Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

NTDEV
Running into STATUS_FWP_OUT_OF_BOUNDS while making a call to fwpkclnt!FwpmFilterAdd0

Amritanshu_Johri Member Posts: 75

I am trying to see the types of events that show up in WFP if I try to use FWPM_LAYER_NAME_RESOLUTION_CACHE, but my call to add a filter is failing with STATUS_FWP_OUT_OF_BOUNDS.
I have modified the inspect driver in the WFP sample code [0]; the documentation on FWPM_LAYER_NAME_RESOLUTION_CACHE_V4 is really thin otherwise as well.

The call stack from where the call is failing is:
00 fwpkclnt!FwppProxyFilterAdd --> in this function ultimately the response from this call returns the error msrpc!Ndr64AsyncClientCall
01 fwpkclnt!FwpmFilterAdd0
02 Inspect!TLInspectAddFilter1
03 Inspect!TLInspectRegisterNamespaceClassifyCallout
04 Inspect!TLInspectRegisterCallouts
05 Inspect!DriverEntry

The final snippet where things fail is as follows:

    // Builds a terminating callout filter for the name-resolution-cache layer.
    // filterName, filterDesc, calloutKey, context, TL_NAMESPACE_SUBLAYER and
    // gEngineHandle come from the surrounding (modified) inspect sample code.
    NTSTATUS status = STATUS_SUCCESS;
    FWPM_FILTER filter = { 0 };

    filter.layerKey = FWPM_LAYER_NAME_RESOLUTION_CACHE_V4;   // layer being filtered
    filter.displayData.name = (wchar_t*)filterName;
    filter.displayData.description = (wchar_t*)filterDesc;
    filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;     // callout returns the final verdict
    filter.action.calloutKey = *calloutKey;                  // callout registered earlier
    filter.subLayerKey = TL_NAMESPACE_SUBLAYER;              // sublayer added by the sample
    filter.weight.type = FWP_EMPTY;                          // auto-weight
    filter.rawContext = context;

    // This is the call that returns STATUS_FWP_OUT_OF_BOUNDS.
    status = FwpmFilterAdd0(
        gEngineHandle,   // engine session handle from FwpmEngineOpen0
        &filter,
        NULL,            // default security descriptor
        NULL);           // filter ID not needed

Let me know if I am missing something obvious.

TIA,
Johri

[0] https://github.com/microsoft/Windows-driver-samples/tree/master/network/trans/inspect
