Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


WFP callout driver and DV

Gyani_LalGyani_Lal Member Posts: 10

I am working on connection redirection using WFP callout driver from https://docs.microsoft.com/en-us/windows-hardware/drivers/network/using-bind-or-connect-redirection
I am registering for intercepting connection at FWPM_LAYER_ALE_AUTH_CONNECT_REDIRECT_V4 layer and associating few details about connection by allocating memory and assigning it to localRedirectContext. As per MSDN, the ownership of this allocated memory gets transferred to WFP and free it when the flow/redirection terminates. I am able to accept the redirected connection in the user-mode process and retrieve the data associated with the connection using SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT and take the connection to its actual destination. So far its working well.

The problem started when I tried to test my WFP callout driver with DV. During the reboot, DV is not complaining about any memory leak.
When I stop the driver normally, DV complains about the memory not freed before unloading the driver. And it's the same memory that allocated and assigned to localRedirectContext. 
Another fact is, !verifier 3 driver.sys not showing all the memory allocation. Looks like ownership of most memory allocation are taken by WFP but not all the allocation transferred to WFP.

My question here, Is this WFP driver behavior with DV is expected or what extra step is needed to ensure all memory allocated by callout driver transferred to WFP? Is it possible to convince DV to ignore this allocation?
Any guidance would be helpful.

thanks,

Comments

  • Gyani_LalGyani_Lal Member Posts: 10

    Here I am referring to

    [ typedef struct _FWPS_CONNECT_REQUEST0 {
    SOCKADDR_STORAGE localAddressAndPort;
    SOCKADDR_STORAGE remoteAddressAndPort;
    UINT64 portReservationToken;
    DWORD localRedirectTargetPID;
    struct _FWPS_CONNECT_REQUEST0 *previousVersion;
    UINT64 modifierFilterId;
    HANDLE localRedirectHandle;
    void *localRedirectContext;
    SIZE_T localRedirectContextSize;
    } FWPS_CONNECT_REQUEST0;

    localRedirectContext

    A callout driver context area that the callout driver allocated by calling the ExAllocatePoolWithTag function.

    Note Starting with Windows 8, memory allocated for localRedirectContext will have its ownership taken by WFP, and will be freed when the proxied flow is removed](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fwpsk/ns-fwpsk-_fwps_connect_request0)

    The driver verifier complains about memory leak for the memory allocated for localRedirectContext when the driver stops. As per MSDN it should have been transferred to WFP and DV shouldn't anything here.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA