Why is filterId in DISCARD_METADATA zero?

klimandr Member Posts: 8
edited May 6 in NTDEV

I wrote a program for inspecting packets on the DISCARD layers of WFP. To get the reason and filter ID of discards I use the following code:

if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_DISCARD_REASON))
{
    // Read the discard metadata only when the DISCARD_REASON field is present.
    FWPS_DISCARD_METADATA0 discardData = inMetaValues->discardMetadata;
    FWPS_DISCARD_MODULE0 discardModule = discardData.discardModule;
    UINT32 discardReason = discardData.discardReason;
    UINT64 discardFilter = discardData.filterId;

    // The meaning of discardReason depends on the module that dropped the packet.
    switch (discardModule)
    {
    case FWPS_DISCARD_MODULE_NETWORK:
        PrintNetworkDiscardReason(discardReason);
        break;

    case FWPS_DISCARD_MODULE_TRANSPORT:
        PrintTransportDiscardReason(discardReason);
        break;

    case FWPS_DISCARD_MODULE_GENERAL:
        if (FWPS_DISCARD_FIREWALL_POLICY == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_FIREWALL_POLICY");
        }
        else if (FWPS_DISCARD_IPSEC == discardReason)
        {
            PRINT_MSG("DISCARD_REASON: FWPS_DISCARD_IPSEC");
        }
        break;
    }

    // filterId is a UINT64, so use a 64-bit format specifier.
    PRINT_MSG("DISCARD FILTER: %I64x", discardFilter);
}

The program writes filterId correctly when a packet is discarded by Windows Firewall (on some ALE layer), but filterId is zero when an antivirus blocks packets (on the FWPS_LAYER_INBOUND_IPPACKET_V4_DISCARD layer).
Is it possible to get the filterId of the filter that discards those packets?
