
Running into STATUS_FWP_OUT_OF_BOUNDS while making a call to fwpkclnt!FwpmFilterAdd0

Amritanshu_Johri Member Posts: 75

I am trying to see the types of events that show up in WFP if I use FWPM_LAYER_NAME_RESOLUTION_CACHE, but my call to add a filter is failing with STATUS_FWP_OUT_OF_BOUNDS.
I have modified the inspect driver in the WFP sample code [0]; the documentation on FWPM_LAYER_NAME_RESOLUTION_CACHE_V4 is really thin otherwise as well.

The call stack from where the call is failing is:

    00 fwpkclnt!FwppProxyFilterAdd --> in this function ultimately the response from this call returns the error msrpc!Ndr64AsyncClientCall
    01 fwpkclnt!FwpmFilterAdd0
    02 Inspect!TLInspectAddFilter1
    03 Inspect!TLInspectRegisterNamespaceClassifyCallout
    04 Inspect!TLInspectRegisterCallouts
    05 Inspect!DriverEntry

The final snippet where things fail is as follows:

    NTSTATUS status = STATUS_SUCCESS;
    FWPM_FILTER filter = { 0 };
    filter.layerKey = FWPM_LAYER_NAME_RESOLUTION_CACHE_V4;
    filter.displayData.name = (wchar_t*)filterName;
    filter.displayData.description = (wchar_t*)filterDesc;
    filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
    filter.action.calloutKey = *calloutKey;
    filter.subLayerKey = TL_NAMESPACE_SUBLAYER;
    filter.weight.type = FWP_EMPTY; // auto-weight.
    filter.rawContext = context;


    status = FwpmFilterAdd0(
        gEngineHandle,
        &filter,
        NULL,
        NULL);

Let me know if I am missing something obvious.

TIA,
Johri

[0] https://github.com/microsoft/Windows-driver-samples/tree/master/network/trans/inspect
