Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Internals & Software Drivers||19-23 June 2023||Live, Online|
|Writing WDF Drivers||10-14 July 2023||Live, Online|
|Kernel Debugging||16-20 October 2023||Live, Online|
|Developing Minifilters||13-17 November 2023||Live, Online|
What u do is fully wrong. You should create new NetBuffer to manipulate MDL (previously NDIS_BUFFER) and chain it to newly created NET_BUFFER. Moreover maybe u misuse some API at wrong DISPATCH level. I advise u to refer to NDIS 6.0 mux intermediate driver and protocol driver sample included with WDK 7600.
In fact, I also come up similar question and posted a thread, but as to yet nobody responses. It is fortune that I have gone through all barriers to completed our own filter driver.
not 'own'. A NBL indicated to your driver is usually treated as
'read-only'. To 'modify' the packet, your driver typically would copy the
NBL, modify the copy, indicate the copy, and when the copy is returned, free
it and return the original (unmodified) NBL to the entity that indicated it
Depending on the nature of the change you wish to make to the NBL, there are
various degrees of 'depth' that you might make to 'copy' the original NBL.
Review carefully the WDK documentation on Cloning Net Buffers (and NBLs) as
well as the effect of Advance/Retreat operations on Net Buffers.
If you want to be able to scribble all of the entire indicated 'frame' from
MAC header to end of transport payload, you could make the 'copy' by doing:
1. Shrink the Original NB to 'nothing' temporarily with an Advance operation
of its entire length.
2. Clone the Original NB.
3. Restore the Original NB by retreating the amount you advanced.
4. Retreat the Clone to the size the Clone will be (whatever it will be
after modification say).
5. Copy what you want form the Original to the Clone making whatever
modifications you want.
6. Indicate the Clone.
Other approaches are possible depending on how much you want to modify.
From: [email protected]
[mailto:[email protected]] On Behalf Of [email protected]
Sent: Sunday, December 20, 2009 10:15 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to modify NetBufferList in FilterReceiveNetBufferLists?
Hi Dear All,
I am writing a filter driver to modify the traffic network packet. According
to the doc of msdn, filter drivers can filter received data before
indicating the data to overlying drivers. For each buffer that is submitted
to its FilterReceiveNetBufferLists function, a filter driver can modify the
contents of the buffer before calling NdisFIndicateReceiveNetBufferLists.
I reference to the sample of the filter driver "ndislwf" and modify the
FilterReceiveNetBufferLists function. I queue the NetBufferList in a local
structure and do the modification. And then I pass the local structure as
the NetBufferList to the NdisFIndicateReceiveNetBufferLists function, but
blue screen at once.
I want to ask that how can I modify the contents of the buffer before
calling NdisFIndicateReceiveNetBufferLists? Any sample or advice?
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
To unsubscribe, visit the List Server section of OSR Online at
Pls show some code snippt to demonstrate what u advise.
complete your own filter driver, and would u please kindly give me some code snippt that how you can overcome the barriers and modify the NB? Thank you~