FwpmEngineOpen in EvtIoDeviceControl cause driver can not stop.

iFengHuang Member Posts: 15
edited November 12 in NTDEV

Hello guys, I'm a new kernel driver developer.

I'm developing a callout driver for redirecting TCP & UDP traffic to my local proxy.

I have tried:

  1. Open engine, add sublayer, register callout, add callout, add filter, close engine, all of these in DriverEntry after creating a control device. This works well; my driver is able to stop with the "net stop mydriver" command.

  2. Open engine, add sublayer, register callout, add callout, add filter, close engine, all of these in EvtIoDeviceControl when my driver receives an IO control from my user-mode application. It's unable to stop with the "net stop mydriver" command. The command output is like this: "Stopping service......." then "unable to stop service".

  3. Open engine, close engine in DriverEntry after creating a control device, with no other operation between open and close. The result is the same as 1.

  4. Open engine, close engine in EvtIoDeviceControl when my driver receives an IO control from my user-mode application. The result is the same as 2.

Why is that?

Comments

  • Don_Burn Member - All Emails Posts: 1,630
    In DriverEntry the calling thread is a system thread, so assuming you are using NULL for the authnService parameter you are opening it with the system credentials. In EvtIoDeviceControl you don't know what thread you are running on so you cannot be sure of the credentials unless you specify them.


    Don Burn
    Windows Driver Consulting
    Website: http://www.windrvr.com

  • Doron_Holan Member - All Emails Posts: 10,379
    via Email
    Is there an open handle from the app to the driver in your second scenario? An open handle will prevent unload.

    d

    Bent from my phone
  • iFengHuang Member Posts: 15

    @Doron_Holan said:
    Is there an open handle from the app to the driver in your second scenario? An open handle will prevent unload.

    No. I call FwpmEngineClose after FwpmEngineOpen in the 4th. Is it IRQL that causes this problem?

  • Doron_Holan Member - All Emails Posts: 10,379
    via Email
    I meant a handle open from the app to the driver.
  • iFengHuang Member Posts: 15

    @Doron_Holan said:
    I meant a handle open from the app to the driver.

    Pretty!! Solved! Thank you!
