deployed NDIS filter driver to VM, but shutdown occurred

Hello, I’m struggling with writing my first NDIS filter driver.
I used the NDIS filter driver sample code and added some lines of code at FilterSendNetBufferLists just to check the Ethernet header.
Here is the added code.

```c
struct ethernet_h *eth;
PNET_BUFFER_LIST CurrNbl2;
UCHAR *header;
UCHAR buffer[14];

CurrNbl2 = NetBufferLists;
NetBuffer = NET_BUFFER_LIST_FIRST_NB(CurrNbl2);
// Move the data start forward by DataOffset before reading
NdisAdvanceNetBufferDataStart(NetBuffer, NetBuffer->DataOffset, FALSE, NULL);
// Storage argument is NULL; the returned pointer is not checked before use
header = NdisGetDataBuffer(NetBuffer, sizeof(buffer), NULL, 1, 0);
eth = (struct ethernet_h *)header;
DEBUGP(DL_TRACE, "\n ====Ethernet headertest : \n MAC src : %04x:%04x:%04x \n",
       eth->src_mac.byte1, eth->src_mac.byte2, eth->src_mac.byte3);
DEBUGP(DL_TRACE, "MAC dst : %04x:%04x:%04x \n",
       eth->dst_mac.byte1, eth->dst_mac.byte2, eth->dst_mac.byte3);
```

I deployed and installed the driver to the VM, and as soon as the driver was installed, the VM stopped and a shutdown occurred.

The VM tried to restart, but stopped booting.

I am really new to driver development, so I don’t know what the problem is… I am not good at English, so I am not sure whether my problem was explained properly. I’m sorry.

Lastly, here is the debugger text.


Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:27:08.901 2020 (UTC + 9:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (1 procs) Free x64
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`6841c000 PsLoadedModuleList = 0xfffff805`69046310
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x000000d1
                       (0x0000000000000028,0x0000000000000002,0x0000000000000000,0xFFFFF8056A5216B6)

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff805`68817d40 cc              int     3
kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:29:23.555 2020 (UTC + 9:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..
Loading User Symbols

Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30

************* Symbol Loading Error Summary **************
Module name            Error
SharedUserData         No error - symbol load deferred

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8056a5216b6, address which referenced memory

Debugging Details:
------------------


You are trying to write a structure member through a null pointer. You didn’t include enough details to determine where. You need to look through the stack dump to figure out which of your instructions is causing the crash.

Why do you think NdisAdvanceNetBufferDataStart is something you need?


@Tim_Roberts said:
You are trying to write a structure member through a null pointer. You didn’t include enough details to determine where. You need to look through the stack dump to figure out which of your instructions is causing the crash.

Why do you think NdisAdvanceNetBufferDataStart is something you need?

Hi, thanks for your comment. I’m not sure I understood it well.

You are trying to write a structure member through a null pointer.
Do you mean the part ‘(struct ethernet_h *)’? If so, I defined this above the FilterSendNetBufferLists function.

```c
struct ethernet_h {   // Destination MAC address, source MAC address, Ethernet type
    struct mac dst_mac, src_mac;
    USHORT type;
};
```

Why do you think NdisAdvanceNetBufferDataStart is something you need?

I read documents about NBLs, NBs and MDLs. I thought there is an unused data space before the used data space starts (DataOffset is the number of bytes from the start of the buffer described by the NB to where the used data space begins), so I used NdisAdvanceNetBufferDataStart to access the used data space directly so that NdisGetDataBuffer would get the proper data. If I am wrong, please tell me. I don’t know everything strictly since I’m not an expert.

Thanks,

You mean the point "(struct ethernet_h *)"?

No. What I’m saying is that your dump shows that someone tried to write a structure member through a null pointer. You tried to write to the address 0x00000028. We don’t know where that occurred, because you didn’t include the stack trace. That’s what you have to debug.

I thought there is a unused data space before used data space start

NdisAdvanceNetBufferDataStart is only useful if someone has previously done an NdisRetreatNetBufferDataStart.


Hi, thank you very much for your help.

@Tim_Roberts said:
No. What I’m saying is that your dump shows that someone tried to write a structure member through a null pointer. You tried to write to the address 0x00000028. We don’t know where that occurred, because you didn’t include the stack trace. That’s what you have to debug.
Okay, I will try to fix it…
NdisAdvanceNetBufferDataStart is only useful if someone has previously done an NdisRetreatNetBufferDataStart.
Can I take it that I don’t have to use NdisAdvanceNetBufferDataStart? Without that function, I can access the information that I want, am I right? I didn’t know about this. Thanks for letting me know.

I modified the function FilterSendNetBufferLists:
added if (eth != NULL), and removed the header pointer variable and NdisAdvanceNetBufferDataStart.
It worked! I could get the src/dst MAC addresses.
Thank you very much!!!
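The corrected approach from the last post (a storage buffer handed to NdisGetDataBuffer, a NULL check before touching the header, no NdisAdvanceNetBufferDataStart), as an added example that is not code from this thread or from the NDIS sample: real NDIS calls only run inside a kernel driver, so this models the NdisGetDataBuffer contract (direct pointer when the bytes are contiguous, copy into storage otherwise, NULL when no storage was supplied) in user-mode C over constructed fragment data. The struct names, the fragment layout and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-mode stand-ins for the NDIS objects in the thread (not the
 * WDK types): a NET_BUFFER whose data sits in a chain of MDL-like fragments,
 * with data_offset bytes of unused space before the packet starts. */
struct frag { const uint8_t *base; size_t len; };
struct net_buffer { const struct frag *frags; size_t nfrags; size_t data_offset; size_t data_length; };
struct eth_header { uint8_t dst[6]; uint8_t src[6]; uint16_t type; };

/* Models the NdisGetDataBuffer contract: a direct pointer when the first
 * `bytes` of used data are contiguous in one fragment; otherwise a copy into
 * `storage`, or NULL when no storage was supplied (the crashing case). */
const uint8_t *model_get_data_buffer(const struct net_buffer *nb, size_t bytes, uint8_t *storage)
{
    size_t off = nb->data_offset, i = 0, copied = 0;
    if (bytes > nb->data_length) return NULL;            /* asking for more than exists */
    while (i < nb->nfrags && off >= nb->frags[i].len) off -= nb->frags[i++].len;
    if (i < nb->nfrags && nb->frags[i].len - off >= bytes) return nb->frags[i].base + off;
    if (storage == NULL) return NULL;                     /* header spans fragments, nowhere to copy */
    for (; i < nb->nfrags && copied < bytes; i++, off = 0) {
        size_t n = nb->frags[i].len - off;
        if (n > bytes - copied) n = bytes - copied;
        memcpy(storage + copied, nb->frags[i].base + off, n);
        copied += n;
    }
    return copied == bytes ? storage : NULL;
}

/* The corrected read: a 14-byte stack buffer as storage, NULL checked before
 * the header is dereferenced, and no advance of the data start. */
int read_eth_header(const struct net_buffer *nb, struct eth_header *out)
{
    uint8_t storage[14];
    const uint8_t *h = model_get_data_buffer(nb, sizeof storage, storage);
    if (h == NULL) return -1;
    memcpy(out->dst, h, 6);
    memcpy(out->src, h + 6, 6);
    out->type = (uint16_t)((h[12] << 8) | h[13]);       /* EtherType is big-endian */
    return 0;
}

/* Constructed sample: 8 bytes of unused space, then a header split 8/6 across
 * two fragments, then 2 bytes of payload (data_offset 8, data_length 16). */
static const uint8_t sample_frag0[] = { 0xEE,0xEE,0xEE,0xEE,0xEE,0xEE,0xEE,0xEE,
                                        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77 };
static const uint8_t sample_frag1[] = { 0x88,0x99,0xAA,0xBB,0x08,0x00,0x45,0x00 };
static const struct frag sample_frags[2] = { { sample_frag0, 16 }, { sample_frag1, 8 } };
const struct net_buffer sample_nb = { sample_frags, 2, 8, 16 };
```

With this sample the original call shape (storage NULL) yields NULL because the header straddles two fragments, which is exactly the pointer the original code then dereferenced.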