WFP Loop

I need some suggestion for the WFP loop that occurs in case of multiple
drivers as follows.

=>Initially Callout A sees FWPS_PACKET_NOT_INJECTED,
driver A clone and block the packet, filter the data in user mode,
Allocate and inject new NET_BUFFER_LIST containing the filtered data

=>Callout A sees FWPS_PACKET_INJECTED_BY_SELF and lets it by.

=>Callout B sees FWPS_PACKET_INJECTED_BY_OTHER, and allocate inject new
NET_BUFFER_LIST.
Now Callout A will see the same flag FWPS_PACKET_INJECTED_BY_OTHER and it
do repeat same thing and goes into infinite loop

Can someone suggest how can we avoid this loop.

You should be able to use FwpsQueryPacketInjectionState0() and check for FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF
See https://msdn.microsoft.com/en-us/library/windows/hardware/ff551202.aspx

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ravish Yadav
Sent: 07 July 2016 12:47
To: Windows System Software Devs Interest List
Subject: [ntdev] WFP Loop

I need some suggestion for the WFP loop that occurs in case of multiple drivers as follows.

=>Initially Callout A sees FWPS_PACKET_NOT_INJECTED,
driver A clone and block the packet, filter the data in user mode,
Allocate and inject new NET_BUFFER_LIST containing the filtered data

=>Callout A sees FWPS_PACKET_INJECTED_BY_SELF and lets it by.

=>Callout B sees FWPS_PACKET_INJECTED_BY_OTHER, and allocate inject new NET_BUFFER_LIST.
Now Callout A will see the same flag FWPS_PACKET_INJECTED_BY_OTHER and it do repeat same thing and goes into infinite loop

Can someone suggest how can we avoid this loop.

— NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers! Details at To unsubscribe, visit the List Server section of OSR Online at

Packet injected by driver a , when comes to a again that flag will be
there, but when it goes to driver b which see packet injected by other and
decided to pend , deep copy again and inject , then my driver a will again
see that packet is injected by other and if driver a will do the same thing
again.
On Jul 7, 2016 18:45, “David Boyce” wrote:

> You should be able to use FwpsQueryPacketInjectionState0() and check for
> FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF See
> https://msdn.microsoft.com/en-us/library/windows/hardware/ff551202.aspx
>
>
>
> From: xxxxx@lists.osr.com [mailto:
> xxxxx@lists.osr.com] *On Behalf Of *Ravish Yadav
> Sent: 07 July 2016 12:47
> To: Windows System Software Devs Interest List
> Subject: [ntdev] WFP Loop
>
>
>
> I need some suggestion for the WFP loop that occurs in case of multiple
> drivers as follows.
>
>
> =>Initially Callout A sees FWPS_PACKET_NOT_INJECTED,
> driver A clone and block the packet, filter the data in user mode,
> Allocate and inject new NET_BUFFER_LIST containing the filtered data
>
> =>Callout A sees FWPS_PACKET_INJECTED_BY_SELF and lets it by.
>
> =>Callout B sees FWPS_PACKET_INJECTED_BY_OTHER, and allocate inject new
> NET_BUFFER_LIST.
> Now Callout A will see the same flag FWPS_PACKET_INJECTED_BY_OTHER and it
> do repeat same thing and goes into infinite loop
>
> Can someone suggest how can we avoid this loop.
>
>
>
> — NTDEV is sponsored by OSR Visit the list online at: MONTHLY seminars
> on crash dump analysis, WDF, Windows internals and software drivers!
> Details at To unsubscribe, visit the List Server section of OSR Online at
>
>
> ------------------------------
> This email message has been delivered safely and archived online by
> Mimecast.
> For more information please visit http://www.mimecast.com
> ------------------------------
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: <
> http://www.osronline.com/showlists.cfm?list=ntdev&gt;
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer&gt;
></http:>