Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Mocking NET_BUFFER / NET_BUFFER_LIST in user mode ?

IkkepopIkkepop Member Posts: 25

I have code that parses NET_BUFFER_LIST/NET_BUFFER structures I need to debug and test, however WinDBG/Visual Studio , is just making this task impossibly difficult in kernel space, It's making me want to sob uncontrollably and destroy things with my hands and fists, not to mention costing me countless hours and days of lost productivity.
Can I somehow serialize or mock or capture, NET_BUFFER and NET_BUFFER_LIST structures in a userspace , I need them to be realistic, and just jerry rigging some plausible scenarios by hand seems nearly impossible to do, due to how complex these structures are.
Driver debugging is just kicking my ass so badly.


  • Jason_StephensonJason_Stephenson Member Posts: 89
    edited February 2020

    A key attribute to succeeding in this space is persistence. Keep at it. If you are using WinDBG you can use the following commands to display information about NBLs.

    • !ndiskd.nbl address
    • !ndiskd.nbl address -data

    Where address is a kernel memory address.

  • IkkepopIkkepop Member Posts: 25

    I'm currently investigating ndiskd, but what I'm missing is some way to see what is inside the frame to verify I parsed it correctly, is there some way to do that ?

  • Jason_StephensonJason_Stephenson Member Posts: 89

    Not sure what you mean by frame, but if you want to see what's in the packet then the aforementioned commands will do that.

  • IkkepopIkkepop Member Posts: 25

    I meant to actually parse the bytes in the packet and display what kind of headers there is inside. That would be nice for verifying my own implementation agrees with it.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE