FwpmEngineOpen in EvtIoDeviceControl cause driver can not stop.

iFengHuang · November 12, 2018, 6:53pm

Hello guys, I’m new kernerl driver developer.

Im developing a callout driver for redirecting tcp & udp traffic to my local proxy.

I have try:

open engine, add sublayer, register callout, add callout, add filter, close engine all these at DriverEntry after create a control device. This works well, my driver able to stop by “net stop mydriver” command.
open engine, add sublayer, register callout, add callout, add filter, close engine all these at EvtIoDeviceControl when my driver receive IO control from my user-mode application. It’s unable to stop by “net stop mydriver” command. The command result like these words: “Stopping service…” then “unable to stop service”.
open engine, close engine at DriverEntry after create a control device, nothing other operation between open and close, the result same to 1.
open engine, close engine at EvtIoDeviceControl when my driver receive IO control from my user-mode application, the result same to 2.

Why is that?

Doron_Holan · November 12, 2018, 7:30pm

Is there an open handle from the app to the driver in your second scenario? An open handle will prevent unload.

d

Bent from my phone

From: iFengHuang
Sent: Monday, November 12, 2018 10:53:17 AM
To: Doron Holan
Subject: [NTDEV] FwpmEngineOpen in EvtIoDeviceControl cause driver can not stop.

OSR https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.osr.com%2F&data=02|01|doron.holan%40microsoft.com|43fa237cf3614b9a62a608d648d01ce6|72f988bf86f141af91ab2d7cd011db47|1|1|636776456008695341&sdata=aIgNHWmGvIacLMDOGIfq1OYfnFWRkxQPa1UGMIXdYQU%3D&reserved=0
iFengHuang started a new discussion: FwpmEngineOpen in EvtIoDeviceControl cause driver can not stop.

Hello guys, I’m new kernerl driver developer.

Im developing a callout driver for redirecting tcp & udp traffic to my local proxy.

I have try:

1. open engine, add sublayer, register callout, add callout, add filter all these at DriverEntry after create a control device. This works well, my driver able to stop by “net stop mydriver” command.

2. open engine, add sublayer, register callout, add callout, add filter all these at EvtIoDeviceControl when my user-mode application send IO control code to my driver. It’s unable to stop by “net stop mydriver” command. The command result like these words: “Stopping service…” then “unable to stop service”.

Why is that?

Don_Burn · November 12, 2018, 7:22pm

In DriverEntry the calling thread is a system thread, so assuming you are using NULL for the authnService parameter you are opening it with the system credentials. In EvtIoDeviceControl you don’t know what thread you are running on so you cannot be sure of the credentials unless you specify them.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

Note: The email was trying to reply to an invalid Discussion (290771).

iFengHuang · November 12, 2018, 7:35pm

@Doron_Holan said:
Is there an open handle from the app to the driver in your second scenario? An open handle will prevent unload.

No. I call FwpmEngineClose after FwpmEngineOpen at 4th. Is it about IRQL cause this problom ?

Doron_Holan · November 12, 2018, 7:38pm

I meant a handle open from the app to the driver.

iFengHuang · November 12, 2018, 7:46pm

@Doron_Holan said:
I meant a handle open from the app to the driver.

pretty !! solved ! Thank You !