Hello, I'm struggling with writing my first NDIS filter driver.
I used the NDIS filter driver sample code and added a few lines to FilterSendNetBufferLists just to check the Ethernet header.
Here is the added code.
```c
struct ethernet_h *eth;
PNET_BUFFER_LIST CurrNbl2;
PNET_BUFFER NetBuffer;      /* first NET_BUFFER of the list */
UCHAR *header;
UCHAR buffer[14];           /* only its size is used: 14-byte Ethernet header */

CurrNbl2 = NetBufferLists;
NetBuffer = NET_BUFFER_LIST_FIRST_NB(CurrNbl2);
/* Moves the data start forward by NetBuffer->DataOffset bytes (second argument is the delta) */
NdisAdvanceNetBufferDataStart(NetBuffer, NetBuffer->DataOffset, FALSE, NULL);
/* Storage is NULL, so this returns NULL if 14 contiguous bytes are not available; the result is used unchecked */
header = NdisGetDataBuffer(NetBuffer, sizeof(buffer), NULL, 1, 0);
eth = (struct ethernet_h *)header;
DEBUGP(DL_TRACE, "\n ====Ethernet headertest : \n MAC src : %04x:%04x:%04x \n", eth->src_mac.byte1, eth->src_mac.byte2, eth->src_mac.byte3);
DEBUGP(DL_TRACE, "MAC dst : %04x:%04x:%04x \n", eth->dst_mac.byte1, eth->dst_mac.byte2, eth->dst_mac.byte3);
```
I deployed and installed the driver on a VM, and as soon as the driver was installed the VM stopped and shut down.
The VM tried to restart, but stopped during boot.
I am really new to driver development, so I don't know what the problem is. I am not good at English, so I am not sure whether I have described my problem properly. I'm sorry.
Finally, here is the debugger output.
```
Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:27:08.901 2020 (UTC + 9:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (1 procs) Free x64
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`6841c000 PsLoadedModuleList = 0xfffff805`69046310
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x000000d1
(0x0000000000000028,0x0000000000000002,0x0000000000000000,0xFFFFF8056A5216B6)
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff805`68817d40 cc int 3
kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:29:23.555 2020 (UTC + 9:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..
Loading User Symbols
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8056a5216b6, address which referenced memory
Debugging Details:
------------------
```
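The following is an added example and is not code from the original post or from the NDIS filter sample. It is a user-mode C model of the NET_BUFFER data window (DataOffset/DataLength) together with the two checks a filter needs before reading the Ethernet header: that the requested bytes are actually available, and that the pointer handed back is not NULL. The NDIS calls are replaced by functions with this example's own names (model_advance_data_start, model_get_data_buffer) that follow the documented semantics: NdisAdvanceNetBufferDataStart moves the data start forward by the delta it is given, and NdisGetDataBuffer returns NULL when Storage is NULL and the requested bytes cannot be returned contiguously. The sample frame, its 32-byte backfill and the struct layout are constructed for the example.

```c
/* Added example (not from the original post): a user-mode model of the
 * NET_BUFFER data window and of the checks a filter needs before reading
 * the Ethernet header.  All names below are this example's own; nothing
 * here is the NDIS API, it only models the documented semantics. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14

struct eth_hdr {
    uint8_t  dst[6];
    uint8_t  src[6];
    uint16_t ethertype;   /* host order after parsing */
};

/* Minimal model of a NET_BUFFER backed by one contiguous MDL.  data_offset and
 * data_length follow the documented meaning: the used data starts data_offset
 * bytes into the MDL and is data_length bytes long. */
struct model_nb {
    const uint8_t *mdl;
    size_t         mdl_len;
    size_t         data_offset;
    size_t         data_length;
};

/* Model of NdisAdvanceNetBufferDataStart: move the data start forward by delta
 * bytes, i.e. consume delta bytes at the front.  Returns -1 if delta exceeds
 * the used data, which is not a legal call against the real API either. */
int model_advance_data_start(struct model_nb *nb, size_t delta)
{
    if (delta > nb->data_length)
        return -1;
    nb->data_offset += delta;
    nb->data_length -= delta;
    return 0;
}

/* Model of NdisGetDataBuffer with Storage == NULL: a pointer to the first
 * `needed` bytes of used data, or NULL if they are not available. */
const uint8_t *model_get_data_buffer(const struct model_nb *nb, size_t needed)
{
    if (nb->data_length < needed || nb->data_offset + needed > nb->mdl_len)
        return NULL;
    return nb->mdl + nb->data_offset;
}

/* Parse the 14-byte Ethernet header at the current data start.
 * Returns 0 on success, -1 if the header is not available: the NULL check
 * that must precede any dereference of the returned pointer. */
int parse_eth_header(const struct model_nb *nb, struct eth_hdr *out)
{
    const uint8_t *p = model_get_data_buffer(nb, ETH_HDR_LEN);
    if (p == NULL)
        return -1;
    memcpy(out->dst, p, 6);
    memcpy(out->src, p + 6, 6);
    out->ethertype = (uint16_t)((p[12] << 8) | p[13]);  /* big-endian on the wire */
    return 0;
}

/* Format a MAC as six two-digit hex bytes: %02x per byte, all six bytes. */
void format_mac(const uint8_t mac[6], char out[18])
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* Constructed sample MDL: 32 bytes of backfill in front of the frame (room NDIS
 * commonly leaves for headers), then a 14-byte Ethernet header and 4 payload bytes. */
static const uint8_t sample_mdl[32 + ETH_HDR_LEN + 4] = {
    [32] = 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* dst MAC */
           0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,   /* src MAC */
           0x08, 0x00,                           /* EtherType IPv4 */
           0x45, 0x00, 0x00, 0x14                /* first bytes of an IP header */
};

/* A NET_BUFFER model whose used data starts at the frame (DataOffset 32). */
struct model_nb sample_nb(void)
{
    struct model_nb nb = { sample_mdl, sizeof sample_mdl, 32, ETH_HDR_LEN + 4 };
    return nb;
}

int main(void)
{
    struct model_nb nb = sample_nb();
    struct eth_hdr eth;
    char src[18], dst[18];

    if (parse_eth_header(&nb, &eth) == 0) {
        format_mac(eth.src, src);
        format_mac(eth.dst, dst);
        printf("src %s dst %s type 0x%04x\n", src, dst, eth.ethertype);
    }

    /* What an advance by DataOffset does: the window moves forward by DataOffset
     * a second time, here 32 bytes past an 18-byte used region, so the model rejects it. */
    if (model_advance_data_start(&nb, nb.data_offset) != 0)
        printf("advance by DataOffset (%zu) exceeds DataLength (%zu)\n",
               nb.data_offset, nb.data_length);
    return 0;
}
```

In this model an advance by DataOffset is a no-op when DataOffset is 0 and otherwise moves the read position DataOffset bytes into the frame, so the bytes read are no longer the header; reading the header needs no advance at all. The MAC is printed with %02x for each of the six bytes rather than %04x over three fields.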