Can you try the driver attached to this message and tell me if the bug persists? You must:

- unzip the attached npf.sys and copy it over the old one in windows\system32\drivers
- issue a "net stop npf" from a command line prompt
- run nmap again

Loris

> Lately while using nmap I've been getting a lot of BSODs from npf.sys
> (winpcap 3.01 alpha). It used to happen in 3.0.0 too, but not so often I feel.
> nmap (from www.insecure.org) uses libpcap to send ARP and raw IP
> on Windows.
>
> I tried to analyse the Minidump with WinDbg and came up with these
> traces. Hopefully you can make some sense out of them, cause I can't.
>
>
> kd> !analyze -v
>
> *******************************************************************************
> *
> * Bugcheck Analysis
> *
> *******************************************************************************
>
> Unknown bugcheck code (10000050)
> Unknown bugcheck description
>
> Arguments:
> Arg1: ff62d000
> Arg2: 00000000
> Arg3: f8835bcc
> Arg4: 00000000
>
> Debugging Details:
> ------------------
>
> ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
> Database SolnDb not connected
> READ_ADDRESS: unable to get nt!MmPoolCodeEnd
> unable to get nt!MmSpecialPoolEnd
> unable to get nt!MmPagedPoolEnd
> unable to get nt!MmNonPagedPoolEnd
> unable to get nt!MmNonPagedPoolStart
> unable to get nt!MmSpecialPoolStart
> unable to get nt!MmPagedPoolStart
> unable to get nt!MiSessionPoolStart
> unable to get nt!MiSessionPoolEnd
> unable to get nt!MmNonPagedPoolExpansionStart
> unable to get nt!MmPoolCodeStart
>
> ff62d000
>
> FAULTING_IP:
> npf+bcc
> f8835bcc 668139ff00 cmp word ptr [ecx],0xff
>
> MM_INTERNAL_CODE: 0
> DEFAULT_BUCKET_ID: DRIVER_FAULT
> BUGCHECK_STR: 0x50
> LAST_CONTROL_TRANSFER: from 804ea221 to f8835bcc
> STACK_TEXT:
> WARNING: Stack unwind information not available. Following frames may be wrong.
> ec27bc34 804ea221 fe7e2250 8141dc00 806ad190 npf+0xbcc
> ec27bc58 8055de46 fe7e2250 8141dc00 81a13cf0 nt!IoBuildPartialMdl+0xe3
> ec27bd00 80556cea 00000750 00000000 00000000 nt!NtWriteFile+0x358a
> ec27bd34 8052d571 00000750 00000000 00000000 nt!NtDeviceIoControlFile+0x28
> ec27bd64 823ce9d0 ff8af248 ebb13cec ebb13d98 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0x9fd
> 00000000 00000000 00000000 00000000 00000000 0x823ce9d0
>
> FOLLOWUP_IP:
> npf+bcc
> f8835bcc 668139ff00 cmp word ptr [ecx],0xff
> FOLLOWUP_NAME: MachineOwner
> SYMBOL_NAME: npf+bcc
> DEBUG_FLR_IMAGE_TIMESTAMP: 0
> STACK_COMMAND: kb
> BUCKET_ID: WRONG_SYMBOLS
> MODULE_NAME: Unknown_Module
> IMAGE_NAME: Unknown_Image
> Followup: MachineOwner
>
> ---------
>
> f8835ba4 8b4608       mov eax,[esi+0x8]
> f8835ba7 c1e803       shr eax,0x3
> f8835baa 6a00         push 0x0
> f8835bac 5e           pop esi
> f8835bad 8975f0       mov [ebp-0x10],esi
> f8835bb0 7410         jz npf+0xbc2 (f8835bc2)
> f8835bb2 66813cf2ff00 cmp word ptr [edx+esi*8],0xff
> f8835bb8 7408         jz npf+0xbc2 (f8835bc2)
> f8835bba 46           inc esi
> f8835bbb 3bf0         cmp esi,eax
> f8835bbd 8975f0       mov [ebp-0x10],esi
> f8835bc0 72f0         jb npf+0xbb2 (f8835bb2)
> f8835bc2 8bce         mov ecx,esi
> f8835bc4 c1e103       shl ecx,0x3
> f8835bc7 894df8       mov [ebp-0x8],ecx
> f8835bca 03ca         add ecx,edx
> f8835bcc 668139ff00   cmp word ptr [ecx],0xff ds:0023:ff62d000=???? << !!!!!
> f8835bd1 752e         jnz npf+0xc01 (f8835c01)
> f8835bd3 2bc6         sub eax,esi
> f8835bd5 48           dec eax
> f8835bd6 7429         jz npf+0xc01 (f8835c01)
> f8835bd8 6860b583f8   push 0xf883b560
> f8835bdd 8d83640e0000 lea eax,[ebx+0xe64]
> f8835be3 50           push eax
> f8835be4 8d835c0e0000 lea eax,[ebx+0xe5c]
> f8835bea 50           push eax
> f8835beb 83c108       add ecx,0x8
> f8835bee 51           push ecx
> f8835bef c645fe01     mov byte ptr [ebp-0x2],0x1
> f8835bf3 e8de440000   call npf+0x50d6 (f883a0d6)
> f8835bf8 83f801       cmp eax,0x1
> f8835bfb 0f8574030000 jne npf+0xf75 (f8835f75)
>
> From what I can see this happens in write.c / NPF_Write().
>
> Because tcpdump/Ethereal don't use npf.sys to send
> anything, they seem to work stable. But nmap or any libnet-based
> apps do not.
>
> I'm running Win-XP Home SP1 (build 2600) on a 2GHz Pentium 4.
>
> --gv

npf.zip
Description: Zip compressed data
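
The scan loop in the quoted disassembly (f8835bb2 to f8835bcc), rendered in C as an added example; it is a reading of that listing, not WinPcap source, and the record layout, function names and sample buffers are assumptions. When no record matches, the loop index equals the record count, so the compare at f8835bcc reads one record past the buffer, which is consistent with the page-aligned faulting address ff62d000.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout: 8-byte records whose first 16-bit field is compared with 0xff. */
struct rec { uint16_t code; uint8_t pad[6]; };
#define MARKER 0x00ff

/* Index the quoted loop ends on (esi): first marker record, or count if none. */
size_t scan_index(const struct rec *buf, size_t len_bytes)
{
    size_t count = len_bytes >> 3;              /* shr eax,0x3 */
    size_t i = 0;
    while (i < count && buf[i].code != MARKER)  /* cmp word ptr [edx+esi*8],0xff */
        i++;
    return i;
}

/* As quoted, f8835bcc reads buf[i].code with no i < count test in between.
 * Returns 1 when that read stays inside the buffer, 0 when it does not. */
int post_loop_read_in_bounds(const struct rec *buf, size_t len_bytes)
{
    return scan_index(buf, len_bytes) < (len_bytes >> 3);
}

/* Bounded form: return 1 and the marker index, or 0 without touching buf[count]. */
int find_marker(const struct rec *buf, size_t len_bytes, size_t *idx)
{
    size_t i = scan_index(buf, len_bytes);
    if (i >= (len_bytes >> 3))
        return 0;        /* no marker: stop instead of reading past the end */
    *idx = i;
    return 1;
}

/* Constructed sample inputs (not taken from the crash dump). */
static const struct rec with_marker[3] = { {0x28, {0}}, {MARKER, {0}}, {0x06, {0}} };
static const struct rec no_marker[2]   = { {0x28, {0}}, {0x06, {0}} };

int main(void)
{
    size_t idx = 0;
    int ok = find_marker(with_marker, sizeof with_marker, &idx) && idx == 1
          && !find_marker(no_marker, sizeof no_marker, &idx)
          && !post_loop_read_in_bounds(no_marker, sizeof no_marker);
    return ok ? 0 : 1;
}
```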
