made a custom queue data structure...need help

Aren’t drivers fun? How about 1000s of installations running in some cases
for years where all of a sudden one blue screens due to a driver bug.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Tuesday, August 23, 2016 4:53 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] made a custom queue data structure…need help

uh…the code works, for 1000s of requests as I have said, and then it
randomly blue screens


NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

does this stack trace make sense?
the bottom begins after the new thread at “DbgPrintEx”…then at the top it shows a TCP stack…ummm? the debug print function is not using TCP…what in the?

that line is
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "current url[%s] flow[%ld]\r\n", currentUrl, pFlowPacket->flowId);

it’s not an error message, i just have the error level, so they always print for now…

kd> kb

RetAddr : Args to Child : Call Site

00 fffff800f6ffb98e : 0000000000000000 0000000000000000 fffff800f8903070 fffff800f6ef27a4 : nt!DbgBreakPointWithStatus
01 fffff800f6ffb29f : 0000000000000003 fffff800f8903070 fffff800f6f7a290 00000000000000d1 : nt!KiBugCheckDebugBreak+0x12
02 fffff800f6f6c3a4 : fffff800f8903a48 0000000000000081 0000000000000007 0000000000000000 : nt!KeBugCheck2+0x8ab
03 fffff800f6f77de9 : 000000000000000a 000000000000003c 0000000000000002 0000000000000001 : nt!KeBugCheckEx+0x104
04 fffff800f6f7663a : 0000000000000001 fffff800f8903a48 ffffe00000000000 ffffe00000000002 : nt!KiBugCheckDispatch+0x69
05 fffff801590d3192 : 00000000fffffffe ffffe0007ff34d10 ffffe0007f50a030 0000000000000000 : nt!KiPageFault+0x23a
06 fffff801590d1e52 : fffffd461231e438 fffff80159d9f573 ffffe0007d096268 0000000000000001 : tcpip!TcpBeginTcbSend+0x732
07 fffff801590f44ab : 000000000019461a 000000019ec6f17a 000000019ec6f17a fffff80158ebb540 : tcpip!TcpTcbSend+0x226
08 fffff801590c991c : ffffe00080548c2c 0000000000013167 0000000000000000 0000000000000000 : tcpip!TcpFlushDelay+0x20a
09 fffff801590c3423 : ffffe0007e0b9d80 0000000000005000 fffff800f8904ac2 ffffe00081214ac2 : tcpip!TcpPreValidatedReceive+0x3cc
0a fffff801590f6e32 : ffffe0007e7382b0 fffff800f8904600 0000000000000006 fffff8015a8e0006 : tcpip!IpFlcReceivePreValidatedPackets+0x649
0b fffff800f6ec5fc3 : 0000000000000007 0000000000000000 ffffe0007e0e7e10 fffff800f88ff000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x102
0c fffff801590f7076 : fffff801590f6d30 fffff800f89045a0 0000000000000010 0000000000000801 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
0d fffff80158eaea53 : 0000000000000000 fffff800f8904651 0000000000000007 fffff801590d4550 : tcpip!FlReceiveNetBufferListChain+0xb6
0e fffff80158eaee7f : 0000000000000001 0000000000000000 0000000000000000 0000000000000007 : ndis!ndisMIndicateNetBufferListsToOpen+0x123
0f fffff80158eaf6b2 : ffffe0007e9a11a0 0000000000000001 fffff80158ebb540 0000000000000000 : ndis!ndisMTopReceiveNetBufferLists+0x22f
10 fffff80159da11c4 : ffffe00080373000 fffff80159da1efc ffffe00080373e00 ffffe0008050adf0 : ndis!NdisMIndicateReceiveNetBufferLists+0x732
11 fffff80159da1a9d : 0000000000000001 ffffe000803fbc20 ffffe00080373000 0000000000000007 : e1i63x64!RECEIVE::RxIndicateNBLs+0xd4
12 fffff80159d94150 : 0000000000000000 ffffe0007dcb1bf0 0000000000000000 ffff000100000000 : e1i63x64!RECEIVE::RxProcessInterrupts+0x19d
13 fffff80159d9457e : ffffe0007dcb1bf0 ffffe00080373000 ffff000100000000 ffff000100000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x1c0
14 fffff80159d93b78 : fffff800f8904b79 ffff000100000000 0000000000000000 ffffe0007e9a11a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
15 fffff80158eb0e12 : 0000000000000000 fffff801596eed08 ffffe00080ed9402 fffff800f6e56e17 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
16 fffff800f6e56910 : 0000000000000000 fffff800f6e1e000 fffff800f70d2480 fffff800f7100f44 : ndis!ndisInterruptDpc+0x1a3
17 fffff800f6e55c57 : 0000000000000000 ffffe0007e4ac080 fffff800f711b180 0000000000000000 : nt!KiExecuteAllDpcs+0x1b0
18 fffff800f6f6f3d5 : 0000000000000000 fffff800f711b180 fffff800f75fe900 0000000000000001 : nt!KiRetireDpcList+0xd7
19 fffff800f6f6f1d9 : 00000251db181c71 fffff800f6f71431 0000000001000010 0000000000000282 : nt!KxRetireDpcList+0x5
1a fffff800f6f71445 : 0000000000031fff fffff800f6f6db87 0000000069696969 0000000000000004 : nt!KiDispatchInterruptContinue
1b fffff800f6f6db87 : 0000000069696969 0000000000000004 fffff800f6311138 fffff800f630f03f : nt!KiDpcInterruptBypass+0x25
1c fffff800f6ffea55 : 0000000000000001 ffffd000e36e5f80 0000000000000001 ffffd000e36e6660 : nt!KiInterruptDispatchLBControl+0x197
1d fffff800f7485ccb : ffffd000e36e5f01 ffffd000e36e5ef0 ffffd000e36e5f80 ffffbf803d0363f9 : nt!KeThawExecution+0x119
1e fffff800f7487ce5 : ffffd000e36e5fa0 ffffd000e36e5f01 ffffd000e36e5f80 0000000000000000 : nt!KdExitDebugger+0x77
1f fffff800f748803f : ffffd000e36e5fa0 ffffd000e36e6840 ffffd000e36e6a00 fffff800f6f72eb4 : nt!KdpPrint+0x121
20 fffff800f6eb7388 : ffffd000e36e6798 ffffd000e36e64a0 ffffd000e36e6800 ffffd000e36e6a00 : nt!KdpTrap+0x113
21 fffff800f6f77ec2 : ffffd000e36e6678 fffff800f711b180 ffffffff00000000 0000000100000239 : nt!KiDispatchException+0x610
22 fffff800f6f77533 : ffffe0007f58a880 fffff800f711b100 0000000000000000 0000000000000001 : nt!KiExceptionDispatch+0xc2
23 fffff800f6f72eb5 : fffff800f6ef28e0 0000000000000000 0000000000000200 000000000000017f : nt!KiDebugServiceTrap+0xf3
24 fffff800f6ef28e0 : 0000000000000000 0000000000000200 000000000000017f fffff800f6f5b3f8 : nt!DebugPrint+0x15
25 fffff800f6ef27a4 : ffffe0007ee2da00 0000000000707464 ffffe0007ee338c0 ffffe0007ee338c0 : nt!vDbgPrintExWithPrefixInternal+0x134
26 fffff8015a5eab3f : 0000000000000000 fffff800f6e1e000 fffff8015a5ec700 ffffc000b2be51a0 : nt!DbgPrintEx+0x30
27 fffff800f6f18c10 : ffffc000a64ed080 ffffc000b2be33c0 ffffe000817c9040 0000000000000000 : ProxyOneDriver!ThreadHandleHTTPInjections+0x25b [d:\clients\christopher\http_filter\http_driver\driver.c @ 487]
28 fffff800f6f728c6 : fffff800f711b180 ffffe000817c9040 ffffe000817ca880 0000000000000246 : nt!PspSystemThreadStartup+0x58
29 0000000000000000 : ffffd000e36e7000 ffffd000e36e1000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

So, other than causing BSOD within the network stack what is the purpose of your driver, i.e. what are you trying to do with your driver?

Larry C

it does http/https redirection based on a database of urls…i have the https part commented out for now, until i get this fixed…

my classify function…basically, when a new flow is made, i make sure the HTTP header is completed…then I cloned the packet and block, and it gets reinjected inside of the worker thread…

when data is inbound, i just block and reinject it inline…

#if (NTDDI_VERSION < NTDDI_WIN7)

VOID NTAPI
ClassifyFn(
    IN const FWPS_INCOMING_VALUES *inFixedValues,
    IN const FWPS_INCOMING_METADATA_VALUES *inMetaValues,
    IN OUT VOID *layerData,
    IN const FWPS_FILTER *filter,
    IN UINT64 flowContext,
    IN OUT FWPS_CLASSIFY_OUT *classifyOut
    )

#elif (NTDDI_VERSION == NTDDI_WIN7)

void NTAPI ClassifyFn(
    _In_ const FWPS_INCOMING_VALUES0 *inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
    _Inout_ void *layerData,
    _In_opt_ const void *classifyContext,
    _In_ const FWPS_FILTER1 *filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT0 *classifyOut
    )

#else

void NTAPI ClassifyFn(
    _In_ const FWPS_INCOMING_VALUES0 *inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
    _Inout_opt_ void *layerData,
    _In_opt_ const void *classifyContext,
    _In_ const FWPS_FILTER2 *filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT0 *classifyOut
    )

#endif

{
    UNREFERENCED_PARAMETER(inFixedValues);
    UNREFERENCED_PARAMETER(filter);
    UNREFERENCED_PARAMETER(flowContext);
    UNREFERENCED_PARAMETER(classifyOut);

    //PAGED_CODE();

    //DebugTrace("%s Entry", __FUNCTION__);
    classifyOut->actionType = FWP_ACTION_PERMIT;

    FWPS_STREAM_CALLOUT_IO_PACKET *calloutPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
    calloutPacket->streamAction = FWPS_STREAM_ACTION_NONE;
    calloutPacket->countBytesRequired = 0;
    calloutPacket->countBytesEnforced = calloutPacket->streamData->dataLength;

    if (IsDriverUnloading) {
        if (!flowContext) {
            return;
        }

        NET_BUFFER_LIST *clonedNetBufferList = NULL;
        NTSTATUS s = FwpsCloneStreamData(calloutPacket->streamData, NULL, NULL, 0, &clonedNetBufferList);
        if (s != STATUS_SUCCESS) {
            DebugTrace("FwpsAllocateCloneNetBufferList failed");
            return;
        }

        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "injecting data with flow id[%ld] layer id[%d] length[%ld]\r\n", inMetaValues->flowHandle, inFixedValues->layerId,
            calloutPacket->streamData->dataLength);
        FwpsStreamInjectAsync(gInjectionHandle, NULL, 0, inMetaValues->flowHandle, CalloutId, inFixedValues->layerId, calloutPacket->streamData->flags,
            clonedNetBufferList, calloutPacket->streamData->dataLength, PacketClonedInjectionCompletion, NULL);

        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->flags = FWPS_CLASSIFY_OUT_FLAG_ABSORB;

        return;
    }

    if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0) {
        //DebugTrace("%s Exit", __FUNCTION__);
        return;
    }

    if (!calloutPacket->streamData->dataLength) {
        return;
    }

    PFLOWPACKET pFlowPacket = NULL;
    if (!flowContext) {
        pFlowPacket = (PFLOWPACKET)ExAllocateFromNPagedLookasideList(&HttpFlowLookList);
        if (!pFlowPacket) {
            return;
        }
        pFlowPacket->flowId = inMetaValues->flowHandle;
        pFlowPacket->stopThread = 0;
        pFlowPacket->flowDeleted = 0;
        pFlowPacket->permitPacket = 0;
        pFlowPacket->allowPacket = 0;
        pFlowPacket->queueInjectionPackets = CQueueCreate();
        pFlowPacket->hPkThread = NULL;
        pFlowPacket->foundHeader = 0;

        //MHashMapInsert(PHashMapHTTPFlows, pFlowPacket->flowId, (void*)pFlowPacket);

        NTSTATUS ntStatus = FwpsFlowAssociateContext(pFlowPacket->flowId, FWPS_LAYER_STREAM_V4, CalloutId, (UINT64)pFlowPacket);
        if (ntStatus != STATUS_SUCCESS) {
            DebugTrace("FwpsFlowAssociateContext failed for HTTP.");

            //MHashMapRemoveByKey(PHashMapHTTPFlows, pFlowPacket->flowId);
            ExFreeToNPagedLookasideList(&HttpFlowLookList, pFlowPacket);
            return;
        }
        else {
            PFLOWTHREADPACKET p = (PFLOWTHREADPACKET)ExAllocatePoolWithTag(NonPagedPool, sizeof(FLOWTHREADPACKET), POOLTAGDRIVER);
            if (!p) {
                // Allocation failure was not checked in the posted version; the flow
                // context stays associated and the indication is permitted as-is.
                return;
            }
            p->flowId = inMetaValues->flowHandle;
            p->queueInjectionPackets = pFlowPacket->queueInjectionPackets;
            p->stopThread = 0;
            CQueueAddRef(pFlowPacket->queueInjectionPackets);

            CQueuePush(QueueHTTPFlowPackets, (void*)p);
            KeSetEvent(&KEventNewHTTPFlow, 0, FALSE);

            pFlowPacket->threadPacket = p;
        }
    }
    else {
        //DebugTrace("got flow context...");
        pFlowPacket = (PFLOWPACKET)flowContext;
    }

    if (pFlowPacket->permitPacket) {
        return;
    }

    if (pFlowPacket->foundHeader) {
        //DebugTrace("header found for[%s]...", pFlowPacket->currentUrl);

        //DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "injecting data with flow id[%ld] layer id[%d] length[%ld]\r\n", inMetaValues->flowHandle, inFixedValues->layerId,
        //    calloutPacket->streamData->dataLength);

        for (NET_BUFFER_LIST* pCurrentNBL = calloutPacket->streamData->netBufferListChain; pCurrentNBL;) {
            NET_BUFFER_LIST* pNextNBL = NET_BUFFER_LIST_NEXT_NBL(pCurrentNBL);

            FwpsReferenceNetBufferList(pCurrentNBL, FALSE);

            pCurrentNBL = pNextNBL;
        }

        NET_BUFFER_LIST *clonedNetBufferList = NULL;
        NTSTATUS s = FwpsCloneStreamData(calloutPacket->streamData, NULL, NULL, 0, &clonedNetBufferList);
        if (s != STATUS_SUCCESS) {
            DebugTrace("FwpsCloneStreamData failed");
            return;
        }

        s = FwpsStreamInjectAsync(gInjectionHandle, NULL, 0, inMetaValues->flowHandle, CalloutId, inFixedValues->layerId, calloutPacket->streamData->flags,
            clonedNetBufferList, calloutPacket->streamData->dataLength, PacketClonedInjectionCompletion2, NULL);
        if (s != STATUS_SUCCESS) {
            FwpsFreeNetBufferList(clonedNetBufferList);
        }

        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
        classifyOut->rights &= ~(UINT32)FWPS_RIGHT_ACTION_WRITE;

        DebugTrace("%s Exit", __FUNCTION__);
        return;
    }

    char* stream = (char*)ExAllocatePoolWithTag(NonPagedPool, calloutPacket->streamData->dataLength, POOL_TAG_CALLOUT_STREAM);
    if (!stream) {
        return;
    }

    SIZE_T streamBytesCopied = 0;
    FwpsCopyStreamDataToBuffer(calloutPacket->streamData, stream, calloutPacket->streamData->dataLength, &streamBytesCopied);
    if (streamBytesCopied != calloutPacket->streamData->dataLength) {
        DebugTrace("streamBytesCopied != streamLength");
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        return;
    }

    // The method check below reads three bytes; the posted version did this
    // without checking that the indication actually holds three bytes.
    if (streamBytesCopied < 3) {
        calloutPacket->streamAction = FWPS_STREAM_ACTION_NEED_MORE_DATA;
        calloutPacket->countBytesRequired = 3;
        classifyOut->actionType = FWP_ACTION_NONE;
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        return;
    }

    if (!(stream[0] == 'G' && stream[1] == 'E' && stream[2] == 'T')) {
        pFlowPacket->permitPacket = 1;
        //KeSetEvent(&pFlowPacket->threadPacket->eventQueue, 0, FALSE);
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        DebugTrace("GET not found...");
        calloutPacket->streamAction = FWPS_STREAM_ACTION_ALLOW_CONNECTION;
        return;
    }

    // Scan backwards for the "\r\n\r\n" that terminates the request header.
    for (int loopa = ((int)streamBytesCopied) - 1; loopa >= 0; loopa--) {
        if ((loopa - 3) < 0) {
            DebugTrace("need more data...");
            calloutPacket->streamAction = FWPS_STREAM_ACTION_NEED_MORE_DATA;
            calloutPacket->countBytesRequired = (UINT32)streamBytesCopied + 1;
            classifyOut->actionType = FWP_ACTION_NONE;
            ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
            return;
        }

        if (stream[loopa] == '\n') {
            if (stream[loopa - 1] == '\r') {
                if (stream[loopa - 2] == '\n') {
                    if (stream[loopa - 3] == '\r') {
                        pFlowPacket->foundHeader = 1;
                        break;
                    }
                }
            }
        }
    }

    if (!pFlowPacket->foundHeader) {
        DebugTrace("header not found, need more data");
        calloutPacket->streamAction = FWPS_STREAM_ACTION_NEED_MORE_DATA;
        classifyOut->actionType = FWP_ACTION_NONE;
        calloutPacket->countBytesRequired = (UINT32)streamBytesCopied + 1;
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        return;
    }

    for (NET_BUFFER_LIST* pCurrentNBL = calloutPacket->streamData->netBufferListChain; pCurrentNBL;) {
        NET_BUFFER_LIST* pNextNBL = NET_BUFFER_LIST_NEXT_NBL(pCurrentNBL);

        FwpsReferenceNetBufferList(pCurrentNBL, FALSE);

        pCurrentNBL = pNextNBL;
    }

    NET_BUFFER_LIST *clonedNetBufferList = NULL;
    NTSTATUS s = FwpsCloneStreamData(calloutPacket->streamData, NULL, NULL, 0, &clonedNetBufferList);
    if (s != STATUS_SUCCESS) {
        DebugTrace("FwpsAllocateCloneNetBufferList failed");
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        return;
    }

    PINJECTION_PACKET pInjectionPacket = (PINJECTION_PACKET)ExAllocatePoolWithTag(NonPagedPool, sizeof(INJECTION_PACKET), 'eee');
    if (!pInjectionPacket) {
        ExFreePoolWithTag(stream, POOL_TAG_CALLOUT_STREAM);
        return;
    }
    pInjectionPacket->data = stream;
    pInjectionPacket->data_length = calloutPacket->streamData->dataLength;
    pInjectionPacket->flow_id = inMetaValues->flowHandle;
    pInjectionPacket->layerId = inFixedValues->layerId;
    pInjectionPacket->clonedNetBufferList = clonedNetBufferList;
    pInjectionPacket->streamFlags = calloutPacket->streamData->flags;
    CQueuePush(pFlowPacket->queueInjectionPackets, (void*)pInjectionPacket);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "queueing data with flow id[%ld] layer id[%d] length[%ld]\r\n", inMetaValues->flowHandle, inFixedValues->layerId,
        calloutPacket->streamData->dataLength);
    KeSetEvent(&(pFlowPacket->queueInjectionPackets->eventQueue), 0, FALSE);

    classifyOut->actionType = FWP_ACTION_BLOCK;
    classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    classifyOut->rights &= ~(UINT32)FWPS_RIGHT_ACTION_WRITE;

    //DebugTrace("%s Exit", __FUNCTION__);
}
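The posted callout makes two decisions on every stream indication: whether the indication is one it may act on at all (write right held, non-empty, flow not already released), and whether the bytes seen so far contain a complete HTTP request header or the engine should be asked for more. Both are easy to get wrong at the edges (an indication shorter than the method check, a "\r\n\r\n" split across two indications), so here is an added user-mode C model of those decisions that can be exercised without a kernel. It is not the poster's driver code and not WFP code: the names flow_state, stream_decision, http_header_end, classify_stream and classify_sample are this example's own, and the sample requests are constructed.

```c
/* Added example, not the poster's driver: a user-mode model of the decisions
 * the posted ClassifyFn makes on one stream indication.  All names here are
 * assumptions of this example; sample requests below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    DECISION_PERMIT,          /* leave the indication alone: no write right,
                                 disconnect, empty, or flow already released */
    DECISION_NEED_MORE_DATA,  /* header incomplete: ask the engine for more bytes */
    DECISION_PERMIT_FLOW,     /* not an HTTP GET: release the whole connection */
    DECISION_ABSORB           /* full header seen: block + absorb, clone to worker */
} stream_decision;

typedef struct {
    int have_write_right;   /* the callout still holds the action-write right */
    int is_disconnect;      /* disconnect indication, which carries no payload */
    int flow_permitted;     /* an earlier indication marked this flow non-HTTP */
} flow_state;

/* Offset one past the "\r\n\r\n" that ends an HTTP request header, or 0 if
 * the buffer does not yet contain one.  A forward scan never reads before
 * the buffer start, which the posted backwards loop had to special-case. */
size_t http_header_end(const char *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) {
            return i + 4;
        }
    }
    return 0;
}

/* Decide what the callout should do with one indication of `len` bytes.
 * *bytes_required is the countBytesRequired to report for NEED_MORE_DATA. */
stream_decision classify_stream(const flow_state *st, const char *data,
                                size_t len, size_t *bytes_required)
{
    *bytes_required = 0;

    /* Indications the callout must not touch at all. */
    if (!st->have_write_right || st->is_disconnect || len == 0 ||
        st->flow_permitted) {
        return DECISION_PERMIT;
    }

    /* "GET " is four bytes; never compare more than the buffer holds. */
    if (len < 4) {
        *bytes_required = 4;
        return DECISION_NEED_MORE_DATA;
    }
    if (memcmp(data, "GET ", 4) != 0) {
        return DECISION_PERMIT_FLOW;
    }

    if (http_header_end(data, len) == 0) {
        *bytes_required = len + 1;   /* ask for at least one more byte */
        return DECISION_NEED_MORE_DATA;
    }
    return DECISION_ABSORB;
}

/* Convenience wrapper: classify a NUL-terminated sample in a given state. */
stream_decision classify_sample(const flow_state *st, const char *sample,
                                size_t *bytes_required)
{
    return classify_stream(st, sample, strlen(sample), bytes_required);
}

static const flow_state WRITABLE   = { 1, 0, 0 };
static const flow_state READ_ONLY  = { 0, 0, 0 };
static const flow_state DISCONNECT = { 1, 1, 0 };

int main(void)
{
    size_t need = 0;
    /* Constructed request, cut where two indications might split it. */
    const char *part = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r";
    const char *full = "GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n";

    printf("partial    -> %d (need %zu)\n", classify_sample(&WRITABLE, part, &need), need);
    printf("complete   -> %d\n", classify_sample(&WRITABLE, full, &need));
    printf("POST       -> %d\n", classify_sample(&WRITABLE, "POST / HTTP/1.1\r\n\r\n", &need));
    printf("no write   -> %d\n", classify_sample(&READ_ONLY, full, &need));
    printf("disconnect -> %d\n", classify_sample(&DISCONNECT, "", &need));
    return 0;
}
```

The first check in classify_stream is the part Larry's reply is asking about: every path out of the callout has to leave the action consistent with the indication it was given, and the disconnect and no-write-right cases return before any of the HTTP logic runs.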

I see that Verifier caught something but you did not show enough of !analyze -v and it looks like you need to get the correct symbols then use !pool and !poolfind. Also to check pool allocations run poolmon.exe with your pooltags added to pooltag.txt to see if you are allocating/freeing without leaks.

Larry C

i see something interesting…after many successful injections…it crashes when some website tries to load something from http://trc.taboola.com/sg/appnexus-network/1/rtb-h/?taboola_hm=4488103872404401720

that url is dead…but going to trc.taboola.com pings just fine…so i guess my filter sees it connected to that on port 80…but injecting the data is to a dead end…

hmm…if i have to make the code check if every website isn’t dead…it would make this app suck…there must be some way of preventing the injection from blue screening, and throwing an error

although it doesn’t crash when i manually type it into the browser…blah…this is so annoying

You do understand the inherently non-deterministic nature of multi-threaded programming right? Consider yourself lucky that the problem you are looking for is a sufficiently gross error that it can be reliably reproduced on your dev machine after only thousands of iterations. Many errors of this kind occur in ways that are simply not reproducible in dev and can only be located by meticulous review of source code or instruction sequences; sometimes tools can help, but the hardest ones relate to hardware errata and in some cases may be insoluble on particular platforms. Again, consider yourself fortunate that the bug you are chasing appears to be of one of the easiest classes.

Start by applying standard techniques to the crash dumps from various of the faults you have. Make sure you have valid symbols and consider the results of analyze -v. As memory corruption is clearly an issue, the results from a single crash may be misleading, but analyzing a series of faults should allow you to close in on the likely true culprit(s) in your code. Once you think you know where the corruption is occurring, post again and show us some code. If it is not an obvious buffer overrun, then it is likely the misuse of a DDI and perhaps we can help. Otherwise we can only guess and as I had to remind others at work today, my implementation of the psychic transfer protocol (PTP) is as yet incomplete; regardless of how well I appear to guess the answer to the question you were about to ask me next.

Sent from Mail for Windows 10

From: xxxxx@gmail.com
Sent: August 23, 2016 4:51 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] made a custom queue data structure…need help

uh…the code works, for 1000s of requests as I have said, and then it randomly blue screens


i am not modifying any data at all…i am simply registering to be notified when new network data arrives, and I am blocking it, and reinjecting…the crash dumps don’t point to my code at all, it is all windows stuff…this has to be a bug…these injection functions have no data outside of msdn…which tells me, this stuff is barely touched…there are new Microsoft hot fixes everyday, I’m sure something here needs one…

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000005002, subclass of driver violation.
Arg2: 0000000000010000
Arg3: 0000000000000001
Arg4: 0000000000000004

Debugging Details:

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

“KERNELBASE.dll” was not found in the image list.
Debugger will attempt to load “KERNELBASE.dll” at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results.Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 0000000000000000

BUGCHECK_P1: 5002

BUGCHECK_P2: 10000

BUGCHECK_P3: 1

BUGCHECK_P4: 4

BUGCHECK_STR: 0xc4_5002

CPU_COUNT: 1

CPU_MHZ: 6a0

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: chrome.exe

CURRENT_IRQL: 2

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

LAST_CONTROL_TRANSFER: from fffff80074a6898e to fffff800749dfe90

STACK_TEXT:
ffffd0002052f958 fffff80074a6898e : 0000000000000000 0000000000000000 ffffd0002052fac0 fffff8007495f7a4 : nt!DbgBreakPointWithStatus
ffffd0002052f960 fffff80074a6829f : 0000000000000003 0000000000005002 fffff800749e7290 00000000000000c4 : nt!KiBugCheckDebugBreak+0x12
ffffd0002052f9c0 fffff800749d93a4 : ffffd000205306a8 0000000000000002 ffffd00020530118 ffffd00020530301 : nt!KeBugCheck2+0x8ab
ffffd000205300d0 fffff800ec564d15 : 00000000000000c4 0000000000005002 0000000000010000 0000000000000001 : nt!KeBugCheckEx+0x104
ffffd00020530110 fffff800ec54532f : ffffd00020530460 ffffe000372e4730 ffffcf81d1184e80 ffffe0000000007c : NETIO!StreamVerifierBreak+0x29
ffffd00020530150 fffff800ec524f2b : ffffd00020530338 0000000000000000 ffffd00020530300 ffffe00037697580 : NETIO!StreamNormalizeClassifyOut+0x20897
ffffd000205301b0 fffff800ec52480f : 0000000000080000 ffffe000376974b0 ffffd00020530371 0000000000000000 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x22b
ffffd00020530280 fffff800ec52e9a2 : ffffe00037b00014 fffff800edc975b0 ffffd00000000002 ffffd00020530dd8 : NETIO!StreamProcessCallout+0x76f
ffffd000205303c0 fffff800ec515549 : 0000000000000014 ffffd00020530dd8 ffffe00039314420 ffffd00020530c90 : NETIO!ProcessCallout+0x972
ffffd00020530530 fffff800ec514250 : 0000000000000000 ffffd00020530830 ffffd00020530d00 fffff800749228cd : NETIO!ArbitrateAndEnforce+0x2c9
ffffd00020530730 fffff800ec5235a0 : 4032866666666666 0000000000000000 0000000000000000 0000000000000000 : NETIO!KfdClassify+0x831
ffffd00020530bf0 fffff800ec523acd : 0000000000000001 0000000000000000 fffff8007486f900 fffff800749dc1ef : NETIO!StreamClassify+0x220
ffffd00020530d80 fffff800ec525c5d : 0000000000000000 ffffd000205314e0 fffff80074b90000 ffffe00039a6e440 : NETIO!StreamCommonInspect+0x25d
ffffd00020531120 fffff800eca5ff66 : ffffe00039a6e440 ffffd00020531290 ffffe000379d58a0 ffffe000379edd70 : NETIO!WfpStreamInspectDisconnect+0x23d
ffffd00020531190 fffff800eca5e6a7 : 0003eeec0078c000 0000000000000000 0504070601000302 ffffd00020531450 : tcpip!TcpDisconnectTcb+0xf6
ffffd00020531300 fffff80074932fc3 : 00001f800010000f 0053002b002b0010 0504070601000302 0d0c0f0e09080b0a : tcpip!TcpTlConnectionDisconnectCalloutRoutine+0x28
ffffd00020531330 fffff800eca5f927 : fffff800eca5e680 ffffd00020531450 fffffa8025218d00 0000000000000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd00020531420 fffff800ed2e335c : 0000000000000000 ffffd000205314e9 0000000000000000 0000000000000000 : tcpip!TcpTlConnectionDisconnect+0x5f
ffffd00020531490 fffff800ed2e3bc6 : 0000000000000000 ffffe000379d5e40 ffffe000379d0010 0000000000000000 : afd!AfdBeginDisconnect+0x10c
ffffd00020531550 fffff800ed2c718b : ffffe00036efc880 ffffe00037982a20 0000000005e8f078 0000000000000005 : afd!AfdPartialDisconnect+0x226
ffffd00020531690 fffff80074d280f2 : 0000000000000010 ffffe00037982a20 ffffd00020531b50 0000000000000001 : afd!AfdFastIoDeviceControl+0x17b
ffffd000205319e0 fffff80074cf9572 : ffffcf81d130ee50 0000000000000698 0000000000000001 0000000000000000 : nt!IopXxxControlFile+0x7c2
ffffd00020531b20 fffff800749e4ab3 : ffffe00036efc880 0000000005d8ecf8 ffffd00020531ba8 0000000005e8f65c : nt!NtDeviceIoControlFile+0x56
ffffd00020531b90 00000000778f2352 : 00000000778f1f51 000000237793c2cc 0000000000000023 0000000000020272 : nt!KiSystemServiceCopyEnd+0x13
0000000005d8ecd8 00000000778f1f51 : 000000237793c2cc 0000000000000023 0000000000020272 0000000000000401 : wow64cpu!CpupSyscallStub+0x2
0000000005d8ece0 000000007784219a : 0000000000000000 00000000778f1574 0000000000000000 0000000077842380 : wow64cpu!DeviceIoctlFileFault+0x31
0000000005d8ed90 00000000778420d2 : 0000000000000000 0000000000000000 0000000005d8fd30 0000000005d8f3e0 : wow64!RunCpuSimulation+0xa
0000000005d8ede0 00007ff9fb418dab : 0000000000000000 0000000077841f60 0000000000000000 0000000000000000 : wow64!Wow64LdrpInitialize+0x172
0000000005d8f320 00007ff9fb418c8e : 0000000005d8f3e0 0000000000000000 00000000ff2a4000 0000000000000000 : ntdll!_LdrpInitialize+0xcb
0000000005d8f390 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!StreamVerifierBreak+29
fffff800ec564d15 cc int 3

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: NETIO!StreamVerifierBreak+29

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 5681bedf

BUCKET_ID_FUNC_OFFSET: 29

FAILURE_BUCKET_ID: 0xc4_5002_VRF_NETIO!StreamVerifierBreak

BUCKET_ID: 0xc4_5002_VRF_NETIO!StreamVerifierBreak

PRIMARY_PROBLEM_CLASS: 0xc4_5002_VRF_NETIO!StreamVerifierBreak

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc4_5002_vrf_netio!streamverifierbreak

FAILURE_ID_HASH: {fcf5ef21-64f0-ce01-d68b-d6a560b84adb}

Followup: MachineOwner
---------

kd> !stacks 2 ProxyOneDriver
Proc.Thread .Thread Ticks ThreadState Blocker

Max cache size is : 1048576 bytes (0x400 KB)
Total memory in cache : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
counts: 0 cached/0 uncached, 0.00% cached
bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
[fffff80074be0300 Idle]
[ffffe00035c708c0 System]
4.000778 ffffe000375e8880 ffff6d1a READY nt!KiSwapContext+0x76
nt!KiProcessDeferredReadyList+0x13b
nt!KiAbThreadUnboostCpuPriority+0x59
nt!KeAbPostRelease+0x1de
nt!MiTrimAllSystemPagableMemory+0x2d2
nt!MmVerifierTrimMemory+0xa1
nt!ViKeRaiseIrqlSanityChecks+0xd9
nt!VerifierKeAcquireInStackQueuedSpinLock+0xa6
ProxyOneDriver!CQueuePop+0x1e
ProxyOneDriver!ThreadOrganizeHTTPFlows+0x34
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.0005d8 ffffe000391c7880 ffff840f Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.000a1c ffffe00037974880 ffff7b71 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.001154 ffffe00037999880 ffff7b71 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.00105c ffffe000373d4880 ffff7ac7 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.0004c8 ffffe000378cb040 ffff7a7a Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.000d44 ffffe000378f0880 ffff77ae Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.000ccc ffffe000368ae040 ffff7599 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.0007fc ffffe00037843880 ffff748c Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.0009bc ffffe000398db040 ffff73ec Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.0004bc ffffe00039831040 ffff736d Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.000648 ffffe00039951880 ffff7308 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16
4.00124c ffffe000398fa880 ffff7263 Blocked nt!KiSwapContext+0x76
nt!KiSwapThread+0x14e
nt!KiCommitThreadWait+0x129
nt!KeWaitForSingleObject+0x373
nt!VerifierKeWaitForSingleObject+0x15c
ProxyOneDriver!ThreadHandleHTTPInjections+0x32
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16

What layer are you registering your classifyfn at? Do you understand all
the possible states of entry into this method, loopback, previously
reinjected etc.? I didn’t see any state checking code for this. Understand
also that you can be reinjecting malformed data into the wrong layer
in/outbound which can cause corruption within the framework that will not
point to your code. Look again at the reference examples. Don’t assume that
some of the state checking code and different paths aren’t necessary.

On Tuesday, August 23, 2016, wrote:

> i am not modifying any data at all…i am simply registering to be
> notified when new network data arrives, and I am blocking it, and
> reinjecting…the crash dumps don’t point to my code at all, it is all
> windows stuff…this has to be a bug…these injection functions have no
> data outside of msdn…which tells me, this stuff is barely touched…there
> are new Microsoft hot fixes everyday, I’m sure something here needs one…
>
> kd> !analyze -v
> *******************************************************************************
> * *
> * Bugcheck Analysis *
> * *
> *******************************************************************************
>
> DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
> A device driver attempting to corrupt the system has been caught. This is
> because the driver was specified in the registry as being suspect (by the
> administrator) and the kernel has enabled substantial checking of this
> driver.
> If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA
> will
> be among the most commonly seen crashes.
> Arguments:
> Arg1: 0000000000005002, subclass of driver violation.
> Arg2: 0000000000010000
> Arg3: 0000000000000001
> Arg4: 0000000000000004
>
> Debugging Details:
> ------------------
>
>
>
> Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads
> that take too long.
> Run !sym noisy before .reload to track down problems loading symbols.
>
>
> “KERNELBASE.dll” was not found in the image list.
> Debugger will attempt to load “KERNELBASE.dll” at given base
> 0000000000000000.
>
> Please provide the full image name, including the extension (i.e.
> kernel32.dll)
> for more reliable results.Base address and size overrides can be given as
> .reload <image.ext>=<base>,<size>.
> Unable to add module at 0000000000000000
>
> BUGCHECK_P1: 5002
>
> BUGCHECK_P2: 10000
>
> BUGCHECK_P3: 1
>
> BUGCHECK_P4: 4
>
> BUGCHECK_STR: 0xc4_5002
>
> CPU_COUNT: 1
>
> CPU_MHZ: 6a0
>
> CPU_VENDOR: GenuineIntel
>
> CPU_FAMILY: 6
>
> CPU_MODEL: 45
>
> CPU_STEPPING: 1
>
> DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
>
> PROCESS_NAME: chrome.exe
>
> CURRENT_IRQL: 2
>
> ANALYSIS_VERSION: 10.0.10240.9 amd64fre
>
> LAST_CONTROL_TRANSFER: from fffff80074a6898e to fffff800749dfe90
>
> STACK_TEXT:
> ffffd0002052f958 fffff80074a6898e : 0000000000000000 0000000000000000
> ffffd0002052fac0 fffff8007495f7a4 : nt!DbgBreakPointWithStatus
> ffffd0002052f960 fffff80074a6829f : 0000000000000003 0000000000005002
> fffff800749e7290 00000000000000c4 : nt!KiBugCheckDebugBreak+0x12
> ffffd0002052f9c0 fffff800749d93a4 : ffffd000205306a8 0000000000000002
> ffffd00020530118 ffffd00020530301 : nt!KeBugCheck2+0x8ab
> ffffd000205300d0 fffff800ec564d15 : 00000000000000c4 0000000000005002
> 0000000000010000 0000000000000001 : nt!KeBugCheckEx+0x104
> ffffd00020530110 fffff800ec54532f : ffffd00020530460 ffffe000372e4730
> ffffcf81d1184e80 ffffe0000000007c : NETIO!StreamVerifierBreak+0x29
> ffffd00020530150 fffff800ec524f2b : ffffd00020530338 0000000000000000
> ffffd00020530300 ffffe00037697580 : NETIO!StreamNormalizeClassifyOut+
> 0x20897
> ffffd000205301b0 fffff800ec52480f : 0000000000080000 ffffe000376974b0
> ffffd00020530371 0000000000000000 : NETIO!StreamInvokeCalloutAndNormaliz
> eAction+0x22b
> ffffd00020530280 fffff800ec52e9a2 : ffffe00037b00014 fffff800edc975b0
> ffffd00000000002 ffffd00020530dd8 : NETIO!StreamProcessCallout+0x76f
> ffffd000205303c0 fffff800ec515549 : 0000000000000014 ffffd00020530dd8
> ffffe00039314420 ffffd00020530c90 : NETIO!ProcessCallout+0x972
> ffffd00020530530 fffff800ec514250 : 0000000000000000 ffffd00020530830
> ffffd00020530d00 fffff800749228cd : NETIO!ArbitrateAndEnforce+0x2c9
> ffffd00020530730 fffff800ec5235a0 : 4032866666666666 0000000000000000
> 0000000000000000 0000000000000000 : NETIO!KfdClassify+0x831
> ffffd00020530bf0 fffff800ec523acd : 0000000000000001 0000000000000000
> fffff8007486f900 fffff800749dc1ef : NETIO!StreamClassify+0x220
> ffffd00020530d80 fffff800ec525c5d : 0000000000000000 ffffd000205314e0
> fffff80074b90000 ffffe00039a6e440 : NETIO!StreamCommonInspect+0x25d
> ffffd00020531120 fffff800eca5ff66 : ffffe00039a6e440 ffffd00020531290
> ffffe000379d58a0 ffffe000379edd70 : NETIO!WfpStreamInspectDisconnect+
> 0x23d
> ffffd00020531190 fffff800eca5e6a7 : 0003eeec0078c000 0000000000000000
> 0504070601000302 ffffd00020531450 : tcpip!TcpDisconnectTcb+0xf6
> ffffd00020531300 fffff80074932fc3 : 00001f800010000f 0053002b002b0010
> 0504070601000302 0d0c0f0e09080b0a : tcpip!TcpTlConnectionDisconnectCallo
> utRoutine+0x28
> ffffd00020531330 fffff800eca5f927 : fffff800eca5e680 ffffd00020531450
> fffffa8025218d00 0000000000000000 : nt!KeExpandKernelStackAndCalloutI
> nternal+0xf3
> ffffd00020531420 fffff800ed2e335c : 0000000000000000 ffffd000205314e9
> 0000000000000000 0000000000000000 : tcpip!TcpTlConnectionDisconnect+0x5f
> ffffd00020531490 fffff800ed2e3bc6 : 0000000000000000 ffffe000379d5e40
> ffffe000379d0010 0000000000000000 : afd!AfdBeginDisconnect+0x10c
> ffffd00020531550 fffff800ed2c718b : ffffe00036efc880 ffffe00037982a20
> 0000000005e8f078 0000000000000005 : afd!AfdPartialDisconnect+0x226
> ffffd00020531690 fffff80074d280f2 : 0000000000000010 ffffe00037982a20
> ffffd00020531b50 0000000000000001 : afd!AfdFastIoDeviceControl+0x17b
> ffffd000205319e0 fffff80074cf9572 : ffffcf81d130ee50 0000000000000698
> 0000000000000001 0000000000000000 : nt!IopXxxControlFile+0x7c2
> ffffd00020531b20 fffff800749e4ab3 : ffffe00036efc880 0000000005d8ecf8
> ffffd00020531ba8 0000000005e8f65c : nt!NtDeviceIoControlFile+0x56
> ffffd00020531b90 00000000778f2352 : 00000000778f1f51 000000237793c2cc
> 0000000000000023 0000000000020272 : nt!KiSystemServiceCopyEnd+0x13
> 0000000005d8ecd8 00000000778f1f51 : 000000237793c2cc 0000000000000023
> 0000000000020272 0000000000000401 : wow64cpu!CpupSyscallStub+0x2
> 0000000005d8ece0 000000007784219a : 0000000000000000 00000000778f1574
> 0000000000000000 0000000077842380 : wow64cpu!DeviceIoctlFileFault+0x31
> 0000000005d8ed90 00000000778420d2 : 0000000000000000 0000000000000000
> 0000000005d8fd30 0000000005d8f3e0 : wow64!RunCpuSimulation+0xa
> 0000000005d8ede0 00007ff9fb418dab : 0000000000000000 0000000077841f60
> 0000000000000000 0000000000000000 : wow64!Wow64LdrpInitialize+0x172
> 0000000005d8f320 00007ff9fb418c8e : 0000000005d8f3e0 0000000000000000
> 00000000ff2a4000 0000000000000000 : ntdll!_LdrpInitialize+0xcb
> 0000000005d8f390 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> NETIO!StreamVerifierBreak+29
> fffff800`ec564d15 cc int 3
>
> SYMBOL_STACK_INDEX: 4
>
> SYMBOL_NAME: NETIO!StreamVerifierBreak+29
>
> FOLLOWUP_NAME: MachineOwner
>
> MODULE_NAME: NETIO
>
> IMAGE_NAME: NETIO.SYS
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 5681bedf
>
> BUCKET_ID_FUNC_OFFSET: 29
>
> FAILURE_BUCKET_ID: 0xc4_5002_VRF_NETIO!StreamVerifierBreak
>
> BUCKET_ID: 0xc4_5002_VRF_NETIO!StreamVerifierBreak
>
> PRIMARY_PROBLEM_CLASS: 0xc4_5002_VRF_NETIO!StreamVerifierBreak
>
> ANALYSIS_SOURCE: KM
>
> FAILURE_ID_HASH_STRING: km:0xc4_5002_vrf_netio!streamverifierbreak
>
> FAILURE_ID_HASH: {fcf5ef21-64f0-ce01-d68b-d6a560b84adb}
>
> Followup: MachineOwner
> ---------
>
> kd> !stacks 2 ProxyOneDriver
> Proc.Thread .Thread Ticks ThreadState Blocker
>
> Max cache size is : 1048576 bytes (0x400 KB)
> Total memory in cache : 0 bytes (0 KB)
> Number of regions cached: 0
> 0 full reads broken into 0 partial reads
> counts: 0 cached/0 uncached, 0.00% cached
> bytes : 0 cached/0 uncached, 0.00% cached
> ** Prototype PTEs are implicitly decoded
> [fffff80074be0300 Idle]
> [ffffe00035c708c0 System]
> 4.000778 ffffe000375e8880 ffff6d1a READY nt!KiSwapContext+0x76
> nt!KiProcessDeferredReadyList+
> 0x13b
> nt!KiAbThreadUnboostCpuPriority+
> 0x59
> nt!KeAbPostRelease+0x1de
> nt!MiTrimAllSystemPagableMemory+
> 0x2d2
> nt!MmVerifierTrimMemory+0xa1
> nt!ViKeRaiseIrqlSanityChecks+0xd9
> nt!VerifierKeAcquireInStackQueued
> SpinLock+0xa6
> ProxyOneDriver!CQueuePop+0x1e
> ProxyOneDriver!
> ThreadOrganizeHTTPFlows+0x34
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.0005d8 ffffe000391c7880 ffff840f Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.000a1c ffffe00037974880 ffff7b71 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.001154 ffffe00037999880 ffff7b71 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.00105c ffffe000373d4880 ffff7ac7 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.0004c8 ffffe000378cb040 ffff7a7a Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.000d44 ffffe000378f0880 ffff77ae Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.000ccc ffffe000368ae040 ffff7599 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.0007fc ffffe00037843880 ffff748c Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.0009bc ffffe000398db040 ffff73ec Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.0004bc ffffe00039831040 ffff736d Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.000648 ffffe00039951880 ffff7308 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
> 4.00124c ffffe000398fa880 ffff7263 Blocked nt!KiSwapContext+0x76
> nt!KiSwapThread+0x14e
> nt!KiCommitThreadWait+0x129
> nt!KeWaitForSingleObject+0x373
> nt!VerifierKeWaitForSingleObject+
> 0x15c
> ProxyOneDriver!
> ThreadHandleHTTPInjections+0x32
> nt!PspSystemThreadStartup+0x58
> nt!KiStartSystemThread+0x16
>

I am registered only at the STREAM LAYER.

I have found some hot fixes I am going to give a try…

https://support.microsoft.com/en-us/kb/2789397

Look at this…
https://support.microsoft.com/en-us/kb/2664888

“This issue occurs because the FwpsStreamInjectAsync0 function causes the interrupt request level (IRQL) to leak.”

WFP should be in BETA and not allowed to be used for production…this is pitiful…

Reading the WFP forum on Microsoft; they are literally bug fixing as people post stuff…

There must be a more stable way of doing packet injections than using WFP.

I am 99% confident that these crashes are caused by injecting data into an HTTP stream that returns a 204 status code, which means it has no content…it only crashes on these websites.

Can you share your setup of your injection layer? Are you injecting inbound
or outbound? Eh, swap the direction and give it a test. 4+ years ago I had
myself and Microsoft convinced of a bug in the injection and swapping the
direction which didn’t seem right to me resolved a crazy error like you’re
seeing. I don’t know if it was a bug or not, but if it was going to be
fixed I don’t think they would back port it into Windows 7 as Windows 7 was
phasing. Sorry if this suggestion runs you down a 10 minute path of
futility, but if you’ve convinced yourself of a bug outside of your source
take this up with Microsoft paid tech support which you probably have
through your MSDN account if you have one. If it’s their issue they won’t
even charge you. Best of luck.

On Wednesday, August 24, 2016, wrote:

> I am 99% confident that these crashes are caused by injecting data into an
> HTTP stream that returns a 204 status code, which means it has no content…it
> only crashes on these websites.
>

Have you tried dumping out your inFixedValues and inMetaValues variables to see if anything is common between your crashes? Should you not be testing for rights (FWPS_RIGHT_ACTION_WRITE) before absorbing any packets? Why have you chosen the STREAM layer over redirection at ALE_CONNECT_REDIRECT? The latter allows you to keep driver code to a minimum and do the bulk of the processing in usermode. It is also more performant than per-packet processing. I’ve used this on a project that redirects http/https and it was very reliable.

Whilst it is possible there is a bug in the framework I don’t think you’ve exhausted all your options yet. Also, moaning here about it won’t fix it. Boil the problem down and submit it to MS to investigate.

J
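An added model, written for this thread and not taken from the poster's driver or from any Microsoft sample, of the entry-state checks the two replies above ask for: the write-rights test before absorbing anything, and explicit handling of disconnect indications, empty segments, wrong-direction data and data the driver itself injected. The FWPS_*/FWP_* names are the WDK's, but the struct and constant definitions in the block are user-mode stand-ins so the model compiles without the WDK (in a driver, include fwpsk.h and delete them); `classify_stream_model`, `stream_verdict` and the `injection_state` parameter are this model's own, the last standing in for what FwpsQueryPacketInjectionState0 reports on the NBL chain.

```c
/* Added model, not the poster's driver: the entry-state checks a WFP
 * stream-layer classifyFn should run before it absorbs anything.
 * FWPS_* / FWP_* names are the WDK's; the definitions below are user-mode
 * stand-ins (values as in the WDK headers) so this compiles without the
 * WDK. A real driver includes fwpsk.h and deletes the stand-in block. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- stand-ins for WDK definitions ---------------------------------- */
#define FWPS_RIGHT_ACTION_WRITE             0x00000001u
#define FWPS_CLASSIFY_OUT_FLAG_ABSORB       0x00000001u
#define FWP_ACTION_FLAG_TERMINATING         0x00001000u
#define FWP_ACTION_BLOCK    (0x00000001u | FWP_ACTION_FLAG_TERMINATING)
#define FWP_ACTION_PERMIT   (0x00000002u | FWP_ACTION_FLAG_TERMINATING)
#define FWPS_STREAM_FLAG_RECEIVE            0x00000001u
#define FWPS_STREAM_FLAG_SEND               0x00000002u
#define FWPS_STREAM_FLAG_RECEIVE_DISCONNECT 0x00000010u
#define FWPS_STREAM_FLAG_SEND_DISCONNECT    0x00000020u

typedef enum {               /* what FwpsQueryPacketInjectionState0 reports */
    FWPS_PACKET_NOT_INJECTED = 0,
    FWPS_PACKET_INJECTED_BY_SELF,
    FWPS_PACKET_INJECTED_BY_OTHER,
    FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF
} FWPS_PACKET_INJECTION_STATE;

/* Only the fields the model reads; the real structs carry more. */
typedef struct { uint32_t flags; size_t dataLength; } FWPS_STREAM_DATA0;
typedef struct { FWPS_STREAM_DATA0 *streamData; } FWPS_STREAM_CALLOUT_IO_PACKET0;
typedef struct { uint32_t actionType; uint32_t rights; uint32_t flags; } FWPS_CLASSIFY_OUT0;
/* ---------------------------------------------------------------------- */

typedef enum {
    VERDICT_NOT_OURS,  /* no write right: classifyOut left untouched */
    VERDICT_PERMIT,    /* nothing to absorb on this call */
    VERDICT_ABSORB     /* payload in our direction: absorbed for the worker thread */
} stream_verdict;

/* Decide one stream-layer classify call. want_receive is the direction the
 * callout was registered to inspect; injection_state models the result of
 * FwpsQueryPacketInjectionState0 on the NBL chain (a plain parameter here). */
stream_verdict classify_stream_model(const FWPS_STREAM_CALLOUT_IO_PACKET0 *io,
                                     bool want_receive,
                                     FWPS_PACKET_INJECTION_STATE injection_state,
                                     FWPS_CLASSIFY_OUT0 *out)
{
    /* 1. Without the write right a higher-weight filter has already decided.
     *    Writing actionType now is what NETIO's stream verifier catches;
     *    return before touching classifyOut at all. */
    if ((out->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
        return VERDICT_NOT_OURS;

    const FWPS_STREAM_DATA0 *sd = io->streamData;
    const uint32_t disc_bits = FWPS_STREAM_FLAG_RECEIVE_DISCONNECT |
                               FWPS_STREAM_FLAG_SEND_DISCONNECT;

    /* 2. Disconnect indications and empty segments carry nothing to absorb.
     *    A 204 response has no body, so a callout that assumes every
     *    indication brings payload is wrong on exactly those streams. */
    if (sd == NULL || (sd->flags & disc_bits) != 0 || sd->dataLength == 0) {
        out->actionType = FWP_ACTION_PERMIT;
        return VERDICT_PERMIT;
    }

    /* 3. Data this driver injected must not be absorbed a second time. */
    if (injection_state == FWPS_PACKET_INJECTED_BY_SELF ||
        injection_state == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF) {
        out->actionType = FWP_ACTION_PERMIT;
        return VERDICT_PERMIT;
    }

    /* 4. Only the direction this callout filters; the other one passes. */
    const uint32_t dir = want_receive ? FWPS_STREAM_FLAG_RECEIVE
                                      : FWPS_STREAM_FLAG_SEND;
    if ((sd->flags & dir) == 0) {
        out->actionType = FWP_ACTION_PERMIT;
        return VERDICT_PERMIT;
    }

    /* 5. Absorb: at the stream layer that is BLOCK plus the ABSORB flag.
     *    The segment now belongs to the driver until it is reinjected. */
    out->actionType = FWP_ACTION_BLOCK;
    out->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    return VERDICT_ABSORB;
}

/* Stand-alone run over constructed indications (not captured from a system). */
int main(void)
{
    FWPS_STREAM_DATA0 disc = { FWPS_STREAM_FLAG_RECEIVE_DISCONNECT, 0 };
    FWPS_STREAM_DATA0 data = { FWPS_STREAM_FLAG_RECEIVE, 512 };
    FWPS_STREAM_CALLOUT_IO_PACKET0 io_disc = { &disc }, io_data = { &data };
    FWPS_CLASSIFY_OUT0 out = { 0, FWPS_RIGHT_ACTION_WRITE, 0 };

    printf("disconnect  -> %d\n", classify_stream_model(&io_disc, true, FWPS_PACKET_NOT_INJECTED, &out));
    printf("receive 512 -> %d\n", classify_stream_model(&io_data, true, FWPS_PACKET_NOT_INJECTED, &out));
    return 0;
}
```

The check order matters: rights first, because once a higher-weight filter has cleared the write right, any write to classifyOut is what the stream verifier flags. The disconnect case is the one to test first against the dump above, which enters the callout through NETIO!WfpStreamInspectDisconnect on the afd partial-disconnect path.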

> Here’s some brilliant insight that can only come from years of experience: if Windows
> doesn’t crash without your driver but does crash with your driver it is more often your driver
> that sucks and not the other way around.

Not necessarily - they may both be impeccable, so that the crash may occur solely due to the “efforts” of some other third-party driver (most likely provided by some AV vendor). However, the most interesting thing here is that this third-party driver may co-exist with a “clean” environment pretty well, and expose its “functionality” only when your driver is around. This, in turn, gives its vendor an excuse to say something to the effect of “once my driver works fine on a ‘clean’
system it plainly obviously cannot be responsible for BSODs - go and fix yours”, although testing the drivers in question on a “clean” system under the Driver Verifier strongly indicates exactly the opposite.

I don’t know if introduction of a PatchGuard “feature” has significantly reduced the probability of this scenario (I was lucky enough not to have had any practical exposure to Windows in the last 10 years so that my knowledge of it may be quite outdated), but this scenario was of a real concern in pre-Vista versions…

Anton Bassov

@Anton

> I was lucky enough not to have had any practical exposure to Windows in the last 10 years

Good for you! (without sarcasm)

xxxxx@gmail.com wrote:

> does this stack trace make sense?
> the bottom begins after the new thread at “DbgPrintEx”…then at the top it shows a TCP stack…ummm? the debug print function is not using TCP…what in the?
>
> that line is
> DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "current url[%s] flow[%ld]\r\n", currentUrl, pFlowPacket->flowId);
>
> it’s not an error message, I just have the error level, so they always print for now…

It looks like the call to DbgPrint caused an exception, and in handling
that exception the system changed IRQL, which caused it to spawn off
pending DPCs. The rest of the stack is someone else’s DPC. Have you
verified that “currentUrl” is actually a pointer to a valid ASCII string?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
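An added example (mine, not the poster's driver code) of the check Tim is asking about, in user-mode C: before a buffer goes to a `%s` in a debug print, confirm it is non-NULL, NUL-terminated within its known capacity and made of printable ASCII. snprintf stands in for DbgPrintEx / RtlStringCbPrintfA; the function names and the sample buffers are this example's own.

```c
/* Added example, not the poster's driver code: validate a buffer before it
 * reaches a "%s" in a debug print. snprintf stands in for DbgPrintEx /
 * RtlStringCbPrintfA so it runs in user mode; the check is the same. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if buf is non-NULL, NUL-terminated within cap bytes, and every byte
 * before the terminator is printable 7-bit ASCII (all a URL should hold).
 * Never reads buf[cap] or beyond, so an unterminated buffer is reported
 * instead of walked off the end the way "%s" would walk it. */
bool url_is_printable_cstring(const char *buf, size_t cap, size_t *out_len)
{
    if (buf == NULL || cap == 0)
        return false;
    for (size_t i = 0; i < cap; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\0') {
            if (out_len) *out_len = i;
            return true;
        }
        if (c < 0x20 || c > 0x7e)   /* control byte or non-ASCII: not a URL */
            return false;
    }
    return false;                   /* no terminator inside cap bytes */
}

/* Builds the line the thread's DbgPrintEx call prints. urlcap is the
 * capacity of the storage holding url (the field or allocation size),
 * never strlen(url), which would itself be the unbounded read. */
int format_flow_line(char *dst, size_t dstcap,
                     const char *url, size_t urlcap, long flow_id)
{
    size_t len = 0;
    if (url_is_printable_cstring(url, urlcap, &len))
        return snprintf(dst, dstcap, "current url[%s] flow[%ld]", url, flow_id);
    /* Not a safe string: say so, without dereferencing it. */
    return snprintf(dst, dstcap, "current url[<not a valid string>] flow[%ld]", flow_id);
}

int main(void)
{
    char line[96];
    /* Constructed inputs: one proper URL, one 8-byte buffer with no NUL. */
    const char ok_url[32] = "http://example.test/index.html";
    const char raw[8] = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };

    format_flow_line(line, sizeof line, ok_url, sizeof ok_url, 42);
    puts(line);
    format_flow_line(line, sizeof line, raw, sizeof raw, 7);
    puts(line);
    return 0;
}
```

Pass the capacity of the field that holds the URL, not strlen, since strlen is itself the unbounded walk the check is meant to prevent. In a driver the buffer also has to be non-paged when the print runs at DISPATCH_LEVEL (the dump above reports CURRENT_IRQL: 2), because a page fault on a paged argument there is fatal whatever the string's contents.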

> Have you tried dumping out your inFixedValues and inMetaValues variables to see
> if anything is common between your crashes? Should you not be testing for rights
> (FWPS_RIGHT_ACTION_WRITE) before absorbing any packets? Why have you chosen the
> STREAM layer over redirection at ALE_CONNECT_REDIRECT? The latter allows you to
> keep driver code to a minimum and do the bulk of the processing in usermode. It
> is also more performant than per-packet processing. I’ve used this on a project
> that redirects http/https and it was very reliable.

At the ALE_CONNECT_REDIRECT layer, will I only see IP/port? I need to get the full page path from the HTTP GET request, which has the host name and page.

But I need this for Vista+; that is only Windows 8+.