NTDEV

deployed NDIS filter driver to VM, but shutdown occurred

380nanometres Member Posts: 9

Hello, I'm struggling to write my first NDIS filter driver.
I used the NDIS filter driver sample code and added some lines of code to FilterSendNetBufferLists just to check the Ethernet header.
Here is the added code.


```
struct ethernet_h *eth;
PNET_BUFFER_LIST CurrNbl2;
PNET_BUFFER NetBuffer;      /* declaration not shown in the post; NetBuffer is used below */
UCHAR *header;
UCHAR buffer[14];           /* declared for the header size, but never passed as Storage */

CurrNbl2 = NetBufferLists;
NetBuffer = NET_BUFFER_LIST_FIRST_NB(CurrNbl2);
/* Moves the data start forward by NetBuffer->DataOffset bytes */
NdisAdvanceNetBufferDataStart(NetBuffer, NetBuffer->DataOffset, FALSE, NULL);
/* Storage is NULL: NdisGetDataBuffer returns NULL when the 14 bytes are not contiguous */
header = NdisGetDataBuffer(NetBuffer, sizeof(buffer), NULL, 1, 0);
eth = (struct ethernet_h *)header;   /* header is used without a NULL check */
DEBUGP(DL_TRACE, "\n ====Ethernet headertest : \n MAC src : %04x:%04x:%04x \n", eth->src_mac.byte1, eth->src_mac.byte2, eth->src_mac.byte3);
DEBUGP(DL_TRACE, "MAC dst : %04x:%04x:%04x \n", eth->dst_mac.byte1, eth->dst_mac.byte2, eth->dst_mac.byte3);
```

I deployed and installed the driver to a VM, and as soon as the driver was installed, the VM stopped and shut down.

The VM tried to restart, but the boot stopped.

I am really new to driver development, so I don't know what the problem is... I am not good at English, so I am not sure whether I explained my problem properly. I'm sorry.

Lastly, here is the debugger text.


debugger text

```
Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:27:08.901 2020 (UTC + 9:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (1 procs) Free x64
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`6841c000 PsLoadedModuleList = 0xfffff805`69046310
System Uptime: 0 days 0:00:00.000
KDTARGET: Refreshing KD connection
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x000000d1
                       (0x0000000000000028,0x0000000000000002,0x0000000000000000,0xFFFFF8056A5216B6)
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff805`68817d40 cc              int     3
kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Mon Sep 21 13:29:23.555 2020 (UTC + 9:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
..
Loading User Symbols
Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30

************* Symbol Loading Error Summary **************
Module name            Error
SharedUserData         No error - symbol load deferred

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy)
and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8056a5216b6, address which referenced memory

Debugging Details:
------------------
```
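A note added here, not part of the thread: the four numbers after the stop code carry the whole first-pass diagnosis. Arg1 = 0x28 is a small offset from NULL, which is why the first reply below reads it as a structure member accessed through a NULL pointer (on x64, 0x28 is also the offset of the DataOffset field inside NET_BUFFER, which would be consistent with NetBuffer->DataOffset being read through a NULL NetBuffer, but only the stack trace can confirm where the access happened). Arg2 = 2 is DISPATCH_LEVEL, an IRQL at which NDIS may call FilterSendNetBufferLists, which is why a bad pointer there surfaces as a 0xD1 rather than a plain access violation. Arg3 is the read/write flag (0 = read here) and Arg4 is the faulting instruction, which `ln <Arg4>` and `k` on the crashing thread map back to a source line. The helper below is an added user-mode C example, not driver code; SAMPLE_ANALYZE is the poster's argument lines re-wrapped, and the function names (BugcheckArg, TriageStopD1 and the rest) are this example's own.

```c
/* Added example: a user-mode helper that reads the four bugcheck arguments out of
 * the "Arguments:" block of a WinDbg !analyze -v transcript and prints the
 * first-pass reading of a stop 0xD1. The decoding rules are the documented
 * meanings of the 0xD1 parameters (address, IRQL, read/write flag, faulting PC). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The argument lines from the post above, re-wrapped one per line. */
static const char SAMPLE_ANALYZE[] =
    "DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)\n"
    "Arguments:\n"
    "Arg1: 0000000000000028, memory referenced\n"
    "Arg2: 0000000000000002, IRQL\n"
    "Arg3: 0000000000000000, value 0 = read operation, 1 = write operation\n"
    "Arg4: fffff8056a5216b6, address which referenced memory\n";

/* Return bugcheck argument n (1..4) parsed from an "ArgN: <hex>, ..." line, or 0
 * if that line is absent; *found (if non-NULL) tells the two cases apart. */
uint64_t BugcheckArg(const char *text, int n, int *found)
{
    const char *p = text;
    if (found) *found = 0;
    while ((p = strstr(p, "Arg")) != NULL) {
        int k; unsigned long long v;
        /* "Arguments:" also starts with "Arg"; sscanf simply fails to match it */
        if (sscanf(p, "Arg%d: %llx", &k, &v) == 2 && k == n) {
            if (found) *found = 1;
            return (uint64_t)v;
        }
        p += 3;
    }
    return 0;
}

/* Arg2 of a 0xD1 is the IRQL at which the bad access happened. */
const char *IrqlName(uint64_t irql)
{
    switch (irql) {
    case 0:  return "PASSIVE_LEVEL";
    case 1:  return "APC_LEVEL";
    case 2:  return "DISPATCH_LEVEL";
    default: return "above DISPATCH_LEVEL";
    }
}

/* Arg3 of a 0xD1: 0 = read, 1 = write, 8 = execute. */
const char *AccessKind(uint64_t code)
{
    return code == 0 ? "read" : code == 1 ? "write" : code == 8 ? "execute" : "unknown";
}

/* Arg1 is the address touched. Anything below the first page is not a real
 * kernel address: it is a NULL pointer plus the offset of the field that was
 * accessed, which points straight at a missing NULL check. */
const char *ClassifyFaultAddress(uint64_t addr)
{
    if (addr < 0x1000) return "NULL pointer plus a field offset";
    if (addr < 0x0000800000000000ULL) return "user-mode address (pageable; not touchable at DISPATCH_LEVEL)";
    return "kernel address (pageable, freed, or uninitialised pointer)";
}

/* Print the reading for one transcript; returns 0 when all four args were found. */
int TriageStopD1(const char *text)
{
    int f[4]; uint64_t a[4];
    for (int i = 0; i < 4; i++) a[i] = BugcheckArg(text, i + 1, &f[i]);
    if (!(f[0] && f[1] && f[2] && f[3])) return -1;
    printf("%s of %#llx (%s) at %s, faulting code at %#llx\n",
           AccessKind(a[2]), (unsigned long long)a[0], ClassifyFaultAddress(a[0]),
           IrqlName(a[1]), (unsigned long long)a[3]);
    printf("next: 'k' on the crashing thread, then 'ln %#llx' to map Arg4 to a source line\n",
           (unsigned long long)a[3]);
    return 0;
}

int main(void) { return TriageStopD1(SAMPLE_ANALYZE); }
```

Feed it any pasted !analyze -v text; it only reads the four Arg lines, so the rest of the transcript can stay as it is. The classification of Arg1 is a heuristic for where to look first, not a substitute for the stack trace that the replies below ask for.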

Comments

  • Tim_Roberts Member - All Emails Posts: 13,627

    You are trying to write a structure member through a null pointer. You didn't include enough details to determine where. You need to look through the stack dump to figure out which of your instructions is causing the crash.

    Why do you think NdisAdvanceNetBufferDataStart is something you need?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • 380nanometres Member Posts: 9

    @Tim_Roberts said:
    You are trying to write a structure member through a null pointer. You didn't include enough details to determine where. You need to look through the stack dump to figure out which of your instructions is causing the crash.

    Why do you think NdisAdvanceNetBufferDataStart is something you need?

    Hi, thanks for your comment. I'm not sure I understood it well.

    You are trying to write a structure member through a null pointer.

    You mean the point '(struct ethernet_h *)'? If so, I wrote this above the FilterSendNetBufferLists function.

    ```
    struct mac { USHORT byte1, byte2, byte3; };   // not shown in the post; layout assumed from the %04x DEBUGP format

    struct ethernet_h { // Destination MAC address, Source MAC address, EtherType
        struct mac dst_mac, src_mac;
        USHORT type;
    };
    ```

    Why do you think NdisAdvanceNetBufferDataStart is something you need?

    I read documents about NBLs, NBs and MDLs. I thought there was unused data space before the used data space starts (DataOffset is the number of bytes from the start of the buffer described by the NB to where the used data space begins), so I used NdisAdvanceNetBufferDataStart to access the used data space directly, because then NdisGetDataBuffer should get the proper data. If I am wrong, tell me. I don't know everything strictly since I'm not an expert.

    Thanks,

  • Tim_Roberts Member - All Emails Posts: 13,627

    You mean the point "(struct ethernet_h *)"?

    No. What I'm saying is that your dump shows that someone tried to write a structure member through a null pointer. You tried to write to the address 0x00000028. We don't know where that occurred, because you didn't include the stack trace. That's what you have to debug.

    I thought there is a unused data space before used data space start

    NdisAdvanceNetBufferDataStart is only useful if someone has previously done an NdisRetreatNetBufferDataStart.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • 380nanometres Member Posts: 9

    Hi, thank you very much for your help.

    @Tim_Roberts said:
    No. What I'm saying is that your dump shows that someone tried to write a structure member through a null pointer. You tried to write to the address 0x00000028. We don't know where that occurred, because you didn't include the stack trace. That's what you have to debug.

    Okay, I will try to fix it...

    NdisAdvanceNetBufferDataStart is only useful if someone has previously done an NdisRetreatNetBufferDataStart.

    Can I take it that I don't have to use NdisAdvanceNetBufferDataStart? Without that function, I can access the information I want, am I right? I didn't know about this. Thanks for letting me know.

  • 380nanometres Member Posts: 9
    edited September 22

    I modified the function FilterSendNetBufferLists:
    added if (eth != NULL), and removed the header pointer variable and NdisAdvanceNetBufferDataStart.
    It worked! I could get the src/dst MAC addresses.
    Thank you very much!!!
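An added example, not code from the thread or from the NDIS filter sample, that models in user-mode C the contract the thread ends up at: NdisGetDataBuffer hands back a direct pointer only when the requested bytes are contiguous in the current MDL, otherwise it fills the caller's Storage buffer, and with Storage == NULL it returns NULL; NdisAdvanceNetBufferDataStart moves the data start forward and is the inverse of NdisRetreatNetBufferDataStart, so advancing by DataOffset without a prior retreat moves the data start into the frame itself. The ModelMdl and ModelNetBuffer structs, the Model* functions and the frame bytes are this example's own stand-ins, not NDIS types. The scenario functions cover the contiguous case, a header split across two MDLs with and without scratch storage, the advance-first ordering of the original code, and a retreat/advance pair.

```c
/* Added example, not code from the thread or from the NDIS filter sample: a user-mode
 * model of the three NDIS calls discussed in the thread, so the contract that bit the
 * original code can be exercised without a kernel. Structs are simplified stand-ins. */
#include <stdint.h>
#include <string.h>

typedef struct ModelMdl { struct ModelMdl *Next; uint8_t *Base; size_t Length; } ModelMdl;
typedef struct { ModelMdl *CurrentMdl; size_t CurrentMdlOffset; size_t DataLength; } ModelNetBuffer;
typedef struct { uint8_t dst[6]; uint8_t src[6]; uint8_t type[2]; } EthernetHeader; /* 14 bytes */
typedef struct { int ok; unsigned dst0; unsigned ethertype; } ReadResult;

/* Constructed frame: 16 bytes of unused head room (the slack DataOffset describes), then
 * 42 bytes: broadcast dst, src 02:00:5e:00:00:01, EtherType 0x0806, counting payload. */
#define SLACK 16u
#define FRAME_LEN 42u
static uint8_t g_frame[SLACK + FRAME_LEN];

static void InitFrame(void)
{
    static const uint8_t hdr[14] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x5e,0x00,0x00,0x01, 0x08,0x06 };
    memset(g_frame, 0xaa, SLACK);
    memcpy(g_frame + SLACK, hdr, sizeof hdr);
    for (unsigned i = sizeof hdr; i < FRAME_LEN; i++) g_frame[SLACK + i] = (uint8_t)i;
}

/* Model of NdisGetDataBuffer: direct pointer when the bytes are contiguous in the current
 * MDL; otherwise gather them into storage; when storage is NULL, return NULL. */
void *ModelGetDataBuffer(ModelNetBuffer *nb, size_t bytes, void *storage)
{
    if (nb == NULL || nb->CurrentMdl == NULL || bytes > nb->DataLength) return NULL;
    ModelMdl *mdl = nb->CurrentMdl;
    size_t off = nb->CurrentMdlOffset, left = bytes;
    if (mdl->Length - off >= bytes) return mdl->Base + off;
    if (storage == NULL) return NULL;          /* the case the original code did not handle */
    uint8_t *dst = storage;
    while (left > 0 && mdl != NULL) {
        size_t avail = mdl->Length - off, n = avail < left ? avail : left;
        memcpy(dst, mdl->Base + off, n);
        dst += n; left -= n; mdl = mdl->Next; off = 0;
    }
    return left == 0 ? storage : NULL;
}

/* Model of NdisAdvanceNetBufferDataStart: move the data start forward by 'bytes'. */
int ModelAdvanceDataStart(ModelNetBuffer *nb, size_t bytes)
{
    if (bytes > nb->DataLength) return -1;
    nb->DataLength -= bytes;
    while (bytes > 0 && nb->CurrentMdl != NULL) {
        size_t avail = nb->CurrentMdl->Length - nb->CurrentMdlOffset;
        if (bytes < avail) { nb->CurrentMdlOffset += bytes; break; }
        bytes -= avail; nb->CurrentMdl = nb->CurrentMdl->Next; nb->CurrentMdlOffset = 0;
    }
    return 0;
}

/* Model of NdisRetreatNetBufferDataStart: move the data start back into the head room
 * (real NDIS can allocate a new MDL when there is none; the model just fails). */
int ModelRetreatDataStart(ModelNetBuffer *nb, size_t bytes)
{
    if (nb->CurrentMdl == NULL || bytes > nb->CurrentMdlOffset) return -1;
    nb->CurrentMdlOffset -= bytes;
    nb->DataLength += bytes;
    return 0;
}

/* The shape the thread arrived at: ask for exactly the header, pass scratch storage so a
 * split header still works, and check for NULL before touching the result. */
ReadResult ReadEthernetHeader(ModelNetBuffer *nb)
{
    EthernetHeader scratch;
    EthernetHeader *eth = ModelGetDataBuffer(nb, sizeof scratch, &scratch);
    ReadResult r = { 0, 0, 0 };
    if (eth == NULL) return r;                 /* the check the crashing code lacked */
    r.ok = 1; r.dst0 = eth->dst[0];
    r.ethertype = (unsigned)eth->type[0] << 8 | eth->type[1];   /* wire (big-endian) order */
    return r;
}

static void OneMdl(ModelMdl *m, ModelNetBuffer *nb)    /* whole frame in one MDL */
{
    InitFrame();
    m->Next = NULL; m->Base = g_frame; m->Length = sizeof g_frame;
    nb->CurrentMdl = m; nb->CurrentMdlOffset = SLACK; nb->DataLength = FRAME_LEN;
}
static void TwoMdls(ModelMdl m[2], ModelNetBuffer *nb)  /* MDL boundary 8 bytes into the header */
{
    OneMdl(&m[0], nb);
    m[1].Next = NULL; m[1].Base = g_frame + SLACK + 8; m[1].Length = FRAME_LEN - 8;
    m[0].Next = &m[1]; m[0].Length = SLACK + 8;
}

ReadResult ScenarioContiguous(void)
{ ModelMdl m; ModelNetBuffer nb; OneMdl(&m, &nb); return ReadEthernetHeader(&nb); }
ReadResult ScenarioSplitWithStorage(void)
{ ModelMdl m[2]; ModelNetBuffer nb; TwoMdls(m, &nb); return ReadEthernetHeader(&nb); }
/* As in the original post, Storage == NULL: a split header yields NULL (returns 1). */
int ScenarioSplitNoStorageGivesNull(void)
{ ModelMdl m[2]; ModelNetBuffer nb; TwoMdls(m, &nb); return ModelGetDataBuffer(&nb, 14, NULL) == NULL; }
/* Advancing by the head-room size before reading, as the original code did with DataOffset,
 * skips real frame bytes: what comes back is payload, not the header. */
ReadResult ScenarioAdvanceFirst(void)
{ ModelMdl m; ModelNetBuffer nb; OneMdl(&m, &nb); ModelAdvanceDataStart(&nb, SLACK); return ReadEthernetHeader(&nb); }
/* Retreat and advance as a pair (Tim's point) leave the data start where it was. */
ReadResult ScenarioRetreatThenAdvance(void)
{ ModelMdl m; ModelNetBuffer nb; OneMdl(&m, &nb); ModelRetreatDataStart(&nb, 4); ModelAdvanceDataStart(&nb, 4); return ReadEthernetHeader(&nb); }
```

Call the Scenario functions from a main or a test and compare the ReadResult fields: the contiguous, split-with-storage and retreat/advance cases all return ok = 1, dst0 = 0xff and ethertype 0x0806, the advance-first case returns "ok" but with payload bytes in the header fields, and the split case without storage returns NULL. In the driver the equivalent of ReadEthernetHeader is a local header-sized buffer passed as the Storage argument, `eth = NdisGetDataBuffer(NetBuffer, sizeof(*eth), &scratch, 1, 0);` followed by `if (eth == NULL)` before any field is read, and no NdisAdvanceNetBufferDataStart unless the filter retreated first. A filter that wants every frame also has to walk the NBL chain and each NBL's NB chain rather than look only at the first NB.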
