If you've been using WFP callouts in the kernel, you'll have probably noticed that socket bind requests were shoe-horned into the same callout model. The relevant WFP layers are FWPM_LAYER_ALE_BIND_REDIRECT_V4 and FWPM_LAYER_ALE_BIND_REDIRECT_V6.
For code that needs to support Windows 7-10, it's suitable to use the specific callout version defined as FWPS_CALLOUT_CLASSIFY_FN1.
The MSDN page documenting FWPS_CALLOUT_CLASSIFY_FN1 states that the callback may be activated at IRQL <= DISPATCH_LEVEL.
However, for the bind redirect layers specifically, I'm fairly certain that I've seen documentation stating the callouts will always be activated at PASSIVE_LEVEL. The problem right now is I can't find that documentation. I can't even find a forum post here or elsewhere that discusses this.
Nor can I find sample code or open source code that in a meaningful way contributes to resolving this mystery.
Empirically, callouts at the bind redirect layers are always activated at PASSIVE_LEVEL. But it would be nice to have some stronger indicator whether this can be relied upon.