search

nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com
Other
2.97k stars 514 forks source link

Resolve Application Verifier stops in libpcap (wpcap.dll) included with Npcap 1.79 #742

Open fyodor opened 2 months ago

fyodor commented 2 months ago

One of our Npcap OEM redistribution customers reported:

Recently we tried to run our application (x64) with Application Verifier. With the "Networking" checks enabled, 'wpcap.dll' causes two verifier stops (https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier-stop-codes-networking). We would like to enable these checks during our automated test runs. It's currently not possible due to these verifier stops.

The first one is calling 'pcap_findalldevs_ex' causing "A Winsock API was called before a successful WSAStartup() or after a balancing successful WSACleanup() call was made". Application Verifier seems to be tracking these calls on a per module basis. Even if 'main()' had called 'WSAStartup' before calling 'pcap_findalldevs_ex', the stop message is still issued.

The second one happens after 'main()' had exited. When 'wpcap.dll' is unloading the Verifier issues "Illegal networking API called from DllMain".

They are using Npcap 1.79 and sent us some sample code to reproduce. Since wpcap.dll code is 100% Libpcap, we need to work with them on a fix. We upgraded to Libpcap 1.10.4 in Npcap Version 1.74. The two stops are probably related and likely related to the order of calls to WSAStartup() and WSACleanup().

guyharris commented 2 months ago

Since wpcap.dll code is 100% Libpcap, we need to work with them on a fix.

Unless packet.dll is doing WinSock stuff, which it doesn't appear to be doing, this is probably completely a libpcap issue; you probably can't just move this issue to our repository (as they belong to different top-level projects), and you may not want to do so anyway in order to track the fix getting into Npcap, but you should file a libpcap issue giving the above information.

fyodor commented 2 months ago

Thanks @guyharris. We always appreciate your support! I just created libpcap#1333 and we will update it as we discover more in our own testing/debugging of the issue.

dmiller-nmap commented 1 month ago

We did have one issue in Packet.dll due to not calling WSACleanup(). Replacing the few WinSock utility functions we had been using with equivalent ntdll or UCRT functions was sufficient to resolve the issue. There is still a problem with wpcap.dll, so I'll put my notes on that upstream issue.

guyharris commented 1 month ago

We did have one issue in Packet.dll due to not calling WSACleanup().

What issue was that?

dmiller-nmap commented 1 month ago

Correction: Application Verifier issued Stop ID WSA_NOT_INITIALIZED due to Packet.dll calling getaddrinfo() without calling WSAStartup() first. The fix in 79e42f191143d4d895899158c576d0ac71afb290 removes all WinSock functions, and WSAStartup() is not present.