Damnation

Everything posted by Damnation

  1. Very true.
  2. @Mov AX, 0xDEAD, are you willing to help, or not interested?
  3. @Dietmar I'm out of ideas for now. I'll come back to this later. If you discover something else that you think might help with this, let me know. Thanks for all the help!
  4. @Dietmar Please double-check that it's not ntoskrn8.sys again; I see PDB symbols are not loaded for it.
  5. @Dietmar Thanks for all the help with debugging Dietmar! I really appreciate it. https://ufile.io/vhdgq4uy
  6. @Dietmar OK, let's try this one. Sorry it's not ufile.io; it's down for me right now. https://anonfiles.com/Hc1fR7n4y6/ndis6_fordietmar_8jun2022_5_7z Edit: ufile is back: https://ufile.io/69oe56vn
  7. @Dietmar Can you load the PDB symbols for ntoskrn8? Last time it was; has that changed?
  8. @Dietmar OK, try this one. https://ufile.io/nuiwxdd6
  9. @Dietmar I think KeAllocateCalloutStackEx is the cause; let me try something.
  10. @Dietmar OK, I changed security_cookie in those files: https://ufile.io/072ifs98 Hopefully this yields results!
  11. @Dietmar I just remembered something! I did not update the security_cookie in ndis/netio/msrpc.sys, IIRC. This might be the cause of the 7F BSOD. Give me a few minutes to patch them.
  12. @Dietmar I've never heard of it, although if I want to patch imports I can already use CFF Explorer or PEMaker 0.8.2 for that.
  13. @Dietmar This was with the most recent version? If it's in an infinite loop, I guess I'll stop working on this for now. Unless you or @Mov AX, 0xDEAD have some ideas for where to go from here?
  14. @Dietmar I made some changes to SeQueryInformationToken: https://ufile.io/q1o3tltj Please test this one.
  15. @Dietmar Is this happening in SeQueryInformationToken_inject, or somewhere else?
  16. @Dietmar I implemented SeCaptureSubjectContextEx and SeAccessCheckFromState in assembly in this version: https://ufile.io/8sapwobp Please test. If this still doesn't work I'll do the same for NtTraceControl and NtQuerySystemInformationEx.
  17. @Dietmar I think @Mov AX, 0xDEAD or @daniel_k would know more about adding a new exported function to 5048 ndis.sys since they've done this sort of thing before.
  18. @Dietmar Sorry, I'm not skilled enough to manually add a new exported function to Vista 5048 ndis.sys. Implementing this in ntoskrn8.sys won't do anything, since it will never be called from there. Making an ndis.sys extender for this version won't work either, since we don't have a Vista beta DDK to link it to, and the Vista RTM version of the ndis.lib library won't link it correctly.
  19. @Dietmar Can you try these ndis/netio/msrpc.sys files on a system with a known XP-compatible NDIS5 NIC? I.e. just swap the files on a system with a working NIC on XP and restart. Does it stop working? Do you get a similar BSOD on that kind of hardware?
  20. @Dietmar OK, so we are quite sure now that netio.sys is where it is failing. I will have to implement SeCaptureSubjectContextEx and SeAccessCheckFromState properly, I think. Unless you or @Mov AX, 0xDEAD have some other ideas?
  21. @Dietmar We might also need to add some registry keys?
  22. @Dietmar Try bu ndis!DriverEntry. Does a BSOD occur? If so, any change in the BSOD?
  23. @Mov AX, 0xDEAD I've added the internal ntoskrnl libraries for use with the ntoskrnl extender project. This was to help with some of the much larger functions like MmAllocatePagesForMdlEx; you can make use of internal Ki functions this way. It's helped a bit with @Dietmar being able to allocate resources to hardware, and at the very least, adding these libraries did not interfere with anything that already worked with the previous version of the ntoskrnl extender. Can you take a look at what I have to see if it's possible to get NDIS6 working this way? https://ufile.io/x8teed7c
  24. @Dietmar What in the debug log makes you think these NMR functions are the cause?
  25. @Dietmar The NmrWaitForProviderDeregisterComplete function could still potentially be in 5048 but be invisible without the symbols.
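
Posts 10 and 11 above mention fixing up the security_cookie in the patched ndis/netio/msrpc.sys files. The script below is an added example, not code from Damnation or anyone else in the thread, showing where that cookie lives in a PE image: the IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG data directory points at IMAGE_LOAD_CONFIG_DIRECTORY, whose SecurityCookie field holds the virtual address of the __security_cookie variable, and the image base plus the section table turn that into a file offset. The PE it builds is a constructed minimal stand-in, not one of the Vista 5048 binaries; the section layout, image base and the x86 default initial cookie 0xBB40E64E are assumptions for the demo. To inspect a real driver, pass the file's bytes to read_security_cookie().

```python
import struct

# Constants from winnt.h (added example; none of this is from the thread).
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_WRITE = 0x80000000
# Offset of SecurityCookie inside IMAGE_LOAD_CONFIG_DIRECTORY32 / 64.
COOKIE_FIELD_OFFSET = {PE32_MAGIC: 0x3C, PE32PLUS_MAGIC: 0x58}
DEFAULT_X86_COOKIE = 0xBB40E64E  # MSVC's initial __security_cookie value on x86


def _sections(data, nt_off):
    """Parse the section table into (name, va, vsize, raw_ptr, raw_size, flags) tuples."""
    num_sections = struct.unpack_from("<H", data, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt_off + 20)[0]
    first = nt_off + 24 + opt_size
    out = []
    for i in range(num_sections):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, va, vsize, rptr, rsize, flags))
    return out


def _section_for(sections, rva):
    """Return the section whose file-backed bytes contain rva."""
    for sec in sections:
        _name, va, _vsize, _rptr, rsize, _flags = sec
        if va <= rva < va + rsize:
            return sec
    raise ValueError("RVA 0x%x is not backed by file data" % rva)


def read_security_cookie(data):
    """Locate the /GS cookie of a PE image through its load config directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = nt_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off, ptr_fmt = opt + 92, opt + 96, "<I"
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off, ptr_fmt = opt + 108, opt + 112, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        raise ValueError("no load config directory entry")
    lc_rva, _lc_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    if lc_rva == 0:
        raise ValueError("load config directory is empty: image has no /GS cookie")
    sections = _sections(data, nt_off)
    lc_sec = _section_for(sections, lc_rva)
    lc_off = lc_sec[3] + (lc_rva - lc_sec[1])
    cookie_va = struct.unpack_from(ptr_fmt, data, lc_off + COOKIE_FIELD_OFFSET[magic])[0]
    cookie_rva = cookie_va - image_base  # SecurityCookie is a VA, not an RVA
    sec = _section_for(sections, cookie_rva)
    cookie_off = sec[3] + (cookie_rva - sec[1])
    return {
        "image_base": image_base, "cookie_va": cookie_va, "file_offset": cookie_off,
        "value": struct.unpack_from(ptr_fmt, data, cookie_off)[0], "section": sec[0],
        # __security_init_cookie overwrites this slot at load time, so it must be writable.
        "writable": bool(sec[5] & IMAGE_SCN_MEM_WRITE), "fmt": ptr_fmt,
    }


def set_security_cookie(data, new_value):
    """Return a copy of the image with the cookie's on-disk initial value replaced."""
    info = read_security_cookie(data)
    out = bytearray(data)
    struct.pack_into(info["fmt"], out, info["file_offset"], new_value)
    return bytes(out)


def build_sample_driver(cookie_value=DEFAULT_X86_COOKIE, with_load_config=True):
    """Constructed minimal PE32 (not a real driver): one .data section holding the
    load config directory at RVA 0x1000 and the cookie at RVA 0x1100."""
    image_base, data_rva, data_raw, data_size = 0x10000, 0x1000, 0x200, 0x200
    cookie_rva = data_rva + 0x100
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 1)                # Subsystem: native
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if with_load_config:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, data_rva, 0x44)
    sec = struct.pack("<8sIIIIIIHHI", b".data", data_size, data_rva, data_size, data_raw,
                      0, 0, 0, 0, 0xC0000040)          # INITIALIZED_DATA | READ | WRITE
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(data_raw, b"\0")
    section = bytearray(data_size)
    struct.pack_into("<I", section, 0, 0x44)                       # load config Size
    struct.pack_into("<I", section, 0x3C, image_base + cookie_rva)  # SecurityCookie VA
    struct.pack_into("<I", section, cookie_rva - data_rva, cookie_value)
    return headers + bytes(section)


if __name__ == "__main__":
    info = read_security_cookie(build_sample_driver())
    print("cookie VA 0x%x -> file offset 0x%x in %s, value 0x%x, writable=%s" % (
        info["cookie_va"], info["file_offset"], info["section"], info["value"], info["writable"]))
```

A cookie address that resolves outside any file-backed section, or into a non-writable one, means the load config directory no longer agrees with the rest of the image, which is worth ruling out after any tool has rewritten a driver's headers or imports.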