[Winpcap-users] Winpcap in Intanium machine
Renato Araújo Ferreira
marina.peixe at terra.com.br
Thu Oct 8 18:36:34 PDT 2009
OK... I tried to combine the npf.sys, npf.pdb and the source directory for a more complete result:
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffff80000002, The exception code that was not handled
Arg2: e00001626df00834, The address that the exception occurred at
Arg3: e000016276387410, Trap Frame
Arg4: 0000000000000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Page 3fd00 not present in the dump file. Type ".hh dbgerr004" for details
Page 3fd00 not present in the dump file. Type ".hh dbgerr004" for details
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: NPF
FAULTING_MODULE: e000000084000000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4ace37f1
EXCEPTION_CODE: (HRESULT) 0x80000002 (2147483650) - Ran out of memory
FAULTING_IP:
NPF!GetTimeKQPC+794 [c:\users\renato\desktop\winpcap\packetntx\driver\time_calls.h @ 373]
e0000162`6df00834 st4 [r30] = r31
TRAP_FRAME: e000016276387410 -- (.trap 0xe000016276387410)
f6 (ft0) = 000000000001003e 000000000000023e
f7 (ft1) = 0000000000010008 8f8db03a52f34168
f8 (ft2) = 0000000000010024 d5e94d8bdc000000
f9 (ft3) = 000000000001001b bebc1ff800000000
f10 (ft3) = 000000000000fff5 c244f70d0b400000
f11 (ft4) = 000000000000ffe7 ac822513595d0800
f12 (ft5) = 0000000000010029 b2cccc9999999aa6
f13 (ft6) = 000000000001003e 000005966664cccc
f14 (ft7) = 0000000000010013 c9dff80000000000
f15 (ft8) = 000000000001003e 0000000000000001
unat = 0000000000000000 ccv = 0000000000000041
dcr = 0000000000000000 preds = 0000000000004845
rsc = 000000b800000003 rnat = ???????? ????????
bspstore=???????? ????????
bsp = e000016276388700 Real bsp = e0000162763886d0
r1 (gp) = e00001626e10e000 r2 (t0) = e0f0e0f0e0f00202
r3 (t1) = e0f0e0f0e0f00202 r8 (v0) = 000000357a5362f7
r9 (t2) = 0000000000000002 r10 (t3) = e0000162de95e9f0
r11 (t4) = e0000162dee55910 r12 (sp) = e000016276387750
r13 (teb) = 0000000000000000 r14 (t5) = e0000162763877e0
r15 (t6) = e0000162763878e0 r16 (t7) = 0000000000000000
r17 (t8) = e0000162deeddcf0 r18 (t9) = 0000000000000094
r19 (t10) = e0000162de95e9d0 r20 (t11) = e0000162de95ea70
r21 (t12) = 0000000000000006 r22 (t13) = 0000000000000000
r23 (t14) = 0000000080000100 r24 (t15) = 0000000080000100
r25 (t16) = 0000000000000000 r26 (t17) = 0000000000000000
r27 (t18) = 0000000000000002 r28 (t19) = e0000162dd65ff60
r29 (t20) = 0000000017d783ff r30 (t21) = e0000162dd1cb213
r31 (t22) = 000000004ace3f09
r32 = e0000162dd1cb213 r33 = e00001626df106d0
r34 = e00001626df02370 r35 = 00000000000092ab
r36 = e00001626e10e000 r37 = e000016276387768
b0 (brrp) = e00001626df00100
b6 (brt0) = e0000000846c62c0
b7 (brt1) = e0000000840079a0
nats = 0000000000000000
pfs = 0000000000000286
ipsr = 00001210086a6018
isr = 00000a0200000000
ifa = e0000162dd1cb213
iip = e00001626df00830
iipa = e00001626df00830
ifs = 8000000000000286
iim = 0000000000080014
iha = 0000000000009102
fpsr = 8270033f
oldirql = 00000000
previousmode = 00000000
trapframe = 00000000
Trap Type: exception
NPF!GetTimeKQPC+0x794
e0000162`6df00834 st4 [r30] = r31
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from e0000000840aaee0 to e000000084118c20
STACK_TEXT:
e0000162`76385bf0 e0000162`763887e8 e0000000`840aaee0 : 00000000`0000008e e0000162`76386690 e0000000`846b5558 e0000000`846beea0 : nt!LsaDeregisterLogonProcess+0x7b130
e0000162`76386710 e0000162`76388730 e0000000`84006530 : e0000162`76387698 e0000162`76387280 e0000162`76387410 00000000`00000000 : nt!LsaDeregisterLogonProcess+0xd3f0
e0000162`76387270 e0000162`76388708 e0000000`84004160 : e0000162`76387410 00000000`00000000 e0000162`76387410 e0000000`84004160 : nt+0x6530
e0000162`76387410 e0000162`76388700 e0000162`6df00834 : e0000162`76387528 e0000162`76387410 00000000`00000000 e0000162`76387410 : nt+0x4160
e0000162`76387750 e0000162`763886d0 e0000162`6df02370 : e0000162`dd1cb213 e0000162`6df106d0 e0000162`6df02370 00000000`000092ab : NPF!GetTimeKQPC+0x794 [c:\users\renato\desktop\winpcap\packetntx\driver\time_calls.h @ 373]
e0000162`76387790 e0000162`763885a0 e0000162`75179310 : e0000162`dd65e000 e0000162`dea8b8b0 e0000162`dea9440a 00000000`0000000e : NPF!NPF_tap+0x5d0 [c:\users\renato\desktop\winpcap\packetntx\driver\read.c @ 607]
e0000162`763877a0 e0000162`763883a0 e0000162`714cbdd0 : e0000162`dec0ca98 00000000`00000000 00000000`00000001 e0000162`dea8b8d4 : NDIS!NdisGetProcessorInformation+0x677e0
e0000162`763877b0 e0000162`76388260 e0000162`71503e70 : e0000162`deb06000 00000000`00000001 e0000162`deb06054 e0000162`deb0604c : b57xp64+0x15dd0
e0000162`76387e00 e0000162`763881d8 e0000162`714c9320 : e0000162`deb06000 00000000`00000001 00000000`00000000 00000000`00000000 : b57xp64+0x4de70
e0000162`76387e00 e0000162`76388150 e0000162`75158e90 : e0000162`deb06000 e0000162`deb0f654 e0000162`deb0dd48 e0000162`deb0e2cc : b57xp64+0x13320
e0000162`76387e00 e0000162`76388110 e0000000`8400da00 : e0000162`deb021b8 e0000162`deb02148 e0000162`deb02158 e0000162`dec0cb08 : NDIS!NdisGetProcessorInformation+0x47360
e0000162`76387e00 e0000162`76388040 e0000000`84093610 : e0000162`769a0000 00000000`00000000 e0000162`deb02148 00000000`00000000 : nt+0xda00
e0000162`76387e20 e0000162`76388010 00000000`00000000 : 00000000`00000189 00000000`00000000 e0000162`769a1f08 e0000162`769a233b : nt+0x93610
STACK_COMMAND: kb
FOLLOWUP_IP:
NPF!GetTimeKQPC+794 [c:\users\renato\desktop\winpcap\packetntx\driver\time_calls.h @ 373]
e0000162`6df00834 st4 [r30] = r31
FAULTING_SOURCE_CODE:
369: }
370: }
371: else
372: { //it should be only the normal case i.e. TIMESTAMPMODE_SINGLESYNCHRONIZATION
> 373: dst->tv_sec = data->start[0].tv_sec + tmp;
374: dst->tv_usec = data->start[0].tv_usec + (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);
375:
376: if (dst->tv_usec >= 1000000)
377: {
378: dst->tv_sec ++;
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: NPF!GetTimeKQPC+794
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: NPF.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
On Qui 08/10/09 21:29 , "Gianluca Varenni" gianluca.varenni at cacetech.com sent:
> You cannot debug with Visual Studio. You need to use Windbg.
>
>
>
> In windbg you can use the watch window to watch the contents of a variable.
>
> What is the bugcheck code?
>
>
>
> If you have used "analyze -v" after the crash, please post the entire
> output
> of !analyze -v
>
>
>
> GV
>
>
>
>
>
>
>
> ----- Original Message -----
>
> From: " Renato Araújo Ferreira" mar
> ina.peixe at terra.com.br>
> To: users at winpc
> ap.org>
> Sent: Thursday, October 08, 2009 1:54 PM
>
> Subject: Re: [Winpcap-users] Winpcap in Intanium machine
>
>
>
>
>
> > the rigth stack:
>
> >
>
> > NPF!GetTimeKQPC [time_calls.h @ 373]
>
> > NPF!NPF_tap [read.c @ 607]
>
> > NDIS
>
> >
>
> > this line of time_calls.h:
>
> >
>
> > dst->tv_usec = data->start[0].tv_usec +
>
> > (LONG)((PTime.QuadPart%TimeFreq.QuadPart)*1000000/TimeFreq.QuadPart);
> >
>
> > I will look for an way to read the content of variable. Is there any
> known
> > way to run this dump in visual studio and see the content of these
>
> > variables?
>
> >
>
> > Thanks,
>
> >
>
> > Renato A. Ferreira
>
> >
>
> > On Qui 08/10/09 16:56 , Renato Araújo Ferreira mar
> ina.peixe at terra.com.br
> > sent:
>
> >> The smalldump combined with the npf.pdb generated a stack trace like
> >> follow
>
> >> GetTimeKQPC
>
> >> NPF_tap
>
> >> NDIS
>
> >>
>
> >> with a memory exaust error.... I don't remember the correct spelling
> >> because it did not make sense in source code so I didn't care to copy
> the
> >> information...
>
> >> I think that because the pdb file was not the same from the sys file
> >> build,
>
> >> as I compiled too many times before combine them. After I recompiled
> >> again
>
> >> to be sure to use the sys/pdb generate at same build and analyse the
> >> rigth
>
> >> infromation, but is not generating the symbols anymore and I don't
> know
> >> why.
>
> >> Now I'm trying a kernel dump option, that takes a long time to be
>
> >> generated. The small dump is fast and take a few kilobytes. There are
>
> >> only
>
> >> this two options.
>
> >>
>
> >> On Qui 08/10/09 11:28 , "Gianluca Varenni" gianluca.varenni at cacetech.com
> >> sent:>
>
> >> >
>
> >> > ----- Original Message -----
>
> >> >
>
> >> > From: " Renato Araújo Ferreira" mar
>
> >> > ina.pe
>
> >> ixe at terra.co
> m.br>> To: users at winpc
> >> > ap.org>
>
> >> > Sent: Wednesday, October 07, 2009 9:21 PM
>
> >> >
>
> >> > Subject: Re: [Winpcap-users] Winpcap in Intanium machine>
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> > > After send that last message I tried to run windump again without
> any
> >> > > parameter (that make It dump first interface of list) and this
>
> >> machine>
>
> >> > > crashed again, but with another error from another SYS file (I
>
> >> didn't> save
>
> >> > > the information). At this second try the crash dump was disabled
> by
> >> me> due
>
> >> > > to 36GB of ram size (a long time to dump), but I still have the
> first
> >> one>
>
> >> > > that generated the message that in last message.>
>
> >> > >
>
> >> >
>
> >> >
>
> >> >
>
> >> > If you enable just kernel memory dump, the memory dump is much
> smaller
> >> than>
>
> >> > 36GB. On a normal x86/x64 machine freshly booted, it's usually
>
> >> below> 100MB.
>
> >> >
>
> >> >
>
> >> > > I used before the gdb tool to debug core files under solaris, but
> I
> >> never>
>
> >> > > did something like it under windows. I will try to start with
>
> >> debuging>
>
> >> > > tools tomorow. Do you have any tip?
>
> >> >
>
> >> >
>
> >> >
>
> >> > Well, the first thing you do is loading the memory dump and issue
> >> >
>
> >> > "!analyze -v" on the windbg command line.
>
> >> >
>
> >> >
>
> >> >
>
> >> > >
>
> >> >
>
> >> > > But I'm still afraid about DLL's. Why a wrong/problematic DLL
> could
> >> not>
>
> >> > > crash a driver that it need to access?
>
> >> >
>
> >> >
>
> >> >
>
> >> > Because a driver should protect itself against bogus input from
> user
> >> level>
>
> >> > DLLs. A driver should never ever trust any data coming from user
> mode
> >> and>
>
> >> > should always validate it.
>
> >> >
>
> >> > So in the case of some problematic DLL, if the driver receives some
> >> bogus>
>
> >> > data from the DLL, it must just fail the I/O request.>
>
> >> >
>
> >> >
>
> >> > GV
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> > >
>
> >> >
>
> >> > > Thanks,
>
> >> >
>
> >> > >
>
> >> >
>
> >> > > Renato A. Ferreira
>
> >> >
>
> >> > >
>
> >> >
>
> >> > >
>
> >> >
>
> >> > > On Qua 07/10/09 17:43 , "Gianluca Varenni"
>
> >> > > gianluca.varenni at cacetech.com > > sent:
> >> >
>
> >> > >> The crash is due to the driver, not to mismatching DLLs. Now you
> >> will>
>
> >> > >> need
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> windbg and probably a second machine to debug the issue.>
>
> >> > >>
>
> >> >
>
> >> > >> I would start loading the crash dump in windbg and understanding
> >> what>
>
> >> > >> went
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> wrong.
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> GV
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> ----- Original Message -----
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> From: " Renato Araújo Ferreira" mar
>
> >> >
>
> >> > >> ina.pe
>
> >> > ixe at terra.co
>
> >> m.br>> >> To: users at winpc
>
> >> >
>
> >> > >> ap.org>
>
> >> >
>
> >> > >> Sent: Wednesday, October 07, 2009 1:07 PM>
>
> >> > >>
>
> >> >
>
> >> > >> Subject: Re: [Winpcap-users] Winpcap in Intanium machine>
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > I added the reference to IA64 in NPF.RC VERSIONINFO
>
> >> with:>
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > #elif defined(_IA64_)
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > VALUE "FileDescription", "npf.sys (NT5/6 IA64) Kernel
>
> >> Driver"> >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > After I changed the refferences to AMD64 (appear only two
> times
> >> and> >> refers
>
> >> >
>
> >> > >> > to hUserEvent32Bit) from:
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > #ifdef _AMD64_
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > To:
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > #if defined(_AMD64_) || defined(_IA64_)>
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > The compilation was sucessful, the "net start npf" works fine
> >> and> the
>
> >> > >> > interfaces is now appearing in return of "windump -D". But
> when
> >> I> tried
>
> >> > >> to
>
> >> >
>
> >> > >> > open wireshark, the interface list was OK showing all of then,
> but
> >> > >> > before
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > I click at buttom to start capture (i think that was when it
> >> started> to
>
> >> > >>
>
> >> >
>
> >> > >> > count packets) the server went down with this message:>
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > *** STOP: 0x0000008E
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >>
> (0xFFFFFFFF80000002,0xE00001626B738834,0xE000016276387410,0x000000000000000
>
> >> >
>
> >> > >> 0)
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > *** NPF.sys - Address E00001626B738834 base at>
>
> >> > >> > E00001626B730000,
>
> >> > >>
>
> >> >
>
> >> > >> > DateStamp 4acce5bf
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > I'm still trying with the DLL's (wpcap.dll and packet.dll)
> that
> >> I> got
>
> >> > >> > unpacking the installer, but they has the same name and I dont
>
> >> > >> > know
>
> >> if>
>
> >> > >> > I
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > choose the right one between vista, 2000 or amd64.>
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > I will now try to compile these DLL's before try again.>
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > Thanks,
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > Renato A. Ferreira
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> >
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > _______________________________________________>
>
> >> > >>
>
> >> >
>
> >> > >> > Winpcap-users mailing list
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >> > Winpcap-users at winpc
>
> >> >
>
> >> > >> ap.org
>
> >> >
>
> >> > >> > https://www.winpcap.org/mailman/listinfo/winpcap-users>
> >>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >>
>
> >> >
>
> >> > >
>
> >> >
>
> >> > > _______________________________________________>
>
> >> > > Winpcap-users mailing list
>
> >> >
>
> >> > > Winpcap-users at winpc
>
> >> > ap.org
>
> >> > > https://www.winpcap.org/mailman/listinfo/winpcap-users>
> >
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >> >
>
> >>
>
> >> _______________________________________________
>
> >> Winpcap-users mailing list
>
> >> Winpcap-users at winpc
>
> >> ap.orghttps://www.winpcap.org/mailman/listinfo/winpcap-users
> >>
>
> >
>
> > _______________________________________________
>
> > Winpcap-users mailing list
>
> > Winpcap-users at winpc
> ap.org
> > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
>
>
>
>
>
More information about the Winpcap-users
mailing list