Winsock Kernel's "WskSendTo" function causes "DRIVER_IRQL_NOT_LESS_OR_EQUAL" BSOD on Win7 SP1
I am developing a Windows packet capture software called Npcap. It needs to send loopback raw IP packets from the Windows kernel through a raw IP socket. But WskSocket->Dispatch->WskSendTo always causes a DRIVER_IRQL_NOT_LESS_OR_EQUAL BSoD on Win7 SP1. Strangely, my code does not trigger this BSoD on other systems such as Win8 and Win10. It only happens on Win7. So I even wonder whether this is a bug in Windows itself or just my own bug? Thanks!
The steps to reproduce are:
- Install Npcap 0.07 r17 with the default options
- Install Nmap 7.20 Beta 5 (do not install the bundled Npcap)
- In CMD, run
nmap -v -O -6 localhost
to perform a localhost scan (this feature is provided by Npcap), and you will get a BSoD within a few seconds.
- If you want the debug symbols of the faulting driver, you can download them here. For x64 systems refer to
\npcap-DebugSymbols\win7\x64\npcap.pdb
, for x86 systems refer to \npcap-DebugSymbols\win7\x86\npcap.pdb
.
WinDbg's BSOD analysis (I have the full dump, let me know if you need it):
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode)
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Administrator\Desktop\New folder (2)\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode)
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: J:\npcap\packetWin7\npf\x64\Win7 Release(WinPcap Mode);SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
Machine Name:
Kernel base = 0xfffff800`02a0a000 PsLoadedModuleList = 0xfffff800`02c4f890
Debug session time: Thu Jun 23 13:50:07.660 2016 (UTC + 8:00)
System Uptime: 0 days 0:31:55.712
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
.....
Loading unloaded module list
..................Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
............................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, 2, 8, 0}
"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
Probably caused by : npcap.sys ( npcap!WSKSendTo_NBL+d4 )
Followup: MachineOwner
---------
************* Symbol Path validation summary **************
Response Time (ms) Location
OK J:\npcap\packetWin7\npf\x64\Win7 Release
Deferred SRV*J:\Symbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
.....
Loading unloaded module list
..................Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
Loading Wow64 Symbols
............................................
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory
Debugging Details:
------------------
"kernel32.dll" was not found in the image list.
Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.
Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 00000000`00000000
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.18798.amd64fre.win7sp1_gdr.150316-1654
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 07/02/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 0
BUGCHECK_P1: 0
BUGCHECK_P2: 2
BUGCHECK_P3: 8
BUGCHECK_P4: 0
READ_ADDRESS: 0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
+0
00000000`00000000 ?? ???
PROCESS_NAME: nmap.exe
CPU_COUNT: 2
CPU_MHZ: a29
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 23'00000000 (cache) 23'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xD1
ANALYSIS_SESSION_HOST: DESKTOP-AKQG651
ANALYSIS_SESSION_TIME: 06-23-2016 13:56:03.0297
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
TRAP_FRAME: fffff88006aa5680 -- (.trap 0xfffff88006aa5680)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa80018ede30 rbx=0000000000000000 rcx=fffffa8001a13390
rdx=fffffa800108de20 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=fffff88006aa5818 rbp=fffff88008565d06
r8=fffff880017684e8 r9=fffff8800164f030 r10=0000000000000000
r11=fffff88006aa5480 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
00000000`00000000 ?? ???
Resetting default scope
IP_IN_FREE_BLOCK: 0
LAST_CONTROL_TRANSFER: from fffff80002a7bfe9 to fffff80002a7ca40
FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ?? ???
STACK_TEXT:
fffff880`06aa5818 fffff880`0173d917 : fffffa80`0108df50 fffffa80`0108df50 00000000`00000018 00000000`00000018 : 0x0
fffff880`06aa5820 fffff880`0173fe02 : fffffa80`026cc080 fffffa80`01d89080 00000000`00000087 00000000`00000000 : tcpip!Ipv6pHandleNeighborSolicitation+0x257
fffff880`06aa58e0 fffff880`0165bf9e : 00000000`00000000 00000000`00000000 fffff880`01769800 fffffa80`026cc1c0 : tcpip!Icmpv6ReceiveDatagrams+0x342
fffff880`06aa5980 fffff880`0165baaa : 00000000`00000000 fffff880`01769800 fffff880`06aa5b30 00000000`00000001 : tcpip!IppDeliverListToProtocol+0xfe
fffff880`06aa5a40 fffff880`0165b0a9 : 00000000`00000003 fffffa80`026cc100 fffff880`06aa5a03 fffff880`06aa5b30 : tcpip!IppProcessDeliverList+0x5a
fffff880`06aa5ae0 fffff880`0163e28f : fffff880`01769800 00000000`00000000 00000000`00000000 fffff880`06aa5c78 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`06aa5bc0 fffff800`02a893d8 : fffff880`01769800 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppLoopbackTransmit+0x38f
fffff880`06aa5c70 fffff880`0163e92f : fffff880`016916fc fffffa80`01a0f490 fffff880`06aa5e02 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`06aa5d50 fffff880`0165d4ca : fffffa80`026cc1c0 00000000`00000000 fffffa80`01a0f400 fffffa80`0195e820 : tcpip!IppLoopbackEnqueue+0x22f
fffff880`06aa5e00 fffff880`0165ebf5 : 00000000`00000000 fffffa80`036f4900 fffffa80`019ae400 00000000`000000fa : tcpip!IppDispatchSendPacketHelper+0x38a
fffff880`06aa5ec0 fffff880`0165de7e : fffffa80`019ae4fa fffff880`06aa6200 00000000`00000028 fffffa80`00000000 : tcpip!IppPacketizeDatagrams+0x2d5
fffff880`06aa5fe0 fffff880`0166079e : 00000000`00000000 fffffa80`019b4204 fffff880`01623790 fffffa80`0195e820 : tcpip!IppSendDatagramsCommon+0x87e
fffff880`06aa6180 fffff880`01624248 : fffffa80`019b42f0 fffff880`06aa6700 00000000`00000000 00000000`000007ff : tcpip!IpNlpSendDatagrams+0x3e
fffff880`06aa61c0 fffff880`0162462d : 00000000`00000103 fffff880`01730470 fffffa80`0279c0e0 fffff880`00000001 : tcpip!RawSendMessagesOnPathCreation+0x238
fffff880`06aa63f0 fffff880`03afe69e : fffffa80`00ebc8a0 00000000`00000001 fffffa80`031ea580 fffff880`05a0a7e8 : tcpip!RawSendMessages+0x2bd
fffff880`06aa66e0 fffff880`05a01fb0 : fffffa80`02c77d48 00000025`02a80f78 fffff880`05a0a7e8 00000000`00000000 : afd!WskProIRPSendTo+0x11e
fffff880`06aa6790 fffff880`05a01bdb : 00000000`c0000001 fffffa80`033d8350 fffffa80`03cede20 fffffa80`03cede20 : npcap!WSKSendTo_NBL+0xd4 [j:\npcap\packetwin7\npf\npf\lo_send.c @ 858]
fffff880`06aa6820 fffff880`05a06a0c : fffffa80`03cede20 fffffa80`033d8420 00000000`00000001 fffffa80`03e49318 : npcap!NPF_WSKSendPacket_NBL+0x93 [j:\npcap\packetwin7\npf\npf\lo_send.c @ 366]
fffff880`06aa6860 fffff880`05a06e4b : 00000000`00000000 fffffa80`033d8350 fffffa80`03e40000 00000000`00000000 : npcap!NPF_LoopbackSendNetBufferLists+0x18 [j:\npcap\packetwin7\npf\npf\write.c @ 1019]
fffff880`06aa6890 fffff800`02d8530b : 00000000`00000001 fffffa80`00000000 fffffa80`033d8420 fffffa80`033d8350 : npcap!NPF_Write+0x243 [j:\npcap\packetwin7\npf\npf\write.c @ 328]
fffff880`06aa6900 fffff800`02d90b13 : fffffa80`033d8468 00000000`00000000 fffffa80`0269c9b0 fffffa80`033d8468 : nt!IopSynchronousServiceTail+0xfb
fffff880`06aa6970 fffff800`02a7bcd3 : 00000000`75192401 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x7e2
fffff880`06aa6a70 00000000`75192e09 : 00000000`751929f5 00000000`778201b4 00000000`74ea0023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
00000000`0010e4f8 00000000`751929f5 : 00000000`778201b4 00000000`74ea0023 00000000`00000246 00000000`0030f8fc : wow64cpu!CpupSyscallStub+0x9
00000000`0010e500 00000000`74ead286 : 00000000`00000000 00000000`75191920 ffffffff`fc630000 00000000`7765e021 : wow64cpu!ReadWriteFileFault+0x31
00000000`0010e5c0 00000000`74eac69e : 00000000`00000000 00000000`00000000 00000000`74ea4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0010e610 00000000`77671736 : 00000000`00472e50 00000000`00000000 00000000`7775d670 00000000`77730920 : wow64!Wow64LdrpInitialize+0x42a
00000000`0010eb60 00000000`776cca90 : 00000000`00000000 00000000`77670e41 00000000`0010f110 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0010f050 00000000`7765b69e : 00000000`0010f110 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x25cf0
00000000`0010f0c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
STACK_COMMAND: .trap 0xfffff88006aa5680 ; kb
THREAD_SHA1_HASH_MOD_FUNC: dbfd1c8718001d6bf1bf4c8614036f99d76c5b23
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: bb2b8033b6c74e4069a0f00b4027a4e6f51f03e3
THREAD_SHA1_HASH_MOD: b7fd3d0a19cb3a2bbc48aa7b577ad71c3bba8ecf
FOLLOWUP_IP:
npcap!WSKSendTo_NBL+d4 [j:\npcap\packetwin7\npf\npf\lo_send.c @ 858]
fffff880`05a01fb0 3d03010000 cmp eax,103h
FAULT_INSTR_CODE: 1033d
FAULTING_SOURCE_LINE: j:\npcap\packetwin7\npf\npf\lo_send.c
FAULTING_SOURCE_FILE: j:\npcap\packetwin7\npf\npf\lo_send.c
FAULTING_SOURCE_LINE_NUMBER: 858
FAULTING_SOURCE_CODE:
854: RemoteAddress,
855: 0,
856: NULL,
857: Irp);
> 858: if (Status == STATUS_PENDING)
859: {
860: KeWaitForSingleObject(&CompletionEvent, Executive, KernelMode, FALSE, NULL);
861: Status = Irp->IoStatus.Status;
862: }
863:
SYMBOL_STACK_INDEX: 10
SYMBOL_NAME: npcap!WSKSendTo_NBL+d4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: npcap
IMAGE_NAME: npcap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5767b816
FAILURE_BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
PRIMARY_PROBLEM_CLASS: X64_0xD1_CODE_AV_NULL_IP_npcap!WSKSendTo_NBL+d4
TARGET_TIME: 2016-06-23T05:50:07.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-03-17 12:02:04
BUILDDATESTAMP_STR: 150316-1654
BUILDLAB_STR: win7sp1_gdr
BUILDOSVER_STR: 6.1.7601.18798.amd64fre.win7sp1_gdr.150316-1654
ANALYSIS_SESSION_ELAPSED_TIME: 124e
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xd1_code_av_null_ip_npcap!wsksendto_nbl+d4
FAILURE_ID_HASH: {4a65a334-abd9-00b8-4b67-6fff67ae90f0}
Followup: MachineOwner
---------
The raw socket is created in the NPF_WSKInitSockets function.
Looking at the stack - you send an Icmpv6 datagram to in6LoopbackAddr - everything here is correct, there is no error. Because for in6LoopbackAddr tcpip.sys simply calls Icmpv6ReceiveDatagrams. In the function Icmpv6ReceiveDatagrams there is a switch on how to handle the packet, based on 1 byte from the packet:
switch (cl)
{
case 0x80: Icmpv6pHandleEchoRequest();break;
case 0x81: Icmpv6pHandleEchoReplyAndError();break;
case 0x82: Ipv6pHandleMldQuery();break;
case 0x83: Ipv6pHandleMldReport();break;
case 0x85: Ipv6pHandleRouterSolication();break;
case 0x86: Ipv6pHandleRouterAdvertisement();break;
case 0x87: Ipv6pHandleNeighborSolicitation();break;
case 0x89: Ipv6pHandleRedirect();break;
}
Our case is (87) - Ipv6pHandleNeighborSolicitation(x,y). And Ipv6pHandleNeighborSolicitation crashes at the next line -
call qword ptr [r8+50h] // 0 at r8+50h
So tcpip tries to call some callback, but it is zero. I looked at which memory r8 points to; there is some callback table here. All functions are from tcpip.sys (so this is not your WSK callback):
08 FllQueryInterface
10 WfpInbuiltCalloutNotifyNull
18 FlQuerySubInterface
20 WfpInbuiltCalloutNotifyNull
28 IppCleanupNlp
30 FllMapAddress
38 FllSendPackets
40 FllFastSendPackets
48 FllCancelSendPackets
50 0 - and this 0 and called !
This is on win7. But if you look at the same place on win8.1 and win10 - there is no call to any callback anymore - this code has been removed. So I think this is a win7 bug rather than yours - no memory corruption, wrong call, or uninitialized structure.. but the same zero callback, and I think it is not you who must initialize it. In later windows versions this callback does not exist. On the other hand - I am not sure that Ipv6pHandleNeighborSolicitation() is the function you want to be called on your packet. Maybe the icmp packet format is wrong?
Of course this is not a complete answer, but it is something.
Somewhere on win8.1
On win10
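The answer's dispatch switch and the callback table explain what the Win7 loopback receive path does with a looped-back ICMPv6 datagram: the first byte after the IPv6 header selects a handler, and for type 0x87 (Neighbor Solicitation) that handler reaches a null function pointer at r8+50h. Whether or not the packet format is at fault, a driver that injects raw IPv6 packets into the loopback path can make that decision before WskSendTo rather than after. The following is an added example, not Npcap's code and not tcpip.sys internals: it walks the fixed IPv6 header of a raw packet, checks the length fields, maps the ICMPv6 type to the tcpip.sys handler named in the answer's switch, and refuses to loop back a Neighbor Solicitation, the one type the dump shows crashing. The handler names are taken from the answer; the verdict enum, the function names and the 24-byte constructed sample packet are this example's own. It is portable C with no WDK dependency, so it runs as-is.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 type byte (first byte after the 40-byte IPv6 header). The values are
 * those in the tcpip!Icmpv6ReceiveDatagrams switch quoted in the answer above. */
#define ICMP6_ECHO_REQUEST 0x80
#define ICMP6_ECHO_REPLY   0x81
#define ICMP6_MLD_QUERY    0x82
#define ICMP6_MLD_REPORT   0x83
#define ICMP6_ROUTER_SOL   0x85
#define ICMP6_ROUTER_ADV   0x86
#define ICMP6_NEIGHBOR_SOL 0x87
#define ICMP6_REDIRECT     0x89

#define IPV6_HDR_LEN     40
#define IPV6_NH_ICMPV6   58
#define SAMPLE_ICMP_BODY 24   /* 4-byte ICMPv6 header + 4 reserved + 16-byte target */

/* Verdict for a raw IPv6 packet about to be handed to the loopback send path. */
typedef enum {
    LO_SEND_OK = 0,         /* not ICMPv6, or a type with no loopback problem shown by the dump */
    LO_SEND_MALFORMED,      /* not IPv6, truncated, or length fields disagree with the buffer */
    LO_SEND_NS_ON_LOOPBACK  /* Neighbor Solicitation: the type the Win7 dump shows crashing */
} lo_send_verdict;

/* Handler tcpip.sys dispatches to for a given type, per the answer's switch
 * (names copied as given there). Returns NULL for types the switch does not list. */
const char *icmpv6_handler_name(uint8_t type)
{
    switch (type) {
    case ICMP6_ECHO_REQUEST: return "Icmpv6pHandleEchoRequest";
    case ICMP6_ECHO_REPLY:   return "Icmpv6pHandleEchoReplyAndError";
    case ICMP6_MLD_QUERY:    return "Ipv6pHandleMldQuery";
    case ICMP6_MLD_REPORT:   return "Ipv6pHandleMldReport";
    case ICMP6_ROUTER_SOL:   return "Ipv6pHandleRouterSolication";
    case ICMP6_ROUTER_ADV:   return "Ipv6pHandleRouterAdvertisement";
    case ICMP6_NEIGHBOR_SOL: return "Ipv6pHandleNeighborSolicitation";
    case ICMP6_REDIRECT:     return "Ipv6pHandleRedirect";
    default:                 return NULL;
    }
}

/* Pre-send check (hypothetical, this example's own). Walks only the fixed IPv6
 * header; a packet whose Next Header is an extension header is passed through
 * unchanged, i.e. treated as "not ICMPv6". On success *type_out receives the type. */
lo_send_verdict classify_loopback_send(const uint8_t *pkt, size_t len, uint8_t *type_out)
{
    if (pkt == NULL || len < IPV6_HDR_LEN) return LO_SEND_MALFORMED;
    if ((pkt[0] >> 4) != 6) return LO_SEND_MALFORMED;               /* version nibble */
    size_t payload_len = ((size_t)pkt[4] << 8) | pkt[5];             /* IPv6 Payload Length */
    if (IPV6_HDR_LEN + payload_len > len) return LO_SEND_MALFORMED;  /* claims more than present */
    if (pkt[6] != IPV6_NH_ICMPV6) return LO_SEND_OK;                 /* Next Header != ICMPv6 */
    if (payload_len < 4) return LO_SEND_MALFORMED;                   /* ICMPv6 header is 4 bytes */
    uint8_t type = pkt[IPV6_HDR_LEN];
    if (type_out) *type_out = type;
    /* Only 0x87 is established by the dump. Widening this to the other NDP
     * types (0x85, 0x86, 0x89) would be a policy choice the page does not show. */
    return type == ICMP6_NEIGHBOR_SOL ? LO_SEND_NS_ON_LOOPBACK : LO_SEND_OK;
}

/* Constructed sample packet: IPv6 ::1 -> ::1, Next Header 58, hop limit 255, then a
 * 24-byte ICMPv6 body whose first byte is `type`. The checksum is left zero because
 * the classifier never verifies it. Returns bytes written, or 0 if `cap` is too small. */
size_t build_sample_icmpv6(uint8_t type, uint8_t *out, size_t cap)
{
    const size_t total = IPV6_HDR_LEN + SAMPLE_ICMP_BODY;
    if (out == NULL || cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x60;                          /* version 6, traffic class 0, flow label 0 */
    out[4] = 0; out[5] = SAMPLE_ICMP_BODY;  /* payload length */
    out[6] = IPV6_NH_ICMPV6;
    out[7] = 255;                           /* hop limit */
    out[23] = 1;                            /* source ::1 */
    out[39] = 1;                            /* destination ::1 */
    out[IPV6_HDR_LEN] = type;               /* ICMPv6 type; code 0 */
    return total;
}

int main(void)
{
    static const uint8_t types[] = { ICMP6_ECHO_REQUEST, ICMP6_ROUTER_SOL, ICMP6_NEIGHBOR_SOL, 0x84 };
    uint8_t buf[IPV6_HDR_LEN + SAMPLE_ICMP_BODY];
    for (size_t i = 0; i < sizeof types; i++) {
        size_t n = build_sample_icmpv6(types[i], buf, sizeof buf);
        uint8_t t = 0;
        lo_send_verdict v = classify_loopback_send(buf, n, &t);
        const char *h = icmpv6_handler_name(t);
        printf("type 0x%02x -> %-32s verdict=%d\n", t, h ? h : "(not in switch)", (int)v);
    }
    return 0;
}
```

The check belongs in the write path, before the packet reaches NPF_WSKSendPacket_NBL / WSKSendTo_NBL in the stack above: a packet that comes back as LO_SEND_MALFORMED or LO_SEND_NS_ON_LOOPBACK is dropped with an error to the caller instead of being handed to tcpip.sys, which on Win7 has no handler behind r8+50h for that type. On Win8.1 and Win10, where the answer reports the callback call is gone, the same check costs nothing and the NS verdict can simply be ignored.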