FltCreateCommunicationPort causes a blue

ArsenArsen Member Posts: 61
edited January 5 in NTDEV

Hello.
Please, who can help me?
I need to call the FltCreateCommunicationPort function from an NDIS filter driver.
I call it from DriverEntry. (Is this correct, or should I call it from within FilterAttach?)
The first argument to this function is
PFLT_FILTER Filter;
This identifier is set when the filter driver is registered with FltRegisterFilter (as the 3rd parameter).
But the registration function for the NDIS filter driver is NdisFRegisterFilterDriver(); this is different from FltRegisterFilter() for NDIS,
and the 3rd argument of NdisFRegisterFilterDriver is a FilterDriverHandle instead of a RetFilter (an opaque filter handle to the caller). What can I do?
This causes a blue screen.
This is the code I added to DriverEntry to create a communication port with the user mode application, to send all outgoing network packets to user mode:

_Use_decl_annotations_ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ................................................. . ...............................
    ................................................. . ...............................
    ................................................. . ...............................
    // NDIS filter registration returns an opaque NDIS_HANDLE in FilterDriverHandle.
    // (For non-NDIS, i.e. file system minifilter, drivers the equivalent is
    //  FltRegisterFilter(DriverObject, &fff, &RetFilter), which returns a PFLT_FILTER.)
    Status = NdisFRegisterFilterDriver(DriverObject, (NDIS_HANDLE)FilterDriverObject, &FChars, &FilterDriverHandle);
    ................................................. . ...............................
    ................................................. . ...............................
    ................................................. . ...............................
    ///////////////////////// Creating a communication port
    UNICODE_STRING uniString;
    RtlInitUnicodeString(&uniString, NDISENCRYPT_PORT_NAME);
    OBJECT_ATTRIBUTES ObjectAttr = { 0 };
    InitializeObjectAttributes(&ObjectAttr, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    // The NDIS filter handle is cast to PFLT_FILTER here; Filter Manager expects the
    // handle returned by FltRegisterFilter, not an NDIS filter handle.
    // pServerPort is assumed to be a PFLT_PORT* that receives the server port.
    Status = FltCreateCommunicationPort((PFLT_FILTER)(FilterDriverHandle), pServerPort, &ObjectAttr, NULL, ConClbk, DisconClbk, MsgClbk, 1);
    // then a blue screen appears
    if (Status != STATUS_SUCCESS) {
        if (Status == STATUS_FLT_DELETING_OBJECT) KdPrint(("NdisFilterDr --> The specified filter is being torn down. This is an error code\n"));
        else if (Status == STATUS_INSUFFICIENT_RESOURCES) KdPrint(("NdisFilterDr --> FltCreateCommunicationPort encountered a pool allocation error\n"));
        else if (Status == STATUS_OBJECT_NAME_COLLISION) KdPrint(("NdisFilterDr --> Filter communication port with the same name already exists\n"));
        else KdPrint(("NdisFilterDr --> FltCreateCommunicationPort encountered an error\n"));
    }
    ////////////////////////////////////////////////

  } while (bFalse);

  DEBUGP(DL_TRACE, "<===DriverEntry, Status = %8x\n", Status);
  return Status;

}

Comments

  • Don_BurnDon_Burn Member - All Emails Posts: 1,767

    FltCreateCommunicationPort only works for file system filters. Bottom line, you are using an API that does not work in the NDIS environment.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    ?
    Just register a minifilter, and it works (no need to actually filter anything).

    I.e. pass the filter handle from FltRegisterFilter.

    Dejan.
  • ArsenArsen Member Posts: 61
    edited January 6

    Thank you, Mr. Dejan_Maximovic. And help me please: how can an NDIS filter driver communicate with a user mode application? It is required to send to the user program all outgoing and incoming packets captured by the filter driver. That is, how can I pass all network traffic to a program running in user mode to make some changes?
  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    If I need to answer that question, you're in trouble :)
    Not because the implementation would be easy and you should figure it in minutes, but because sending that much data will kill your OS.

    Kind regards, Dejan Maksimovic.
    FS Lead: http://www.alfasp.com
  • ArsenArsen Member Posts: 61
    edited January 7

    Thank you, Mister. But I will only send the shared addresses of these packets, and I think that in this way I can change the outgoing and incoming Ethernet packets (or not?). Tell me please, what mechanism to use. Possibly an IRP (inverted call). For one month I tried some mechanisms, but nothing worked.
    I will copy those packets and pass the copy to the user program, and return the original packets to the kernel from inside the FilterSend and FilterReceive procedures of my NDIS filter driver. Thank You

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    Do you have a sense how many packets per second you would send and wait for UM to process?
  • ArsenArsen Member Posts: 61
    edited January 8

    No, because this driver will be installed on all hosts in the private network and users will communicate with each other.
    They will do whatever they want.
    I have already done the driver and encryption. But now they want to make the encryption process in user mode, so I have to send all outgoing and incoming packets to the user program.
    Thank You Mr. Dejan_Maksimovic.
    Thank You Mr. Don_Burn.
  • ArsenArsen Member Posts: 61
    edited January 11

    Hello everybody. Who can help me? How can I send outgoing Net Buffer Lists (outgoing traffic from the NDIS filter driver (FilterSendNetBufferLists)) to a user mode program for some modifications? I am doing it with IRPs, but I think it is not the best case, because the initiator of an IRP is the user, but I need the driver to be the initiator of communication between the NDIS driver and the user program.
    Thank You.

  • ThatsBerkanThatsBerkan Member Posts: 63
    How is this not a big security flaw anyway? OP wants to modify packets captured in kernel from usermode... Meaning anyone who attacks the usermode application can basically alter every single packet sent or received by the computer. I understand that this is on a private network but still, this project of yours and its use case doesn't make any sense to me.
  • Mark_RoddyMark_Roddy Member - All Emails Posts: 4,588

    @Arsen said:
    Hello everybody. Who can help me? How can I send outgoing Net Buffer Lists (outgoing traffic from the NDIS filter driver (FilterSendNetBufferLists)) to a user mode program for some modifications? I am doing it with IRPs, but I think it is not the best case, because the initiator of an IRP is the user, but I need the driver to be the initiator of communication between the NDIS driver and the user program.
    Thank You.

    You might want to ask new questions in a new thread.

  • ArsenArsen Member Posts: 61

    Thanks for the answer. My goal is to encrypt packets in user mode. Because the encryption algorithm is in a DLL, it runs in user mode. This algorithm is safe and cannot be inside a driver. The driver images are on the hard drive, which is a security breach.

  • ArsenArsen Member Posts: 61
    edited January 11

    The driver was developed by me. An NDIS filter driver. I think if the driver wants to, it should be able to communicate with user mode. There is a communication mechanism (FltCreateCommunicationPort) for non-NDIS drivers; it does not work for NDIS drivers.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    >
    > Thanks for the answer. My goal is to encrypt packets in user mode. Because
    > the encryption algorithm is in a dll, it runs in user mode. This algorithm
    > is safe and cannot be inside a driver. The driver images are on the hard
    > drive, which is a security breach

    Could you translate this for me, please?
    User mode is not on a hard drive, but drivers are?

    Again, how much data and how often do you need to send to user mode? 10 per second, millisecond, microsecond, nanosecond?
  • ArsenArsen Member Posts: 61

    Mr. Deyan_Maximovich. I wrote an NDIS filter driver. It will be installed on some isolated networks. How much data will be transmitted over the network there, I do not know. They will send documents, hold teleconferences and much more. I don't know. I think this is not very important, because at first customers suggested that I send outgoing packets back to user mode using a loop, i.e. send packets back through sockets.
    This means that all packets will be circulated 3 times: from the application to the network driver, from the driver to the user-mode encryption program, and finally from that program to the network.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    Try sending a million packets between kernel and user mode per second, and check the latency difference. (Any packet, no need to test NDIS packets for this test)

    If you do that, I suspect you will find the performance to be unacceptable.

    I don't have a good sense of how many NDIS packets go per second, so maybe I am off by an order of 1000x.

    Dejan.
  • ArsenArsen Member Posts: 61
    edited January 11

    > Could you translate this for me, please?
    > User mode is not on a hard drive, but drivers are?

    The driver image is on the hard drive. We cannot call the driver from flash. But we can't put the algorithm in the driver code, because someone can copy this driver from //Windows//system//drivers. Therefore, we decided to transfer the source packets to a user program on a removable disk, which should receive all packets from the driver, perform encryption and transfer them back to the driver.

  • ArsenArsen Member Posts: 61

    Well, thank You Mr.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    That.. will be awesome, perf wise, when paging kicks in :)
    Ok, you can use the AvScan example to send data. But test the performance, I think you will run into unacceptable bottlenecks.

    OT: how da heck did the message get translated into.. Russian, but only via email?? When I go to the forum, it is in English :)
  • ArsenArsen Member Posts: 61

    Well.

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,445

    @Dejan_Maksimovic Messages can be edited for an hour after you enter them. Only the initial version gets sent in the email.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • ArsenArsen Member Posts: 61

    Well. Thank You.

  • Dejan_MaksimovicDejan_Maksimovic Member - All Emails Posts: 506
    via Email
    Ah, right! I knew it wasn't AI translation, grammar was good in both languages :)