
View Full Version : Winpcap is crashing all debuggers.


DarkAlchemist
April 10th, 2009, 15:16
I have an exe that I am trying to RE and regardless of the debugger that I use it crashes them. Runs fine if the exe is not loaded in the debugger (ollydbg attach). The routine that crashes them is "pcap_findalldevs_ex".

Anyone else run into this and/or knows how to get around this?

Thanks.

Elenil
April 10th, 2009, 15:29
the debugger crashes or the exe crashes?
do you use softice too?

JMI
April 10th, 2009, 16:02
If you have actually READ THE FAQ, you would know that we expect posters on these Forums to have done some of their own homework prior to posting questions on these Forums and to show some of their own work.

We do not know if you have actually READ THE FAQ, but your post makes it appear that you have not.

Doing your own homework!!! Have you attempted to enter something fairly obvious in your favorite search engine, such as:

pcap_findalldevs_ex crashing

In google, I got 150 hits, which is where YOU should start. If you have already searched, you could avoid hearing from me if you indicated that you have attempted to find the answer on your own and not succeeded or didn't understand what you found.

At the moment, based only on what you have posted, it appears that you are having a problem with pcap_findalldevs_ex crashing and haven't done ANYTHING about attempting to find an answer to your question, yourself, other than to post your question here. Again, if you have done any of your own research, how would we know??

How about you actually read the FAQ and follow its guidelines, by doing some searching, both here and on the net, and then report back what YOU find and state what YOU have tried to do to help yourself.



Regards,

DarkAlchemist
April 10th, 2009, 16:30
#1 I have been chasing my ass around in circles for the last 7 hours trying to figure this out.
#2 It only crashes the program and the debugger when the program is being debugged, not when run by itself.

After looking over 10 or 15 links (2 or 3 pages) from Google I did not find them to be talking about my type of issue (using the debugger + winpcap) so I posted here.

Google is your friend but it should never be used as a bat swinging blindly towards others.

DarkAlchemist
April 10th, 2009, 16:35
Quote:
[Originally Posted by Elenil;80105]the debugger crashes or the exe crashes?
do you use softice too?


Yep, the debugger (hard crash for olly) and the exe. I am on Vista 64 bit so Softice is a thing from my past and its replacement will not work on Vista 64 (always refuses to load).

JMI
April 10th, 2009, 16:50
Google was not used as a "Bat" and I never "swing blindly against others." My comments were clearly and appropriately directed to your failure to meet the requirements of the FAQ regarding stating that you have searched and what you have attempted to solve your own problem.

Had you stated the information contained in your second post, in your first post as the FAQ requires, there would have been no need for me to "Administrate" or comment on your post at all.

As I stated, both for you, and for others who follow after, if you state what you have done to try to find the answer to your own question and what you have already attempted, you do not need, and will not receive "guidance" from me.

Regards,

DarkAlchemist
April 10th, 2009, 16:56
You sure must get a lot of tards and script kiddies on here then cause I am not used to that type of a reception.

Anyways, this can't just be my machine doing this but I am wondering if it is or has no one attempted to RE anything that uses winpcap on Vista 64 yet?

Kayaker
April 10th, 2009, 17:35
Quote:
[Originally Posted by DarkAlchemist;80110]You sure must get a lot of tards and script kiddies on here then cause I am not used to that type of a reception.


Sometimes we do, but it's not about that. While there *might* be one or two people who could directly answer your question, there are a *lot* more who can assist in debugging the problem if you give them more to work with.

The first question that comes to mind is - what are the error messages you receive? Can you not analyze a usermode crash dump with Windbg to get more detailed information?

Doing a quick search for "pcap_findalldevs_ex" I read that

"In the code above, we see that pcap_findalldevs_ex() function has an errorBuffer parameter. If an error is encountered, the description of the error will be stored in this parameter."

http://www.codeproject.com/KB/IP/winpcap_basic.aspx?display=PrintAll


Can you not check the errorBuffer parameter? What about putting a breakpoint on the start of pcap_findalldevs_ex() and simply tracing it to see where and why it crashes?

These would seem to be a few basic steps you should try first, or at least mention if you have tried them.
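
A minimal harness for the errorBuffer check suggested above, as an added example that is not part of the thread or of WinPcap's own code: it resolves pcap_findalldevs_ex from wpcap.dll at run time and reports the error buffer text on failure, so the call can be run on its own under a debugger. The struct layout, the 256-byte buffer size and the "rpcap://" source string are assumptions taken from the WinPcap headers; probe_devices, fake_fail and fake_two are hypothetical names, and the two fakes are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
#define ERRBUF_SIZE 256      /* assumed: PCAP_ERRBUF_SIZE from pcap.h */
typedef struct pcap_if { struct pcap_if *next; char *name, *description;
    void *addresses; unsigned int flags; } pcap_if_t; /* assumed pcap.h layout */
typedef int  (*find_fn)(char *, void *, pcap_if_t **, char *);
typedef void (*free_fn)(pcap_if_t *);
/* Returns the device count, or -1 with the library's message copied to err. */
int probe_devices(find_fn find, free_fn release, char *err, size_t errlen)
{
    char errbuf[ERRBUF_SIZE] = "", source[] = "rpcap://"; /* local adapters */
    pcap_if_t *devs = NULL, *d;
    int n = 0;
    if (!find || find(source, NULL, &devs, errbuf) == -1) {
        snprintf(err, errlen, "pcap_findalldevs_ex: %s", find ? errbuf : "not resolved");
        return -1;
    }
    for (d = devs; d != NULL; d = d->next)
        printf("%d: %s (%s)\n", ++n, d->name, d->description ? d->description : "-");
    if (devs && release) release(devs);   /* pcap_freealldevs */
    err[0] = '\0';
    return n;
}

/* Constructed stand-ins: exercise both paths without the WinPcap driver. */
int fake_fail(char *s, void *a, pcap_if_t **out, char *errbuf)
{ (void)s; (void)a; *out = NULL; strcpy(errbuf, "constructed failure"); return -1; }
int fake_two(char *s, void *a, pcap_if_t **out, char *errbuf)
{
    static pcap_if_t second = { NULL, "dev1", NULL, NULL, 0 };
    static pcap_if_t first = { &second, "dev0", "constructed adapter", NULL, 0 };
    (void)s; (void)a; (void)errbuf; *out = &first; return 0;
}

int main(void)
{
    char err[300] = "";
    find_fn find = fake_fail; free_fn release = NULL;  /* fallback off Windows */
#ifdef _WIN32
    HMODULE h = LoadLibraryA("wpcap.dll");
    find = h ? (find_fn)GetProcAddress(h, "pcap_findalldevs_ex") : NULL;
    release = h ? (free_fn)GetProcAddress(h, "pcap_freealldevs") : NULL;
#endif
    if (probe_devices(find, release, err, sizeof err) < 0) fprintf(stderr, "%s\n", err);
    return 0;
}
```

Running the built harness under the same debugger shows whether the fault follows the pcap_findalldevs_ex call itself or only the target exe.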

DarkAlchemist
April 10th, 2009, 17:45
"What about putting a breakpoint on the start of pcap_findalldevs_ex() and simply tracing it to see where and why it crashes?" Yep, I am narrowing it down.

What I have up to now is when it goes to find the device names it is crashing in there but only while it is being debugged. If I run the program and allow olly to attach itself there are no issues. After tracing it down even farther I can see why there would be no issues because by the time I have attached olly to the process the program would have already passed the point of finding the device names.

The thing is the error is an exception error 000006ba.

JMI
April 10th, 2009, 18:19
DarkAlchemist:

Try not to "quote" parts of replies unless they are needed to make your response clear. If you use the "Post Reply" button on the left, it does not indiscriminately quote the entire post. At the bottom right of the post there are two buttons which read "Edit" and "Quote." To the right of those two buttons are what looks like two pages of text, one with a "+" sign and the other with a down arrow. The one with the down arrow is a "quick reply".

If you use either the Post Reply button or the "page" with the down arrow, it will not needlessly quote prior post portions which are not necessary for clarity. If you do want to quote some portion of a prior post, please only quote the portion that directly relates to your comment.

This simply saves us some room in the database.

Regards,

disavowed
April 19th, 2009, 22:24
it might be easier for you to build it from the source code yourself and debug it with the source code in hand. should be easier to understand where and why it's crashing the debugger.
http://www.winpcap.org/install/bin/WpcapSrc_4_0_2.zip

DarkAlchemist
April 19th, 2009, 22:56
I did and it still crashes even my own applications.

No biggie as I have just accepted the fact that it crashes if I try and debug it. No idea why but I can always work around the findalldevs by attaching after that has run.