Nmap Development mailing list archives

RE: NPCAP Blue screen


From: "Luff, Vince" <vince.luff () anite com>
Date: Mon, 29 Feb 2016 11:56:58 +0000

Hi Yang,

Thank you for the bug fix. When will this be in a release?

I am using Windows Virtual PC, 32 bit from Microsoft:  https://www.microsoft.com/en-gb/download/details.aspx?id=3702

We install the Microsoft Loopback Adaptor as follows:

public bool InstallNewMsLoopBackAdpt()
{
    bool retVal = true;
    // File_DevconFile points to Devcon.exe
    // (https://msdn.microsoft.com/en-us/library/windows/hardware/ff544707(v=vs.85).aspx)
    if (!File.Exists(Constants.File_DevconFile))
    {
        DebugLog.WriteLine("ERROR : Installation files not copied properly", true);
        return false;
    }

    // Build the devcon command line: install %WINDIR%\Inf\Netloop.inf with hardware ID *MSLOOP
    string IniFilePath = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
    IniFilePath = Path.Combine(IniFilePath, "Inf\\Netloop.inf");
    string parameter = "install " + IniFilePath + " *MSLOOP";

    // Run devcon and check its console output for the success message
    string resp = ConsoleCmd.run(Constants.File_DevconFile, parameter, 2);
    if (!resp.Contains("Drivers updated successfully"))
    {
        DebugLog.WriteLine("ERROR : Failed to create loop back NIC ", true);
        return false;
    }

    return retVal;
}



Regards,
Vince


From: 食肉大灰兔V5 [mailto:hsluoyz () gmail com]
Sent: 28 February 2016 15:31
To: Luff, Vince
Cc: dev () nmap org; Piekarski, Pawel
Subject: Re: NPCAP Blue screen

Hi Luff,

Using reverse engineering techniques, I'm able to analyze those dump files now.

The 1st dump file is a KERNEL_MODE_EXCEPTION_NOT_HANDLED_M BSoD. It's caused by the NdisFOidRequest call in the
NPF_GetDeviceMTU function of Openclos.c. This is a known issue. I posted a question on Stack Overflow:
http://stackoverflow.com/questions/31869373/get-system-service-exception-bluescreen-when-starting-wireshark-on-win10-vmware
But still no answers. I want to know which virtual machine software you are using. VMware Workstation or VirtualBox,
and its version? What are the exact steps you used to bind a Microsoft Loopback Adapter to your virtual machine? I know
that virtualization software usually creates some adapters for networking. But I didn't know that it can use
a Microsoft Loopback Adapter?

The 2nd and 3rd dump files point to the same issue, which is caused by an illegal memory read bug in the driver. I have
fixed this bug in: https://github.com/nmap/npcap/commit/eafa222e8367024c96c6c17fb7f6db9a25658863.


Cheers,
Yang


On Sun, Feb 28, 2016 at 6:34 PM, 食肉大灰兔V5 <hsluoyz () gmail com> wrote:
Hi Luff,

First thanks for the report!

Unfortunately Npcap has updated to VS2015 Update1, WDK 10 10586 and SDK 10 10586 since version 0.05 R11. Versions prior
to 0.05 R11 need to be built with the legacy WDK 10 10240 and SDK 10 10240, both of which I have already uninstalled (and I
don't have those installers kept). Currently Microsoft only has the link to the latest WDK and SDK (which is 10586). So
it's impossible for me to recompile that version's binaries for now. So without those built debug symbols I can't
analyze the cause of the BSoD. So I wonder whether you would mind reproducing the BSoD in a recent Npcap version? The latest
0.05 R14 is best. But a version no earlier than 0.05 R11 is also OK. Thanks!


Cheers,
Yang

On Tue, Feb 23, 2016 at 5:57 PM, Luff, Vince <vince.luff () anite com> wrote:
Hello,

I am using Npcap on Windows7 32bit SP1, and have seen a blue screen 3 times over the past month. I’ve attached the .dmp 
files:

Date of crash    NPCAP version    DMP file                   Suspected file
29 Jan           0.05 r3          012916-15038-01.dmp        npf.sys
4 Feb            0.05 r3          020416-15428-01.dmp        npf.sys
10 Feb           0.05 r10         curr021016-18252-01.dmp    npcap.sys


When these crashes happened I was tracing two adaptors simultaneously using tshark. One of them was a Microsoft 
Loopback Adapter which is used for a virtual machine.
Since I got the third crash I disabled tracing on the Microsoft Loopback Adapter and have not had a blue screen since.

Please let me know if I should provide more information.

By the way, I work for telecoms company Anite Telecoms in the UK.

Regards,
Vince Luff.



Please refer to www.anite.com<http://www.anite.com/> for individual Anite company details. The contents of this e-mail 
and any attachments are for the intended recipient only. If you are not the intended recipient, you are not authorised 
to and must not disclose, copy, distribute, or retain this message or any part of it. It may contain information which 
is confidential and/or covered by legal professional or other privilege. Contracts cannot be concluded with us nor 
legal service effected by email.

Anite Ltd.
Registered in England No.1798114
Registered Office: Ancells Business Park Fleet Hampshire GU51 2UZ United Kingdom
VAT Registration No. GB 787 418187

Scanned for viruses by Mimecast<http://www.mimecast.co.uk>.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/



