wbenny / injdrv

proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
MIT License
1.14k stars 278 forks

BSOD Windows 10 #20

Open ahura24 opened 3 years ago

ahura24 commented 3 years ago

Hi & thanks for your code.

After a few hours running in the system, we got a BSOD. Can you guide me on how to fix it, please?! This is the result of !analyze -v:

BUGCODE_NDIS_DRIVER (7c)
The operating system detected an error in a networking driver. The BUGCODE_NDIS_DRIVER bugcheck identifies problems in network drivers. Often, the defect is caused by a NDIS miniport driver. You can get a complete list of NDIS miniport drivers using !ndiskd.netadapter. You can get a big-picture overview of the network stack with !ndiskd.netreport.
Arguments:
Arg1: 0000000000000025, NDIS_BUGCHECK_WATCHDOG
    An attempt to manage the network stack has taken too long. When NDIS calls out into other drivers, NDIS starts a watchdog timer to ensure the call completes promptly. If the call takes too long, NDIS injects a bugcheck. This can be caused by a simple deadlock -- look with "!stacks 2 ndis!" or similar to see if any threads look suspicious. Pay special attention to the PrimaryThread from the NDIS_WATCHDOG_TRIAGE_BLOCK. This can be caused by lost NBLs, in which case !ndiskd.pendingnbls may help. Check for OIDs that are stuck using !ndiskd.oid.
Arg2: 0000000000000011, NDIS_BUGCHECK_WATCHDOG_FILTER_PAUSE
    There was a timeout while pausing a filter driver.
Arg3: ffffd78e90fb4fa8, Cast to ndis!_NDIS_WATCHDOG_TRIAGE_BLOCK. Interesting fields:

Debugging Details:

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202

DUMP_TYPE: 0

BUGCHECK_P1: 25

BUGCHECK_P2: 11

BUGCHECK_P3: ffffd78e90fb4fa8

BUGCHECK_P4: 0

MODULE_NAME: wfplwfs

FAULTING_IP: wfplwfs!LwfLowerPause+0 fffff805`081a61f0 48895c2408 mov qword ptr [rsp+8],rbx

CPU_COUNT: 4

CPU_MHZ: a22

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3e

CPU_STEPPING: 4

CPU_MICROCODE: 6,3e,4,0 (F,M,S,R) SIG: 427'00000000 (cache) 427'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x7C

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_SESSION_TIME: 12-14-2020 12:28:48.0744

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

STACK_TEXT:
ffff9f88ad213c38 fffff80505aba942 : 0000000000000025 0000000000000003 ffff9f88ad213da0 fffff805058709f0 : nt!DbgBreakPointWithStatus
ffff9f88ad213c40 fffff80505aba032 : 0000000000000003 ffff9f88ad213da0 fffff805059e7a60 000000000000007c : nt!KiBugCheckDebugBreak+0x12
ffff9f88ad213ca0 fffff805059d3487 : 0000000000000000 0000000000000007 ffffd78e8a80c1a0 fffff80505b3af6b : nt!KeBugCheck2+0x952
ffff9f88ad2143a0 fffff80507c4e27e : 000000000000007c 0000000000000025 0000000000000011 ffffd78e90fb4fa8 : nt!KeBugCheckEx+0x107
ffff9f88ad2143e0 fffff80507cf4121 : 0000000000000000 fffff8050618b3f0 ffffd78e90fb4ee0 00000000000000a8 : ndis!ndisBugCheckEx+0x1e
ffff9f88ad214420 fffff80507cf3ff1 : 0000000003bfefbf ffffd78e90fb4ee0 fffff80507cb6918 0000000000000000 : ndis!ndisReportTimeoutWaitingForExternalDriver+0xd5
ffff9f88ad214460 fffff80507cf43e9 : 0000000000040b28 ffffd78e90fb4fa8 0000000000000011 ffff9f88ad214558 : ndis!ndisFindSomeoneToBlame+0x125
ffff9f88ad2144d0 fffff80507cf3e6e : ffffd78e90fb4ee0 ffff9f88ad2145d9 ffffd78e8b6b2d30 0000000000010286 : ndis!ndisWaitForExternalDriver+0x75
ffff9f88ad214500 fffff80507cf4342 : ffffd78e90fb4ee0 fffff80507cf4314 0000000000000010 0000000000010246 : ndis!NdisWatchdogState::WaitSynchronously+0x6e
ffff9f88ad214540 fffff80507d06a23 : ffffd78e90fb4ee0 ffff9f88ad2145d9 ffffd78e8b6b2d30 ffffd78e8b6b2ca0 : ndis!ndisWaitForEventThenDisarmWatchdog+0x2e
ffff9f88ad214580 fffff80507cdb830 : ffffe78746c4efa0 ffffe78746c4efa0 ffffd78e8a80d5a8 ffffd78e8b6b2ca0 : ndis!ndisPauseFilterInner+0x573b
ffff9f88ad214640 fffff80507cd166a : 0000000000000000 ffff9f88ad214790 ffffd78e8a80d590 0000000000000000 : ndis!ndisPauseFilter+0xb4
ffff9f88ad214690 fffff80507cd13c0 : ffffd78e8a80c1a0 ffffd78e8a80c1a0 ffffd78e8a80d608 ffffd78e8a80d590 : ndis!Ndis::BindEngine::Iterate+0x202
ffff9f88ad214810 fffff80507ccc409 : ffffd78e8a80d590 0000000000000000 0000000000000000 0000000000000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffff9f88ad214860 fffff80507ccc2c8 : ffffd78e8a80d590 0000000000000000 ffffd78e8a80d590 fffff80507ccc8e6 : ndis!Ndis::BindEngine::DispatchPendingWork+0x75
ffff9f88ad214890 fffff80507c24728 : ffffd78e8a80c1a0 0000000000000002 0000000000000020 0000000000000000 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffff9f88ad2148e0 fffff80507be280d : ffffd78e8a80c1a0 0000000000000000 ffffd78e8a80cd48 ffffd78e8a80c1a0 : ndis!ndisPrepForLowPowerCommon+0x41eec
ffff9f88ad2149d0 fffff80507be3246 : ffffd78e8a80c1a0 0000000000000000 ffffd78e970f4e10 fffff80507bd6755 : ndis!ndisPrepForLowPower+0x1d
ffff9f88ad214a20 fffff80507be3931 : 0000000000000000 ffffd78e00000004 ffffd78e970f4e10 ffffd78e8a80c1a0 : ndis!ndisSetSystemPower+0x19e
ffff9f88ad214aa0 fffff80507be9e84 : ffffd78e970f4e10 ffffd78e8690ed30 ffffd78e970f4f28 ffffd78e8a80c1a0 : ndis!ndisSetPower+0x109
ffff9f88ad214b00 fffff8050598b02f : ffffd78e8a80c050 ffff9f88ad214be0 0000000000000000 ffffd78e970f4e10 : ndis!ndisPowerDispatch+0x114
ffff9f88ad214b60 fffff8050587cce5 : 0000000000000000 ffffd78e86939080 fffff8050598ae50 0000000000000000 : nt!PopIrpWorker+0x1df
ffff9f88ad214c10 fffff805059da9ca : ffffa38117580180 ffffd78e86939080 fffff8050587cc90 0000000000000000 : nt!PspSystemThreadStartup+0x55
ffff9f88ad214c60 0000000000000000 : ffff9f88ad215000 ffff9f88ad20f000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x2a

THREAD_SHA1_HASH_MOD_FUNC: fb82d6835acc43782ce2d8cc87312c71a062da7a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: e9f541403998cd88a52fb202de8d71d9d54c78c0

THREAD_SHA1_HASH_MOD: ee7c730e4531afb6d09bc1abcea8a663b1fba34b

FOLLOWUP_IP: wfplwfs!LwfLowerPause+0 fffff805`081a61f0 48895c2408 mov qword ptr [rsp+8],rbx

FAULT_INSTR_CODE: 245c8948

SYMBOL_NAME: wfplwfs!LwfLowerPause+0

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: wfplwfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 60902cbb

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 0

FAILURE_BUCKET_ID: 0x7C_VRF_FILT_Pause_wfplwfs!LwfLowerPause

BUCKET_ID: 0x7C_VRF_FILT_Pause_wfplwfs!LwfLowerPause

PRIMARY_PROBLEM_CLASS: 0x7C_VRF_FILT_Pause_wfplwfs!LwfLowerPause

TARGET_TIME: 2020-12-14T08:55:59.000Z

OSBUILD: 18362

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 190318-1202

BUILDLAB_STR: 19h1_release

BUILDOSVER_STR: 10.0.18362.1.amd64fre.19h1_release.190318-1202

ANALYSIS_SESSION_ELAPSED_TIME: d54

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7c_vrf_filt_pause_wfplwfs!lwflowerpause

FAILURE_ID_HASH: {fef43b4d-fb67-4c46-c742-ecef5a38ee06}

Followup: MachineOwner

wbenny commented 3 years ago

I'm sorry, but judging by the stack trace, there isn't anything that would suggest that injdrv is at fault for this bugcheck.