BAD_POOL_CALLER in inspect.sys

Hi,

I ran into serious trouble with the CIS kernel-land driver. Whenever I hibernate (save my system to disk) and then try to restore (load the hibernated system back into system memory), my system goes 0xC2 (BAD_POOL_CALLER). That's when it happens. I first ran a complete chkdsk /F /V /X /R, then a complete RAM check and hardware check, just to make sure nothing is wrong with my hardware. But I get this over and over. Since I am a developer too, I examined the kernel dump from the last bugcheck and the kernel memory and got this:

1: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000110b, (reserved)
Arg3: 08530008, Memory contents of the pool block
Arg4: 85811278, Address of the block of pool being deallocated

Debugging Details:

POOL_ADDRESS: 85811278 Nonpaged pool

FREED_POOL_TAG: aPmI

BUGCHECK_STR: 0xc2_7_aPmI

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8252c00c to 8250b0e3

STACK_TEXT:
8b96b524 8252c00c 000000c2 00000007 0000110b nt!KeBugCheckEx+0x1e
8b96b598 8aa12370 85811278 00000000 8b96b5e8 nt!ExFreePoolWithTag+0x17f
WARNING: Stack unwind information not available. Following frames may be wrong.
8b96b5a8 8f43d160 85811278 00000000 00000000 ndis!NdisFreeMemory+0x16
8b96b5e8 8aae14b1 8b96b684 8b96b610 87178294 inspect+0x2160
8b96b67c 8aae1129 c0000001 84d5eb10 8aa41918 ndis!TrFilterDprIndicateReceiveComplete+0x2d1d
8b96b708 8aaeff67 86fe10e8 00000000 00000000 ndis!TrFilterDprIndicateReceiveComplete+0x2995
8b96b72c 8aaf01e1 00000000 859d11c4 00000000 ndis!NdisWriteConfiguration+0x2a4
8b96b74c 8f4edfe0 86f75e60 859d1264 859d11c4 ndis!NdisIMInitializeDeviceInstanceEx+0x100
8b96b760 8f4ebf42 859d11c4 8b96b7a4 86fe5d34 VBoxNetFlt+0x5fe0
8b96b774 8f4ebace 00000000 00000000 86fe5d34 VBoxNetFlt+0x3f42
8b96b798 8f4ebb5f 00000000 859d1168 8b96b8ec VBoxNetFlt+0x3ace
8b96b7b4 8f4e91ad 859d1168 8b96b8ec 8b96b810 VBoxNetFlt+0x3b5f
8b96b7d4 8f4e9277 8f4f6cc0 8b96b810 8b96b800 VBoxNetFlt+0x11ad
8b96b7f8 8f4ebbd3 8f4f6cc0 8b96b810 8b96b90c VBoxNetFlt+0x1277
8b96b8fc 8f4ebfdd 8b96b91c 85aa9898 00000000 VBoxNetFlt+0x3bd3
8b96b924 8aae14b1 8b96b9c0 8b96b94c 86fe5d34 VBoxNetFlt+0x3fdd
8b96b9b8 8aae1129 00000000 84d4e820 8aa41918 ndis!TrFilterDprIndicateReceiveComplete+0x2d1d
8b96ba44 8aaeff67 86fe50e8 00000000 00000000 ndis!TrFilterDprIndicateReceiveComplete+0x2995
8b96ba68 8aaf01e1 00000000 85501090 00000000 ndis!NdisWriteConfiguration+0x2a4
8b96ba88 8aba2ada 86f516d0 85a4c4e8 85501090 ndis!NdisIMInitializeDeviceInstanceEx+0x100
8b96bb4c 8aba5d6f 86cafd34 8b96bbe0 8aae14b1 VMNetSrv+0x2ada
00000000 00000000 00000000 00000000 00000000 VMNetSrv+0x5d6f

STACK_COMMAND: kb

FOLLOWUP_IP:
inspect+2160
8f43d160 8b4dfc mov ecx,dword ptr [ebp-4]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: inspect+2160

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: inspect

IMAGE_NAME: inspect.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 491b1a47

FAILURE_BUCKET_ID: 0xc2_7_aPmI_inspect+2160

BUCKET_ID: 0xc2_7_aPmI_inspect+2160

Having a look at the driver gave me this:

Show File Version Info 1, 0, 0, 1 (UNICODE)
Copyright (C) 2008 Kerem Gümrükcü
Contact: kerem.g@arcor.de
License: GNU/GPL
Self MD5: eb2c900a6fab3ff28fa2b812381bfe92
Self SHA1: 22bee01c9b454d94ecb6a2c529e0e40ab8064608

File Version Info for:
“C:\Windows\System32\drivers\inspect.sys”

[FileName]
– C:\Windows\System32\drivers\inspect.sys –
[Language]
– Englisch (USA) –
[CompanyName]
– COMODO –
[FileDescription]
– COMODO Internet Security Firewall Driver –
[FileVersion]
– 3, 5, 55470, 430 built by: WinDDK –
[InternalName]
– inspect.sys –
[LegalCopyright]
– 2005-2008 COMODO. All rights reserved. –
[OriginalFilename]
– inspect.sys –
[ProductName]
– COMODO Internet Security Firewall Driver –
[ProductVersion]
– 3, 5, 55470, 430 –

My (development) system is Windows Vista Ultimate Edition (32-bit); it's up to date and runs stable so far, except for this. I generally work with UAC on and do not modify any OS or kernel memory if there is no need to while developing drivers/userland stuff, and I really take care what enters the kernel and tries to run in ring 0.

I am not a paying customer, but I like your product and I want to help improve it and free it from buggy code. I hope I can be of any help, and I can provide a full kernel-space memory dump if needed…

Regards

Kerem
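For anyone triaging a dump like the one above, here is an added Python example (not from this thread or from COMODO) that pulls the key facts out of the !analyze -v text: the bugcheck code and Arg1 meaning, the freed block and pool tag, and the first stack frame outside nt/ndis as the likely owner of the double free. Treating nt and ndis as trusted framework modules is this script's own assumption; on the post's stack it lands on inspect+0x2160, the same frame WinDbg reports as SYMBOL_STACK_INDEX 3.

```python
import re

# Constructed excerpt of the "!analyze -v" output quoted in the post above
SAMPLE_DUMP = """\
BAD_POOL_CALLER (c2)
Arg1: 00000007, Attempt to free pool which was already freed
Arg4: 85811278, Address of the block of pool being deallocated
FREED_POOL_TAG: aPmI
8b96b524 8252c00c 000000c2 00000007 0000110b nt!KeBugCheckEx+0x1e
8b96b598 8aa12370 85811278 00000000 8b96b5e8 nt!ExFreePoolWithTag+0x17f
WARNING: Stack unwind information not available. Following frames may be wrong.
8b96b5a8 8f43d160 85811278 00000000 00000000 ndis!NdisFreeMemory+0x16
8b96b5e8 8aae14b1 8b96b684 8b96b610 87178294 inspect+0x2160
8b96b67c 8aae1129 c0000001 84d5eb10 8aa41918 ndis!TrFilterDprIndicateReceiveComplete+0x2d1d
"""
# Modules treated as framework code rather than the suspect (an assumption of this triage)
FRAMEWORK_MODULES = {"nt", "ndis"}
BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]+), (.*)$", re.M)
TAG_RE = re.compile(r"^FREED_POOL_TAG: (\S+)$", re.M)
# One 32-bit "kb" frame: ChildEBP RetAddr Args-to-Child(x3) Symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$", re.M)


def module_of(symbol):
    """'ndis!NdisFreeMemory+0x16' -> 'ndis'; 'inspect+0x2160' -> 'inspect'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def triage(dump_text):
    """Extract bugcheck code, Arg1 meaning, pool tag and the first non-framework frame."""
    name, code = BUGCHECK_RE.search(dump_text).groups()
    args = {int(n): (int(v, 16), desc) for n, v, desc in ARG_RE.findall(dump_text)}
    tag = TAG_RE.search(dump_text)
    frames = FRAME_RE.findall(dump_text)
    # Walk outward from KeBugCheckEx; the first non-nt/ndis frame handed the stale block to NdisFreeMemory
    idx = next((i for i, s in enumerate(frames) if module_of(s) not in FRAMEWORK_MODULES), None)
    return {
        "bugcheck": name,
        "code": int(code, 16),
        "arg1_meaning": args[1][1],
        "freed_block": args[4][0],
        "pool_tag": tag.group(1) if tag else None,
        "suspect_index": idx,
        "suspect": frames[idx] if idx is not None else None,
        # "kb" had no unwind data past the suspect, so frames below it may be wrong too
        "unwind_unreliable": "Stack unwind information not available" in dump_text,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```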

Hello keremg,

From the file version I assume this is the current “stable” 3.5.57173.439?
I've had this same problem and it seems to be resolved in the current beta.

Hi Ronny,

Thanks for your reply. Was it exactly the same behaviour, I mean first hibernate and then go BSOD on restore to memory? I mean, if this version is flagged “stable” there must be some patch/fix for that. Internally it's a call to an Executive Library Support Routine named ExFreePoolWithTag(…) at IRQL <= DISPATCH_LEVEL or IRQL <= APC_LEVEL, but I guess, and I am sure, it's more difficult, because I know that from my drivers…

Is the latest “beta” more stable than the previous “stable” codebase…?

Regards

Kerem

I could reproduce it almost every time: put my system to standby after 1 minute of inactivity and it BSOD'd on wakeup.
Or the screen would stay black and it would dump without a “blue” screen.

Same results for windbg.

No, not for me. If it's not too big a problem I would at least wait for the RC to come out.

OK, well, I run it on XP and 2000 with almost no problem, so I won't remove it from there, but of course I'll wait for the release of the next stable. Well, I know how difficult it is to maintain a big piece of software like CIS, where you have usermode and kernelmode code and it's hundreds of thousands of lines of code. I highly respect the developers' and architecture designers' skills. So I can understand when it takes time to fix that or when they decide to skip that step and include the fix in the next release…

Currently I am developing and working on a hobby project named “Device Remover”, an advanced Device Manager for Windows which is also built on a kernel mode and a usermode space. It has a kernel driver and a usermode UI and I am doing both at the same time, so I know how much work it is to make an application stable, useful and easy to use. Check it out if you like:

http://www.pro-it-education.de/software/deviceremover/

I recommend you use the full setup and, if you use it in the future, also do a regular update (automatic update check is on by default!)

Regards

Kerem

Looks impressive, nice work !

Thanks, more than “nice work”, it was “hard work”… :wink: and I am still improving it every day…
The reason why I wrote this and am still writing on it is that the Windows Device Manager lacks lots of features you will find in my app, e.g. removing a set of devices in one shot, even all on your system if you like… :-TU

  • device searching capabilities
  • mass removal
    – WMI interface
  • extensive and very verbose information on devices, drivers and services
  • very powerful command line supporting applications (Tools->Application->)
  • and lots more…

Check it out if you like…

Regards

Kerem