
NDIS6 support for XP?


Damnation


Posted (edited)

@Damnation

I just tested that your ntoskrn8.sys, together with the files from Longhorn 5048, is downward compatible with the i211 on the Asrock z370 k6 board.

So right now NDIS6 runs on this board under XP SP3.

Dietmar

20220606-143640.jpg

Edited by Dietmar

Posted (edited)

@Damnation

With the Vista files I get a BSOD about netio.sys.

This is from Vista 6.0.5840.16384, because I have no real Vista RTM *.iso.

So maybe Longhorn 5048 is not real NDIS6, but still some sort of enlarged NDIS5?

Dietmar

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0xB9865391,0xBA4C3518,0xBA4C3214)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun  6 14:54:43.343 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...........................
Loading User Symbols

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b9865391, ba4c3518, ba4c3214}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NETIO.SYS -
Probably caused by : NETIO.SYS ( NETIO!MdpCreatePool+18e )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b9865391, The address that the exception occurred at
Arg3: ba4c3518, Exception Record Address
Arg4: ba4c3214, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
NETIO!MdpCreatePool+18e
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch]

EXCEPTION_RECORD:  ba4c3518 -- (.exr 0xffffffffba4c3518)
ExceptionAddress: b9865391 (NETIO!MdpCreatePool+0x0000018e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT:  ba4c3214 -- (.cxr 0xffffffffba4c3214;r)
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
NETIO!MdpCreatePool+0x18e:
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
NETIO!MdpCreatePool+0x18e:
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Resetting default scope

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000001c

READ_ADDRESS:  0000001c

FOLLOWUP_IP:
NETIO!MdpCreatePool+18e
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from b9887043 to b9865391

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
ba4c3600 b9887043 b9886000 00000007 b9880048 NETIO!MdpCreatePool+0x18e
ba4c3640 8069de4c b9887005 80084000 80084000 NETIO!DllInitialize+0x3e
ba4c3690 8069af70 80084000 ba4c36ac 00034000 nt!IopInitializeBootDrivers+0xd4
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x712
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NETIO!MdpCreatePool+18e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  453706f4

IMAGE_VERSION:  6.0.5840.16384

STACK_COMMAND:  .cxr 0xffffffffba4c3214 ; kb

FAILURE_BUCKET_ID:  0x7E_NETIO!MdpCreatePool+18e

BUCKET_ID:  0x7E_NETIO!MdpCreatePool+18e

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7e_netio!mdpcreatepool+18e

FAILURE_ID_HASH:  {d5191185-245d-5e1f-80bf-780e83a44225}

Followup: MachineOwner
---------

Edited by Dietmar

@Damnation

I notice that the netio.sys from Vista has a dependency on the function NmrWaitForProviderDeregisterComplete, which the netio.sys from Longhorn 5048 does not have.

Dietmar


Posted (edited)

@Damnation

Yep, with these Vista files. The BSOD always goes to netio.sys. I think it is exactly the same BSOD, even though the name of the crashed function in netio.sys is different.

Dietmar

*** Fatal System Error: 0x0000007e
                       (0xC0000005,0xB9865391,0xBA4C3518,0xBA4C3214)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun  6 15:33:51.625 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...........................
Loading User Symbols

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, b9865391, ba4c3518, ba4c3214}

Probably caused by : NETIO.SYS ( NETIO!RmpStartModule+91 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b9865391, The address that the exception occurred at
Arg3: ba4c3518, Exception Record Address
Arg4: ba4c3214, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

FAULTING_IP:
NETIO!RmpStartModule+91
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch]

EXCEPTION_RECORD:  ba4c3518 -- (.exr 0xffffffffba4c3518)
ExceptionAddress: b9865391 (NETIO!RmpStartModule+0x00000091)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000001c
Attempt to read from address 0000001c

CONTEXT:  ba4c3214 -- (.cxr 0xffffffffba4c3214;r)
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
NETIO!RmpStartModule+0x91:
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Last set context:
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
eip=b9865391 esp=ba4c35e0 ebp=ba4c3600 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
NETIO!RmpStartModule+0x91:
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch] ds:0023:0000001c=????????
Resetting default scope

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx". Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0000001c

READ_ADDRESS:  0000001c

FOLLOWUP_IP:
NETIO!RmpStartModule+91
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from b9881032 to b9865391

STACK_TEXT:  
ba4c35e8 b9881032 8bc0775e 00000000 00000000 NETIO!RmpStartModule+0x91
ba4c3600 b9887043 b9886000 00000007 b9880048 NETIO!RtlInvokeStartRoutines+0x22
ba4c3618 805ad41e ba4c3630 80084000 00000000 NETIO!DllInitialize+0x3e
ba4c3640 8069de4c b9887005 80084000 80084000 nt!MmCallDllInitialize+0x10a
ba4c3690 8069af70 80084000 ba4c36ac 00034000 nt!IopInitializeBootDrivers+0xd4
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x712
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NETIO!RmpStartModule+91

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4549b319

IMAGE_VERSION:  6.0.6000.16386

STACK_COMMAND:  .cxr 0xffffffffba4c3214 ; kb

FAILURE_BUCKET_ID:  0x7E_NETIO!RmpStartModule+91

BUCKET_ID:  0x7E_NETIO!RmpStartModule+91

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7e_netio!rmpstartmodule+91

FAILURE_ID_HASH:  {f95916f7-0b10-1efa-9f1c-5cdfefa6763a}

Followup: MachineOwner
---------

 

 

Edited by Dietmar
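
A check for the claim in the post above that both bugchecks are the same fault despite the different function names, as an added example that is not part of the original thread: it compares the symbol-independent fields of the two `!analyze -v` outputs and tests whether the access is a read at a NULL base register plus an offset. The field excerpts are copied from the posted output; the function names (`parse`, `signature`, `null_base_deref`) are this example's own.

```python
import re

# Fields copied from the two `!analyze -v` outputs posted in this thread (trimmed).
COMMON = """\
Arg1: c0000005, The exception code that was not handled
b9865391 8b401c          mov     eax,dword ptr [eax+1Ch]
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  0000001c
eax=00000000 ebx=00000000 ecx=8bc9cca0 edx=8bc9c8b0 esi=805a7d2c edi=74506d52
IMAGE_NAME:  NETIO.SYS
"""
DUMP_A = COMMON + "SYMBOL_NAME:  NETIO!MdpCreatePool+18e\nIMAGE_VERSION:  6.0.5840.16384\n"
DUMP_B = COMMON + "SYMBOL_NAME:  NETIO!RmpStartModule+91\nIMAGE_VERSION:  6.0.6000.16386\n"

def parse(text):
    """Pull the triage-relevant fields out of !analyze -v text."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    # Disassembly line: address, opcode bytes, mnemonic and operands.
    ins = re.search(r"^([0-9a-f]{8}) ([0-9a-f]+)\s+(\S.*?)\s*$", text, re.M)
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    return {
        "code": field(r"^Arg1: ([0-9a-f]{8})"),
        "access": int(field(r"^EXCEPTION_PARAMETER1:\s+([0-9a-f]+)"), 16),  # 0 = read
        "target": int(field(r"^EXCEPTION_PARAMETER2:\s+([0-9a-f]+)"), 16),
        "image": field(r"^IMAGE_NAME:\s+(\S+)"),
        "version": field(r"^IMAGE_VERSION:\s+(\S+)"),
        "symbol": field(r"^SYMBOL_NAME:\s+(\S+)"),
        "opcode": ins.group(2), "asm": ins.group(3), "regs": regs,
    }

def signature(rec):
    """Identity of the fault that does not depend on which symbols were loaded."""
    return (rec["image"], rec["code"], rec["access"], rec["target"], rec["opcode"])

def null_base_deref(rec):
    """Return (register, offset) if the fault address is [NULL register + offset]."""
    m = re.search(r"\[(e[a-z]{2})\+([0-9A-Fa-f]+)h\]", rec["asm"])
    if not m:
        return None
    reg, disp = m.group(1), int(m.group(2), 16)
    return (reg, disp) if rec["regs"].get(reg) == 0 and disp == rec["target"] else None

if __name__ == "__main__":
    a, b = parse(DUMP_A), parse(DUMP_B)
    print(a["symbol"], b["symbol"], signature(a) == signature(b), null_base_deref(a))
```
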

@Dietmar

I noticed that RmpStartModule makes use of MmAllocatePagesForMdlEx.

I made use of code from the Windows Research Kernel for my implementation of it. Can you debug that function in my ntoskrn8.sys?


Posted (edited)

@Damnation

I don't know how to debug ntoskrn8.sys.

I noticed that the function NmrWaitForProviderDeregisterComplete in netio.sys is not in your first post here.

Dietmar

Edited by Dietmar

Posted (edited)

@Damnation

Yes, but I think that XP SP3 doesn't know what to do with this function, because everything in the 5048 NDIS6 works, but nowhere in it is there a function NmrWaitForProviderDeregisterComplete.

Dietmar

EDIT: Is NmrWaitForProviderDeregisterComplete in the export functions?

Edited by Dietmar

Posted (edited)

@Damnation

I think not, because IDA Pro also shows that the first appearance of NmrWaitForProviderDeregisterComplete is in netio.sys from Vista.

Dietmar

Edited by Dietmar

Posted (edited)

@Damnation

I think that Dependency Walker does not show everything. PE Maker shows, for example:

in netio.sys 5048: 224 export functions

in netio.sys from RTM Vista: 351 export functions

in netio.sys from Win7 SP1: 391 export functions

Dietmar

 

 

Edited by Dietmar