Dietmar
Posted June 6, 2022

@Damnation
Can you just disable (or fake) the request for NdisGroupActiveProcessorCount in e1d6232.sys?
Dietmar

Dietmar
Posted June 6, 2022

@Damnation
I just tested that your ntoskrn8.sys, together with the files from Longhorn 5048, is downward compatible with the i211 on the Asrock z370 k6 board.
So, right now ndis6 runs on this board under XP SP3.
Dietmar

Edited June 6, 2022 by Dietmar

Damnation (Author)
Posted June 6, 2022

@Dietmar
Do the Vista RTM versions of ndis/netio/msrpc work with my ntoskrn8.sys?

Dietmar
Posted June 6, 2022

@Damnation
With the Vista files I get a BSOD about netio.sys. This is from Vista 6.0.5840.16384, because I have no real Vista RTM *.iso.
So, maybe Longhorn 5048 is not real Ndis6, still some sort of enlarged Ndis5???
Dietmar

*** Fatal System Error: 0x0000007e (0xC0000005,0xB9865391,0xBA4C3518,0xBA4C3214)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 14:54:43.343 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...........................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b9865391, ba4c3518, ba4c3214}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for NETIO.SYS -
Probably caused by : NETIO.SYS ( NETIO!MdpCreatePool+18e )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b9865391, The address that the exception occurred at
Arg3: ba4c3518, Exception Record Address
Arg4: ba4c3214, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
NETIO!MdpCreatePool+18e
b9865391 8b401c mov eax,dword ptr [eax+1Ch]

EXCEPTION_RECORD: ba4c3518 -- (.exr 0xffffffffba4c3518)
ExceptionAddress: b9865391 (NETIO!MdpCreatePool+0x0000018e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT: ba4c3214 -- (.cxr 0xffffffffba4c3214;r)
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!MdpCreatePool+0x18e:
b9865391 8b401c mov eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!MdpCreatePool+0x18e:
b9865391 8b401c mov eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 0000001c

READ_ADDRESS: 0000001c

FOLLOWUP_IP:
NETIO!MdpCreatePool+18e
b9865391 8b401c mov eax,dword ptr [eax+1Ch]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER: from b9887043 to b9865391

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ba4c3600 b9887043 b9886000 00000007 b9880048 NETIO!MdpCreatePool+0x18e
ba4c3640 8069de4c b9887005 80084000 80084000 NETIO!DllInitialize+0x3e
ba4c3690 8069af70 80084000 ba4c36ac 00034000 nt!IopInitializeBootDrivers+0xd4
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x712
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: NETIO!MdpCreatePool+18e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 453706f4

IMAGE_VERSION: 6.0.5840.16384

STACK_COMMAND: .cxr 0xffffffffba4c3214 ; kb

FAILURE_BUCKET_ID: 0x7E_NETIO!MdpCreatePool+18e

BUCKET_ID: 0x7E_NETIO!MdpCreatePool+18e

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7e_netio!mdpcreatepool+18e

FAILURE_ID_HASH: {d5191185-245d-5e1f-80bf-780e83a44225}

Followup: MachineOwner
---------

Edited June 6, 2022 by Dietmar

Dietmar
Posted June 6, 2022

@Damnation
I notice that the netio.sys from Vista has a dependency on the function NmrWaitForProviderDeregisterComplete, which the netio.sys from Longhorn 5048 does not have.
Dietmar

Damnation (Author)
Posted June 6, 2022

@Dietmar
I got the Vista RTM versions with PDB Symbols for you.
https://ufile.io/j8gnil57
already redirected to ntoskrn8.sys

Dietmar
Posted June 6, 2022

@Damnation
Yepp, with these Vista files. The BSOD always goes to netio.sys.
I think it is exactly the same BSOD, even though the name of the crashed function in netio.sys is different.
Dietmar

*** Fatal System Error: 0x0000007e (0xC0000005,0xB9865391,0xBA4C3518,0xBA4C3214)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 15:33:51.625 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...........................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b9865391, ba4c3518, ba4c3214}

Probably caused by : NETIO.SYS ( NETIO!RmpStartModule+91 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b9865391, The address that the exception occurred at
Arg3: ba4c3518, Exception Record Address
Arg4: ba4c3214, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
NETIO!RmpStartModule+91
b9865391 8b401c mov eax,dword ptr [eax+1Ch]

EXCEPTION_RECORD: ba4c3518 -- (.exr 0xffffffffba4c3518)
ExceptionAddress: b9865391 (NETIO!RmpStartModule+0x00000091)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT: ba4c3214 -- (.cxr 0xffffffffba4c3214;r)
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!RmpStartModule+0x91:
b9865391 8b401c mov eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
NETIO!RmpStartModule+0x91:
b9865391 8b401c mov eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Resetting default scope

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 0000001c

READ_ADDRESS: 0000001c

FOLLOWUP_IP:
NETIO!RmpStartModule+91
b9865391 8b401c mov eax,dword ptr [eax+1Ch]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER: from b9881032 to b9865391

STACK_TEXT:
ba4c35e8 b9881032 8bc0775e 00000000 00000000 NETIO!RmpStartModule+0x91
ba4c3600 b9887043 b9886000 00000007 b9880048 NETIO!RtlInvokeStartRoutines+0x22
ba4c3618 805ad41e ba4c3630 80084000 00000000 NETIO!DllInitialize+0x3e
ba4c3640 8069de4c b9887005 80084000 80084000 nt!MmCallDllInitialize+0x10a
ba4c3690 8069af70 80084000 ba4c36ac 00034000 nt!IopInitializeBootDrivers+0xd4
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x712
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: NETIO!RmpStartModule+91

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4549b319

IMAGE_VERSION: 6.0.6000.16386

STACK_COMMAND: .cxr 0xffffffffba4c3214 ; kb

FAILURE_BUCKET_ID: 0x7E_NETIO!RmpStartModule+91

BUCKET_ID: 0x7E_NETIO!RmpStartModule+91

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7e_netio!rmpstartmodule+91

FAILURE_ID_HASH: {f95916f7-0b10-1efa-9f1c-5cdfefa6763a}

Followup: MachineOwner
---------

Edited June 6, 2022 by Dietmar

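Editor's added example (not part of any post in this thread, and not code from ntoskrn8.sys): a small triage script that compares the two `!analyze -v` outputs above by faulting address, instruction and recomputed memory operand instead of by symbol name, since the first log was resolved with export symbols only. The function names are hypothetical; the sample lines are excerpts of the two logs.

```python
import re

# Key lines copied from the two !analyze -v outputs posted in this thread.
FIRST = """\
FAULTING_IP:
NETIO!MdpCreatePool+18e
b9865391 8b401c mov eax,dword ptr [eax+1Ch]
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
READ_ADDRESS: 0000001c
IMAGE_VERSION: 6.0.5840.16384
"""
# In these lines the second post differs only in symbol name and image version.
SECOND = (FIRST.replace("MdpCreatePool+18e", "RmpStartModule+91")
               .replace("6.0.5840.16384", "6.0.6000.16386"))

def parse(text):
    """Pull the triage-relevant fields out of !analyze -v text."""
    ip = re.search(r"FAULTING_IP:\s*(\S+!\S+)\s+([0-9a-f]{8})\s+[0-9a-f]+\s+(.+)", text)
    return {
        "symbol": ip.group(1),
        "ip": int(ip.group(2), 16),
        "instr": ip.group(3).strip(),
        "regs": {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)},
        "read_address": int(re.search(r"READ_ADDRESS:\s*([0-9a-f]+)", text).group(1), 16),
        "image_version": re.search(r"IMAGE_VERSION:\s*(\S+)", text).group(1),
    }

def operand(dump):
    """Return (base register value, displacement) of the [reg+disp] operand."""
    m = re.search(r"\[(e[a-z]{2})(?:\+([0-9A-Fa-f]+)h)?\]", dump["instr"])
    return dump["regs"][m.group(1)], int(m.group(2) or "0", 16)

def fault_signature(dump):
    """Identify the crash by what the CPU did, not by the symbol name."""
    base, disp = operand(dump)
    return dump["ip"], dump["instr"], (base + disp) & 0xFFFFFFFF

def is_null_field_read(dump):
    """True when a NULL base pointer plus field offset gives READ_ADDRESS."""
    base, disp = operand(dump)
    return base == 0 and disp == dump["read_address"]

if __name__ == "__main__":
    for name, text in (("first post", FIRST), ("second post", SECOND)):
        d = parse(text)
        print(name, d["symbol"], d["image_version"],
              [hex(x) if isinstance(x, int) else x for x in fault_signature(d)],
              "NULL+offset read:", is_null_field_read(d))
```
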
Damnation (Author)
Posted June 6, 2022

@Dietmar
I noticed that RmpStartModule makes use of MmAllocatePagesForMdlEx.
I made use of code from the Windows Research Kernel for my implementation of it. Can you debug that function in my ntoskrn8.sys?

Dietmar
Posted June 6, 2022

@Damnation
I don't know how to debug ntoskrn8.sys.
I noticed that the function NmrWaitForProviderDeregisterComplete in netio.sys is not in your first post here.
Dietmar

Edited June 6, 2022 by Dietmar

Damnation (Author)
Posted June 6, 2022

@Dietmar
I'm not sure what you mean? I see the NmrWaitForProviderDeregisterComplete function is in both the Vista and 7 netio.sys.

Dietmar
Posted June 6, 2022

@Damnation
Yes, but I think that XP SP3 doesn't know what to do with this function, because everything in 5048 Ndis6 works, but nowhere there is a function NmrWaitForProviderDeregisterComplete.
Dietmar

EDIT: Is NmrWaitForProviderDeregisterComplete in the export functions?

Edited June 6, 2022 by Dietmar

Damnation (Author)
Posted June 6, 2022

@Dietmar
The NmrWaitForProviderDeregisterComplete function could still potentially be in 5048 but be invisible without the symbols.

Dietmar
Posted June 6, 2022

@Damnation
I think not, because IDA Pro also shows that the first appearance of NmrWaitForProviderDeregisterComplete is in netio.sys from Vista.
Dietmar

Edited June 6, 2022 by Dietmar

Damnation (Author)
Posted June 6, 2022

@Dietmar
What in the debug log makes you think these NMR functions are the cause?

Dietmar
Posted June 6, 2022

@Damnation
I think that Dependency Walker does not show everything. PE Maker shows, for example:
in netio.sys 5048: 224 export functions
in netio.sys from RTM Vista: 351 export functions
in netio.sys from Win7 SP1: 391 export functions
Dietmar

Edited June 6, 2022 by Dietmar