Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Crash in TCPIP.sys when 3p network driver is present.

Pluto_KoderPluto_Koder Member - All Emails Posts: 7
Hi ,

We have a WFP driver in which we are performing out of band inspection for stream layer data.
Following are the steps performed in stream classify callout function:
1. By default set classifyOut->actionType = FWP_ACTION_PERMIT
2. Check for certain conditions(Ex: port number) and if it doesn't match then return.
3. Clone the net buffer list and push into a queue for out of band inspection.
4. Block and absorb the packet.

Under scanning thread:
1. Scan the data.
2. Reinject net buffer list .

Crash dump occurs while browsing and the dump shows that crash is in TCPIP.sys.

So i want to know the behavior WFP engine in following contexts:

Case 1:
Under stream layer callout, Set permit action :"classifyOut->actionType = FWP_ACTION_PERMIT".
Do not clear write flag "classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE".

In this case can there be conflict for stream data if there are multiple filter drivers attached?
Why do we need to clear FWPS_RIGHT_ACTION_WRITE flag in classifyOut, if FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT is set in filter flags?
What is the significance of FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT for WFP?

Case 2:
Under stream layer callout Set Permit action "classifyOut->actionType = FWP_ACTION_CONTINUE".
How does this action differ from Case 1 where we set FWP_ACTION_PERMIT without clearing FWPS_RIGHT_ACTION_WRITE?

Thanks,
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA