Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Mocking NET_BUFFER / NET_BUFFER_LIST in user mode ?

IkkepopIkkepop Member Posts: 25

I have code that parses NET_BUFFER_LIST/NET_BUFFER structures I need to debug and test, however WinDBG/Visual Studio , is just making this task impossibly difficult in kernel space, It's making me want to sob uncontrollably and destroy things with my hands and fists, not to mention costing me countless hours and days of lost productivity.
Can I somehow serialize or mock or capture, NET_BUFFER and NET_BUFFER_LIST structures in a userspace , I need them to be realistic, and just jerry rigging some plausible scenarios by hand seems nearly impossible to do, due to how complex these structures are.
Driver debugging is just kicking my ass so badly.


  • Jason_StephensonJason_Stephenson Member Posts: 106
    edited February 2020

    A key attribute to succeeding in this space is persistence. Keep at it. If you are using WinDBG you can use the following commands to display information about NBLs.

    • !ndiskd.nbl address
    • !ndiskd.nbl address -data

    Where address is a kernel memory address.

  • IkkepopIkkepop Member Posts: 25

    I'm currently investigating ndiskd, but what I'm missing is some way to see what is inside the frame to verify I parsed it correctly, is there some way to do that ?

  • Jason_StephensonJason_Stephenson Member Posts: 106

    Not sure what you mean by frame, but if you want to see what's in the packet then the aforementioned commands will do that.

  • IkkepopIkkepop Member Posts: 25

    I meant to actually parse the bytes in the packet and display what kind of headers there is inside. That would be nice for verifying my own implementation agrees with it.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging 15 November 2021 Live, Online