The simplest form of injection goes into a BSOD right away. I cloned the NBL and injected it back, absorbing the old packet first. If the NBL is the cloned one, the BSOD happens right away. I tried to deep clone by creating a new NBL, but still the same; I believe there is something wrong with the cloned NBL.
The simplified code is below, showing the current state with everything else removed (I had originally been working on crafting a new packet with MDLs and so on). The code below crashes all the time on the injection.
Notice I made a new injection handle (the code is a modified inspect example).
I changed the filter to capture all packets.
I removed the capture on the transport layer, so it's on the network and the ALE layers only now.
    void
    TLInspectOutboundNetworkClassify(
        _In_ const FWPS_INCOMING_VALUES* inFixedValues,
        _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
        _Inout_opt_ void* layerData,
        _In_ const FWPS_FILTER* filter,
        _In_ UINT64 flowContext,
        _Inout_ FWPS_CLASSIFY_OUT* classifyOut
        )
    {
        classifyOut->actionType = FWP_ACTION_PERMIT;
        FWPS_PACKET_INJECTION_STATE packetState;
        //NdisRetreatNetBufferDataStart(pNetBuffer, inMetaValues->ipHeaderSize, FALSE, NULL);
        packetState = FwpsQueryPacketInjectionState(
            gNetworkInjectionHandle,
            layerData,
            NULL
            );
        if ((packetState == FWPS_PACKET_INJECTED_BY_SELF) ||
            (packetState == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF))
        {
            classifyOut->actionType = FWP_ACTION_PERMIT;
            if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
            {
                classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
            }
            goto Exit;
        }
        PNET_BUFFER_LIST pClonedNBL = NULL;
        NTSTATUS status = STATUS_SUCCESS;
        status = FwpsAllocateCloneNetBufferList(
            (PNET_BUFFER_LIST)layerData,
            NULL,
            NULL,
            0,
            &pClonedNBL
            );
        if (!NT_SUCCESS(status))
            goto Exit;
        // CRASHES DIRECTLY HERE
        status = FwpsInjectNetworkSendAsync0(
            gNetworkInjectionHandle,
            NULL,
            0,
            UNSPECIFIED_COMPARTMENT_ID, //inMetaValues->compartmentId,
            pClonedNBL, //pNewNbl,
            TLInspectNetworkInjectComplete,
            NULL
            );
        if (!NT_SUCCESS(status))
        {
            if (pClonedNBL != NULL)
            {
                FwpsFreeCloneNetBufferList(pClonedNBL, 0);
            }
            goto Exit;
        }
        pClonedNBL = NULL; // ownership transferred to the
                           // completion function.
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    Exit:
        classifyOut->actionType = FWP_ACTION_PERMIT;
        return;
    }