LNS driver crash

Hi,

Last time I had a crash (Stop Error; Blue Screen) with the following important notes in the message:

IRQL_NOT_LESS_OR_EQUAL

***STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000000, 0x804DC25D


I analysed which driver caused the crash with 'Winternals Crash Analyzer Wizard'. It displayed that the driver: 'lnsfw1.sys' probably was at fault. It returned some analysis details with some code for the manufacturer to analyze and solve the bug. I have attached the analysis.log file with the analysis details, so that you can solve the bug.

Can it also be that LnS wasn't the root cause for the crash, but that I have some other applications running along with LnS that aren't compatible LnS and thus conflicting with LnS, that finally results in LnS crashing? Because I must say I found it odd when I saw LnS the reason for the crash, as I thought it would be a trouble free application.

Best regards,
Mark

 

Hi,

Could you send us the minidump file at lnssupport@soft4ever.com and tell us what is the version you are using (2.05p2 or p3), and the features that were enabled (the interesting ones: DLL Detection, Watch Thread injection, Whatch DNS Call, and Beta detection features in case you use the p3).

Thanks,

Frederic

 

Hi,

I have send you the minidump file by e-mail.


I copied this part from the analysis.log file:

GetPointerFromAddress: unable to read from 8055ee34
THREAD fdec17f0 Cid 0750.0f74 Teb: 7ffae000 Win32Thread: 00000000 RUNNING on processor 0
IRP List:
Unable to read nt!_IRP @ 81e9e008
Not impersonating
GetUlongFromAddress: unable to read from 8055ee44
Owning Process fefef590 Image: nod32krn.exe
ffdf0000: Unable to get shared data
Wait Start TickCount 235639
Context Switch Count 368
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Start Address 0x7c810856
Win32 Start Address 0x2020acb0
Stack Init ec3c0000 Current ec3bf2f8 Base ec3c0000 Limit ec3bd000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
ec3bf370 efc11449 00000000 00000000 00000000 nt!KeWaitForSingleObject+0xbb (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
ec3bf3cc efc1198a 00000000 00000750 ec3bf738 lnsfw1+0xc449
ec3bf6a4 efc0899e 00000000 81e9e018 821cff38 lnsfw1+0xc98a
ec3bf700 efc05cdc 821a7cd8 81e9e008 81e9e09c lnsfw1+0x399e
ec3bf75c efc066c1 821a7cd8 81e9e008 81e9e09c lnsfw1+0xcdc
ec3bf7cc 804e37f7 821a7c20 81e9e008 81e9e008 lnsfw1+0x16c1
ec3bf7dc 8057069a 82219de8 81ec6fac ec3bf984 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
ec3bf8bc 8056316c 82219e00 00000000 81ec6f08 nt!IopParseDevice+0xa58 (FPO: [Non-Fpo])
ec3bf944 8056729a 00000000 ec3bf984 00000240 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
ec3bf998 80570b73 00000000 00000000 57076f00 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
ec3bfa14 80570c42 fed3b6f0 02000000 ec3bfbb8 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
ec3bfa70 efafe483 fed3b6f0 02000000 ec3bfbb8 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
ec3bfc24 efb052c7 fdec1a00 821cd030 ec3bfc58 afd!AfdBind+0x2dc (FPO: [Non-Fpo])
ec3bfc34 804e37f7 82219030 82068800 806ef2d0 afd!AfdDispatchDeviceControl+0x53 (FPO: [Non-Fpo])
ec3bfc44 8056a101 820688dc fdd82540 82068800 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
ec3bfc58 80579a8a 82219030 82068800 fdd82540 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
ec3bfd00 8057bfa5 0000024c 00000250 00000000 nt!IopXxxControlFile+0x611 (FPO: [Non-Fpo])
ec3bfd34 804de7ec 0000024c 00000250 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
ec3bfd34 7c90eb94 0000024c 00000250 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ ec3bfd64)
02629cb8 00000000 00000000 00000000 00000000 0x7c90eb94


It sais something about nod32krn.exe:

GetUlongFromAddress: unable to read from 8055ee44
Owning Process fefef590 Image: nod32krn.exe
ffdf0000: Unable to get shared data.

I don't know what that means, but I just took for sure so you can have the info.

 

Thanks, I will look at the minidump file.

Frederic

 

Hi Mark,

I've looked at the file, and the application filtering driver (Lnsfw1) crashed when a new application tried to connect to internet, when a popup dialog box should appear at the GUI level.
Did you get this crash several times ? Do you know if it occured just after pressing the Allow/Block buttons in the authorization dialog box ? or when a new application was just started ? (a new application could also be an existing application that has just been updated and the signature was different).

To answer your first post, 'Winternals Crash Analyzer Wizard' is reporting the correct information about Lnsfw1 crashing. Now, the root cause of the crash is still unknown, but even if it is caused by another bad thing in another application the driver should not crash. If you have several additional instances of the crash it could help.

Regards,

Frederic

 

I can help with this Frederic,
several days ago I experienced a problem such like this,
I didn’t choose to report it at that time (and I know I should have).

I’m not sure exactly how identical this may be to Mark Klomp, but I have a feeling it is very close if not exactly the same thing.

It can begin with a client application like for instance an Updater, this Updater can already have rights in Look ‘n’ Stop Application Filtering, but this can happen regardless.

From what I observed, if the client application not even existing in the list, and when the client application is about to make an update attempt, BOOM, updater application crashes, and NO Look ‘n’ Stop Application Filtering alert for the program appears.

I do have a theory, I believe it to be something with Look ‘n’ Stop DLL filtering in addition...

 

Hi,

I can tell you that I have many apps in the 'application filtering' in the 'list of authorized or blocked applications' added, to be precisely 72 application's. Maybe that's causing instability for the LNS app filtering driver.
A while ago when I had Process Guard it was generating error's (at user level) due to to many apps that were added in the application list of blocked and allowed applications. When I removed PG the error's were gone. When I had Outpost firewall it was causing stop error's but I don't know if that also was due to to many apps added in the application filtering list.

BTW that's interesting Phant0m, I hope we'll soon discover what's actually the problem.
And yes I have DLL-detection enabled.

Best regards,
Mark Klomp

 

I have a large number of entries in Application Filtering list too, but this problem seems to be tied to DLL filtering, I can almost swear on it…

 

Mark Klomp, list me off all the DLLs that you have set on block, you don't need to include paths, just filenames....

 

I have got all the DLL's listed allowed.

 

It is always exactly the same Event logging....

 

In the crashdump I've examined, the context of crash is not linked to the DLL detection.

Phant0m, if you have some Minidumps with a similar issue, send them to me and I will take a look.

Thanks,

Frederic

 

Hey Phant0m....check your PMs, brother

 

Frederic, can you solve the issue I'm having in the next release of LnS.
Maybe you should seriously debug LnS to fix all bugs/exploits in the program. It certainly is said easier than done, but anyway, it's always nice to have a really stable program

Thanks,
Mark

 

Hi Mark,

I'm not sure what you meant by "seriously debugging LnS".
There is not a lot of bugs. You are the only one reporting this kind of crash so far (this doesn't mean I do not investigate it).

The main identified issue is the incompatibility between DEP protection and advanced LnS features & detection.
Besides this, no real major issue shared by a lot of people.

Did you see my post above, I was asking some questions regarding the occurence of this problem, and the condition it is happening.

Also do you know there is a 2.05p3 ? This version is fixing some issues yet.
Perhaps you should try it. Either it will solve your issue, or I will get a different minidump that may help.

Thanks,

Frederic

 

Just final note on my experiences I had shared on here, mine wasn’t a BSOD just mere application crash, crashing of a particular client application, an updater system for one of the products I run.


Bests Regards,
Phant0m``

 

It just occurs I don't know why. But in the .log should be explained how to fix the bug if it's right.

Maybe I should send you a ''Kernel Memory Dump'' file? But then I have to enable it first, and then the same crash has to occur again. But maybe if I send it to you you have more information, of why the Stop Error occured. I can also enable ''Complete Memory Dump'' files (full dumps), but those are to large to send over the internet, with my memory capacity it will be over 512 MB. But ''Kernel Memory Dump'' files do already include more information about the cause of the Stop error than ''Small Memory Dump'' files (minidumps), because you can consider ''Kernel Memory Dump'' files as intermediate.

 

Hey Mark Klomp

How is that working out for yea?

My problem is direct relation to ‘Watch Thread injections’, the anomaly is persistent when doing re-tries, but every time I disable Only ‘Watch Thread injections’ feature and try once again, BANG, zero problems…