Windows Filtering API FwpmEngineOpen fails with error 0xc0020035 at boot time, returns success only

Hi,

I'm writing a network hook using the Windows Filtering API and callout
drivers. When my driver gets loaded at boot time, the call to the FwpmEngineOpen
API fails with error 0xc0020035. I have made sure that my driver
gets loaded only after the NDIS and FWPKCLNT drivers are loaded. I keep
trying in a loop, and only when I log in to the system does this call
return success. So does this API depend on any process which is only
initialized after the user logs in to the system? Since I'm calling this API
inside my DriverEntry, I want it to return success at boot time so
that I can catch any network traffic.

Thanks,
Vishnu

Opening the engine is actually an RPC call into UM to the BFE service. As such, you must wait for the BFE to actually be running. Fortunately the WFP infrastructure includes a means by which your driver may register for notifications regarding the lifecycle of the BFE.
Go look at FwpmBfeStateSubscribeChanges().
https://msdn.microsoft.com/en-us/library/windows/hardware/ff550062(v=vs.85).aspx
Good Luck,
Dave Cattley
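As an added illustration (not code from the thread, from Dave, or from Microsoft), here is the DriverEntry/callback pattern the reply points at: subscribe to BFE state changes, check the current state so an already-running BFE is not missed, and open the engine and add filters only once the service is RUNNING. The real WFP calls are named in comments; the BFE itself and the engine-open result are simulated inline (constructed) so the logic compiles and runs without the WDK.

```c
#include <stdbool.h>
/* Same order as the FWPM_SERVICE_STATE enum in fwpmtypes.h. */
typedef enum { FWPM_SERVICE_STOPPED, FWPM_SERVICE_START_PENDING,
               FWPM_SERVICE_STOP_PENDING, FWPM_SERVICE_RUNNING } FWPM_SERVICE_STATE;
/* Driver context passed as the 'context' argument of FwpmBfeStateSubscribeChanges0. */
typedef struct {
    bool engine_open;   /* true while the handle from FwpmEngineOpen0 is valid */
    int  open_attempts; /* diagnostic: how often the engine open was attempted */
    int  filters_added; /* how often callouts/filters were (re)registered */
} BfeContext;
/* Constructed stand-in for the BFE service state that FwpmBfeStateGet0 reports. */
static FWPM_SERVICE_STATE g_bfe_state = FWPM_SERVICE_STOPPED;
/* Stand-in for FwpmEngineOpen0 (an RPC into BFE): it succeeds only while BFE is
   RUNNING; earlier in boot the driver gets the 0xc0020035 failure from the thread. */
static bool SimEngineOpen(void) { return g_bfe_state == FWPM_SERVICE_RUNNING; }

/* Body of the FWPM_SERVICE_STATE_CHANGE_CALLBACK0 callback the driver registers. */
void OnBfeStateChange(BfeContext *ctx, FWPM_SERVICE_STATE newState) {
    switch (newState) {
    case FWPM_SERVICE_RUNNING:
        if (ctx->engine_open) return;   /* notifications can repeat: stay idempotent */
        ctx->open_attempts++;
        if (SimEngineOpen()) {          /* FwpmEngineOpen0(...) in the real driver */
            ctx->engine_open = true;
            ctx->filters_added++;       /* FwpmFilterAdd0 / callout registration here */
        }
        break;
    case FWPM_SERVICE_STOP_PENDING:
    case FWPM_SERVICE_STOPPED:
        ctx->engine_open = false;       /* FwpmEngineClose0; re-add objects on next RUNNING */
        break;
    default: break;                     /* START_PENDING: nothing to do yet */
    }
}
/* DriverEntry order that avoids a race: subscribe first, then act on the current
   state, because BFE may already be RUNNING (the "works after login" case above). */
void DriverEntrySubscribe(BfeContext *ctx) {
    /* FwpmBfeStateSubscribeChanges0(deviceObject, OnBfeStateChange, ctx, &changeHandle); */
    OnBfeStateChange(ctx, g_bfe_state); /* the value FwpmBfeStateGet0() returns */
}
/* Drives the simulated BFE through a boot so the logic can be checked offline. */
BfeContext SimulateBoot(FWPM_SERVICE_STATE state_at_driver_entry) {
    BfeContext ctx = {false, 0, 0};
    g_bfe_state = state_at_driver_entry;
    DriverEntrySubscribe(&ctx);
    g_bfe_state = FWPM_SERVICE_RUNNING;
    OnBfeStateChange(&ctx, g_bfe_state);
    OnBfeStateChange(&ctx, g_bfe_state); /* duplicate notification must be harmless */
    return ctx;
}
```

In a real driver the change handle is released with FwpmBfeStateUnsubscribeChanges0 in the unload routine, and the engine handle closed there as well.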

Thanks Dave.

But does that mean no network traffic can flow before the Base Filtering
Engine starts? Or is it independent of the rest of the network services?

Thanks,
Vishnu

On Tue, Aug 25, 2015 at 11:59 PM, Dave Cattley wrote:

> Opening the engine is actually an RPC call into UM to the BFE service.
> As such, you must wait for the BFE to actually be running. Fortunately the
> WFP infrastructure includes a means by which your driver may register for
> notifications regarding the lifecycle of the BFE.
>
> Go look at FwpmBfeStateSubscribeChanges().
>
>
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff550062(v=vs.85).aspx
>
> Good Luck,
> Dave Cattley

> But does that means no network traffic can flow before the start of base filtering engine ???

If that is your goal then you must register a boot time filter.

See this: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363977(v=vs.85).aspx

A boot-time filter is a filter that is enforced at boot-time as soon as the TCP/IP stack driver (tcpip.sys) starts. A boot-time filter is disabled when BFE starts. A filter is marked as boot-time by setting the FWPM_FILTER_FLAG_BOOTTIME flag when FwpmFilterAdd0 is invoked.

Good Luck,
Dave Cattley


Hi Dave,

If I'm not wrong, to implement a boot-time filter I have to call FwpmFilterAdd0.
This API needs an input parameter which is the engine handle itself. The engine
handle we can get only after calling FwpmEngineOpen0. This API failed because
BFE is not running yet, which was my original problem.

The only thing I can do is register a callout in my driver, but that callout will
only be called after the filtering engine starts.

Thanks,
Vishnu

On Wed, Aug 26, 2015 at 8:02 AM, Dave Cattley wrote:

> > But does that means no network traffic can flow before the start of
> > base filtering engine ???
>
> If that is your goal then you must register a boot time filter.
>
> See this:
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa363977(v=vs.85).aspx
>
> A boot-time filter is a filter that is enforced at boot-time as soon as
> the TCP/IP stack driver (tcpip.sys) starts. A boot-time filter is disabled
> when BFE starts. A filter is marked as boot-time by setting the
> FWPM_FILTER_FLAG_BOOTTIME flag when FwpmFilterAdd0 is invoked.
>
> Good Luck,
> Dave Cattley

Yes, that is correct, but I believe the idea is that this filter will come
into play the next time you boot. The filter is probably stored somewhere and
enforced as soon as you boot, before the BFE starts.
After it starts you can manage it through its interface.
It is frustrating because if you want to do "real-time" analysis of the
network traffic you have to wait for BFE with WFP. But again, I don't think
much network data goes in and out (if any) when you boot your PC.
Network drivers are usually ordered to load pretty late, so I believe all is
OK in the end, but I am not the biggest expert in this; I have only made
some stream filters that start as BFE starts.
If anyone knows, I would be interested as well in what happens to the traffic
before BFE starts.
Regards,
Gabriel
On Aug 26, 2015 09:09, "Vishnu Kant Rathour" wrote:

> Hi Dave,
>
> If I'm not wrong, to implement a boot-time filter I have to call FwpmFilterAdd0.
> This API needs an input parameter which is the engine handle itself. The engine
> handle we can get only after calling FwpmEngineOpen0. This API failed because
> BFE is not running yet, which was my original problem.
>
> The only thing I can do is register a callout in my driver, but that callout will
> only be called after the filtering engine starts.
>
> Thanks,
> Vishnu