How to identify the user address where the stream data is getting copied?

Hi,

I am new to the WFP and I am using msn monitor sample application to monitor all the packets received by TCP client application. In stream layer call out function, when a packet is received I could get the stream and analyze the content using ‘FwpsCopyStreamDataToBuffer’ API. At this point I need to know the user buffer address where this data is getting copied. From FWPS_STREAM_DATA received is there any way to identify this user address?

Thanks in advance for helping me out.

~Biju

xxxxx@gmail.com wrote:

I am new to the WFP and I am using msn monitor sample application to monitor all the packets received by TCP client application. In stream layer call out function, when a packet is received I could get the stream and analyze the content using ‘FwpsCopyStreamDataToBuffer’ API. At this point I need to know the user buffer address where this data is getting copied.

Why? Of what possible use would that information be? If you had the
user-mode address, how would you find the correct process? What will
you do if the request originated in kernel mode?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

User buffer address? The API FwpsCopyStreamDataToBuffer() will copy the
content to the provided buffer address which must be at least
BytesToCopy in length, per the documentation. If you want to inspect
this data in user mode, then you’ll need to integrate an
application/service that will retrieve this content from the driver. Of
course doing this processing synchronously before allowing the data
through will cause a huge performance impact.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@gmail.com
To: “Windows System Software Devs Interest List”
Sent: 2/28/2017 10:28:06 AM
Subject: [ntdev] How to identify the user address where the stream data
is getting copied ?

>Hi,
>
>I am new to the WFP and I am using msn monitor sample application to
>monitor all the packets received by TCP client application. In stream
>layer call out function, when a packet is received I could get the
>stream and analyze the content using ‘FwpsCopyStreamDataToBuffer’ API.
>At this point I need to know the user buffer address where this data is
>getting copied. From FWPS_STREAM_DATA received is there any way to
>identify this user address?
>
>Thanks in advance for helping me out.
>
>~Biju