How to get original process ID or process path in Windows Filtering Platform

Hello,

I want to get the original process ID or process name using FWPM_CONDITION_ALE_ORIGINAL_APP_ID in WFP. I tried to get the process ID using this in the WFPSampler example. But whenever I tried to get the data or access the variable "data" in the FWP_BYTE_BLOB structure, it gave me null or the driver crashed.

Can anyone help me with how to do that?

Thanks
Nishant Varshney

Hello

See
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549944(v=vs.85).aspx
. As you can see, FWPM_CONDITION_ALE_ORIGINAL_APP_ID is valid only from Windows 8 onwards; if you're not interested in whether the traffic is made by the application or by a proxy, you can use FWPM_CONDITION_ALE_APP_ID.
Also, make sure the conditions you access are available at your layers (consult
https://msdn.microsoft.com/en-us/library/windows/hardware/ff549939(v=vs.85).aspx
for this).


Hello Alexandru Gurzou,

I went through the link already. I did it in this way: pClassifyValues->incomingValue[FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_ORIGINAL_APP_ID].value.byteBlob->data. But the problem is that this always gives me null or crashes the system.

Thanks for your reply.

In what callback are you doing this? At what layer, I should ask?


Gabriel Bercea

Windows Kernel Driver Consulting

www.kasardia.com

NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at

To unsubscribe, visit the List Server section of OSR Online at

Hello Gabriel Bercea,

I am doing it in ClassifyProxyByALERedirect function and at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 layer.

Thanks for the reply sir.

On what operating system are you running this?


Should work. Make sure you are not making a little mistake in your code that causes the crash. There should definitely not be a crash; maybe the information you are looking for is missing, but there should not be a BSOD.

Gabriel
www.kasardia.com


Hello Alexandru Gurzou,

I am running it on Windows 8.1 64-Bit operating system.

Thanks for your reply sir.

Hello Gabriel Bercea,

Now it's not giving me a BSOD, but I am also not getting any data. I am trying to print pClassifyValues->incomingValue[FWPS_FIELD_ALE_CONNECT_REDIRECT_V4_ALE_ORIGINAL_APP_ID].value.byteBlob->data in kernel mode and I am getting a blank screen instead of the app path.

I want to print the app path while it is being redirected by my filter.

Thanks for your reply sir.
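Gabriel's advice to look for a small mistake, and the blank output in the last post, both come down to how the app-ID value is checked before it is used. The following is an added example, not code from the thread, the WFPSampler or the WDK; it assumes stand-in declarations of FWP_DATA_TYPE, FWP_BYTE_BLOB, FWP_VALUE0 and FWPS_INCOMING_VALUE0 (same member names as fwptypes.h) so it compiles outside the WDK, plus a constructed sample path.

```c
/* Added example (not from the thread, WFPSampler or the WDK): validate an ALE
 * app-ID value before touching byteBlob->data. The FWP types below are
 * stand-ins with the real member names so this builds outside the WDK; in a
 * driver include fwpsk.h and delete them. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { FWP_EMPTY = 0, FWP_BYTE_BLOB_TYPE } FWP_DATA_TYPE;          /* stand-in */
typedef struct { uint32_t size; uint8_t *data; } FWP_BYTE_BLOB;            /* stand-in */
typedef struct { FWP_DATA_TYPE type; union { FWP_BYTE_BLOB *byteBlob; }; } FWP_VALUE0;
typedef struct { FWP_VALUE0 value; } FWPS_INCOMING_VALUE0;                 /* stand-in */

/* Caller passes &pClassifyValues->incomingValue[FWPS_FIELD_<layer>_ALE_ORIGINAL_APP_ID]
 * after checking that index is below pClassifyValues->valueCount. The app ID is
 * the image's NT device path as a NUL-terminated UTF-16 string; blob->size is in
 * bytes and includes the terminator. Returns 1 and sets *path/*lenChars
 * (terminator excluded) on success; returns 0 when the field is not populated
 * (type FWP_EMPTY), a pointer is NULL, or the blob is malformed. A classifyFn
 * treats 0 as "unknown" instead of dereferencing and crashing. */
static int GetAppIdPath(const FWPS_INCOMING_VALUE0 *v,
                        const uint16_t **path, size_t *lenChars)
{
    const FWP_BYTE_BLOB *blob;
    uint16_t last;

    if (v == NULL || v->value.type != FWP_BYTE_BLOB_TYPE) return 0;
    blob = v->value.byteBlob;
    if (blob == NULL || blob->data == NULL) return 0;
    if (blob->size < sizeof(uint16_t) || blob->size % sizeof(uint16_t) != 0) return 0;
    memcpy(&last, blob->data + blob->size - sizeof(uint16_t), sizeof last);
    if (last != 0) return 0;                  /* not a terminated string */
    *path = (const uint16_t *)blob->data;     /* in a driver: wrap in a UNICODE_STRING */
    *lenChars = blob->size / sizeof(uint16_t) - 1; /* and print with DbgPrint("%wZ") */
    return 1;
}

/* Constructed sample values (not captured from a real classify call). */
static uint16_t g_samplePath[] = { '\\','D','e','v','i','c','e','\\','X','\\',
                                   'a','p','p','.','e','x','e', 0 };
static FWP_BYTE_BLOB g_sampleBlob = { sizeof g_samplePath, (uint8_t *)g_samplePath };
static FWPS_INCOMING_VALUE0 g_sampleValue =
    { .value = { .type = FWP_BYTE_BLOB_TYPE, .byteBlob = &g_sampleBlob } };
static FWPS_INCOMING_VALUE0 g_emptyValue = { .value = { .type = FWP_EMPTY } };
static uint16_t g_noTerm[] = { 'a', 'b' };                  /* terminator missing */
static FWP_BYTE_BLOB g_badBlob = { sizeof g_noTerm, (uint8_t *)g_noTerm };
static FWPS_INCOMING_VALUE0 g_badValue =
    { .value = { .type = FWP_BYTE_BLOB_TYPE, .byteBlob = &g_badBlob } };
```

Printing the raw data pointer with a narrow "%s" format shows only the first byte of a UTF-16 path, so a UNICODE_STRING with "%wZ" is the way to see the full path in the debugger output.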