087`84602020 00000000`00000000 00000000`0000806b fffff807`0d01446f : nt!KdCheckForDebugBreak+0x90e66
fffff807`0f46dbb0 fffff807`0d18bdf4 : 00000000`00000000 00000000`00000000 00000000`0000806c fffff807`0ce14180 : nt!KeAccumulateTicks+0x144cd4
fffff807`0f46dc10 fffff807`0d011332 : 00000000`00000000 fffff807`0d074be8 fffff903`28437b80 00000000`00000000 : nt!KeClockInterruptNotify+0x604
fffff807`0f46df30 fffff807`0d1da195 : 000000b9`9e48c277 fffff807`0d077850 fffff807`0d077900 fffff903`28437b80 : hal!HalpTimerClockInterrupt+0xf2
fffff807`0f46df60 fffff807`0d25c12a : fffff903`28437b80 fffff807`0d077850 00000000`000000bc fffff807`0d077850 : nt!KiCallInterruptServiceRoutine+0xa5
fffff807`0f46dfb0 fffff807`0d25c677 : 00000127`1c58e310 fffff903`28437b80 ffffba01`a64f3c80 ffffd087`00001680 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
fffff903`28437b00 00007ffe`6d921d90 : 00007ffe`63c76dc9 00000000`00000030 00000127`1c58e310 00000127`1cf29fc6 : nt!KiInterruptDispatchNoLockNoEtw+0x37
0000001b`4ddfda48 00007ffe`63c76dc9 : 00000000`00000030 00000127`1c58e310 00000127`1cf29fc6 00000000`00000086 : ntdll!RtlLeaveCriticalSection
0000001b`4ddfda50 00007ffe`63c75c4a : 00000127`1c58e310 00000000`00000000 00000127`1cf29fc6 00000000`00000001 : StateRepository_Core!dbMallocRawFinish+0xf9
0000001b`4ddfda80 00007ffe`63c74318 : 0000001b`4ddfdc90 00000127`218eaab5 0000001b`4ddfdad0 0000001b`4ddfe500 : StateRepository_Core!sqlite3ExprListAppend+0x10a
0000001b`4ddfdab0 00007ffe`63c73f4f : 00000127`218eaab5 00000000`0000003b 0000001b`4ddfe600 00000127`218eaab5 : StateRepository_Core!yy_reduce+0x138
0000001b`4ddfdb60 00007ffe`63c714d0 : 00000000`0000000b 00000127`1d48d4c0 00000127`17a60000 00000127`1c58e310 : StateRepository_Core!sqlite3RunParser+0x18f
0000001b`4ddfe5a0 00007ffe`63c7fad6 : 00000127`0000000b 00000127`210c9e50 00000127`1d48d4c0 00000127`1c58e310 : StateRepository_Core!sqlite3Prepare+0x140
0000001b`4ddfe8a0 00007ffe`63c77470 : 00000000`00000000 00000000`00000001 00000127`227c5620 00000127`1c58e310 : StateRepository_Core!sqlite3Reprepare+0xa6
0000001b`4ddfe910 00007ffe`5baa75ed : 0000001b`4ddfea40 00000000`00000000 0000001b`4ddfeb30 00000000`00000001 : StateRepository_Core!sqlite3_step+0x1e0
0000001b`4ddfe940 0000001b`4ddfea40 : 00000000`00000000 0000001b`4ddfeb30 00000000`00000001 00000127`227c5620 : appxdeploymentserver+0x1975ed
0000001b`4ddfe948 00000000`00000000 : 0000001b`4ddfeb30 00000000`00000001 00000127`227c5620 00000000`00000000 : 0x0000001b`4ddfea40
THREAD_SHA1_HASH_MOD_FUNC: 7624d44a362bc09f63010be40dd2f10b30164688
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 116dd5b296cb899eb0af37455673964c028141de
THREAD_SHA1_HASH_MOD: eeaa9c3cd71569b57a2e0c61a2a59028a432624c
FOLLOWUP_IP:
nt!DbgBreakPointWithStatus+0
fffff807`0d262390 cc int 3
FAULT_INSTR_CODE: ccccc3cc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!DbgBreakPointWithStatus+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 438ffec3
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID: MANUAL_BREAKIN
PRIMARY_PROBLEM_CLASS: MANUAL_BREAKIN
FAILURE_BUCKET_ID: MANUAL_BREAKIN
TARGET_TIME: 2019-05-17T10:34:32.000Z
OSBUILD: 17763
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2005-12-02 00:58:59
BUILDDATESTAMP_STR: 180914-1434
BUILDLAB_STR: rs5_release
BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
ANALYSIS_SESSION_ELAPSED_TIME: 69b
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:manual_breakin
FAILURE_ID_HASH: {30cbeaaa-35e3-de0f-a585-406cd241c851}
Followup: MachineOwner
---------
I am a little confused by the DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT line, because I built the driver for Windows 10, and also by IMAGE_NAME: ntkrnlmp.exe. It looks like something happens in the nt module. Googling gave no results.
The same thing happens with other driver samples I tried to debug.
How can I handle this problem, or at least get more information about it?
Host: Windows 10 x64 build 17134.765, VS Community 2017 build 15.9.11, WDK 10.0.17740.1000
Target: Virtual Box build 6.0.4r128413, Windows 10 x64 build 17763.437
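
The !analyze -v text above is easier to read once it is reduced to a few fields: the failure bucket, the exception code, the first STACK_TEXT frame, and the first frame that belongs to a module other than the kernel, HAL, ntdll or the verifier. A BUCKET_ID of MANUAL_BREAKIN is what !analyze assigns when the break came from the debugger's own break-in (the Ctrl+Break banner shown above), so there is no crash to analyse; DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT is only the fallback label !analyze starts from on Windows 8 and later kernels, not a statement about the driver's target OS, and IMAGE_NAME: ntkrnlmp.exe is the on-disk name of the multiprocessor kernel that is loaded as nt. The script below is an added example, not code from the original post; it parses that output and applies those rules. Its two sample reports are constructed, abridged copies of the outputs on this page, and the verdict strings and the list of "system" modules are the example author's own choices, not anything WinDbg emits.

```python
import re

# Added example, not code from the original post: parse the text "!analyze -v"
# prints (KEY: value lines plus the STACK_TEXT frame list) and apply the triage
# a debugger does by hand.  The two reports at the bottom are constructed,
# abridged copies of the outputs shown on this page.
KEY_RE = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")
HEX64 = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Child-SP RetAddr : Args to Child (four qwords) : Call Site
FRAME_RE = re.compile(rf"^{HEX64}\s+{HEX64}\s+:\s+(?:{HEX64}\s+){{4}}:\s+(.+?)\s*$")
# Frames in these modules say nothing about who is at fault (author's choice).
SYSTEM_MODULES = {"nt", "hal", "ntdll", "kernel32", "KERNELBASE", "verifier"}
NTSTATUS_NAMES = {0x80000003: "STATUS_BREAKPOINT", 0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_analyze(text):
    """Return {'fields': {KEY: value}, 'frames': [call-site strings, top first]}."""
    fields, frames, in_stack = {}, [], False
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, value = m.groups()
            in_stack = key == "STACK_TEXT"      # frames follow until the next KEY:
            if not in_stack:
                fields[key] = value
        elif in_stack:
            f = FRAME_RE.match(line)
            if f:
                frames.append(f.group(1))
    return {"fields": fields, "frames": frames}

def module_of(call_site):
    """'nt!Foo+0x10' -> 'nt'; 'php5ts+0xbea98' -> 'php5ts'; raw address -> None."""
    if call_site.startswith("0x"):
        return None
    return re.split(r"[!+ ]", call_site, maxsplit=1)[0]

def first_foreign_module(frames):
    """First frame outside SYSTEM_MODULES, the same idea as !analyze's blame."""
    for site in frames:
        mod = module_of(site)
        if mod and mod not in SYSTEM_MODULES:
            return mod
    return None

def exception_code(fields):
    for key in ("EXCEPTION_CODE_STR", "ERROR_CODE", "EXCEPTION_CODE"):
        m = re.search(r"[0-9a-fA-F]{8}", fields.get(key, ""))
        if m:
            return int(m.group(0), 16)
    return None

def triage(text):
    report = parse_analyze(text)
    fields, frames = report["fields"], report["frames"]
    bucket = fields.get("FAILURE_BUCKET_ID") or fields.get("BUCKET_ID", "")
    markers = " ".join(fields.get(k, "") for k in ("FAILURE_BUCKET_ID", "BUCKET_ID", "BUGCHECK_STR"))
    if "MANUAL_BREAKIN" in markers:
        verdict = "not a crash: the debugger broke in (Ctrl+Break); press g and set a real breakpoint"
    elif "HEAP_CORRUPTION" in markers:
        verdict = "heap corruption surfaced inside the heap manager; the faulting frame is a victim, enable page heap (gflags /p) and re-capture"
    elif "AVRF" in markers:
        verdict = "Application Verifier stop; the first non-system frame passed the bad heap block"
    else:
        verdict = "unclassified; walk the stack by hand"
    if "WRONG_SYMBOLS" in markers:
        verdict += "; symbols are wrong or missing (.symfix; .reload /f)"
    code = exception_code(fields)
    return {
        "process": fields.get("PROCESS_NAME"),
        "bucket": bucket,
        "exception": NTSTATUS_NAMES.get(code, hex(code) if code is not None else None),
        "top_frame": frames[0] if frames else None,
        "blamed_module": first_foreign_module(frames),
        "verdict": verdict,
    }

# Constructed sample 1: abridged from the KMDF post above (debugger break-in).
KMDF_REPORT = """\
PROCESS_NAME: svchost.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE_STR: 80000003
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
STACK_TEXT:
fffff807`0f46db78 fffff807`0d27721e : fffff807`0ce14180 00000000`00000001 ffffd087`89a36080 00000000`0000806c : nt!DbgBreakPointWithStatus
fffff807`0f46df30 fffff807`0d1da195 : 000000b9`9e48c277 fffff807`0d077850 fffff807`0d077900 fffff903`28437b80 : hal!HalpTimerClockInterrupt+0xf2
0000001b`4ddfda48 00007ffe`63c76dc9 : 00000000`00000030 00000127`1c58e310 00000127`1cf29fc6 00000000`00000086 : ntdll!RtlLeaveCriticalSection
0000001b`4ddfda50 00007ffe`63c75c4a : 00000127`1c58e310 00000000`00000000 00000127`1cf29fc6 00000000`00000001 : StateRepository_Core!dbMallocRawFinish+0xf9
SYMBOL_NAME: nt!DbgBreakPointWithStatus+0
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: MANUAL_BREAKIN
"""

# Constructed sample 2: abridged from the httpd.exe post above (access violation under HeapFree).
HTTPD_REPORT = """\
PROCESS_NAME: httpd.exe
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_FILL_PATTERN_ffffffff
STACK_TEXT:
00000000`5904eb20 00000000`773d1a0a : 00000003`67cb5f10 00000001`0e2bc328 00000000`01fd89e0 00000003`42541b01 : ntdll!RtlAnsiStringToUnicodeString+0x12c
00000000`5904eba0 000007fe`ee296338 : 00000003`4b1038f0 00000000`00000002 00000003`00000000 00000000`00000002 : kernel32!HeapFree+0xa
00000000`5904ebd0 00000003`4b1038f0 : 00000000`00000002 00000003`00000000 00000000`00000002 00000003`4281e670 : msvcr110+0x66338
00000000`5904ebd8 00000000`00000002 : 00000003`00000000 00000000`00000002 00000003`4281e670 000007fe`daf5ea98 : 0x3`4b1038f0
00000000`5904ec00 00000003`3bb260c0 : 00000001`0e2a8d50 00000001`0e2bc328 000007fe`db4d1370 00000001`0e2fe6b8 : php5ts+0xbea98
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
"""

if __name__ == "__main__":
    for name, text in (("KMDF", KMDF_REPORT), ("httpd", HTTPD_REPORT)):
        print(name, triage(text))
```

Run against the first report it returns the MANUAL_BREAKIN bucket, STATUS_BREAKPOINT and nt!DbgBreakPointWithStatus as the top frame, which is exactly the "not a crash" case; against the httpd report the first non-system frame is msvcr110, the same module the second !analyze run on that page blames. The blame heuristic is deliberately simple: it takes the first frame that is not in a system module, so a crash inside a library called by the real culprit still needs a manual walk further down the stack.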

Related

Analyzing this Procdump .dmp file - from Apache httpd.exe

Recently my server's Apache httpd.exe has been crashing like crazy (posted to the Server Fault thread here https://serverfault.com/questions/998227/windows-server-2008-r2-apache-2-4-constant-crashing-with-faulting-module-nam).
I tried all the solutions I found on the web but it still happens. Finally, I used Procdump to monitor the httpd.exe process and got this dump file when it crashed. But how to analyze the result is beyond my knowledge. I need help on this.
Opening the .dmp file using WinDbg:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Zenn\Desktop\httpd.exe_200111_125801.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Comment: '
*** procdump64 -t -e 7052
*** Unhandled exception: C0000005.ACCESS_VIOLATION'
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Machine Name:
Debug session time: Sat Jan 11 12:58:01.000 2020 (UTC + 8:00)
System Uptime: not available
Process Uptime: 0 days 0:50:59.000
................................................................
................................................
Loading unloaded module list
............................................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1b8c.10a0): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!RtlAnsiStringToUnicodeString+0x12c:
00000000`777cf23c 488b7b08 mov rdi,qword ptr [rbx+8] ds:000005d2`ac238618=????????????????
After running !analyze -v:
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
ntdll!RtlAnsiStringToUnicodeString+12c
00000000`777cf23c 488b7b08 mov rdi,qword ptr [rbx+8]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000777cf23c (ntdll!RtlAnsiStringToUnicodeString+0x000000000000012c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000005d2ac238618
Attempt to read from address 000005d2ac238618
PROCESS_NAME: httpd.exe
FAULTING_MODULE: 0000000077780000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000005d2ac238618
READ_ADDRESS: 000005d2ac238618
FOLLOWUP_IP:
ntdll!RtlAnsiStringToUnicodeString+12c
00000000`777cf23c 488b7b08 mov rdi,qword ptr [rbx+8]
MOD_LIST: <ANALYSIS/>
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Enable Pageheap/AutoVerifer
FAULTING_THREAD: 00000000000010a0
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER: from 00000000773d1a0a to 00000000777cf23c
STACK_TEXT:
00000000`5904eb20 00000000`773d1a0a : 00000003`67cb5f10 00000001`0e2bc328 00000000`01fd89e0 00000003`42541b01 : ntdll!RtlAnsiStringToUnicodeString+0x12c
00000000`5904eba0 000007fe`ee296338 : 00000003`4b1038f0 00000000`00000002 00000003`00000000 00000000`00000002 : kernel32!HeapFree+0xa
00000000`5904ebd0 00000003`4b1038f0 : 00000000`00000002 00000003`00000000 00000000`00000002 00000003`4281e670 : msvcr110+0x66338
00000000`5904ebd8 00000000`00000002 : 00000003`00000000 00000000`00000002 00000003`4281e670 000007fe`daf5ea98 : 0x3`4b1038f0
00000000`5904ebe0 00000003`00000000 : 00000000`00000002 00000003`4281e670 000007fe`daf5ea98 00000003`3bb260c0 : 0x2
00000000`5904ebe8 00000000`00000002 : 00000003`4281e670 000007fe`daf5ea98 00000003`3bb260c0 00000001`0e2a8d50 : 0x3`00000000
00000000`5904ebf0 00000003`4281e670 : 000007fe`daf5ea98 00000003`3bb260c0 00000001`0e2a8d50 00000001`0e2bc328 : 0x2
00000000`5904ebf8 000007fe`daf5ea98 : 00000003`3bb260c0 00000001`0e2a8d50 00000001`0e2bc328 000007fe`db4d1370 : 0x3`4281e670
00000000`5904ec00 00000003`3bb260c0 : 00000001`0e2a8d50 00000001`0e2bc328 000007fe`db4d1370 00000001`0e2fe6b8 : php5ts+0xbea98
00000000`5904ec08 00000001`0e2a8d50 : 00000001`0e2bc328 000007fe`db4d1370 00000001`0e2fe6b8 000007fe`daf3e4cc : 0x3`3bb260c0
00000000`5904ec10 00000001`0e2bc328 : 000007fe`db4d1370 00000001`0e2fe6b8 000007fe`daf3e4cc 00000000`5e1955d9 : 0x1`0e2a8d50
00000000`5904ec18 000007fe`db4d1370 : 00000001`0e2fe6b8 000007fe`daf3e4cc 00000000`5e1955d9 00000000`00000001 : 0x1`0e2bc328
00000000`5904ec20 00000001`0e2fe6b8 : 000007fe`daf3e4cc 00000000`5e1955d9 00000000`00000001 00000000`00000001 : php5ts+0x631370
00000000`5904ec28 000007fe`daf3e4cc : 00000000`5e1955d9 00000000`00000001 00000000`00000001 00000003`4281e670 : 0x1`0e2fe6b8
00000000`5904ec30 00000000`5e1955d9 : 00000000`00000001 00000000`00000001 00000003`4281e670 00000003`3bb260f8 : php5ts+0x9e4cc
00000000`5904ec38 00000000`00000001 : 00000000`00000001 00000003`4281e670 00000003`3bb260f8 000007fe`daf42a71 : 0x5e1955d9
00000000`5904ec40 00000000`00000001 : 00000003`4281e670 00000003`3bb260f8 000007fe`daf42a71 00000001`0e323030 : 0x1
00000000`5904ec48 00000003`4281e670 : 00000003`3bb260f8 000007fe`daf42a71 00000001`0e323030 00000000`00000000 : 0x1
00000000`5904ec50 00000003`3bb260f8 : 000007fe`daf42a71 00000001`0e323030 00000000`00000000 00000003`42541b10 : 0x3`4281e670
00000000`5904ec58 000007fe`daf42a71 : 00000001`0e323030 00000000`00000000 00000003`42541b10 00000000`00000001 : 0x3`3bb260f8
00000000`5904ec60 00000001`0e323030 : 00000000`00000000 00000003`42541b10 00000000`00000001 00000003`42541b10 : php5ts+0xa2a71
00000000`5904ec68 00000000`00000000 : 00000003`42541b10 00000000`00000001 00000003`42541b10 00000000`5904ec90 : 0x1`0e323030
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ~110s; .ecxr ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: X64_APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_FILL_PATTERN_ffffffff_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/httpd_exe/2_4_38_0/5c45ba66/ntdll_dll/6_1_7601_23677/589c99e1/c0000005/0004f23c.htm?Retriage=1
Followup: MachineOwner
---------
EDIT:
I monitored another occasion of crash and this is the outcome after running !analyze -v:
Failed calling InternetOpenUrl, GLE=12029
FAULTING_IP:
ntdll!RtlAnsiStringToUnicodeString+12c
00000000`777cf23c 488b7b08 mov rdi,qword ptr [rbx+8]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000777cf23c (ntdll!RtlAnsiStringToUnicodeString+0x000000000000012c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000072502404c18
Attempt to read from address 0000072502404c18
PROCESS_NAME: httpd.exe
FAULTING_MODULE: 0000000077780000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 5098826e
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000072502404c18
READ_ADDRESS: 0000072502404c18
FOLLOWUP_IP:
msvcr110+66338
000007fe`ee296338 ?? ???
MOD_LIST: <ANALYSIS/>
LAST_CONTROL_TRANSFER: from 00000000773d1a0a to 00000000777cf23c
FAULTING_THREAD: ffffffffffffffff
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD] ; Enable Pageheap/AutoVerifer
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_WRONG_SYMBOLS_FILL_PATTERN_ffffffff
STACK_TEXT:
00000000`00000000 00000000`00000000 msvcr110+0x0
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: msvcr110+66338
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcr110
IMAGE_NAME: msvcr110.dll
STACK_COMMAND: ** Pseudo Context ** ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_msvcr110.dll!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/httpd_exe/2_4_38_0/5c45ba66/ntdll_dll/6_1_7601_23677/589c99e1/c0000005/0004f23c.htm?Retriage=1
Followup: MachineOwner
---------

Windbg Kernel Debugger shows wrong usermode stack for C++ x64 apps compiled in VS2015 and VS2017

I am not able to get the right stack for my own C++ x64 compiled apps. I tried multiple versions of Visual Studio (VS2013, VS2015, VS2017). VS2013 worked fine, stacks were correct in Windbg KD, but VS2015 and VS2017 stacks were incorrect in Windbg KD.
To reproduce this:
[optional] Enable windows debugging and restart PC
bcdedit -debug on
Open Visual Studio.
Create new console app project. Replace main with this:
#include "stdafx.h"
#include <Windows.h>
class CSymbolTest
{
public:
void TestSymbols(const char* param1, unsigned int param2)
{
printf("%s %u\n", param1, param2);
system("PAUSE");
}
};
int main()
{
CSymbolTest o;
o.TestSymbols("Hello world is ", 0);
return 0;
}
Compile x64/debug
Run app
Run Windbg (I have latest 10.0.17134.12) with admin rights
File->Kernel Debug...->Local (local kernel debugging must be enabled - step 1.)
Here are Windbg commands and output of my testing app (SymbolTest.exe)
lkd> !process 0 0 SymbolTest.exe
PROCESS ffffc68d3f536580
SessionId: 1 Cid: 1cc8 Peb: 2371da000 ParentCid: 2ba4
DirBase: 264500000 ObjectTable: ffffa30237269540 HandleCount: 43.
Image: SymbolTest.exe
lkd> .process /P ffffc68d3f536580
Implicit process is now ffffc68d`3f536580
lkd> .reload /user
Loading User Symbols
.......
lkd> !process ffffc68d3f536580 7
PROCESS ffffc68d3f536580
SessionId: 1 Cid: 1cc8 Peb: 2371da000 ParentCid: 2ba4
DirBase: 264500000 ObjectTable: ffffa30237269540 HandleCount: 43.
Image: SymbolTest.exe
VadRoot ffffc68d3dbc3890 Vads 22 Clone 0 Private 118. Modified 2. Locked 0.
DeviceMap ffffa3022c2669b0
Token ffffa3023bbdc060
ElapsedTime 00:00:51.609
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 24064
QuotaPoolUsage[NonPagedPool] 3256
Working Set Sizes (now,min,max) (712, 50, 345) (2848KB, 200KB, 1380KB)
PeakWorkingSetSize 690
VirtualSize 4141 Mb
PeakVirtualSize 4148 Mb
PageFaultCount 777
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 147
Job ffffc68d3eb26600
THREAD ffffc68d3f161080 Cid 1cc8.23e0 Teb: 00000002371db000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
ffffc68d3c3cb580 ProcessObject
Not impersonating
DeviceMap ffffa3022c2669b0
Owning Process ffffc68d3f536580 Image: SymbolTest.exe
Attached Process N/A Image: N/A
Wait Start TickCount 493631 Ticks: 3333 (0:00:00:52.078)
Context Switch Count 56 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
*** WARNING: Unable to verify checksum for c:\users\petr.pospisil\documents\visual studio 2015\Projects\SymbolTest\x64\Debug\SymbolTest.exe
Win32 Start Address SymbolTest!ILT+260(mainCRTStartup) (0x00007ff737361109)
Stack Init fffff60366c81c90 Current fffff60366c816c0
Base fffff60366c82000 Limit fffff60366c7c000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
GetContextState failed, 0x80004001
Unable to get current machine context, HRESULT 0x80004001
Child-SP RetAddr : Args to Child : Call Site
fffff603`66c81700 fffff802`2e2fbd76 : fffff603`00000000 ffffc68d`3f161080 fffff603`66c818d0 fffff603`00000000 : nt!KiSwapContext+0x76
fffff603`66c81840 fffff802`2e2fb56b : ffffc68d`3ddfd0f0 00000000`00000000 00000000`00000000 fffff802`2e77194d : nt!KiSwapThread+0x2c6
fffff603`66c81910 fffff802`2e2fac8f : 00000000`000000b4 fffff802`00000000 00007ffe`71eb8800 ffffc68d`3f1611c0 : nt!KiCommitThreadWait+0x13b
fffff603`66c819b0 fffff802`2e7887bc : ffffc68d`3c3cb580 fffff802`00000006 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x1ff
fffff603`66c81a90 fffff802`2e455223 : ffffc68d`3f161080 00000000`00000000 00000000`00000000 ffffc68d`3c3cb580 : nt!NtWaitForSingleObject+0xfc
fffff603`66c81b00 00007ffe`74d8a014 : 00007ffe`71e8e0e2 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame # fffff603`66c81b00)
00000002`372ff918 00007ffe`71e8e0e2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000002`372ffa50 : ntdll!NtWaitForSingleObject+0x14
00000002`372ff920 00007ffe`35edf728 : 00000000`000000ac 00000002`372ffa30 00000002`00000000 00000000`000000a4 : KERNELBASE!WaitForSingleObjectEx+0xa2
00000002`372ff9c0 00007ffe`35edef6b : 00000132`4df81d20 00000002`372ffa10 00000002`372ffb98 00000000`00000000 : ucrtbased!execute_command<char>+0x264 [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp # 247]
00000002`372ffb00 00007ffe`35ee0969 : 00000000`00000000 00000132`4df81d20 00000000`00000000 00000000`00000000 : ucrtbased!common_spawnv<char>+0x233 [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp # 328]
(Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : ucrtbased!_spawnve+0x14 (Inline Function # 00007ffe`35ee0969) [minkernel\crts\ucrt\src\desktopcrt\exec\spawnv.cpp # 405]
(Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : ucrtbased!__crt_char_traits<char>::tspawnve+0x14 (Inline Function # 00007ffe`35ee0969) [minkernel\crts\ucrt\inc\corecrt_internal_traits.h # 106]
00000002`372ffb60 00007ff7`3736175b : 00007ff7`37369ca4 00000000`00000000 00000000`00000000 00000002`372ffcb8 : ucrtbased!common_system<char>+0x101 [minkernel\crts\ucrt\src\desktopcrt\exec\system.cpp # 58]
00000002`372ffbd0 00007ff7`37369ca4 : 00000000`00000000 00000000`00000000 00000002`372ffcb8 cccccccc`cccccccc : SymbolTest!CSymbolTest::TestSymbols+0x5b [c:\users\petr.pospisil\documents\visual studio 2015\projects\symboltest\symboltest\symboltest.cpp # 14]
00000002`372ffbd8 00000000`00000000 : 00000000`00000000 00000002`372ffcb8 cccccccc`cccccccc cccccccc`cccccccc : SymbolTest!`string'
As you can see, the stack ends with SymbolTest!`string', which is wrong because windbg did not take the SymbolTest!CSymbolTest::TestSymbols function's param count into account to get the next right stack function.
I tried almost every configuration in the C++ compiler and linker in VS2015 to find a workaround for this. There must be something, because VS2013 pdb symbols work fine for me.
Any idea what compiler/VS option to use to fix or work around this?
Thanks in advance.

Windows 7 Remote Desktop stopped crash

I have a problem with the Remote Desktop connection on Windows 7 Professional 64-bit (6.1 version 7601).
When I type the password of the server and click on the connect button, it crashes.
I know that if the printers checkbox is checked, it causes this type of problem, but I disabled all local resources.
Here are the dump files:
https://www.dropbox.com/s/xvthjbldyr1ncl2/LocalDumps.zip?dl=0
Thanks.
The debug symbols are now online and I see in Windbg that the BLEtokenCredentialProvider.dll from CSR Harmony Wireless Software Stack causes your crash:
APPLICATION_VERIFIER_HEAPS_CORRUPTED_HEAP_BLOCK_EXCEPTION_RAISED_FOR_PROBING (c)
Exception raised while verifying the heap block.
This situation happens if we really cannot determine any particular
type of corruption for the block. For instance you will get this if
during a heap free operation you pass an address that points to a
non-accessible memory area.
This can also happen for double free situations if we do not find the
block among full page heap blocks and we probe it as a light page heap block.
Arguments:
Arg1: 0000000025701000, Heap handle used in the call.
Arg2: f0f0f0f0f0f0f0f0, Heap block involved in the operation.
Arg3: 0000000000000000, Size of the heap block.
Arg4: 00000000c0000005, Reserved.
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=000000000d65cee0 rbx=0000000000000001 rcx=000007fffff94000
rdx=000000000000fffd rsi=0000000000000000 rdi=000000000000000c
rip=000007fee9f9a668 rsp=000000001a20d9a0 rbp=0000000000000000
r8=000000001a203000 r9=0000000040010006 r10=0000000000000000
r11=000000001a20c528 r12=0000000000000000 r13=000000000000005d
r14=f0f0f0f0f0f0f0f0 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
verifier!VerifierStopMessage+0x1f0:
000007fe`e9f9a668 cc int 3
Resetting default scope
FAULTING_IP:
verifier!VerifierStopMessage+1f0
000007fe`e9f9a668 cc int 3
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 000007fee9f9a668 (verifier!VerifierStopMessage+0x00000000000001f0)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
DEFAULT_BUCKET_ID: BREAKPOINT_AVRF
PROCESS_NAME: mstsc.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached in the source program.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid.
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 0000000000000000
WATSON_BKT_PROCSTAMP: 524b5b3d
WATSON_BKT_PROCVER: 6.3.9600.16415
BUILD_VERSION_STRING: 6.1.7601.24000 (win7sp1_ldr.171231-1547)
THREAD_ATTRIBUTES:
OS_LOCALE: FRA
PROBLEM_CLASSES:
ID: [0n300]
Type: [#APPLICATION_FAULT_STRING]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Omit
Data: Add
String: [BREAKPOINT]
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
ID: [0n92]
Type: [AVRF]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x2fe0]
TID: [0x1c98]
Frame: [0] : verifier!VerifierStopMessage
BUGCHECK_STR: BREAKPOINT_AVRF
PRIMARY_PROBLEM_CLASS: BREAKPOINT
LAST_CONTROL_TRANSFER: from 000007fee9f994f2 to 000007fee9f9a668
STACK_TEXT:
00000000`1a20d9a0 000007fe`e9f994f2 : 00000000`1a20ea28 000007fe`e9f91988 000007fe`fd649270 000007fe`e9f91610 : verifier!VerifierStopMessage+0x1f0
00000000`1a20da50 000007fe`e9fb5863 : 000007fe`e9fb6604 00000000`1a20e9f0 000007fe`fd470000 00000000`1a20e9f0 : verifier!AVrfpDphReportCorruptedBlock+0x32a
00000000`1a20db10 00000000`76d67398 : 00000000`1a20dc70 00000000`1a20dc40 00000000`00000000 00000000`76d58468 : verifier!_chkstk+0xf3
00000000`1a20db40 00000000`76d7bf9d : 00000000`1a210000 00000000`1a20e9f0 00000000`1a20e9f0 000007fe`e9fde0fc : ntdll!_C_specific_handler+0x8c
00000000`1a20dbb0 00000000`76d504ca : 00000000`1a210000 00000000`01001002 000007fe`00001950 00000000`02991710 : ntdll!RtlpExecuteHandlerForException+0xd
00000000`1a20dbe0 00000000`76d7b63e : 00000000`1a20e7b0 00000000`1a20e2c0 00000000`00000000 00000000`00000000 : ntdll!RtlDispatchException+0x45a
00000000`1a20e2c0 000007fe`e9f96be1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!KiUserExceptionDispatch+0x2e
00000000`1a20e9f0 000007fe`e9f98b87 : 00000000`25701000 f0f0f0f0`f0f0f0f0 00000000`00000000 00000000`00000000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x91
00000000`1a20ea50 00000000`76dd4a14 : 00000000`25700000 00000000`1a20f2e0 00000000`01001002 00000000`00000000 : verifier!AVrfDebugPageHeapSize+0x5b
00000000`1a20ea90 00000000`76d9427f : 00000000`25700000 00000000`00000000 00000000`25700000 f0f0f0f0`f0f0f0f0 : ntdll!RtlDebugSizeHeap+0x34
00000000`1a20eae0 000007fe`e9fb093f : 00000000`00000000 f0f0f0f0`f0f0f0f0 00000000`02a80000 000007fe`d87e9a63 : ntdll! ?? ::FNODOBFM::`string'+0xd26f
00000000`1a20eb30 000007fe`d87eed84 : 00000000`25700000 00000000`00000000 f0f0f0f0`f0f0f0f0 00000000`76c11a00 : verifier!AVrfpHeapFree+0x57
00000000`1a20ebc0 00000000`25700000 : 00000000`00000000 f0f0f0f0`f0f0f0f0 00000000`76c11a00 00000000`00000000 : BLEtokenCredentialProvider+0xed84
00000000`1a20ebc8 00000000`00000000 : f0f0f0f0`f0f0f0f0 00000000`76c11a00 00000000`00000000 000007fe`d87e6b46 : 0x25700000
SYMBOL_NAME: bletokencredentialprovider+ed84
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: BLEtokenCredentialProvider
IMAGE_NAME: BLEtokenCredentialProvider.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4f686c3b
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: X64_BREAKPOINT_AVRF_bletokencredentialprovider+ed84
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: BLEtokenCredentialProvider.dll
BUCKET_ID_IMAGE_STR: BLEtokenCredentialProvider.dll
FAILURE_ID_HASH_STRING: um:breakpoint_avrf_80000003_bletokencredentialprovider.dll!unknown
FAILURE_ID_HASH: {2a6d23c0-cb20-73ec-3d92-f208d9f741cc}
Followup: MachineOwner
---------
0:020> lmvm BLEtokenCredentialProvider
Browse full module list
start end module name
000007fe`d87e0000 000007fe`d885d000 BLEtokenCredentialProvider T (no symbols)
Loaded symbol image file: BLEtokenCredentialProvider.dll
Image path: C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BLEtokenCredentialProvider.dll
Image name: BLEtokenCredentialProvider.dll
Browse all global symbols functions data
Timestamp: Tue Mar 20 12:38:35 2012 (4F686C3B)
CheckSum: 000826D1
ImageSize: 0007D000
File version: 2.1.63.0
Product version: 2.1.63.0
Look for an update and, if there is none, remove this tool.

Winsock Kernel's "WskSendTo" function causes "DRIVER_IRQL_NOT_LESS_OR_EQUAL" BSOD on Win7 SP1

I'm developing Windows packet capture software called Npcap. It needs to send on loopback raw IP sockets from the Windows kernel. But WskSocket->Dispatch->WskSendTo always causes a DRIVER_IRQL_NOT_LESS_OR_EQUAL BSOD on Win7 SP1. The strange thing is that my code doesn't trigger this BSoD on other systems like Win8 and Win10. It only happens on Win7. So I even wonder whether this is a bug in Windows itself or only my bug. Thanks!
The steps to reproduce are:
Install Npcap 0.07 r17 with default options
Install Nmap 7.20 Beta 5 (don't install the shipped Npcap)
In CMD, run nmap -v -O -6 localhost to perform a localhost scan (this functionality is provided by Npcap), you will encounter the BSoD in a couple of seconds.
If you want the faulty driver's debug symbols, they can be downloaded here. Refer to \npcap-DebugSymbols\win7\x64\npcap.pdb for x64 systems and \npcap-DebugSymbols\win7\x86\npcap.pdb for x86 systems.
The BSOD analysis from WinDbg (I have the full dump, tell me if needed):
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode)
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Administrator\Desktop\New folder (2)\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode)
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode);SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
Machine Name:
Kernel base = 0xfffff800`02a0a000 PsLoadedModuleList = 0xfffff800`02c4f890
Debug session time: Thu Jun 23 13:50:07.660 2016 (UTC + 8:00)
System Uptime: 0 days 0:31:55.712
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
.....
Loading unloaded module list
..................Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
............................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, 2, 8, 0}
"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
Probably caused by : npcap.sys ( npcap!WSKSendTo_NBL+d4 )
Followup: MachineOwner
---------
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
.....
Loading unloaded module list
..................Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
............................................
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory
Debugging Details:
------------------
"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 07/02/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 2
BUGCHECK_P3: 8
BUGCHECK_P4: 0
READ_ADDRESS: 0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
+0
00000000`00000000 ?? ???
PROCESS_NAME: nmap.exe
CPU_COUNT: 2
CPU_MHZ: a29
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 23'00000000 (cache) 23'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xD1
ANALYSIS_SESSION_HOST: DESKTOP-AKQG651
ANALYSIS_SESSION_TIME: 06-23-2016 13:56:03.0297
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
TRAP_FRAME: fffff88006aa5680 -- (.trap 0xfffff88006aa5680)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa80018ede30 rbx=0000000000000000 rcx=fffffa8001a13390
rdx=fffffa800108de20 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=fffff88006aa5818 rbp=fffff88008565d06
r8=fffff880017684e8 r9=fffff8800164f030 r10=0000000000000000
r11=fffff88006aa5480 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
00000000`00000000 ?? ???
Resetting default scope
IP_IN_FREE_BLOCK: 0
LAST_CONTROL_TRANSFER: from fffff80002a7bfe9 to fffff80002a7ca40
FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ?? ???
STACK_TEXT:
fffff880`06aa5818 fffff880`0173d917 : fffffa80`0108df50 fffffa80`0108df50 00000000`00000018 00000000`00000018 : 0x0
fffff880`06aa5820 fffff880`0173fe02 : fffffa80`026cc080 fffffa80`01d89080 00000000`00000087 00000000`00000000 : tcpip!Ipv6pHandleNeighborSolicitation+0x257
fffff880`06aa58e0 fffff880`0165bf9e : 00000000`00000000 00000000`00000000 fffff880`01769800 fffffa80`026cc1c0 : tcpip!Icmpv6ReceiveDatagrams+0x342
fffff880`06aa5980 fffff880`0165baaa : 00000000`00000000 fffff880`01769800 fffff880`06aa5b30 00000000`00000001 : tcpip!IppDeliverListToProtocol+0xfe
fffff880`06aa5a40 fffff880`0165b0a9 : 00000000`00000003 fffffa80`026cc100 fffff880`06aa5a03 fffff880`06aa5b30 : tcpip!IppProcessDeliverList+0x5a
fffff880`06aa5ae0 fffff880`0163e28f : fffff880`01769800 00000000`00000000 00000000`00000000 fffff880`06aa5c78 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`06aa5bc0 fffff800`02a893d8 : fffff880`01769800 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppLoopbackTransmit+0x38f
fffff880`06aa5c70 fffff880`0163e92f : fffff880`016916fc fffffa80`01a0f490 fffff880`06aa5e02 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`06aa5d50 fffff880`0165d4ca : fffffa80`026cc1c0 00000000`00000000 fffffa80`01a0f400 fffffa80`0195e820 : tcpip!IppLoopbackEnqueue+0x22f
fffff880`06aa5e00 fffff880`0165ebf5 : 00000000`00000000 fffffa80`036f4900 fffffa80`019ae400 00000000`000000fa : tcpip!IppDispatchSendPacketHelper+0x38a
fffff880`06aa5ec0 fffff880`0165de7e : fffffa80`019ae4fa fffff880`06aa6200 00000000`00000028 fffffa80`00000000 : tcpip!IppPacketizeDatagrams+0x2d5
fffff880`06aa5fe0 fffff880`0166079e : 00000000`00000000 fffffa80`019b4204 fffff880`01623790 fffffa80`0195e820 : tcpip!IppSendDatagramsCommon+0x87e
fffff880`06aa6180 fffff880`01624248 : fffffa80`019b42f0 fffff880`06aa6700 00000000`00000000 00000000`000007ff : tcpip!IpNlpSendDatagrams+0x3e
fffff880`06aa61c0 fffff880`0162462d : 00000000`00000103 fffff880`01730470 fffffa80`0279c0e0 fffff880`00000001 : tcpip!RawSendMessagesOnPathCreation+0x238
fffff880`06aa63f0 fffff880`03afe69e : fffffa80`00ebc8a0 00000000`00000001 fffffa80`031ea580 fffff880`05a0a7e8 : tcpip!RawSendMessages+0x2bd
fffff880`06aa66e0 fffff880`05a01fb0 : fffffa80`02c77d48 00000025`02a80f78 fffff880`05a0a7e8 00000000`00000000 : afd!WskProIRPSendTo+0x11e
fffff880`06aa6790 fffff880`05a01bdb : 00000000`c0000001 fffffa80`033d8350 fffffa80`03cede20 fffffa80`03cede20 : npcap!WSKSendTo_NBL+0xd4 [j:\npcap\packetwin7\npf\npf\lo_send.c # 858]
fffff880`06aa6820 fffff880`05a06a0c : fffffa80`03cede20 fffffa80`033d8420 00000000`00000001 fffffa80`03e49318 : npcap!NPF_WSKSendPacket_NBL+0x93 [j:\npcap\packetwin7\npf\npf\lo_send.c # 366]
fffff880`06aa6860 fffff880`05a06e4b : 00000000`00000000 fffffa80`033d8350 fffffa80`03e40000 00000000`00000000 : npcap!NPF_LoopbackSendNetBufferLists+0x18 [j:\npcap\packetwin7\npf\npf\write.c # 1019]
fffff880`06aa6890 fffff800`02d8530b : 00000000`00000001 fffffa80`00000000 fffffa80`033d8420 fffffa80`033d8350 : npcap!NPF_Write+0x243 [j:\npcap\packetwin7\npf\npf\write.c # 328]
fffff880`06aa6900 fffff800`02d90b13 : fffffa80`033d8468 00000000`00000000 fffffa80`0269c9b0 fffffa80`033d8468 : nt!IopSynchronousServiceTail+0xfb
fffff880`06aa6970 fffff800`02a7bcd3 : 00000000`75192401 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x7e2
fffff880`06aa6a70 00000000`75192e09 : 00000000`751929f5 00000000`778201b4 00000000`74ea0023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
00000000`0010e4f8 00000000`751929f5 : 00000000`778201b4 00000000`74ea0023 00000000`00000246 00000000`0030f8fc : wow64cpu!CpupSyscallStub+0x9
00000000`0010e500 00000000`74ead286 : 00000000`00000000 00000000`75191920 ffffffff`fc630000 00000000`7765e021 : wow64cpu!ReadWriteFileFault+0x31
00000000`0010e5c0 00000000`74eac69e : 00000000`00000000 00000000`00000000 00000000`74ea4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0010e610 00000000`77671736 : 00000000`00472e50 00000000`00000000 00000000`7775d670 00000000`77730920 : wow64!Wow64LdrpInitialize+0x42a
00000000`0010eb60 00000000`776cca90 : 00000000`00000000 00000000`77670e41 00000000`0010f110 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0010f050 00000000`7765b69e : 00000000`0010f110 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x25cf0
00000000`0010f0c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
STACK_COMMAND: .trap 0xfffff88006aa5680 ; kb
THREAD_SHA1_HASH_MOD_FUNC: dbfd1c8718001d6bf1bf4c8614036f99d76c5b23
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: bb2b8033b6c74e4069a0f00b4027a4e6f51f03e3
THREAD_SHA1_HASH_MOD: b7fd3d0a19cb3a2bbc48aa7b577ad71c3bba8ecf
FOLLOWUP_IP:
npcap!WSKSendTo_NBL+d4 [j:\npcap\packetwin7\npf\npf\lo_send.c # 858]
fffff880`05a01fb0 3d03010000 cmp eax,103h
FAULT_INSTR_CODE: 1033d
FAULTING_SOURCE_LINE: j:\npcap\packetwin7\npf\npf\lo_send.c
FAULTING_SOURCE_FILE: j:\npcap\packetwin7\npf\npf\lo_send.c
FAULTING_SOURCE_LINE_NUMBER: 858
FAULTING_SOURCE_CODE:
854: RemoteAddress,
855: 0,
856: NULL,
857: Irp);
> 858: if (Status == STATUS_PENDING)
859: {
860: KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
861: Status = Irp->IoStatus.Status;
862: }
863:
SYMBOL_STACK_INDEX: 10
SYMBOL_NAME: npcap!WSKSendTo_NBL+d4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npcap
IMAGE_NAME: npcap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5767b816
FAILURE_BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
PRIMARY_PROBLEM_CLASS: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
TARGET_TIME: 2016-06-23T05:50:07.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-03-17 12:02:04
BUILDDATESTAMP_STR: 150316-1654
BUILDLAB_STR: win7sp1_gdr
BUILDOSVER_STR: 6.1.7601.18798.amd64fre.win7sp1_gdr.150316-1654
ANALYSIS_SESSION_ELAPSED_TIME: 124e
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xd1_code_av_null_ip_npcap!wsksendto_nbl+d4
FAILURE_ID_HASH: {4a65a334-abd9-00b8-4b67-6fff67ae90f0}
Followup: MachineOwner
---------
The faulty code line is here:
https://github.com/nmap/npcap/blob/4325bdac9e8434186dca295f3b2ae893047b818f/packetWin7/npf/npf/Lo_send.c#L850-L857
The raw socket is created in the NPF_WSKInitSockets function.
From the stack view, you send an ICMPv6 datagram to in6LoopbackAddr, and everything here is correct, no mistakes. Because it goes to in6LoopbackAddr, tcpip.sys just calls Icmpv6ReceiveDatagrams. In the function Icmpv6ReceiveDatagrams there is a switch on how the packet is processed, based on 1 byte from the packet:
switch (cl) // cl = the ICMPv6 Type byte of the received message
{
case 0x80: Icmpv6pHandleEchoRequest();break;
case 0x81: Icmpv6pHandleEchoReplyAndError();break;
case 0x82: Ipv6pHandleMldQuery();break;
case 0x83: Ipv6pHandleMldReport();break;
case 0x85: Ipv6pHandleRouterSolication();break;
case 0x86: Ipv6pHandleRouterAdvertisement();break;
case 0x87: Ipv6pHandleNeighborSolicitation();break;
case 0x89: Ipv6pHandleRedirect();break;
}
Our case is 0x87: Ipv6pHandleNeighborSolicitation(x, y). And in Ipv6pHandleNeighborSolicitation it crashes at the next line:
call qword ptr [r8+50h] // 0 at r8+50h
So tcpip tries to call some callback, but it is zero. I looked at the memory r8 points to; it is a table of callbacks. All functions are from tcpip.sys (so these are not your WSK callbacks):
08 FllQueryInterface
10 WfpInbuiltCalloutNotifyNull
18 FlQuerySubInterface
20 WfpInbuiltCalloutNotifyNull
28 IppCleanupNlp
30 FllMapAddress
38 FllSendPackets
40 FllFastSendPackets
48 FllCancelSendPackets
50 0 - and this 0 is what gets called!
This is on Win7. But if you look at the same place on Win8.1 and Win10, no callback is called there any more; this code was removed. So I guess this is more likely a Win7 bug than yours: no memory corruption, wrong calls or uninitialized structs, just the same zero callback, and I don't think you are the one who must init it. And these callbacks do not exist on later Windows versions. On the other side, I am not sure whether Ipv6pHandleNeighborSolicitation() is the function that you want to be called on the packet. Maybe the ICMP packet format is wrong?
Of course this is not a full response, but it is something.
The same place on Win8.1: (screenshot)
And on Win10: (screenshot)
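One way to test the answer's last hypothesis (a malformed ICMPv6 packet) is to check the packet before it ever reaches the raw send path. The following is an added example of my own, not Npcap code: it reuses the Win7 dispatch table the answer lists (Type byte to tcpip.sys handler) and applies the Neighbor Solicitation receiver checks from RFC 4861 section 7.1.1 (code 0, hop limit 255, at least 24 bytes, non-multicast target, no zero-length options) plus the ICMPv6 pseudo-header checksum. The packet it builds is constructed sample data; the handler names are the ones quoted in the answer.

```python
"""Pre-send sanity check for an ICMPv6 packet bound for the loopback path.
Added example, not Npcap code. ICMPV6_HANDLERS is the Win7 dispatch table
recovered in the answer; the NS rules are RFC 4861 section 7.1.1.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

IPV6_HDR_LEN = 40
PROTO_ICMPV6 = 58

# ICMPv6 Type byte -> tcpip.sys handler, as listed in the answer (Windows 7).
ICMPV6_HANDLERS = {
    0x80: "Icmpv6pHandleEchoRequest",
    0x81: "Icmpv6pHandleEchoReplyAndError",
    0x82: "Ipv6pHandleMldQuery",
    0x83: "Ipv6pHandleMldReport",
    0x85: "Ipv6pHandleRouterSolication",
    0x86: "Ipv6pHandleRouterAdvertisement",
    0x87: "Ipv6pHandleNeighborSolicitation",
    0x89: "Ipv6pHandleRedirect",
}

def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message
    (the message's own checksum field must already be zero)."""
    pseudo = (src + dst + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([PROTO_ICMPV6]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_neighbor_solicitation(src: str, dst: str, target: str,
                                hop_limit: int = 255) -> bytes:
    """Constructed sample: IPv6 header + ICMPv6 Neighbor Solicitation, no options."""
    s, d, t = (ipaddress.IPv6Address(a).packed for a in (src, dst, target))
    icmp = struct.pack("!BBHI", 0x87, 0, 0, 0) + t  # type, code, csum=0, reserved, target
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(s, d, icmp)) + icmp[4:]
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), PROTO_ICMPV6, hop_limit)
    return ipv6 + s + d + icmp

def _check_neighbor_solicitation(icmp: bytes, code: int, hop_limit: int) -> List[str]:
    out: List[str] = []
    if hop_limit != 255:
        out.append("hop limit is %d, Neighbor Solicitation requires 255" % hop_limit)
    if code != 0:
        out.append("ICMP code is %d, Neighbor Solicitation requires 0" % code)
    if len(icmp) < 24:
        out.append("Neighbor Solicitation shorter than 24 bytes")
        return out
    target = ipaddress.IPv6Address(icmp[8:24])
    if target.is_multicast:
        out.append("target address %s is multicast" % target)
    # Options follow as (type, length in 8-octet units, ...); length 0 is invalid.
    off = 24
    while off < len(icmp):
        if off + 2 > len(icmp):
            out.append("truncated option header")
            break
        if icmp[off + 1] == 0:
            out.append("option with zero length")
            break
        off += icmp[off + 1] * 8
    if off > len(icmp):
        out.append("option extends past end of message")
    return out

def validate_icmpv6(packet: bytes) -> Tuple[Optional[str], List[str]]:
    """Return (handler the Win7 dispatch would pick, list of problems found)."""
    problems: List[str] = []
    if len(packet) < IPV6_HDR_LEN + 4:
        return None, ["packet shorter than IPv6 header + ICMPv6 header"]
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    src, dst = packet[8:24], packet[24:40]
    if vtf >> 28 != 6:
        problems.append("IPv6 version field is not 6")
    if nxt != PROTO_ICMPV6:
        problems.append("next header is %d, not ICMPv6 (58)" % nxt)
    icmp = packet[IPV6_HDR_LEN:]
    if plen != len(icmp):
        problems.append("payload length %d does not match %d bytes present" % (plen, len(icmp)))
    icmp_type, code, csum = struct.unpack("!BBH", icmp[:4])
    handler = ICMPV6_HANDLERS.get(icmp_type)
    if handler is None:
        problems.append("type 0x%02x has no handler in the Win7 dispatch table" % icmp_type)
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        problems.append("ICMPv6 checksum mismatch")
    if icmp_type == 0x87:
        problems += _check_neighbor_solicitation(icmp, code, hlim)
    return handler, problems

if __name__ == "__main__":
    print(validate_icmpv6(build_neighbor_solicitation("::1", "::1", "::1")))
    print(validate_icmpv6(build_neighbor_solicitation("::1", "::1", "::1", hop_limit=64)))
```

A packet that passes with handler Ipv6pHandleNeighborSolicitation and no problems is at least well-formed for the path the stack shows; if the problems list is empty and the bugcheck still reproduces only on Win7, that supports the zero-callback reading rather than a packet-format mistake.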

Windows Driver BugCheck 7E On driver load

This one is stumping me.
My driver works perfectly fine in all of the guest virtual systems (Windows xp/7 both x86 and x64), as well as a few certain hosts.
However, on my PC I'm receiving a 0x7E stop code right as I start up the driver in OSRLoader.
Yes, Testsigning and debug mode are both enabled.
Here is some dump information (warning, huge):
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffff80000003, The exception code that was not handled
Arg2: fffff88000c0af0f, The address that the exception occurred at
Arg3: fffff88002fb1d78, Exception Record Address
Arg4: fffff88002fb15e0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
FAULTING_IP:
CI!CiValidateImageHeader+167
fffff880`00c0af0f cc int 3
EXCEPTION_RECORD: fffff88002fb1d78 -- (.exr 0xfffff88002fb1d78)
ExceptionAddress: fffff88000c0af0f (CI!CiValidateImageHeader+0x0000000000000167)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000
CONTEXT: fffff88002fb15e0 -- (.cxr 0xfffff88002fb15e0)
rax=0000000000000000 rbx=00000000000000ff rcx=1748c3f2dac60000
rdx=0000000000000008 rsi=fffff88002fb2100 rdi=00000000c0000428
rip=fffff88000c0af0f rsp=fffff88002fb1fb0 rbp=0000000000000000
r8=0000000000000001 r9=fffff80002d0bbe0 r10=fffff80002e4a900
r11=fffff88002fb1fa8 r12=0000000000006000 r13=fffff98018700000
r14=fffffa8002621520 r15=0000000000000001
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
CI!CiValidateImageHeader+0x167:
fffff880`00c0af0f cc int 3
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x7E
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_PARAMETER1: 0000000000000000
LAST_CONTROL_TRANSFER: from fffff80002f35b18 to fffff88000c0af0f
STACK_TEXT:
fffff880`02fb1fb0 fffff800`02f35b18 : 00000000`00000006 00000000`000fffff fffffa80`02621520 00000000`00000000 : CI!CiValidateImageHeader+0x167
fffff880`02fb2090 fffff800`02f3591a : 00000000`00000000 00000000`01000000 fffffa80`055e6010 00000000`00000000 : nt!SeValidateImageHeader+0x58
fffff880`02fb20d0 fffff800`0302dea2 : fffffa80`02621520 fffffa80`055e6010 00000000`00000001 00000000`00000006 : nt!MiValidateImageHeader+0x21a
fffff880`02fb21a0 fffff800`02fba3cf : fffff880`02fb2400 00000000`00000000 fffff880`02fb26b8 fffff880`02fb23f8 : nt! ?? ::NNGAKEGL::`string'+0x4e3e3
fffff880`02fb23b0 fffff800`02cce293 : fffffa80`02505b60 fffff880`02fb2658 fffff880`02fb2448 00000000`00000000 : nt!NtCreateSection+0x162
fffff880`02fb2430 fffff800`02cca830 : fffff800`030a7f16 00000000`00000000 fffff800`02fbc607 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
fffff880`02fb2638 fffff800`030a7f16 : 00000000`00000000 fffff800`02fbc607 00000000`00000001 fffffa80`0254c518 : nt!KiServiceLinkage
fffff880`02fb2640 fffff800`030a82dc : ffffffff`80000ea4 fffffa80`00100000 fffffa80`0254c518 00000000`00000000 : nt!MmCheckSystemImage+0x96
fffff880`02fb2770 fffff800`030a84f7 : ffffffff`80000ea4 fffff800`00000001 fffff8a0`0b36c500 00000000`00000000 : nt!MiCreateSectionForDriver+0xcc
fffff880`02fb2820 fffff800`030b3d9a : 00000000`00000000 fffff880`02fb29f8 fffffa80`02505b60 fffff800`02e48e00 : nt!MiObtainSectionForDriver+0xd7
fffff880`02fb2880 fffff800`030b69bd : fffff880`02fb29f8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmLoadSystemImage+0x23a
fffff880`02fb29a0 fffff800`030b7375 : 00000000`00000001 00000000`00000000 00000000`00000000 fffffa80`02829388 : nt!IopLoadDriver+0x44d
fffff880`02fb2c70 fffff800`02cdc1e1 : fffff8a0`00000000 ffffffff`80000e90 fffff800`030b7320 fffffa80`02505b60 : nt!IopLoadUnloadDriver+0x55
fffff880`02fb2cb0 fffff800`02f6e6e6 : b9ce705b`ee973fcb fffffa80`02505b60 00000000`00000080 fffffa80`024ef5f0 : nt!ExpWorkerThread+0x111
fffff880`02fb2d40 fffff800`02cad566 : fffff880`009eb180 fffffa80`02505b60 fffff880`009f5f40 50320c1b`3fdc0847 : nt!PspSystemThreadStartup+0x5a
fffff880`02fb2d80 00000000`00000000 : fffff880`02fb3000 fffff880`02fad000 fffff880`02fb13f0 00000000`00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
CI!CiValidateImageHeader+167
fffff880`00c0af0f cc int 3
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: CI!CiValidateImageHeader+167
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CI
IMAGE_NAME: CI.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5be01d
STACK_COMMAND: .cxr 0xfffff88002fb15e0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_CI!CiValidateImageHeader+167
BUCKET_ID: X64_0x7E_CI!CiValidateImageHeader+167
Followup: MachineOwner
---------
As the little bit at the top states, I have booted with /DEBUG on and it shows nothing more than I already have.
The first log in my code doesn't even get hit:
/*
* DriverEntry
* Driver entry point
*/
NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING path)
{
// Setup vars
UNICODE_STRING devLink, devName;
PDEVICE_OBJECT devObj = NULL;
NTSTATUS ntsReturn;
// Log Entry
LOG("Driver Entry");
// Setup driver unload function
driver->DriverUnload = DrvUnload;
WinDbg shows nothing of the sort in its view.
How do I know what is causing this? The breakpoint causes a BSOD when windbg isn't attached, and (obviously) freezes my computer when it is attached, giving me no real usable data.
It looks like you hit a debug assert in CI.dll. You can just type g from the debugger and continue loading your driver.
That is the default behavior of x64 builds of Windows. If you don't want to see that assertion you have to F8 at boot time and select "Disable Driver Signature Enforcement" which is valid per boot. (You have to do it every time you restart). Or, you can use 32-bit Windows and 32-bit version of your driver for debugging.
Here is more info:
http://msdn.microsoft.com/en-us/library/ff547565(v=vs.85).aspx
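Both dumps on this page are read the same way: the bugcheck name line, Arg1..Arg4, the KEY: value fields and the STACK_TEXT symbols. The following is an added example of my own (not from either poster) that parses those pieces out of "!analyze -v" text and applies the reading the replies give them: a 0xD1 whose Arg4 is 0 is a call through a NULL function pointer, attributed to the frame after the 0x0 frame; a 0x7E with exception 0x80000003 in CI.dll under MmLoadSystemImage is the Code Integrity assertion raised while the image is being mapped, before DriverEntry. The two sample inputs are constructed excerpts modeled on the outputs above, and the set of module names treated as belonging to Windows is an assumption used only to pick out the first third-party frame.

```python
"""Triage helper for WinDbg '!analyze -v' output (added example, not from the posts)."""
import re
from typing import Dict, List, Optional

# Assumption: modules treated as Windows' own; anything else is "third-party".
WINDOWS_MODULES = {"nt", "hal", "ntdll", "tcpip", "afd", "ndis", "wow64",
                   "wow64cpu", "CI", "fltmgr", "win32k"}

# Constructed excerpt modeled on the Npcap 0xD1 dump above.
SAMPLE_D1 = r"""
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory
PROCESS_NAME: nmap.exe
STACK_TEXT:
fffff880`06aa5818 fffff880`0173d917 : fffffa80`0108df50 fffffa80`0108df50 00000000`00000018 00000000`00000018 : 0x0
fffff880`06aa5820 fffff880`0173fe02 : fffffa80`026cc080 fffffa80`01d89080 00000000`00000087 00000000`00000000 : tcpip!Ipv6pHandleNeighborSolicitation+0x257
fffff880`06aa6790 fffff880`05a01bdb : 00000000`c0000001 fffffa80`033d8350 fffffa80`03cede20 fffffa80`03cede20 : npcap!WSKSendTo_NBL+0xd4
STACK_COMMAND: .trap 0xfffff88006aa5680 ; kb
SYMBOL_NAME: npcap!WSKSendTo_NBL+d4
MODULE_NAME: npcap
"""

# Constructed excerpt modeled on the driver-load 0x7E dump above.
SAMPLE_7E = r"""
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
Arguments:
Arg1: ffffffff80000003, The exception code that was not handled
Arg2: fffff88000c0af0f, The address that the exception occurred at
Arg3: fffff88002fb1d78, Exception Record Address
Arg4: fffff88002fb15e0, Context Record Address
PROCESS_NAME: System
STACK_TEXT:
fffff880`02fb1fb0 fffff800`02f35b18 : 00000000`00000006 00000000`000fffff fffffa80`02621520 00000000`00000000 : CI!CiValidateImageHeader+0x167
fffff880`02fb2090 fffff800`02f3591a : 00000000`00000000 00000000`01000000 fffffa80`055e6010 00000000`00000000 : nt!SeValidateImageHeader+0x58
fffff880`02fb2880 fffff800`030b69bd : fffff880`02fb29f8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmLoadSystemImage+0x23a
SYMBOL_NAME: CI!CiValidateImageHeader+167
MODULE_NAME: CI
IMAGE_NAME: CI.dll
"""

def parse_analyze(text: str) -> Dict:
    """Extract bugcheck name/code, Arg1..Arg4, KEY: value fields and stack symbols."""
    info: Dict = {"name": None, "code": None, "args": [], "fields": {}, "frames": []}
    m = re.search(r"^([A-Z_]+)\s+\(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if m:
        info["name"], info["code"] = m.group(1), int(m.group(2), 16)
    for m in re.finditer(r"^Arg[1-4]:\s+([0-9a-fA-F]+)", text, re.M):
        info["args"].append(int(m.group(1), 16))
    for m in re.finditer(r"^([A-Z][A-Z0-9_]+):\s+(\S.*)$", text, re.M):
        info["fields"][m.group(1)] = m.group(2).strip()
    in_stack = False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            parts = line.split(" : ")          # child-sp ret-addr : args : symbol
            if len(parts) == 3:
                info["frames"].append(parts[2].strip())
            else:
                in_stack = False               # first non-frame line ends the block
    return info

def module_of(frame: str) -> Optional[str]:
    m = re.match(r"([A-Za-z0-9_]+)!", frame)
    return m.group(1) if m else None

def triage(info: Dict) -> List[str]:
    """Apply the readings the replies above give to the parsed fields."""
    findings: List[str] = []
    code = (info["code"] or 0) & 0xFFFF        # 1000007e -> 7e (the _M variant)
    args, frames, fields = info["args"], info["frames"], info["fields"]
    if code == 0xD1 and len(args) == 4:
        addr, irql, op, ip = args
        ops = {0: "read", 1: "write", 8: "execute"}
        findings.append("0xD1: %s of %#x at IRQL %d from %#x"
                        % (ops.get(op, "op %d" % op), addr, irql, ip))
        if ip == 0:
            findings.append("faulting instruction address is NULL: a call through a NULL function pointer")
            if len(frames) > 1 and frames[0] == "0x0":
                findings.append("the NULL call was made from %s" % frames[1])
    elif code == 0x7E and args:
        exc = args[0] & 0xFFFFFFFF
        if exc == 0x80000003:
            findings.append("unhandled 0x80000003: hard-coded breakpoint or assertion in %s"
                            % fields.get("SYMBOL_NAME", "?"))
        if fields.get("MODULE_NAME") == "CI":
            findings.append("breakpoint inside CI.dll (Code Integrity): the image signature check tripped")
        if any("MmLoadSystemImage" in f for f in frames):
            findings.append("raised while the kernel was mapping a driver image, before its DriverEntry ran")
    third = [f for f in frames if module_of(f) and module_of(f) not in WINDOWS_MODULES]
    if third:
        findings.append("first non-Windows module on the stack: %s" % third[0])
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_D1, SAMPLE_7E):
        for line in triage(parse_analyze(sample)):
            print(line)
```

The 0xD1 path relies only on Arg4 and the top two STACK_TEXT frames, so it works on the trap-frame stack WinDbg prints even when, as in the first dump, the faulting instruction itself cannot be disassembled; the 0x7E path needs MODULE_NAME, which the bucket already isolates.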

Resources