I am working on connection redirection using WFP callout driver from https://docs.microsoft.com/en-us/windows-hardware/drivers/network/using-bind-or-connect-redirection
I am registering for intercepting connection at FWPM_LAYER_ALE_AUTH_CONNECT_REDIRECT_V4 layer and associating few details about connection by allocating memory and assigning it to localRedirectContext. As per MSDN, the ownership of this allocated memory gets transferred to WFP and free it when the flow/redirection terminates. I am able to accept the redirected connection in the user-mode process and retrieve the data associated with the connection using SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT and take the connection to its actual destination. So far its working well.
The problem started when I tried to test my WFP callout driver with DV. During the reboot, DV is not complaining about any memory leak.
When I stop the driver normally, DV complains about the memory not freed before unloading the driver. And it’s the same memory that allocated and assigned to localRedirectContext.
Another fact is, !verifier 3 driver.sys not showing all the memory allocation. Looks like ownership of most memory allocation are taken by WFP but not all the allocation transferred to WFP.
My question here, Is this WFP driver behavior with DV is expected or what extra step is needed to ensure all memory allocated by callout driver transferred to WFP? Is it possible to convince DV to ignore this allocation?
Any guidance would be helpful.
thanks,