block websites using domain name wfp filter

codehelp123 · February 2, 2024, 12:56pm

developing wfp driver to block websites using there ip addresses and catching ip addresses using dns packets matching each domain name of dns packet while they arrive in classify function and parse dns packets and match against targeted domain names if they match then retriving ip adress from them and save them in globle array if got any packets has same ip as stored ip address then block packet but driver is crashing after some time of execution
and this error is showing in windbg:- User
RECURSIVE_NMI (111)
DESCRIPTION
A recursive NMI has occurred.
Arguments:
Arg1: 0000000000000001
Arg2: ffff9b0052536e70
Arg3: fffff80321c0a654
Arg4: ffff9b0052536e70

Debugging Details:

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 3999

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 6569

Key  : Analysis.Init.CPU.mSec
Value: 61936

Key  : Analysis.Init.Elapsed.mSec
Value: 953199

Key  : Analysis.Memory.CommitPeak.Mb
Value: 74

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 111

BUGCHECK_P1: 1

BUGCHECK_P2: ffff9b0052536e70

BUGCHECK_P3: fffff80321c0a654

BUGCHECK_P4: ffff9b0052536e70

PROCESS_NAME: dwm.exe

STACK_TEXT:
ffff9b0052536678 fffff80321d182f2 : ffff9b00525367e0 fffff80321b7f4f0 0000000000000100 0000000000000000 : nt!DbgBreakPointWithStatus
ffff9b0052536680 fffff80321d178d6 : 0000000000000003 ffff9b00525367e0 fffff80321c14db0 0000000000000111 : nt!KiBugCheckDebugBreak+0x12
ffff9b00525366e0 fffff80321bfd7f7 : 0000000000000000 0000000000000000 0000000000016401 0000000000000000 : nt!KeBugCheck2+0x946
ffff9b0052536df0 fffff80321d26e33 : 0000000000000111 0000000000000001 ffff9b0052536e70 fffff80321c0a654 : nt!KeBugCheckEx+0x107
ffff9b0052536e30 fffff80321c0a4ab : 0000000000016484 0000000000000000 0000000000000000 0000000000000000 : nt!KiMcheckFastForward+0x223
ffff9b0052536e70 fffff80321c0a654 : 0000000000016484 0000000000000000 0000000000000000 0000000000000000 : nt!KiNmiInterrupt+0x1ab
ffff9b0052536e70 0000000000000000 : 0000000000016484 0000000000000000 0000000000000000 0000000000000000 : nt!KiNmiInterrupt+0x354

SYMBOL_NAME: nt!KiMcheckFastForward+223

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 223

FAILURE_BUCKET_ID: 0x111_nt!KiMcheckFastForward

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64
what need to do

codehelp123 · February 2, 2024, 1:13pm

if anybody has idea about it then please post response

Tim_Roberts · February 2, 2024, 7:34pm

Is this occurring on only one test machine? In virtually every case, NMI is caused by a hardware problem in a peripheral. The fact that it originated in DWM (“desktop window manager”) suggests that it may be your graphics card.

codehelp123 · February 3, 2024, 1:58am

If it is hardware issue then why its crashing after some time of loading driver.and if it’s driver then what will be probable reasons.

Tim_Roberts · February 3, 2024, 7:01pm

You didn’t answer my question. Do you see this on more than one machine? If you have memory management problems, you could be writing in a region of memory that maps to the graphics card, causing the graphics hardware to puke.

And, of course, there are better and far less intrusive methods of blocking web sites. That’s what proxies are for, and those involve no dangerous kernel coding at all.

codehelp123 · February 5, 2024, 6:10am

it’s crashing on other machines too when try to open edge browser

brianbranch · February 29, 2024, 11:25am

I have the same problem, and am also using WFP in my driver. It is very annoying, it seems to happen semi-randomly, and the Debugger output is not very helpful.

The fact that it originated in DWM (“desktop window manager”) suggests that it may be your graphics card.

I think the PROCESS_NAME value is more-or-less random. I am plagued by this for some time now, and have seen msedge.exe or also just System.

I am running VirtualBox with two VMs (Debugger and Debuggee) on a linux host.

In virtually every case, NMI is caused by a hardware problem in a peripheral.

It indeed seems to be the case that sometimes it happens even before I have loaded the driver at all - but less frequent (I believe). So it might be a Bug in VirtualBox? However, when no Debugger is running, the VM runs completely fine. I wish I could make the Debugger just ignore this somehow… Using ‘g’ afterwards does not resume the VM, sadly.

Here is the entire output of kd in a case where I haven’t even loaded my driver yet:
https://sprunge.us/orDfXG

Tim_Roberts · March 1, 2024, 12:13am

I wish I could make the Debugger just ignore this somehow.

Nope. The very name “NMI” means “non-maskable interrupt”, which means “this is an interrupt you cannot ignore”.

MBond2 · March 1, 2024, 12:19am

Well, the CPU can’t ignore it, but a debugger could. If it should is in the eye of the beholder I guess.

IMHO, NMI generally shouldn’t be used except in exceptional circumstances - circumstances that you probably don’t want to ignore

codehelp123 · March 1, 2024, 3:41am

Problem get solved just eliminating all kdprint from code

brianbranch · March 13, 2024, 2:23pm

Problem get solved just eliminating all kdprint from code

Thank you for the suggestion.

I have disabled all DbgPrint statements in my code, and it indeed seems to help. I will try to see if I can pinpoint which DbgPrint statement(s) are problematic.

Is there any rationale for how kdprint / DbgPrint could lead to this NMI Interrupt? Could e.g. a non-terminated string cause this? Or a wrong format specifier?

system · April 12, 2024, 2:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.