WFP Driver conflicts?

Hello everyone,

I am facing a problem with a WFP driver, based on the inspect example shared by Microsoft.

My driver only monitors connections: nothing is blocked, no modifications are performed on the packets, and this driver has worked well every day for a year.

But when a specific software (with WFP driver) is installed on the same machine, the network connection is totally cut, and I need some help to debug this.

This issue is encountered with Checkpoint VPN Client or Kaspersky Total Security, for example, and I bet the issue is the same if I start 2 WFP drivers (I haven’t tested this yet).

After multiple tests, I see the problem occurs in TLInspectCloneReinjectOutbound.

I don’t know why, but when another WFP driver is present, the packet netBufferList is NULL when the ReinjectOutbound is called.

And this makes FwpsAllocateCloneNetBufferList fail with error STATUS_FWP_NULL_POINTER.

Here is the beginning of the function, if it helps (the original source code is on GitHub, WFP inspect by Microsoft):

NTSTATUS TLInspectCloneReinjectOutbound(_Inout_ TL_INSPECT_PENDED_PACKET* packet)
{
	NTSTATUS status = STATUS_SUCCESS;

	NET_BUFFER_LIST* clonedNetBufferList = NULL;
	FWPS_TRANSPORT_SEND_PARAMS sendArgs = { 0 };

	// PsGetCurrentThreadId() returns a HANDLE; convert it before printing as an integer.
	if (debugLog) DbgPrint("DEBUG %lu Start TLInspectCloneReinjectOutbound\n", HandleToULong(PsGetCurrentThreadId()));

	// Diagnostic only: a NULL list is logged, and execution still continues to the clone call below.
	if (packet->netBufferList == NULL)
	{
		if (debugLog) DbgPrint("WARNING %lu netBufferList is null\n", HandleToULong(PsGetCurrentThreadId()));
	}

	// Clone the pended packet's NET_BUFFER_LIST; this is the call that returns STATUS_FWP_NULL_POINTER.
	status = FwpsAllocateCloneNetBufferList(packet->netBufferList, NULL, NULL, 0, &clonedNetBufferList);
	if (!NT_SUCCESS(status))
	{
		if (debugLog) DbgPrint("ERROR %lu FwpsAllocateCloneNetBufferList Failed, error: 0x%x\n", HandleToULong(PsGetCurrentThreadId()), status);
		goto Exit;
	}
...

Thanks for your help.