How to diagnose NULL dereference BSoD in NdisFOidRequest?

  • Question

  • I have an NDIS LWF filter driver, Npcap, which is crashing in some instances when originating an OID request. The crash is DRIVER_IRQL_NOT_LESS_OR_EQUAL, an attempt to write to the address 0x0 in NdisFOidRequest. The NDIS_OID_REQUEST object is zeroed out, and the necessary members are set, but I'm guessing something is not being set properly. Here is the code in question. This function receives an IOCTL and converts it to an OID request. The crash is in a SET request for OID_GEN_CURRENT_LOOKAHEAD, so the branch at line 2238 is skipped.

    I hesitate to guess too much, since this question is about "How to diagnose," and I'm looking for likely mistakes surrounding the NdisFOidRequest function. But I did wonder if I should be setting the RequestHandle on the NDIS_OID_REQUEST. The trouble is, I can't tell from the docs what that member should be set to. Is it the NdisFilterDriverHandle that was returned from NdisFRegisterFilterDriver? Or something else? Or is it not even relevant to this crash?

    Friday, April 20, 2018 6:02 PM


  • The filter handle is what was passed into your attach handler, which you save away in a context block. This is how NDIS knows which driver the request came from. As far as how to diagnose this, look at the assembly language and determine from which offset into the request structure it is pulling the address that it dereferences. Using that offset, look at the request structure definition to find out which field you're not setting properly. FYI, kernel data structures are not byte-packed.


    Azius Developer Training Windows device driver, internals, security, & forensics training and consulting. Blog at

    Friday, April 20, 2018 6:25 PM
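The diagnosis method in the answer above (take the offset from the faulting instruction, map it onto the structure definition, remember that the compiler inserts alignment padding) can be mechanised with the compiler's own `offsetof`. The program below is an added example, not code from the poster or from Npcap. The `MOCK_OID_REQUEST` structure is a constructed stand-in whose field names echo the real `NDIS_OID_REQUEST` but whose types, order and offsets are illustrative only; on a real crash you would take the offsets from the debugger (for instance WinDbg's `dt` command on the actual type) rather than from this mock.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CONSTRUCTED stand-in for an OID request structure. This is NOT the real
 * NDIS_OID_REQUEST layout from ndis.h: the field names echo the real ones,
 * but types, order and offsets are illustrative. Use the debugger's type
 * dump on the real structure for real offsets. */
typedef struct _MOCK_SET_INFORMATION {
    uint32_t Oid;
    void    *InformationBuffer;
    uint32_t InformationBufferLength;
    uint32_t BytesRead;
    uint32_t BytesNeeded;
} MOCK_SET_INFORMATION;

typedef struct _MOCK_OID_REQUEST {
    struct { uint8_t Type; uint8_t Revision; uint16_t Size; } Header;
    uint32_t RequestType;
    uint32_t PortNumber;
    uint32_t Timeout;
    void    *RequestId;
    void    *RequestHandle;  /* pointer-sized; a write through it while still zero faults at 0x0 */
    union { MOCK_SET_INFORMATION SET_INFORMATION; } DATA;
} MOCK_OID_REQUEST;

typedef struct { const char *name; size_t offset; size_t size; } FIELD_DESC;

#define FIELD(s, m) { #m, offsetof(s, m), sizeof(((s *)0)->m) }
#define SUBFIELD(s, m, ss, sm) \
    { #m "." #sm, offsetof(s, m) + offsetof(ss, sm), sizeof(((ss *)0)->sm) }

/* Field table taken from the compiler's real layout, so alignment padding is
 * accounted for instead of guessed. */
static const FIELD_DESC g_fields[] = {
    FIELD(MOCK_OID_REQUEST, Header),
    FIELD(MOCK_OID_REQUEST, RequestType),
    FIELD(MOCK_OID_REQUEST, PortNumber),
    FIELD(MOCK_OID_REQUEST, Timeout),
    FIELD(MOCK_OID_REQUEST, RequestId),
    FIELD(MOCK_OID_REQUEST, RequestHandle),
    SUBFIELD(MOCK_OID_REQUEST, DATA, MOCK_SET_INFORMATION, Oid),
    SUBFIELD(MOCK_OID_REQUEST, DATA, MOCK_SET_INFORMATION, InformationBuffer),
    SUBFIELD(MOCK_OID_REQUEST, DATA, MOCK_SET_INFORMATION, InformationBufferLength),
    SUBFIELD(MOCK_OID_REQUEST, DATA, MOCK_SET_INFORMATION, BytesRead),
    SUBFIELD(MOCK_OID_REQUEST, DATA, MOCK_SET_INFORMATION, BytesNeeded),
};
#define NFIELDS (sizeof(g_fields) / sizeof(g_fields[0]))

/* Map a byte offset read from the faulting instruction (the displacement in
 * something like "mov rax,[rcx+18h]") to the field that contains it.
 * Returns "(padding)" for an alignment gap and "(out of range)" past the end. */
const char *field_at_offset(size_t off)
{
    if (off >= sizeof(MOCK_OID_REQUEST)) return "(out of range)";
    for (size_t i = 0; i < NFIELDS; i++) {
        if (off >= g_fields[i].offset && off < g_fields[i].offset + g_fields[i].size)
            return g_fields[i].name;
    }
    return "(padding)";
}

/* Bytes of alignment padding the compiler inserted. A nonzero result is why
 * adding up field sizes by hand gives wrong offsets: the structure is not byte-packed. */
size_t padding_bytes(void)
{
    size_t used = 0;
    for (size_t i = 0; i < NFIELDS; i++) used += g_fields[i].size;
    return sizeof(MOCK_OID_REQUEST) - used;
}

/* Print the layout the way a debugger's type dump would, then resolve one
 * sample displacement (the one for RequestHandle on this build). */
int main(void)
{
    for (size_t i = 0; i < NFIELDS; i++)
        printf("  +%#06zx  %-28s (%zu bytes)\n", g_fields[i].offset, g_fields[i].name, g_fields[i].size);
    printf("sizeof = %zu, padding = %zu\n", sizeof(MOCK_OID_REQUEST), padding_bytes());

    size_t fault_disp = offsetof(MOCK_OID_REQUEST, RequestHandle);  /* constructed sample */
    printf("displacement %#zx is inside field %s\n", fault_disp, field_at_offset(fault_disp));
    return 0;
}
```

Once the offset resolves to a pointer-sized member such as `RequestHandle`, the zero-filled request explains the write to address 0x0: NDIS reads that member and uses it as a pointer. As the answer says, the value to put there is the filter handle passed to the attach handler and saved in the filter's context block, not anything returned from NdisFRegisterFilterDriver.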