Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

How an NDIS filter driver can interact with a user-mode program

ArsenArsen Member Posts: 61

Hello everybody.Who can help me. How can I send outgoing Net Buffer Lists (outgoing traffic from NDIS filter driver (FilterSendNetBufferLists)) to user mode program for some modifications. I am doing it with IRPs, but I think it is not a best case. Because initiator of IRP is user, but I need the driver to be an initiator of communication between NDIS driver and user program.


  • Don_BurnDon_Burn Member - All Emails Posts: 1,767

    First you can encrypt in the kernel, the operating system even has calls for the common model it provides in user space. If you really need to send it to user space look up "inverted call" that is well documented on the OSR site see

  • ArsenArsen Member Posts: 61
    edited January 11

    Thank you Mr Don_Burn. This is very helpful advice. Yes, maybe "inverted call" is what I need. But please tell us about the first method you mentioned. (First you can encrypt in the kernel, the operating system even has calls for the common model it provides in user space.)

  • ArsenArsen Member Posts: 61
    edited January 11

    And the second question. Will "inverted call" work in an NDIS environment

  • Don_BurnDon_Burn Member - All Emails Posts: 1,767

    Bcrypt.h has a kernel version, if you can use the Bcrypt calls in user mode, they should do the work in kernel mode if you want. Yes, the basic inverted call model works with NDIS.

  • ArsenArsen Member Posts: 61

    I read "Inverted Call". This is what I have already done. Yes, from the user mode program I issue an IOCTL request, in the driver I receive this request and store it in the context structure of the driver module. After that, I take it from the FilterSendNetBufferLists function, fill the MDL from NetBufferLists and return it to the user program. If this is the right way, then thanks..

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,445

    DLLs can be loaded in kernel mode, as long as they don't call user-mode APIs.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • ArsenArsen Member Posts: 61

    well, thank You Mr.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 January 2023 Live, Online
Developing Minifilters 20 March 2023 Live, Online
Internals & Software Drivers 17 April 2023 Live, Online
Writing WDF Drivers 22 May 2023 Live, Online