Mapping from NDIS OIDs to WMI classes

In which we write a PowerShell script, install the WDK, attach a kernel debugger, reverse-engineer the OS, and prove Goldbach’s conjecture

We’ve previously talked about how to rummage through all the NDIS WMI classes, but there’s one topic we haven’t fully covered.  Suppose you’re looking for the WMI class that maps to a specific OID…


Summary of packet-tracking techniques

Tracking the packet tracking

We just covered a couple ways to track packets in the kernel debugger.  Here’s a quick reference table to help you understand how these techniques fit into your toolbelt.

                            !ndiskd.pendingnbls    !ndiskd.nbl -log
Documentation               Here                   Here
Finds “lost packets”        Yes                    No
Finds “smuggled packets”    No                     Yes
Finds use-after-free        No                     Yes
Loses data…


!ndiskd.nbl -log

All your NBL are belong to !ndiskd

Last time we talked about !ndiskd.pendingnbls.  This command shows you which component currently holds an NBL.  But what if you want to see how the NBL got there?  That sounds like a job for !ndiskd.nbl -log! Starting with Windows 8 and Windows Server 2012, NDIS can be configured to…


!ndiskd.pendingnbls

I’ve got your NBLs right here

The most common issue we see in NDIS drivers is a “lost packet”.  You have lost a packet when NDIS gives your driver a NET_BUFFER_LIST (NBL) and your driver never returns the packet back to NDIS.  A lost packet will often show up as a hang during Pause or…


TMF download page

Are you targeting Windows 8 or Windows Server 2012?  You don’t need anything from here!  These operating systems already include all the TMFs you’ll need in the PDB from the Microsoft Symbol Server. For Windows 7 and Windows Server 2008 R2, here is a copy of the TMF decoders for NDIS.SYS: → Download here. This…


Debugging with NDISKD

Chapter three of a beginner’s guide to debugging with NDISKD

In Part 1 of the series, we set up a kernel debugger. In the second installment, we took a closer look at ndiskd’s output for miniports. Today, we will use what we know to debug an actual network issue. The symptoms are thus: The network…


NDISKD and !miniport

The second installment of a beginner’s guide to debugging with NDISKD

Last time we set up the debugger, looked at !ndiskd.help, and dumped out a table of active miniports.  Today we’ll continue our laboratory by examining a specific miniport.  As before, we use !ndiskd.miniports to get the table of active miniports: kd> !ndiskd.miniport MiniDriver         Miniport           …


Getting started with NDISKD

Part 1 of a beginner’s guide to debugging with NDISKD

If you haven’t already, grab the updated WDK with its new ndiskd debugger extension.  You’ll need it for today’s laboratory exercise: getting started with ndiskd. If you are new to Windows kernel debugging, check out Ilias’s thorough tutorial.  You should follow that tutorial to get…


[Re]Introducing NDISKD

Over a decade of making NDIS developers dangerous

Today we released a new version of the WDK.  This release has an updated version of the debuggers, including an overhauled version of ndiskd. Ndiskd is a debugger extension written by the NDIS team.  Internally, we use the extension to debug NDIS.SYS itself.  Since it’s also useful…
