Npcap installer terminates processes using DLLs which are not part of Npcap install
NPFInstall.exe is used by the Npcap installer to terminate processes which are using Npcap DLLs so that those DLLs can be replaced. We currently do this by using EnumProcessModulesEx and comparing the filename to "wpcap.dll" and "packet.dll" and further restricting to those with "Npcap" or "WinPcap" in the product name. This has a few problems:
- It kills processes using WinPcap even if we're not installing in WinPcap-compatible mode (though that is the default now)
- It kills processes that may be using their own copies of the DLLs. Those programs will likely have problems anyway because of possible incompatibilities, especially between Packet.dll and the driver.
- It kills processes that may have our DLLs loaded but no capture handles open. This may not be necessary if we can replace those DLLs while the processes are running. We attempt to do that with a rename-replace-delete sequence, but I don't think we've tested that. And the processes would probably need to restart anyway to get our new DLLs, so this may be moot.
We need to investigate solutions. One idea is not attempting to kill these processes unless they are likely to have a handle open to a driver we intend to replace. We already rename existing DLLs if they cannot be deleted, so we may be able to do the upgrade without impacting them. Downside: running processes will be using an old copy of the DLLs and will have to restart to get the new ones. Also, we still need a way to find out if any processes are holding handles open. Newer Npcap can be queried for this info, but for older installs and WinPcap we have to rely on the DLL thing.
Another compatible change might be to avoid checking for such processes until after we've attempted to stop the driver. This would prevent new processes from obtaining handles, and would allow us to skip the check altogether if the driver successfully stops (presuming that our rename-replace method actually works), unless we decide that we need to kill processes using our DLLs for continuity purposes (ensuring they load the new ones instead).
Further note: if the process is running as a Windows service, our method of terminating it may not work correctly. We should determine whether this is satisfactory or whether a different method should be used in that case.
More info: We can't use EnumProcessModulesEx on every process, even as Administrator. Example log:
```
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = System, dwProcessID = 4.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = Secure System, dwProcessID = 72.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = Registry, dwProcessID = 144.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = smss.exe, dwProcessID = 576.
[00003680] 2021-10-07 18:28:22 EnumProcessModulesEx: error, errCode = 0x000003e6.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = csrss.exe, dwProcessID = 980.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = wininit.exe, dwProcessID = 1040.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = services.exe, dwProcessID = 1180.
[00003680] 2021-10-07 18:28:22 EnumProcessModulesEx: error, errCode = 0x000003e6.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = XtaCache.exe, dwProcessID = 2976.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = Memory Compression, dwProcessID = 3300.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = MsMpEng.exe, dwProcessID = 5000.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = NisSrv.exe, dwProcessID = 6652.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = SecurityHealthService.exe, dwProcessID = 11236.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = svchost.exe, dwProcessID = 10520.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = svchost.exe, dwProcessID = 3728.
[00003680] 2021-10-07 18:28:22 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = csrss.exe, dwProcessID = 8488.
[00003680] 2021-10-07 18:28:23 enumDLLs::OpenProcess: error, errCode = 0x00000005, strProcessName = svchost.exe, dwProcessID = 3076.
[00003680] 2021-10-07 18:28:23 <-- enumProcesses
```
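An added sketch, not NPFInstall's code, of a narrower match for the first two problems listed in the issue: compare the module's full path against the directories this install will actually write to, rather than only the file name. The function names are hypothetical, the directories are supplied by the caller (the ones in `main` are constructed samples), and the product-name check described above is left out.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the first n bytes (Windows paths ignore case). */
static bool ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True only if path is exactly dir + "\" + name, so a DLL of the same name in
   a subdirectory or in an application's own folder does not match. */
static bool is_file_in_dir(const char *path, const char *dir, const char *name) {
    size_t dl = strlen(dir), nl = strlen(name);
    while (dl > 0 && dir[dl - 1] == '\\') dl--;  /* tolerate trailing backslash */
    if (strlen(path) != dl + 1 + nl) return false;
    return ieq_n(path, dir, dl) && path[dl] == '\\' &&
           ieq_n(path + dl + 1, name, nl);
}

/* Hypothetical predicate: does this loaded module's full path name a DLL the
   install will replace? Pass winpcap_dir = NULL when not installing in
   WinPcap-compatible mode, so WinPcap users are then left alone. */
bool module_is_replaced(const char *module_path, const char *npcap_dir,
                        const char *winpcap_dir) {
    static const char *const names[] = { "wpcap.dll", "packet.dll" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (is_file_in_dir(module_path, npcap_dir, names[i])) return true;
        if (winpcap_dir && is_file_in_dir(module_path, winpcap_dir, names[i]))
            return true;
    }
    return false;
}

int main(void) {
    /* Constructed sample paths, not taken from the issue. */
    const char *npcap = "C:\\Windows\\System32\\Npcap";
    const char *own = "C:\\Program Files\\ExampleApp\\wpcap.dll";
    const char *ours = "C:\\Windows\\System32\\Npcap\\Packet.dll";
    printf("%s -> %d\n", own, module_is_replaced(own, npcap, NULL));
    printf("%s -> %d\n", ours, module_is_replaced(ours, npcap, NULL));
    return 0;
}
```

This only narrows which loaded modules count; it does not tell whether the process holds an open handle to the driver, which the issue treats as a separate question.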