WFP callout driver is crashing; I have the stack trace

Not sure what's going on here... I am blocking HTTP packets and re-injecting from the stream layer.

Child-SP RetAddr Call Site

00 fffff800f8902f08 fffff800f6ffb98e nt!DbgBreakPointWithStatus
01 fffff800f8902f10 fffff800f6ffb29f nt!KiBugCheckDebugBreak+0x12
02 fffff800f8902f70 fffff800f6f6c3a4 nt!KeBugCheck2+0x8ab
03 fffff800f8903680 fffff800f6f77de9 nt!KeBugCheckEx+0x104
04 fffff800f89036c0 fffff800f6f7663a nt!KiBugCheckDispatch+0x69
05 fffff800f8903800 fffff801590d3192 nt!KiPageFault+0x23a
06 fffff800f8903990 fffff801590d1e52 tcpip!TcpBeginTcbSend+0x732
07 fffff800f8903c70 fffff801590f44ab tcpip!TcpTcbSend+0x226
08 fffff800f8903fc0 fffff801590c991c tcpip!TcpFlushDelay+0x20a
09 fffff800f8904070 fffff801590c3423 tcpip!TcpPreValidatedReceive+0x3cc
0a fffff800f8904170 fffff801590f6e32 tcpip!IpFlcReceivePreValidatedPackets+0x649
0b fffff800f8904350 fffff800f6ec5fc3 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102
0c fffff800f8904480 fffff801590f7076 nt!KeExpandKernelStackAndCalloutInternal+0xf3
0d fffff800f8904570 fffff80158eaea53 tcpip!FlReceiveNetBufferListChain+0xb6
0e fffff800f89045f0 fffff80158eaee7f ndis!ndisMIndicateNetBufferListsToOpen+0x123
0f fffff800f89046b0 fffff80158eaf6b2 ndis!ndisMTopReceiveNetBufferLists+0x22f
10 fffff800f8904740 fffff80159da11c4 ndis!NdisMIndicateReceiveNetBufferLists+0x732
11 fffff800f8904930 fffff80159da1a9d e1i63x64!RECEIVE::RxIndicateNBLs+0xd4
12 fffff800f8904970 fffff80159d94150 e1i63x64!RECEIVE::RxProcessInterrupts+0x19d
13 fffff800f89049f0 fffff80159d9457e e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0
14 fffff800f8904a60 fffff80159d93b78 e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
15 fffff800f8904ac0 fffff80158eb0e12 e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
16 fffff800f8904b00 fffff800f6e56910 ndis!ndisInterruptDpc+0x1a3
17 fffff800f8904be0 fffff800f6e55c57 nt!KiExecuteAllDpcs+0x1b0
18 fffff800f8904d30 fffff800f6f6f3d5 nt!KiRetireDpcList+0xd7
19 fffff800f8904fb0 fffff800f6f6f1d9 nt!KxRetireDpcList+0x5
1a ffffd000d7570970 fffff800f6f712fa nt!KiDispatchInterruptContinue
1b ffffd000d75709a0 fffff800f6ed6519 nt!KiDpcInterrupt+0xca
1c ffffd000d7570b30 fffff800f6ed5f69 nt!KiSwapThread+0x179
1d ffffd000d7570bd0 fffff800f6ed273d nt!KiCommitThreadWait+0x129
1e ffffd000d7570c50 fffff800f6f18c10 nt!ExpWorkerThread+0x3ad
1f ffffd000d7570d00 fffff800f6f728c6 nt!PspSystemThreadStartup+0x58
20 ffffd000d7570d60 0000000000000000 nt!KiStartSystemThread+0x16

The “!analyze -v” command output would be more helpful, and so would the !pte command on the invalid virtual address that the CPU tried to access.

Also, the crash happened at DPC IRQL, so be sure you are not injecting something allocated from PagedPool and not locked by MmProbeAndLockPages or similar.

hi…

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000003c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff801590d3192, address which referenced memory

Debugging Details:

“KERNELBASE.dll” was not found in the image list.
Debugger will attempt to load “KERNELBASE.dll” at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=,.
Unable to add module at 0000000000000000

BUGCHECK_P1: 3c

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff801590d3192

WRITE_ADDRESS: 000000000000003c

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!TcpBeginTcbSend+732
fffff801590d3192 f0ff403c lock inc dword ptr [rax+3Ch]

CPU_COUNT: 1

CPU_MHZ: 6a0

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: chrome.exe

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

DPC_STACK_BASE: FFFFF800F8904FB0

TRAP_FRAME: 0000000000a0dd0c -- (.trap 0xa0dd0c)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=1a4a5ea100000000 rsp=1a4a23350d82d890 rbp=1a4a23352058bcc9
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=3 vip vif nv up ei ng nz na po cy
819d:0000 ?? ???
Resetting default scope

EXCEPTION_RECORD: 00a0dbf800bb2d28 -- (.exr 0xa0dbf800bb2d28)
Cannot read Exception record @ 00a0dbf800bb2d28

LAST_CONTROL_TRANSFER: from fffff800f6ffb98e to fffff800f6f72e90

STACK_TEXT:
fffff800f8902f08 fffff800f6ffb98e : 0000000000000000 0000000000000000 fffff800f8903070 fffff800f6ef27a4 : nt!DbgBreakPointWithStatus
fffff800f8902f10 fffff800f6ffb29f : 0000000000000003 fffff800f8903070 fffff800f6f7a290 00000000000000d1 : nt!KiBugCheckDebugBreak+0x12
fffff800f8902f70 fffff800f6f6c3a4 : fffff800f8903a48 0000000000000081 0000000000000007 0000000000000000 : nt!KeBugCheck2+0x8ab
fffff800f8903680 fffff800f6f77de9 : 000000000000000a 000000000000003c 0000000000000002 0000000000000001 : nt!KeBugCheckEx+0x104
fffff800f89036c0 fffff800f6f7663a : 0000000000000001 fffff800f8903a48 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
fffff800f8903800 fffff801590d3192 : 00000000fffffffe ffffe0007d738010 fffffd4600000000 fffff80158c05122 : nt!KiPageFault+0x23a
fffff800f8903990 fffff801590d1e52 : ffffe0007ddebbf0 0000000000000000 ffffe0007d096138 0000000000000001 : tcpip!TcpBeginTcbSend+0x732
fffff800f8903c70 fffff801590f44ab : 0000000000000001 0000000000000001 ffffe0007e99eb10 ffffe00081075df0 : tcpip!TcpTcbSend+0x226
fffff800f8903fc0 fffff801590c991c : ffffe0008057262c 000000000000e57e 0000000000000000 0000000000000000 : tcpip!TcpFlushDelay+0x20a
fffff800f8904070 fffff801590c3423 : ffffe0007e0b9d80 0000000000005000 0000000000004cc2 fffff800f6ef4cc2 : tcpip!TcpPreValidatedReceive+0x3cc
fffff800f8904170 fffff801590f6e32 : ffffe0007e7382b0 fffff800f8904600 0000000000000006 fffff8015a8e0006 : tcpip!IpFlcReceivePreValidatedPackets+0x649
fffff800f8904350 fffff800f6ec5fc3 : 0000000000000003 0000000000000000 ffffe0007e0e7e10 fffff800f88ff000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102
fffff800f8904480 fffff801590f7076 : fffff801590f6d30 fffff800f89045a0 0000000000000010 0000000000000801 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
fffff800f8904570 fffff80158eaea53 : 0000000000000000 fffff800f8904651 0000000000000003 fffff801590d4550 : tcpip!FlReceiveNetBufferListChain+0xb6
fffff800f89045f0 fffff80158eaee7f : 0000000000000001 0000000000000000 0000000000000000 0000000000000003 : ndis!ndisMIndicateNetBufferListsToOpen+0x123
fffff800f89046b0 fffff80158eaf6b2 : ffffe0007e9a11a0 0000000000000001 fffff80158ebb540 0000000000000000 : ndis!ndisMTopReceiveNetBufferLists+0x22f
fffff800f8904740 fffff80159da11c4 : ffffe00080373000 fffff80159da1efc ffffe00080373e00 ffffe00081099c20 : ndis!NdisMIndicateReceiveNetBufferLists+0x732
fffff800f8904930 fffff80159da1a9d : 0000000000000001 ffffe00080f39df0 ffffe00080373000 0000000000000003 : e1i63x64!RECEIVE::RxIndicateNBLs+0xd4
fffff800f8904970 fffff80159d94150 : 0000000000000000 ffffe0007dcb1bf0 0000000000000000 ffff000100000000 : e1i63x64!RECEIVE::RxProcessInterrupts+0x19d
fffff800f89049f0 fffff80159d9457e : ffffe0007dcb1bf0 ffffe00080373000 ffff000100000000 ffff000100000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0
fffff800f8904a60 fffff80159d93b78 : fffff800f8904b79 ffff000100000000 0000000000000000 ffffe0007e9a11a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff800f8904ac0 fffff80158eb0e12 : 0000000000000000 fffff801596eed08 ffffe00080ed9402 fffff800f6e56e17 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff800f8904b00 fffff800f6e56910 : 0000000000000000 fffff800f6e1e000 fffff800f70d2480 ffffe0007e080f44 : ndis!ndisInterruptDpc+0x1a3
fffff800f8904be0 fffff800f6e55c57 : 0000000000000000 ffffe0007e43e080 fffff800f711b180 0000000000000000 : nt!KiExecuteAllDpcs+0x1b0
fffff800f8904d30 fffff800f6f6f3d5 : 0000000000000000 fffff800f711b180 fffff800f75fe900 0000000000bb3c74 : nt!KiRetireDpcList+0xd7
fffff800f8904fb0 fffff800f6f6f1d9 : 000002051de0fabc fffff800f6f71431 0000000001000010 0000000000000286 : nt!KxRetireDpcList+0x5
ffffd000d8d52bc0 fffff800f6f71445 : ffffd000d8d52c80 fffff800f6f6db87 0000000000000001 0000000000000001 : nt!KiDispatchInterruptContinue
ffffd000d8d52bf0 fffff800f6f6db87 : 0000000000000001 0000000000000001 0000000000000001 ffffe00081408060 : nt!KiDpcInterruptBypass+0x25
ffffd000d8d52c00 000000006cbc4cc1 : 00a0dbf800bb2d28 00a0dd2800a0dd10 0000000000a0dd0c 6cbc4abc00a0db60 : nt!KiInterruptDispatchLBControl+0x197
0000000000a0d99c 00a0dbf800bb2d28 : 00a0dd2800a0dd10 0000000000a0dd0c 6cbc4abc00a0db60 4c99048800bb3c74 : chrome_child!ChromeMain+0x250fda
0000000000a0d9a4 00a0dd2800a0dd10 : 0000000000a0dd0c 6cbc4abc00a0db60 4c99048800bb3c74 00bb2d2800a0dbf8 : 0x00a0dbf800bb2d28
0000000000a0d9ac 0000000000a0dd0c : 6cbc4abc00a0db60 4c99048800bb3c74 00bb2d2800a0dbf8 00a0d9c86ebbd3cc : 0x00a0dd2800a0dd10
0000000000a0d9b4 6cbc4abc00a0db60 : 4c99048800bb3c74 00bb2d2800a0dbf8 00a0d9c86ebbd3cc 0000000000bb2d28 : 0xa0dd0c
0000000000a0d9bc 4c99048800bb3c74 : 00bb2d2800a0dbf8 00a0d9c86ebbd3cc 0000000000bb2d28 0000000000000000 : 0x6cbc4abc00a0db60
0000000000a0d9c4 00bb2d2800a0dbf8 : 00a0d9c86ebbd3cc 0000000000bb2d28 0000000000000000 6ebbd3f400000000 : 0x4c99048800bb3c74
0000000000a0d9cc 00a0d9c86ebbd3cc : 0000000000bb2d28 0000000000000000 6ebbd3f400000000 00bb2d2800a0d9c8 : 0x00bb2d2800a0dbf8
0000000000a0d9d4 0000000000bb2d28 : 0000000000000000 6ebbd3f400000000 00bb2d2800a0d9c8 0000000000000000 : 0x00a0d9c86ebbd3cc
0000000000a0d9dc 0000000000000000 : 6ebbd3f400000000 00bb2d2800a0d9c8 0000000000000000 0000000000000000 : 0xbb2d28

STACK_COMMAND: kb

FOLLOWUP_IP:
e1i63x64!RECEIVE::RxIndicateNBLs+d4
fffff801`59da11c4 40f6c702 test dil,2

SYMBOL_STACK_INDEX: 11

SYMBOL_NAME: e1i63x64!RECEIVE::RxIndicateNBLs+d4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: e1i63x64

IMAGE_NAME: e1i63x64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 51496739

BUCKET_ID_FUNC_OFFSET: d4

FAILURE_BUCKET_ID: AV_e1i63x64!RECEIVE::RxIndicateNBLs

BUCKET_ID: AV_e1i63x64!RECEIVE::RxIndicateNBLs

PRIMARY_PROBLEM_CLASS: AV_e1i63x64!RECEIVE::RxIndicateNBLs

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_e1i63x64!receive::rxindicatenbls

FAILURE_ID_HASH: {2cf978e1-1c85-263b-b2c7-d8a8f2358ee6}

Followup: MachineOwner
---------

I am trying to see how !pte works; I have never used it.

No need for !pte. The address is 000000000000003c, which is always invalid.

The good news is that both crashes have the same pattern (TcpBeginTcbSend), so it would be easy to isolate the culprit code. The damage happened before KiExecuteAllDpcs was called, probably when a packet was injected. Try to play with re-injection to isolate the code that precedes the crash, e.g. re-inject for a single process only (Chrome, for example), or introduce a global lock to serialize re-injection (only for debugging).
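As an added illustration of the triage step in the reply above (this is not code from anyone in the thread), here is a small Python helper that reads the 0xD1 parameters out of !analyze -v text and checks whether the faulting address is just a field offset from a NULL base register. Applied to the output posted earlier it reproduces the reasoning given: Arg1 is 0x3c, the faulting instruction is `lock inc dword ptr [rax+3Ch]`, so rax was 0 and !pte on the address tells you nothing. The embedded SAMPLE is a constructed, trimmed copy of that output; the function names and the 64 KiB NULL-region threshold are this example's own assumptions.

```python
"""Decode a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) report from !analyze -v text.

Added example for this thread; not code from the original posts. The SAMPLE
below is a constructed, trimmed copy of the !analyze -v output posted above.
"""
import re

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
# 0xD1 parameter 3: 0 = read, 1 = write, 2 = execute, 8 = execute (instruction fetch)
ACCESS_NAMES = {0: "read", 1: "write", 2: "execute", 8: "execute"}
# Assumption used for triage: on x64 Windows the lowest 64 KiB of the address space
# (below MM_LOWEST_USER_ADDRESS) is never mapped, so a fault there is a NULL
# pointer plus a field offset, not a pageable or freed mapping; !pte cannot help.
NULL_REGION_LIMIT = 0x10000

SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 000000000000003c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff801590d3192, address which referenced memory

BUGCHECK_P1: 3c
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff801590d3192

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!TcpBeginTcbSend+732
fffff801590d3192 f0ff403c lock inc dword ptr [rax+3Ch]
"""

# Simple [base+dispH] memory operand as MASM-style disassembly prints it.
# Scaled-index forms such as [rax+rcx*8+10h] are deliberately not handled.
_MEM_OPERAND = re.compile(r"\[(?P<base>[a-z0-9]+)(?:\s*\+\s*(?P<disp>[0-9a-fA-F]+)h?)?\]")


def parse_bugcheck(text):
    """Extract the bugcheck code, its four parameters and the faulting instruction."""
    head = re.search(r"^(?P<name>[A-Z_]+) \((?P<code>[0-9a-fA-F]+)\)[ \t]*$", text, re.M)
    if not head:
        raise ValueError("no bugcheck header found")
    info = {"name": head["name"], "code": int(head["code"], 16)}
    for n in range(1, 5):
        p = re.search(r"^BUGCHECK_P%d: ([0-9a-fA-F]+)" % n, text, re.M)
        if not p:
            raise ValueError("BUGCHECK_P%d missing" % n)
        info["p%d" % n] = int(p.group(1), 16)
    fip = re.search(
        r"^FAULTING_IP:[ \t]*\n(?P<sym>\S+)[ \t]*\n"
        r"(?P<addr>[0-9a-f`]+)\s+(?P<bytes>[0-9a-f]+)\s+(?P<insn>.+?)[ \t]*$",
        text, re.M)
    if not fip:
        raise ValueError("FAULTING_IP block missing")
    info["symbol"] = fip["sym"]
    info["instruction"] = fip["insn"]
    return info


def decode_d1(info):
    """Turn the raw parameters into the facts a reviewer wants to know first."""
    if info["code"] != 0xD1:
        raise ValueError("not a 0xD1 bugcheck: 0x%x" % info["code"])
    addr, irql, access, ip = info["p1"], info["p2"], info["p3"], info["p4"]
    verdict = {
        "fault_address": addr,
        "irql": IRQL_NAMES.get(irql, "IRQL %d" % irql),
        "access": ACCESS_NAMES.get(access, "unknown(%d)" % access),
        "faulting_ip": ip,
        "symbol": info["symbol"],
        "null_deref": addr < NULL_REGION_LIMIT,
        "pte_useful": addr >= NULL_REGION_LIMIT,
        "base_register": None,
        "field_offset": None,
        "base_was_null": False,
    }
    operand = _MEM_OPERAND.search(info["instruction"])
    if operand:
        disp = int(operand["disp"], 16) if operand["disp"] else 0
        verdict["base_register"] = operand["base"]
        verdict["field_offset"] = disp
        # Faulting address == displacement means the base register held 0: the code
        # touched a field of a structure it reached through a NULL pointer.
        verdict["base_was_null"] = addr == disp
    return verdict


def summarize(verdict):
    """One-line triage statement built from the decoded verdict."""
    where = "%s at %s" % (verdict["symbol"], verdict["irql"])
    if verdict["base_was_null"]:
        return ("%s: %s of field +0x%x through a NULL %s; the address is never mapped, "
                "so this is a bad pointer, not a paging problem (skip !pte)"
                % (where, verdict["access"], verdict["field_offset"], verdict["base_register"]))
    if verdict["null_deref"]:
        return "%s: %s of unmapped low address 0x%x (NULL-based pointer)" % (
            where, verdict["access"], verdict["fault_address"])
    return "%s: %s of 0x%x; run !pte on it to see whether it was paged out or freed" % (
        where, verdict["access"], verdict["fault_address"])


if __name__ == "__main__":
    print(summarize(decode_d1(parse_bugcheck(SAMPLE))))
```

Run it on the pasted output and the summary says the write went through a NULL rax to field +0x3c at DISPATCH_LEVEL. The "skip !pte" branch only fires when the address sits in the never-mapped low region; for a kernel address the helper instead points you at !pte, which is where the PagedPool / MmProbeAndLockPages concern raised earlier in the thread would show up as a paged-out or freed mapping.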